From 2dca8e7c5308e76c2da63c974ae75c4ad510c201 Mon Sep 17 00:00:00 2001 
From: Drew Thomson <74609149+saltycr3w@users.noreply.github.com> Date: Tue, 1 Aug 2023 11:30:23 -0500 Subject: [PATCH 1/9] feat(sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller): Global Custom CA Bundle Support (#961) Co-authored-by: Alberto Barba --- charts/admission-controller/Chart.yaml | 4 +- charts/admission-controller/README.md | 26 +- .../templates/scanner/deployment.yaml | 20 +- .../templates/scanner/secret.yaml | 7 +- .../templates/webhook/deployment.yaml | 22 +- .../templates/webhook/secret.yaml | 7 +- .../tests/ca_cert_test.yaml | 245 ++++++++ charts/admission-controller/values.yaml | 99 +++ charts/agent/Chart.yaml | 4 +- charts/agent/templates/NOTES.txt | 8 + charts/agent/templates/_helpers.tpl | 3 + .../agent/templates/configmap-deployment.yaml | 14 +- charts/agent/templates/configmap.yaml | 24 +- charts/agent/templates/daemonset.yaml | 35 +- charts/agent/templates/deployment.yaml | 22 + charts/agent/templates/secrets.yaml | 12 + charts/agent/tests/ca_cert_test.yaml | 586 ++++++++++++++++++ charts/agent/values.yaml | 66 ++ charts/cluster-scanner/Chart.yaml | 4 +- charts/cluster-scanner/README.md | 20 +- .../cluster-scanner/templates/deployment.yaml | 34 + charts/cluster-scanner/templates/secret.yaml | 12 + charts/cluster-scanner/values.yaml | 66 ++ charts/common/Chart.yaml | 2 +- charts/common/sysdig_ca.toml | 61 ++ charts/common/templates/_custom_ca.tpl | 91 +++ charts/kspm-collector/Chart.yaml | 4 +- .../kspm-collector/templates/deployment.yaml | 24 + charts/kspm-collector/templates/secret.yaml | 13 + charts/kspm-collector/tests/ca_cert_test.yaml | 147 +++++ charts/kspm-collector/values.yaml | 69 +++ charts/node-analyzer/Chart.yaml | 4 +- charts/node-analyzer/templates/_helpers.tpl | 2 +- .../templates/daemonset-node-analyzer.yaml | 69 ++- .../eveconnector-api-deployment.yaml | 24 + .../runtimeScanner/sysdig-eve-secret.yaml | 12 + charts/node-analyzer/templates/secrets.yaml | 13 + 
charts/node-analyzer/tests/ca_cert_test.yaml | 189 ++++++ .../tests/readme_command_test.yaml | 4 +- charts/node-analyzer/values.yaml | 68 ++ charts/rapid-response/Chart.yaml | 4 +- .../rapid-response/templates/daemonset.yaml | 25 +- charts/rapid-response/templates/secrets.yaml | 8 +- charts/rapid-response/tests/ca_cert_test.yaml | 170 +++++ charts/rapid-response/values.yaml | 110 ++-- charts/sysdig-deploy/Chart.yaml | 16 +- charts/sysdig-deploy/values.yaml | 33 + 47 files changed, 2391 insertions(+), 111 deletions(-) create mode 100644 charts/admission-controller/tests/ca_cert_test.yaml create mode 100644 charts/agent/tests/ca_cert_test.yaml create mode 100644 charts/common/sysdig_ca.toml create mode 100644 charts/common/templates/_custom_ca.tpl create mode 100644 charts/kspm-collector/tests/ca_cert_test.yaml create mode 100644 charts/node-analyzer/tests/ca_cert_test.yaml create mode 100644 charts/rapid-response/tests/ca_cert_test.yaml diff --git a/charts/admission-controller/Chart.yaml b/charts/admission-controller/Chart.yaml index b4dfc99d0..49b3e17ee 100644 --- a/charts/admission-controller/Chart.yaml +++ b/charts/admission-controller/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: admission-controller description: Sysdig Admission Controller using Sysdig Secure inline image scanner type: application -version: 0.11.9 +version: 0.12.0 appVersion: 3.9.26 home: https://sysdiglabs.github.io/admission-controller/ icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 @@ -21,4 +21,4 @@ dependencies: - name: common # repository: https://charts.sysdig.com repository: file://../common - version: ~1.0.1 + version: ~1.1.0 diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md index 7c0e23b56..80e070b4a 100644 --- a/charts/admission-controller/README.md +++ b/charts/admission-controller/README.md 
@@ -23,7 +23,7 @@ $ pre-commit run -a $ helm repo add sysdig https://charts.sysdig.com $ helm repo update $ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.11.9 \ + --create-namespace -n sysdig-admission-controller --version=0.12.0 \ --set clusterName=CLUSTER_NAME \ --set sysdig.secureAPIToken=SECURE_API_TOKEN ``` @@ -55,7 +55,7 @@ This chart deploys the Sysdig Admission Controller on a [Kubernetes](http://kube To install the chart with the release name `admission-controller`: ```console -$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller -n sysdig-admission-controller --version=0.11.9 +$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller -n sysdig-admission-controller --version=0.12.0 ``` The command deploys the Sysdig Admission Controller on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. 
@@ -87,6 +87,12 @@ The following table lists the configurable parameters of the `admission-controll | global.proxy | Global HTTP Proxy settings. | {} | | global.image.pullSecrets | | [] | | global.image.pullPolicy | | IfNotPresent | +| global.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | +| global.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | +| global.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | +| global.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. | | +| global.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | +| global.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. | | | clusterName | **required**
Cluster Name which appear on Secure UI | "" | | namespace | Namespace to install components (Optional, will default to release namespace).

IMPORTANT: If a namespace is specified this way it must already exist otherwise installation will fail. | "" | | sysdig.secureAPIToken | **required**
API Token to access Sysdig Secure.

If neither this value nor `sysdig.existingSecureAPITokenSecret` are configured, the user will be required to provide the deployment the `SECURE_API_TOKEN` (and `AUTH_BEARER_TOKEN` if the scanner is enabled) environment variables. Overrides `global.sysdig.secureAPIToken` | "" | @@ -144,6 +150,12 @@ The following table lists the configurable parameters of the `admission-controll | webhook.logLevel | Log Level - Valid Values are: error, info, debug, trace | info | | webhook.ssl.reuseTLSSecret | Reuse existing TLS Secret during chart upgrade | false | | webhook.ssl.ca.cert | For outbound connections (secure backend, proxy,...)
A PEM-encoded x509 certificate authority. | "" | +| webhook.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | +| webhook.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | +| webhook.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | +| webhook.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. | | +| webhook.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | +| webhook.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. | | | webhook.customEntryPoint | Custom entrypoint for the webhook
Remember to provide the webhook valid arguments with `--tls_cert_file` and `--tls_private_key_file`.
default: /bin/webhook --tls_cert_file /cert/tls.crt --tls_private_key_file /cert/tls.key | [] | | webhook.http.port | HTTP serve port where the requests will be served from | 5000 | | scc.create | Enable the creation of Security Context Constraints in Openshift | true | @@ -174,6 +186,12 @@ The following table lists the configurable parameters of the `admission-controll | scanner.tolerations | Tolerations for scheduling for the scanner | [] | | scanner.affinity | Configure affinity rules for the scanner | {} | | scanner.ssl.ca.cert | For outbound connections (secure backend, proxy,...).
A PEM-encoded x509 certificate authority. | "" | +| scanner.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | +| scanner.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | +| scanner.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | +| scanner.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. | | +| scanner.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | +| scanner.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. | | | scanner.customEntryPoint | Custom entrypoint for the scanner.
Remember to provide the scanner valid arguments with `--server_port` and optionally `--auth_secure_token`
default: /inline-scan-service --server_port=8080 | [] | @@ -181,7 +199,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to ` ```console $ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.11.9 \ + --create-namespace -n sysdig-admission-controller --version=0.12.0 \ --set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME ``` @@ -190,7 +208,7 @@ installing the chart. For example: ```console $ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.11.9 \ + --create-namespace -n sysdig-admission-controller --version=0.12.0 \ --values values.yaml ``` diff --git a/charts/admission-controller/templates/scanner/deployment.yaml b/charts/admission-controller/templates/scanner/deployment.yaml index e25c27636..4712f1fd1 100644 --- a/charts/admission-controller/templates/scanner/deployment.yaml +++ b/charts/admission-controller/templates/scanner/deployment.yaml 
@@ -41,10 +41,18 @@ spec: defaultMode: 420 secretName: {{ .Values.scanner.dockerCfgSecretName }} {{- end }} - {{- if .Values.scanner.ssl.ca.cert }} + {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }} - name: ca-cert secret: secretName: {{ include "admissionController.scanner.fullname" . }}-ca + {{- else if eq (include "sysdig.custom_ca.useExistingSecret" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }} + - name: ca-cert + secret: + secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }} + {{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }} + - name: ca-cert + configMap: + name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }} {{- end }} containers: - name: inline-scanner @@ -59,9 +67,9 @@ spec: name: dockercfg readOnly: true {{- end }} - {{- if .Values.scanner.ssl.ca.cert }} + {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }} - name: ca-cert - mountPath: /ca-cert + mountPath: /ca-certs readOnly: true {{- end }} {{- if .Values.scanner.customEntryPoint }} @@ -83,9 +91,9 @@ spec: - name: NO_PROXY value: {{ include "scanner.noProxy" . }} {{- end }} - {{- if .Values.scanner.ssl.ca.cert }} - - name: SSL_CERT_FILE - value: /ca-cert/root_ca_file.crt # mounted from the secret + {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }} + - name: SSL_CERT_DIR + value: /ca-certs {{- end }} envFrom: - configMapRef: 
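Review bot: Replacing `SSL_CERT_FILE` with `SSL_CERT_DIR=/ca-certs` in the third hunk only works if the scanner's TLS stack loads every file in the directory: Go's crypto/x509 does, but an OpenSSL-based client looks up subject-hash names (`<hash>.0`) in `SSL_CERT_DIR` and would silently ignore both `root_ca_file.crt` and the `keyName` file. If the image is a Go binary, a comment on the env entry such as `# every PEM file in the mount is loaded (Go x509 semantics); OpenSSL clients would need hash-named files` documents the dependency; if it is not, a single concatenated bundle via `SSL_CERT_FILE` is the safer choice. With Go's loader either variable also replaces the system roots instead of extending them, so a `certs` bundle holding only a proxy CA breaks a publicly signed backend connection; that is worth stating next to the env var. The same `SSL_CERT_DIR` change appears in webhook/deployment.yaml.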
diff --git a/charts/admission-controller/templates/scanner/secret.yaml b/charts/admission-controller/templates/scanner/secret.yaml index f1e8313d6..10b6c4ad8 100644 --- a/charts/admission-controller/templates/scanner/secret.yaml +++ b/charts/admission-controller/templates/scanner/secret.yaml @@ -19,7 +19,7 @@ stringData: AUTH_BEARER_TOKEN: {{ include "sysdig.secureAPIToken" . }} {{- end }} --- -{{- if .Values.scanner.ssl.ca.cert }} +{{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }} apiVersion: v1 kind: Secret metadata: @@ -27,6 +27,11 @@ metadata: namespace: {{ include "admissionController.namespace" . }} labels: {{- include "admissionController.scanner.labels" . | nindent 4 }} data: + {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }} + {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl "Files" .Subcharts.common.Files) | b64enc | quote }} + {{- end }} + {{- if or .Values.scanner.ssl.ca.cert }} root_ca_file.crt: {{ .Values.scanner.ssl.ca.cert | b64enc | quote }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/admission-controller/templates/webhook/deployment.yaml b/charts/admission-controller/templates/webhook/deployment.yaml index 62d9294c2..2171000c7 100644 --- a/charts/admission-controller/templates/webhook/deployment.yaml +++ b/charts/admission-controller/templates/webhook/deployment.yaml 
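Review bot: `{{- if or .Values.scanner.ssl.ca.cert }}` in the second hunk applies `or` to a single operand, which reads as an unfinished condition; it should be `{{- if .Values.scanner.ssl.ca.cert }}`. The same form is in webhook/secret.yaml. Separately, when the legacy `cert` and the new `certs` are both set and `keyName` is `root_ca_file.crt`, the Secret emits the same data key twice; a comment above the legacy line such as `# keyName must differ from root_ca_file.crt while cert is still set` would make the constraint visible.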
@@ -84,9 +84,9 @@ spec: - name: NO_PROXY value: {{ include "webhook.noProxy" . }},{{ include "admissionController.scanner.fullname" . }} {{- end }} - {{- if .Values.webhook.ssl.ca.cert }} - - name: SSL_CERT_FILE - value: /ca-cert/root_ca_file.crt # mounted from the secret + {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }} + - name: SSL_CERT_DIR + value: /ca-certs {{- end }} ports: - name: http @@ -117,9 +117,9 @@ spec: - name: cert mountPath: /cert readOnly: true - {{- if .Values.webhook.ssl.ca.cert }} + {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }} - name: ca-cert - mountPath: /ca-cert + mountPath: /ca-certs readOnly: true {{- end }} resources: @@ -128,11 +128,19 @@ spec: - name: cert secret: secretName: {{ include "admissionController.webhook.fullname" . }}-tls - {{- if .Values.webhook.ssl.ca.cert }} + {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }} - name: ca-cert secret: secretName: {{ include "admissionController.webhook.fullname" . }}-ca - {{- end }} + {{- else if eq (include "sysdig.custom_ca.useExistingSecret" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }} + - name: ca-cert + secret: + secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }} + {{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }} + - name: ca-cert + configMap: + name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }} + {{- end }} {{- with .Values.webhook.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
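Review bot: The two new `else if` branches in the third hunk test the condition against `.Values.webhook.ssl` but resolve the object name against `.Values.scanner.ssl`: `secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}` and the matching `name:` line under `configMap:`. With only `global.ssl.ca` set both resolve to the same name, which is why the added tests pass, but a webhook-level `existingCaSecret` or `existingCaConfigMap` is ignored in favour of the scanner's value or nothing. Both `.Values.scanner.ssl` references in this hunk should be `.Values.webhook.ssl`.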
diff --git a/charts/admission-controller/templates/webhook/secret.yaml b/charts/admission-controller/templates/webhook/secret.yaml index fb39a4300..f9473c78b 100644 --- a/charts/admission-controller/templates/webhook/secret.yaml +++ b/charts/admission-controller/templates/webhook/secret.yaml @@ -10,7 +10,7 @@ stringData: SECURE_API_TOKEN: {{ include "sysdig.secureAPIToken" . }} {{- end }} --- -{{- if .Values.webhook.ssl.ca.cert }} +{{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }} apiVersion: v1 kind: Secret metadata: @@ -19,5 +19,10 @@ metadata: labels: {{ include "admissionController.webhook.labels" . | nindent 4 }} data: + {{- if or .Values.webhook.ssl.ca.cert }} root_ca_file.crt: {{ .Values.webhook.ssl.ca.cert | b64enc | quote }} + {{- end }} + {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }} + {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl "Files" .Subcharts.common.Files) | b64enc | quote }} + {{- end }} {{- end }} diff --git a/charts/admission-controller/tests/ca_cert_test.yaml b/charts/admission-controller/tests/ca_cert_test.yaml new file mode 100644 index 000000000..e6047f7ec --- /dev/null +++ b/charts/admission-controller/tests/ca_cert_test.yaml 
@@ -0,0 +1,245 @@ +suite: Test admission-controller CA cert +templates: + - scanner/serviceaccount.yaml + - scanner/deployment.yaml + - scanner/podmonitor.yaml + - scanner/secret.yaml + - scanner/service.yaml + - scanner/configmap.yaml + - webhook/serviceaccount.yaml + - webhook/deployment.yaml + - webhook/configmap.yaml + - webhook/secret.yaml + - webhook/admissionregistration.yaml + - webhook/podmonitor.yaml +tests: + - it: Check Custsom CA Cert Disabled + documentIndex: 0 + set: + clusterName: "test-k8s" + scanner: + enabled: true + webhook: + enabled: true + sysdig: + accessKey: standard-key + secureAPIToken: standard-token + asserts: + - notContains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: webhook/deployment.yaml + - notContains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: release-name-admission-controller-webhook-ca + template: webhook/deployment.yaml + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: webhook/deployment.yaml + - notContains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: scanner/deployment.yaml + - notContains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: release-name-admission-controller-scanner-ca + template: scanner/deployment.yaml + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: scanner/deployment.yaml + + - it: Check Custsom CA Cert defined with Values + documentIndex: 0 + set: + clusterName: "test-k8s" + scanner: + enabled: true + webhook: + enabled: true + global: + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "global_root_ca.crt" + sysdig: + accessKey: 
standard-key + secureAPIToken: standard-token + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: release-name-admission-controller-webhook-ca + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: scanner/deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: release-name-admission-controller-scanner-ca + template: scanner/deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: scanner/deployment.yaml + + - it: Check Custsom CA Cert defined with Existing Secret + documentIndex: 0 + set: + clusterName: "test-k8s" + scanner: + enabled: true + webhook: + enabled: true + global: + ssl: + ca: + existingCaSecret: "test-fake-ca-secret-name" + existingCaSecretKeyName: "test-fake-ca-secret-key.crt" + sysdig: + accessKey: standard-key + secureAPIToken: standard-token + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: test-fake-ca-secret-name + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: 
SSL_CERT_DIR + value: "/ca-certs" + template: scanner/deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: test-fake-ca-secret-name + template: scanner/deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: scanner/deployment.yaml + + - it: Check Custsom CA Cert defined with Existing ConfigMap + documentIndex: 0 + set: + clusterName: "test-k8s" + scanner: + enabled: true + webhook: + enabled: true + global: + ssl: + ca: + existingCaConfigMap: "test-fake-ca-configmap-name" + existingCaConfigMapKeyName: "test-fake-ca-configmap-key.crt" + sysdig: + accessKey: standard-key + secureAPIToken: standard-token + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + configMap: + name: test-fake-ca-configmap-name + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: webhook/deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_DIR + value: "/ca-certs" + template: scanner/deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + configMap: + name: test-fake-ca-configmap-name + template: scanner/deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: scanner/deployment.yaml diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml index 1149211af..1367aafff 100644 --- a/charts/admission-controller/values.yaml +++ b/charts/admission-controller/values.yaml 
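Review bot: All four cases configure only `global.ssl.ca`, so they cannot detect a template reading the wrong component's values; the webhook deployment's existing-Secret and existing-ConfigMap branches take their name from `scanner.ssl` in this same patch and still pass here. A case that sets `webhook.ssl.ca.existingCaSecret` to a name different from the scanner's (or sets only the webhook one and asserts the scanner volume is absent) would cover the per-component override path. The `it:` descriptions also read `Custsom` instead of `Custom` in all four cases.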
@@ -18,6 +18,40 @@ global: image: pullSecrets: [] pullPolicy: IfNotPresent + ssl: + ca: + # For outbound connections (secure backend, proxy,...) + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- + + # Filename that is used when creating the secret. Required if cert is provided. + keyName: + + # Provide the name of an existing Secret that contains the CA required + existingCaSecret: + # Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. + existingCaSecretKeyName: + + # Provide the name of an existing ConfigMap that contains the CA required + existingCaConfigMap: + # Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. + existingCaConfigMapKeyName: # **required** #
Cluster Name which appear on Secure UI @@ -222,6 +256,38 @@ webhook: # For outbound connections (secure backend, proxy,...) #
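Review bot: The comment on `keyName`, `# Filename that is used when creating the secret. Required if cert is provided.`, refers to the legacy `cert` field while the new list is `certs`; it should read `# Filename that is used when creating the secret. Required if certs is provided.` The block also offers three sources (`certs`, `existingCaSecret`, `existingCaConfigMap`) without saying which wins when more than one is set; a one-line comment giving the precedence applied by the `sysdig.custom_ca.*` helpers (not visible in this patch) belongs at the top of the `ca:` block. The same comment text is repeated in the `webhook.ssl.ca` and `scanner.ssl.ca` hunks of this file and in the README table, and should be corrected there too.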
A PEM-encoded x509 certificate authority. cert: "" + # For outbound connections (secure backend, proxy,...) + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- + + # Filename that is used when creating the secret. Required if cert is provided. + keyName: + # Provide the name of an existing Secret that contains the CA required + existingCaSecret: + # Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. + existingCaSecretKeyName: + + # Provide the name of an existing ConfigMap that contains the CA required + existingCaConfigMap: + # Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. + existingCaConfigMapKeyName: + # Custom entrypoint for the webhook #
Remember to provide the webhook valid arguments with `--tls_cert_file` and `--tls_private_key_file`. @@ -332,6 +398,39 @@ scanner: #
A PEM-encoded x509 certificate authority. cert: "" + # For outbound connections (secure backend, proxy,...) + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- + + # Filename that is used when creating the secret. Required if cert is provided. + keyName: + + # Provide the name of an existing Secret that contains the CA required + existingCaSecret: + # Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. + existingCaSecretKeyName: + + # Provide the name of an existing ConfigMap that contains the CA required + existingCaConfigMap: + # Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. + existingCaConfigMapKeyName: + # Custom entrypoint for the scanner. #
Remember to provide the scanner valid arguments with `--server_port` and optionally `--auth_secure_token` #
default: /inline-scan-service --server_port=8080 diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml index 03d2dc227..cb6749a63 100644 --- a/charts/agent/Chart.yaml +++ b/charts/agent/Chart.yaml @@ -5,7 +5,7 @@ description: Sysdig Monitor and Secure agent type: application # currently matching sysdig 1.14.32 -version: 1.12.1 +version: 1.13.0 appVersion: 12.15.0 @@ -36,4 +36,4 @@ dependencies: - name: common # repository: https://charts.sysdig.com repository: file://../common - version: ~1.0.1 + version: ~1.1.0 diff --git a/charts/agent/templates/NOTES.txt b/charts/agent/templates/NOTES.txt index eb79aaa54..b5ebcaa00 100644 --- a/charts/agent/templates/NOTES.txt +++ b/charts/agent/templates/NOTES.txt @@ -44,5 +44,13 @@ The monitor.enabled parameter is true while using sysdig.settings.feature.mode t secure or secure_light mode. Please set monitor.enabled=false to ensure all Sysdig Monitor components are disabled when running the Agent in secure or secure_light modes. {{ else }} +{{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} + +We have appended the Sysdig Public CA to the CA bundle that you have provided. +This is to handle edge cases for on-premise installations that might need a Custom CA to verify the Collector and still download +the pre-compiled probe from https://download.sysdig.com. + +{{- end }} + No further action should be required. {{ end }} diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl index 53ee1f6ff..f78ddad2d 100644 --- a/charts/agent/templates/_helpers.tpl +++ b/charts/agent/templates/_helpers.tpl 
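Review bot: The new NOTES.txt message states that the Sysdig public CA has been appended to the user-provided bundle, but it is guarded by `sysdig.custom_ca.enabled`, which in the admission-controller templates of this same patch is also true for the `existingCaSecret` and `existingCaConfigMap` paths; a chart cannot append to a Secret or ConfigMap it does not create, so if the agent helpers behave the same way the message is misleading for those users. Guarding the text with `sysdig.custom_ca.useValues`, or rewording it to say that an existing Secret/ConfigMap must already contain the chain for download.sysdig.com, would match the actual behaviour. The agent daemonset changes that would confirm which case applies are outside the visible part of the patch.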
@@ -444,6 +444,9 @@ ssl: {{ $ssl }} {{- if $sslVerifyCertificate }} ssl_verify_certificate: {{ $sslVerifyCertificate }} {{- end }} +{{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} +ca_certificate: /etc/ca-certs/{{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) }} +{{- end }} {{- end }} {{/* diff --git a/charts/agent/templates/configmap-deployment.yaml b/charts/agent/templates/configmap-deployment.yaml index 71028e762..51b4cbf07 100644 --- a/charts/agent/templates/configmap-deployment.yaml +++ b/charts/agent/templates/configmap-deployment.yaml @@ -43,8 +43,16 @@ data: {{- if .Values.global.sysdig.tags }} tags: {{ include "agent.tags" . }} {{- end }} -{{/* add in the remaining items from sysdig.settings */}} -{{- if .Values.sysdig.settings }} -{{- toYaml .Values.sysdig.settings | nindent 4 }} +{{/* + Checking here the user is using Custom CA and if http_proxy.ssl = true + If these conditions are true, then we use the agent.sslCaFileName for the http_proxy.ca_certificate +*/}} +{{- if and (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true") (.Values.sysdig.settings) (hasKey .Values.sysdig.settings "http_proxy") (hasKey .Values.sysdig.settings.http_proxy "ssl") (eq (get .Values.sysdig.settings.http_proxy "ssl") true) }} + {{- $baseSettings := .Values.sysdig.settings -}} + {{- $caFilePath := printf "%s%s" "/etc/ca-certs/" (include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl)) }} + {{- $mergedSettings := mergeOverwrite $baseSettings (dict "http_proxy" (dict "ca_certificate" $caFilePath)) -}} + {{ toYaml $mergedSettings | indent 4 }} +{{- else if .Values.sysdig.settings }} + {{ toYaml .Values.sysdig.settings | indent 4 }} {{- end }} {{- end }} 
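Review bot: `ca_certificate: /etc/ca-certs/...` names a different path than the `/opt/draios/etc/ca-certs` mount used in daemonset.yaml and deployment.yaml; presumably the agent resolves this setting relative to its root directory, but a reader of this helper cannot tell, so add `{{- /* resolved by the agent relative to /opt/draios; the ca-cert volume is mounted at /opt/draios/etc/ca-certs */}}` above the line and confirm that assumption. The value is also emitted regardless of `$sslVerifyCertificate`, which is harmless but worth a word in the same comment. The enclosing define starts outside the hunk.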
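Review bot: In the `else if` branch the whitespace before `{{ toYaml .Values.sysdig.settings | indent 4 }}` is literal output (no trim marker removes it), so unless I misread the whitespace control the first settings key lands two columns deeper than the rest, and inside the `dragent.yaml: |` block scalar that quietly reshapes the user's settings; the `nindent` form this replaces did not have the problem. Use `{{- toYaml .Values.sysdig.settings | trim | nindent 4 }}` and, for symmetry, `{{- toYaml $mergedSettings | trim | nindent 4 }}` in the first branch. `mergeOverwrite $baseSettings ...` also mutates `.Values.sysdig.settings` in place for every template rendered afterwards and silently replaces a user-provided `http_proxy.ca_certificate`; `{{- $baseSettings := deepCopy .Values.sysdig.settings -}}` keeps `.Values` untouched. The same lines are added to configmap.yaml in the next hunk.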
diff --git a/charts/agent/templates/configmap.yaml b/charts/agent/templates/configmap.yaml index baef1e4ff..9947d63df 100644 --- a/charts/agent/templates/configmap.yaml +++ b/charts/agent/templates/configmap.yaml @@ -26,9 +26,27 @@ data: {{- if .Values.global.sysdig.tags }} tags: {{ include "agent.tags" . }} {{- end }} -{{/* add in the remaining items from sysdig.settings */}} -{{- if .Values.sysdig.settings }} - {{- toYaml .Values.sysdig.settings | trim | nindent 4 }} +{{/* + Checking here the user is using Custom CA and if http_proxy.ssl = true + If these conditions are true, then we use the agent.sslCaFileName for the http_proxy.ca_certificate +*/}} +{{- if and (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true") (.Values.sysdig.settings) (hasKey .Values.sysdig.settings "http_proxy") (hasKey .Values.sysdig.settings.http_proxy "ssl") (eq (get .Values.sysdig.settings.http_proxy "ssl") true) }} + {{- $baseSettings := .Values.sysdig.settings -}} + {{- $caFilePath := printf "%s%s" "/etc/ca-certs/" (include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl)) }} + {{- $mergedSettings := mergeOverwrite $baseSettings (dict "http_proxy" (dict "ca_certificate" $caFilePath)) -}} + {{ toYaml $mergedSettings | indent 4 }} +{{- else if .Values.sysdig.settings }} + {{ toYaml .Values.sysdig.settings | indent 4 }} +{{- end }} +{{- if .Values.leaderelection.enable }} + k8s_delegation_election: true + k8s_coldstart: + enabled: true + enforce_leader_election: true + namespace: {{ include "agent.namespace" . }} +{{- end }} +{{- if .Values.global.sysdig.tags }} + tags: {{ include "agent.tags" . }} {{- end }} {{- if .Values.prometheus.file }} prometheus.yaml: | diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml index a37d6363f..477fb29c2 100644 --- a/charts/agent/templates/daemonset.yaml +++ b/charts/agent/templates/daemonset.yaml 
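Review bot: The `{{- if .Values.global.sysdig.tags }} tags: ... {{- end }}` block added at the end of this hunk duplicates the identical block that is its leading context, so with global tags set `dragent.yaml` contains the `tags` key twice and which value the agent honours depends on its YAML parser. Drop the trailing copy; if a `k8s_delegation_election` block already exists earlier in this template (not visible in the hunk), the added leader-election block duplicates it in the same way. The `else if` indentation problem raised on the configmap-deployment.yaml hunk applies to this hunk as well.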
@@ -111,7 +111,18 @@ spec: - name: no_proxy value: {{ .Values.proxy.noProxy | default .Values.global.proxy.noProxy }} {{- end }} + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} + - name: SSL_CERT_FILE + value: /opt/draios/etc/ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) -}} + {{- end }} volumeMounts: + {{- /* Always requested */}} + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} + - name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + {{- end }} + {{- /* Slim = true, Autopilot = false */}} {{- if not (include "agent.gke.autopilot" .) }} - mountPath: /etc/modprobe.d @@ -191,6 +202,10 @@ spec: - name: {{ $key | quote }} value: {{ $value | quote }} {{- end }} + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} + - name: SSL_CERT_FILE + value: /opt/draios/etc/ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) -}} + {{- end }} readinessProbe: exec: command: [ "test", "-e", "/opt/draios/logs/running" ] @@ -211,6 +226,12 @@ spec: - mountPath: /etc/podinfo name: podinfo + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} + - name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + {{- end }} + {{- /* Slim = false, Autopilot = false */}} {{- if and (not .Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} - mountPath: /etc/modprobe.d @@ -297,7 +318,6 @@ spec: {{- if .Values.extraVolumes.mounts }} {{ toYaml .Values.extraVolumes.mounts | nindent 12 }} {{- end }} - volumes: {{- /* Always requested */}} - name: dev-vol 
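Review bot: The `{{- /* Always requested */}}` comment now sits directly above a conditional `ca-cert` mount, so the first entry under "always requested" is the one that only renders when a custom CA is configured; move the comment below the `{{- end }}` or reword it, e.g. `{{- /* Custom CA bundle, only when ssl.ca is configured */}}`. In the `-191` hunk the `SSL_CERT_FILE` entry is appended after a `range` over user-supplied env entries (the map itself is outside the hunk), so a user who already sets `SSL_CERT_FILE` there ends up with two env entries of the same name; a sentence in the values comments saying the chart owns that variable would avoid the surprise. The `-211` hunk repeats the mount for the main container and gets the same comment.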
@@ -332,6 +352,19 @@ spec: apiVersion: v1 fieldPath: metadata.name path: name + {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} + - name: ca-cert + secret: + secretName: {{ include "agent.fullname" . }}-ca + {{- else if eq (include "sysdig.custom_ca.useExistingSecret" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} + - name: ca-cert + secret: + secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.ssl) }} + {{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} + - name: ca-cert + configMap: + name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl) }} + {{- end }} {{- /* Slim = false, Autopilot = false */}} {{- if and (not .Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} diff --git a/charts/agent/templates/deployment.yaml b/charts/agent/templates/deployment.yaml index 6814f0fd0..191659247 100644 --- a/charts/agent/templates/deployment.yaml +++ b/charts/agent/templates/deployment.yaml @@ -98,6 +98,10 @@ spec: - name: no_proxy value: {{ .Values.proxy.noProxy | default .Values.global.proxy.noProxy }} {{- end }} + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} + - name: SSL_CERT_FILE + value: /opt/draios/etc/ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) -}} + {{- end }} readinessProbe: exec: command: [ "test", "-e", "/opt/draios/logs/running" ] 
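Review bot: The `useValues` / `useExistingSecret` / `useExistingConfigMap` chain has no terminal branch, while the `ca-cert` volumeMounts in the earlier hunks are keyed on `sysdig.custom_ca.enabled`; if the helpers can ever report enabled without one of the three sources resolving (their bodies are not in this part of the diff), the pod references an undeclared volume and fails at scheduling time with no hint about the values mistake. Closing the chain with `{{- else if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}` followed by `{{- fail "ssl.ca: custom CA enabled but no certs, existingCaSecret or existingCaConfigMap resolved" }}` turns that into a render-time error. The same chain is repeated verbatim in deployment.yaml and in the cluster-scanner deployment; a named template in the common chart would keep the copies in step.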
@@ -119,6 +123,11 @@ spec: name: sysdig-agent-secrets - mountPath: /etc/podinfo name: podinfo + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} + - name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + {{- end }} {{- /* Slim = false, Autopilot = false */}} {{- if and (not .Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} @@ -248,6 +257,19 @@ spec: apiVersion: v1 fieldPath: metadata.name path: name + {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} + - name: ca-cert + secret: + secretName: {{ include "agent.fullname" . }}-ca + {{- else if eq (include "sysdig.custom_ca.useExistingSecret" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} + - name: ca-cert + secret: + secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.ssl) }} + {{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }} + - name: ca-cert + configMap: + name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl) }} + {{- end }} {{- /* Slim = false, Autopilot = false */}} {{- if and (not .Values.slim.enabled) (not (include "agent.gke.autopilot" .)) }} diff --git a/charts/agent/templates/secrets.yaml b/charts/agent/templates/secrets.yaml index 2051ef7c3..efba84fb0 100644 --- a/charts/agent/templates/secrets.yaml +++ b/charts/agent/templates/secrets.yaml 
@@ -24,3 +24,15 @@ data:
 {{ toYaml .data | indent 2 }}
 ---
 {{- end }}
+{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "agent.fullname" . }}-ca
+ namespace: {{ include "agent.namespace" . }}
+ labels:
+{{ include "agent.labels" . | indent 4 }}
+data:
+ {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
+---
+{{- end }}
diff --git a/charts/agent/tests/ca_cert_test.yaml b/charts/agent/tests/ca_cert_test.yaml
new file mode 100644
index 000000000..ece7e9224
--- /dev/null
+++ b/charts/agent/tests/ca_cert_test.yaml
@@ -0,0 +1,586 @@ +suite: Test agent CA cert +templates: + - templates/configmap.yaml + - templates/configmap-deployment.yaml + - templates/daemonset.yaml + - templates/deployment.yaml + - templates/secrets.yaml +tests: + - it: Checking Agent CA Cert Secret + set: + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "root_ca.crt" + asserts: + - isKind: + of: Secret + template: templates/secrets.yaml + - it: Check Local CA Cert + set: + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "root_ca.crt" + asserts: + - contains: + path: spec.template.spec.initContainers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/root_ca.crt" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.initContainers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/root_ca\.crt.* + template: templates/configmap.yaml + - it: Check Local CA Cert Delegated Agent Deployment + set: + delegatedAgentDeployment: + enabled: true + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "root_ca.crt" + asserts: + - contains: + path: spec.template.spec.initContainers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/root_ca.crt" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: 
"/opt/draios/etc/ca-certs/root_ca.crt" + template: templates/deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/deployment.yaml + - contains: + path: spec.template.spec.initContainers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/deployment.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/root_ca\.crt.* + template: templates/configmap.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/root_ca\.crt.* + template: templates/configmap-deployment.yaml + - it: Check Local CA Cert with SSL Proxy + set: + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + settings: + http_proxy: + ssl: true + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "root_ca.crt" + asserts: + - contains: + path: spec.template.spec.initContainers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/root_ca.crt" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.initContainers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/root_ca\.crt.* + template: templates/configmap.yaml + - it: Check 
Local CA Cert with SSL Proxy Delegated Agent Deployment + set: + delegatedAgentDeployment: + enabled: true + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + settings: + http_proxy: + ssl: true + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "root_ca.crt" + asserts: + - contains: + path: spec.template.spec.initContainers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/root_ca.crt" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/root_ca.crt" + template: templates/deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/deployment.yaml + - contains: + path: spec.template.spec.initContainers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/deployment.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/root_ca\.crt.* + template: templates/configmap.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/root_ca\.crt.* + template: templates/configmap-deployment.yaml + - it: Check Global CA Cert with local CA cert override + set: + global: + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "global_root_ca.crt" + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + 
my-test-cert + -----END CERTIFICATE----- + keyName: "root_ca.crt" + asserts: + - contains: + path: spec.template.spec.initContainers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/root_ca.crt" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.initContainers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/root_ca\.crt.* + template: templates/configmap.yaml + - it: Check Global CA Cert with local CA cert override Delegated Agent Deployment + set: + delegatedAgentDeployment: + enabled: true + global: + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "global_root_ca.crt" + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "root_ca.crt" + asserts: + - contains: + path: spec.template.spec.initContainers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/root_ca.crt" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/root_ca.crt" + template: templates/deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/deployment.yaml + - contains: + path: spec.template.spec.initContainers[0].volumeMounts + content: + name: ca-cert + mountPath: 
/opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/deployment.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/root_ca\.crt.* + template: templates/configmap.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/root_ca\.crt.* + template: templates/configmap-deployment.yaml + - it: Check Global CA Cert + set: + global: + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "global_root_ca.crt" + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + asserts: + - contains: + path: spec.template.spec.initContainers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/global_root_ca.crt" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.initContainers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/global_root_ca\.crt.* + template: templates/configmap.yaml + - it: Check Global CA Cert Delegated Agent Deployment + set: + delegatedAgentDeployment: + enabled: true + global: + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "global_root_ca.crt" + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + asserts: + - contains: + path: 
spec.template.spec.initContainers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/global_root_ca.crt" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/global_root_ca.crt" + template: templates/deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/deployment.yaml + - contains: + path: spec.template.spec.initContainers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/global_root_ca\.crt.* + template: templates/configmap.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/global_root_ca\.crt.* + template: templates/configmap-deployment.yaml + - it: Check Global CA Cert with SSL Proxy + set: + global: + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "global_root_ca.crt" + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + settings: + http_proxy: + ssl: true + asserts: + - contains: + path: spec.template.spec.initContainers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/global_root_ca.crt" + template: 
templates/daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.initContainers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/global_root_ca\.crt.* + template: templates/configmap.yaml + - it: Check Global CA Cert with SSL Proxy Delegated Agent Deployment + set: + delegatedAgentDeployment: + enabled: true + global: + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "global_root_ca.crt" + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + settings: + http_proxy: + ssl: true + asserts: + - contains: + path: spec.template.spec.initContainers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/global_root_ca.crt" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: "/opt/draios/etc/ca-certs/global_root_ca.crt" + template: templates/deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: RELEASE-NAME-agent-ca + template: templates/deployment.yaml + - contains: + path: spec.template.spec.initContainers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - contains: + path: 
spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /opt/draios/etc/ca-certs + readOnly: true + template: templates/daemonset.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/global_root_ca\.crt.* + template: templates/configmap.yaml + - matchRegex: + path: data['dragent.yaml'] + pattern: .*\/etc\/ca-certs\/global_root_ca\.crt.* + template: templates/configmap-deployment.yaml diff --git a/charts/agent/values.yaml b/charts/agent/values.yaml index 99e26f98a..f825ba520 100644 --- a/charts/agent/values.yaml +++ b/charts/agent/values.yaml 
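Review bot: Every case in this suite feeds the CA through `ssl.ca.certs`; the `existingCaSecret` and `existingCaConfigMap` branches of the volume chain and the default no-CA case are never exercised, so a regression in any of them passes unnoticed. Add a case that sets `existingCaSecret: my-ca` and `existingCaSecretKeyName: ca.crt` and asserts `secretName: my-ca` in `spec.template.spec.volumes`, and a case with no CA values that uses `notContains` on the `ca-cert` volume and a `matchRegex` on an ordinary `sysdig.settings` key in `data['dragent.yaml']` (constructed example: `pattern: ^\s{4}log:` after setting `settings.log`), which would also catch an indentation difference between the two settings branches in configmap.yaml. The proxy cases only match the CA path, so as written they cannot tell whether the rest of the user's settings survived the merge.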
@@ -11,6 +11,39 @@ global: image: pullSecrets: [] pullPolicy: IfNotPresent + ssl: + ca: + # For outbound connections (secure backend, proxy,...) + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- + + # Filename that is used when creating the secret. Required if cert is provided. + keyName: + + # Provide the name of an existing Secret that contains the CA required + existingCaSecret: + # Provide the filename that is defined inside the existing Secret + existingCaSecretKeyName: + # Provide the name of an existing ConfigMap that contains the CA required + existingCaConfigMap: + # Provide the filename that is defined inside the existing ConfigMap + existingCaConfigMapKeyName: namespace: "" 
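Review bot: The comment on `keyName` says "Required if cert is provided" but the key it refers to is `certs`, and the `existingCaSecretKeyName` / `existingCaConfigMapKeyName` comments drop the "Required if … is set" qualifier that the admission-controller values in the first hunk carry; align them, e.g. `# Filename that is used when creating the secret. Required if certs is provided.` and `# Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set.`. The `certs` comment should also say how the bundle is consumed: the templates export it as `SSL_CERT_FILE`, which for OpenSSL-based clients replaces the default trust file rather than extending it, so the CA of any proxy or other endpoint the component reaches must be in the bundle too (worth confirming against the agent's TLS stack before documenting). The second `ssl:` hunk in this file and the README rows for cluster-scanner repeat the same wording.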
@@ -327,6 +360,39 @@ delegatedAgentDeployment: # Allow direct setting of Agent log priority levels for console and file logs (info|debug) logPriority: +ssl: + ca: + # For outbound connections (secure backend, proxy,...) + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- + + # Filename that is used when creating the secret. Required if cert is provided. + keyName: + + # Provide the name of an existing Secret that contains the CA required + existingCaSecret: + # Provide the filename that is defined inside the existing Secret + existingCaSecretKeyName: + # Provide the name of an existing ConfigMap that contains the CA required + existingCaConfigMap: + # Provide the filename that is defined inside the existing ConfigMap + existingCaConfigMapKeyName: tests: timeout: 300s image: diff --git a/charts/cluster-scanner/Chart.yaml b/charts/cluster-scanner/Chart.yaml index 9dbbd1921..6b7b6ae07 100644 --- a/charts/cluster-scanner/Chart.yaml +++ b/charts/cluster-scanner/Chart.yaml @@ -4,7 +4,7 @@ description: Sysdig Cluster Scanner type: application -version: 0.3.3 +version: 0.4.0 appVersion: "0.1.0" home: https://www.sysdig.com/ 
@@ -24,4 +24,4 @@ dependencies: - name: common # repository: https://charts.sysdig.com repository: file://../common - version: ~1.0.1 + version: ~1.1.0 diff --git a/charts/cluster-scanner/README.md b/charts/cluster-scanner/README.md index a1d5597ac..c1c7d75d6 100644 --- a/charts/cluster-scanner/README.md +++ b/charts/cluster-scanner/README.md @@ -25,7 +25,7 @@ $ pre-commit run -a $ helm repo add sysdig https://charts.sysdig.com $ helm repo update $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.3.3 \ + --create-namespace -n sysdig --version=0.4.0 \ --set global.clusterConfig.name=CLUSTER_NAME \ --set global.sysdig.region=SYSDIG_REGION \ --set global.sysdig.accessKey=YOUR-KEY-HERE @@ -55,7 +55,7 @@ To install the chart with the release name `cluster-scanner`, run: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.3.3 \ + --create-namespace -n sysdig --version=0.4.0 \ --set global.clusterConfig.name=CLUSTER_NAME \ --set global.sysdig.region=SYSDIG_REGION \ --set global.sysdig.accessKey=YOUR-KEY-HERE 
@@ -94,6 +94,12 @@ The following table lists the configurable parameters of the `cluster-scanner` c | global.image.pullSecrets | The pull secrets for Cluster Scanner | [] | | global.image.pullPolicy | The pull policy for Cluster Scanner | IfNotPresent | | global.loggingLevel | Set the logging level to use, useful for troubleshooting. Valid values, sorted by increasing level of verbosity are: `PANIC`, `FATAL`, `ERROR`, `WARN`, `INFO`, `DEBUG`, `TRACE`. | "INFO" | +| global.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | +| global.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | +| global.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | +| global.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret | | +| global.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | +| global.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap | | | eveEnabled | Enables Sysdig Eve to retrieve the list of running packages. | false | | eveIntegrationEnabled | Enables the integration with Sysdig Eve. Stores the list of running packages to Sysdig backend. It implies `eveEnabled: true`. | false | | rootNamespace | The namespace to use to retrieve the cluster UID | "kube-system" | 
@@ -140,13 +146,19 @@ The following table lists the configurable parameters of the `cluster-scanner` c | nodeSelector.kubernetes.io/arch | Cluster Scanner is only supported on nodes with amd64 architecture | amd64 | | tolerations | Set Cluster Scanner scheduling tolerations | [] | | affinity | Set Cluster Scanner affinity | {} | +| ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | +| ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | +| ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | +| ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret | | +| ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | +| ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap | | Specify each parameter using the **`--set key=value[,key=value]`** argument to `helm upgrade --install`. For example: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.3.3 \ + --create-namespace -n sysdig --version=0.4.0 \ --set global.sysdig.region="us1" ``` @@ -155,7 +167,7 @@ installing the chart. For example: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.3.3 \ + --create-namespace -n sysdig --version=0.4.0 \ --values values.yaml ``` diff --git a/charts/cluster-scanner/templates/deployment.yaml b/charts/cluster-scanner/templates/deployment.yaml index 11967ef7f..68f044a56 100644 --- a/charts/cluster-scanner/templates/deployment.yaml +++ b/charts/cluster-scanner/templates/deployment.yaml 
@@ -34,12 +34,32 @@ spec:
serviceAccountName: {{ include "cluster-scanner.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
+ volumes:
+ {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+ - name: ca-cert
+ secret:
+ secretName: {{ include "cluster-scanner.fullname" . }}-ca
+ {{- else if eq (include "sysdig.custom_ca.useExistingSecret" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+ - name: ca-cert
+ secret:
+ secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.ssl) }}
+ {{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+ - name: ca-cert
+ configMap:
+ name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl) }}
+ {{- end }}
containers:
- name: rsi
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: {{ template "cluster-scanner.runtimeStatusIntegrator.image" . }}
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
+ volumeMounts:
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+ - name: ca-cert
+ mountPath: /ca-certs
+ readOnly: true
+ {{- end }}
{{- with .Values.runtimeStatusIntegrator }}
ports:
- name: metrics
@@ -53,6 +73,10 @@ spec:
- name: PPROF_PORT
value: {{ .ports.pprof | default "6060" | quote }}
{{- end }}
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+ - name: SSL_CERT_FILE
+ value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) -}}
+ {{- end }}
- name: MODE
valueFrom:
configMapKeyRef:
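Review bot: The `volumes:` and `volumeMounts:` keys are emitted outside the `if`, so with custom CA support off the rendered pod spec carries `volumes: null` and `volumeMounts: null`; wrapping each key in `{{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}` keeps the manifest clean and avoids a duplicate-key clash if a `volumes:` list is ever added elsewhere in this spec. The same pattern appears in the next hunk of this file, in the kspm-collector deployment and in the eveconnector deployment. In the second hunk, `SSL_CERT_FILE` is an unquoted scalar built from a user-supplied key name; `value: {{ printf "/ca-certs/%s" (include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl)) | quote }}` is safer against key names containing YAML-significant characters, and the trailing `-}}` trim then becomes unnecessary.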
@@ -252,6 +276,12 @@ spec:
{{- toYaml .Values.securityContext | nindent 12 }}
image: {{ template "cluster-scanner.imageSbomExtractor.image" . }}
imagePullPolicy: {{ .Values.global.image.pullPolicy }}
+ volumeMounts:
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+ - name: ca-cert
+ mountPath: /ca-certs
+ readOnly: true
+ {{- end }}
{{- with .Values.imageSbomExtractor }}
ports:
- name: metrics
@@ -265,6 +295,10 @@ spec:
- name: PPROF_PORT
value: {{ .ports.pprof | default "6061" | quote }}
{{- end }}
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+ - name: SSL_CERT_FILE
+ value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) -}}
+ {{- end }}
- name: LOGGING_LEVEL
valueFrom:
configMapKeyRef:
diff --git a/charts/cluster-scanner/templates/secret.yaml b/charts/cluster-scanner/templates/secret.yaml
index 00a50dcb2..1d21f3fe3 100644
--- a/charts/cluster-scanner/templates/secret.yaml
+++ b/charts/cluster-scanner/templates/secret.yaml
@@ -12,3 +12,15 @@ data:
{{- if and (eq .Values.imageSbomExtractor.cache.type "distributed") ((.Values.imageSbomExtractor.cache.redis).password) }}
cache_redis_password: {{ .Values.imageSbomExtractor.cache.redis.password | b64enc | quote }}
{{- end }}
+{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "cluster-scanner.fullname" . }}-ca
+ namespace: {{ include "cluster-scanner.namespace" . }}
+ labels:
+{{ include "cluster-scanner.labels" . | indent 4 }}
+data:
+ {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
+{{- end }}
diff --git a/charts/cluster-scanner/values.yaml b/charts/cluster-scanner/values.yaml
index 7c22e002f..96fde7913 100644
--- a/charts/cluster-scanner/values.yaml
+++ b/charts/cluster-scanner/values.yaml
@@ -29,7 +29,39 @@ global:
# sorted by increasing level of verbosity are: `PANIC`, `FATAL`, `ERROR`,
# `WARN`, `INFO`, `DEBUG`, `TRACE`.
loggingLevel: "INFO"
+ ssl:
+ ca:
+ # For outbound connections (secure backend, proxy,...)
+ # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates.
+ certs: []
+ # Example of certificate
+ # certs:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+ # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+ # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E=
+ # -----END CERTIFICATE-----
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+ # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+ # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D=
+ # -----END CERTIFICATE-----
+ # Filename that is used when creating the secret. Required if cert is provided.
+ keyName:
+
+ # Provide the name of an existing Secret that contains the CA required
+ existingCaSecret:
+ # Provide the filename that is defined inside the existing Secret
+ existingCaSecretKeyName:
+ # Provide the name of an existing ConfigMap that contains the CA required
+ existingCaConfigMap:
+ # Provide the filename that is defined inside the existing ConfigMap
+ existingCaConfigMapKeyName:
# Enables Sysdig Eve to retrieve the list of running packages.
eveEnabled: false
# Enables the integration with Sysdig Eve. Stores the list of running packages
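Review bot: The comments on `certs` and on the `existingCa*` keys do not tell the operator what the bundle must contain: the deployment templates point `SSL_CERT_FILE` at this single file, which for Go and OpenSSL clients replaces the default trust store, and the certificates in `charts/common/sysdig_ca.toml` are appended by `sysdig.custom_ca.cert` only in the `certs`/`keyName` path, not when an existing Secret or ConfigMap is referenced. A comment above `certs:` along the lines of `# The pods trust ONLY this bundle (SSL_CERT_FILE); include every CA needed for the backend and any proxy.` and, above `existingCaSecret:`, `# The CAs shipped in the common chart are NOT added to an existing Secret/ConfigMap; provide the full chain.` would prevent hard-to-diagnose TLS failures. The same comment blocks are duplicated in the next hunk of this file and in both kspm-collector values.yaml hunks.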
@@ -223,3 +255,37 @@ tolerations: []
# Set Cluster Scanner affinity
affinity: {}
+
+ssl:
+ ca:
+ # For outbound connections (secure backend, proxy,...)
+ # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates.
+ certs: []
+ # Example of certificate
+ # certs:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+ # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+ # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E=
+ # -----END CERTIFICATE-----
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+ # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+ # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D=
+ # -----END CERTIFICATE-----
+
+ # Filename that is used when creating the secret. Required if cert is provided.
+ keyName:
+
+ # Provide the name of an existing Secret that contains the CA required
+ existingCaSecret:
+ # Provide the filename that is defined inside the existing Secret
+ existingCaSecretKeyName:
+ # Provide the name of an existing ConfigMap that contains the CA required
+ existingCaConfigMap:
+ # Provide the filename that is defined inside the existing ConfigMap
+ existingCaConfigMapKeyName:
diff --git a/charts/common/Chart.yaml b/charts/common/Chart.yaml
index 32c0b2659..c67012116 100644
--- a/charts/common/Chart.yaml
+++ b/charts/common/Chart.yaml
@@ -16,7 +16,7 @@ type: library
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.2
+version: 1.1.0
maintainers:
- name: AlbertoBarba
diff --git a/charts/common/sysdig_ca.toml b/charts/common/sysdig_ca.toml
new file mode 100644
index 000000000..e693fb345
--- /dev/null
+++ b/charts/common/sysdig_ca.toml
@@ -0,0 +1,61 @@
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
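Review bot: The first certificate in this bundle is an intermediate rather than a root (its subject appears to decode to Let's Encrypt R3 and its validity field ends in September 2025), and `sysdig.custom_ca.cert` appends the whole file to every values-path CA Secret, so the chart will need a release to rotate it and a stale copy will sit in every cluster after it expires. A TLS server sends its own intermediates, so shipping only the ISRG Root X1 root would be sufficient and ages better; if the intermediate is kept on purpose, that reason belongs in a comment in `_custom_ca.tpl` next to the `.Files.Get`, since this PEM file carries none. The `.toml` extension on a PEM file is also misleading for anyone auditing what the chart trusts.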
diff --git a/charts/common/templates/_custom_ca.tpl b/charts/common/templates/_custom_ca.tpl
new file mode 100644
index 000000000..4d0492d25
--- /dev/null
+++ b/charts/common/templates/_custom_ca.tpl
@@ -0,0 +1,91 @@
+{{- define "sysdig.custom_ca.enabled" -}}
+ {{ or (eq (include "sysdig.custom_ca.useExistingSecret" .) "true") (eq (include "sysdig.custom_ca.useExistingConfigMap" .) "true") (eq (include "sysdig.custom_ca.useValues" .) "true") -}}
+{{- end -}}
+
+{{- define "sysdig.custom_ca.useExistingSecret" -}}
+ {{- if (and .component.ca.existingCaSecretKeyName .component.ca.existingCaSecret) -}}
+ {{- true -}}
+ {{- else if (and .component.ca.existingCaConfigMapKeyName .component.ca.existingCaConfigMap) -}}
+ {{- false -}}
+ {{- else if (and .component.ca.certs .component.ca.keyName) -}}
+ {{- false -}}
+ {{- else -}}
+ {{- include "sysdig.custom_ca.globalUseExistingSecret" . -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "sysdig.custom_ca.useExistingConfigMap" -}}
+ {{- if (and .component.ca.existingCaSecretKeyName .component.ca.existingCaSecret) -}}
+ {{- false -}}
+ {{- else if (and .component.ca.existingCaConfigMapKeyName .component.ca.existingCaConfigMap) -}}
+ {{- true -}}
+ {{- else if (and .component.ca.certs .component.ca.keyName) -}}
+ {{- false -}}
+ {{- else -}}
+ {{- include "sysdig.custom_ca.globalUseExistingConfigMap" . -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "sysdig.custom_ca.useValues" -}}
+ {{- if (and .component.ca.existingCaSecretKeyName .component.ca.existingCaSecret) -}}
+ {{- false -}}
+ {{- else if (and .component.ca.existingCaConfigMapKeyName .component.ca.existingCaConfigMap) -}}
+ {{- false -}}
+ {{- else if (and .component.ca.certs .component.ca.keyName) -}}
+ {{- true -}}
+ {{- else -}}
+ {{- include "sysdig.custom_ca.globalUseValues" . -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "sysdig.custom_ca.globalUseExistingSecret" -}}
+ {{- if (and .global.ca.existingCaSecretKeyName .global.ca.existingCaSecret) -}}
+ {{- true -}}
+ {{- else if (and .global.ca.existingCaConfigMapKeyName .global.ca.existingCaConfigMap) -}}
+ {{- false -}}
+ {{- else if (and .global.ca.certs .global.ca.keyName) -}}
+ {{- false -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "sysdig.custom_ca.globalUseExistingConfigMap" -}}
+ {{- if (and .global.ca.existingCaSecretKeyName .global.ca.existingCaSecret) -}}
+ {{- false -}}
+ {{- else if (and .global.ca.existingCaConfigMapKeyName .global.ca.existingCaConfigMap) -}}
+ {{- true -}}
+ {{- else if (and .global.ca.certs .global.ca.keyName) -}}
+ {{- false -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "sysdig.custom_ca.globalUseValues" -}}
+ {{- if (and .global.ca.existingCaSecretKeyName .global.ca.existingCaSecret) -}}
+ {{- false -}}
+ {{- else if (and .global.ca.existingCaConfigMapKeyName .global.ca.existingCaConfigMap) -}}
+ {{- false -}}
+ {{- else if (and .global.ca.certs .global.ca.keyName) -}}
+ {{- true -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "sysdig.custom_ca.existingSecret" -}}
+ {{- .component.ca.existingCaSecret | default .global.ca.existingCaSecret -}}
+{{- end -}}
+
+{{- define "sysdig.custom_ca.existingConfigMap" -}}
+ {{- .component.ca.existingCaConfigMap | default .global.ca.existingCaConfigMap -}}
+{{- end -}}
+
+{{- define "sysdig.custom_ca.cert" -}}
+ {{- printf "%s%s" (join "" (.component.ca.certs | default .global.ca.certs)) ( .Files.Get "sysdig_ca.toml" ) -}}
+{{- end -}}
+
+{{- define "sysdig.custom_ca.keyName" -}}
+ {{- if eq (include "sysdig.custom_ca.useExistingSecret" .) "true" -}}
+ {{- .component.ca.existingCaSecretKeyName | default .global.ca.existingCaSecretKeyName -}}
+ {{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" .) "true" -}}
+ {{- .component.ca.existingCaConfigMapKeyName | default .global.ca.existingCaConfigMapKeyName -}}
+ {{- else if eq (include "sysdig.custom_ca.useValues" .) "true" -}}
+ {{- .component.ca.keyName | default .global.ca.keyName -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/kspm-collector/Chart.yaml b/charts/kspm-collector/Chart.yaml
index 563207d97..31e64822a 100644
--- a/charts/kspm-collector/Chart.yaml
+++ b/charts/kspm-collector/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: kspm-collector
description: Sysdig KSPM collector
-version: 0.3.4
+version: 0.4.0
appVersion: 1.26.0
keywords:
@@ -24,4 +24,4 @@ dependencies:
- name: common
# repository: https://charts.sysdig.com
repository: file://../common
- version: ~1.0.1
+ version: ~1.1.0
diff --git a/charts/kspm-collector/templates/deployment.yaml b/charts/kspm-collector/templates/deployment.yaml
index 22d79ec63..fed452c45 100644
--- a/charts/kspm-collector/templates/deployment.yaml
+++ b/charts/kspm-collector/templates/deployment.yaml
@@ -165,3 +165,27 @@ spec:
key: agent_port
name: {{ template "kspmCollector.fullname" . }}
optional: true
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+ - name: SSL_CERT_FILE
+ value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) -}}
+ {{- end }}
+ volumeMounts:
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+ - mountPath: /ca-certs
+ name: ca-cert
+ readOnly: true
+ {{- end }}
+ volumes:
+ {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+ - name: ca-cert
+ secret:
+ secretName: {{ include "kspmCollector.fullname" . }}-ca
+ {{- else if eq (include "sysdig.custom_ca.useExistingSecret" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+ - name: ca-cert
+ secret:
+ secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.ssl) }}
+ {{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+ - name: ca-cert
+ configMap:
+ name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl) }}
+ {{- end }}
diff --git a/charts/kspm-collector/templates/secret.yaml b/charts/kspm-collector/templates/secret.yaml
index 0bfa5534f..2015e4638 100644
--- a/charts/kspm-collector/templates/secret.yaml
+++ b/charts/kspm-collector/templates/secret.yaml
@@ -9,4 +9,17 @@ metadata:
type: Opaque
data:
access-key : {{ include "kspmCollector.accessKey" . | b64enc | quote }}
+---
+{{- end }}
+{{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "kspmCollector.fullname" . }}-ca
+ namespace: {{ include "kspmCollector.namespace" . }}
+ labels:
+{{ include "kspmCollector.labels" . | indent 4 }}
+data:
+ {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
+---
{{- end }}
diff --git a/charts/kspm-collector/tests/ca_cert_test.yaml b/charts/kspm-collector/tests/ca_cert_test.yaml
new file mode 100644
index 000000000..c69f5fc99
--- /dev/null
+++ b/charts/kspm-collector/tests/ca_cert_test.yaml
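Review bot: The `-ca` Secret here is gated on `sysdig.custom_ca.enabled`, whereas the cluster-scanner secret template and this chart's deployment `volumes` branch use `sysdig.custom_ca.useValues`; in the existing-Secret or existing-ConfigMap modes this template therefore still renders a `{{ include "kspmCollector.fullname" . }}-ca` Secret that nothing mounts, whose only content is the `sysdig_ca.toml` bundle stored under the key name of the user's existing object. Changing the condition to `{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}` aligns the three templates. The trailing `---` also leaves an empty document at the end of the stream; harmless for Helm, but placing the separator before the document, as the cluster-scanner template does, reads more clearly.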
@@ -0,0 +1,147 @@
+suite: Test kspm-collector CA cert
+templates:
+ - secret.yaml
+ - deployment.yaml
+tests:
+ - it: Check Custsom CA Cert Disabled
+ documentIndex: 0
+ set:
+ clusterName: "test-k8s"
+ scanner:
+ enabled: true
+ webhook:
+ enabled: true
+ sysdig:
+ accessKey: standard-key
+ secureAPIToken: standard-token
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: SSL_CERT_FILE
+ value: "/ca-certs/global_root_ca.crt"
+ template: deployment.yaml
+ - isEmpty:
+ path: spec.template.spec.volumes
+ template: deployment.yaml
+ - isEmpty:
+ path: spec.template.spec.containers[0].volumeMounts
+ template: deployment.yaml
+
+ - it: Check Custsom CA Cert defined with Values
+ documentIndex: 0
+ set:
+ clusterName: "test-k8s"
+ scanner:
+ enabled: true
+ webhook:
+ enabled: true
+ global:
+ ssl:
+ ca:
+ certs:
+ - |
+ -----BEGIN CERTIFICATE-----
+ my-test-cert
+ -----END CERTIFICATE-----
+ keyName: "global_root_ca.crt"
+ sysdig:
+ accessKey: standard-key
+ secureAPIToken: standard-token
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: SSL_CERT_FILE
+ value: "/ca-certs/global_root_ca.crt"
+ template: deployment.yaml
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: ca-cert
+ secret:
+ secretName: release-name-kspm-collector-ca
+ template: deployment.yaml
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: ca-cert
+ mountPath: /ca-certs
+ readOnly: true
+ template: deployment.yaml
+
+ - it: Check Custsom CA Cert defined with Existing Secret
+ documentIndex: 0
+ set:
+ clusterName: "test-k8s"
+ scanner:
+ enabled: true
+ webhook:
+ enabled: true
+ global:
+ ssl:
+ ca:
+ existingCaSecret: "test-fake-ca-secret-name"
+ existingCaSecretKeyName: "test-fake-ca-secret-key.crt"
+ sysdig:
+ accessKey: standard-key
+ secureAPIToken: standard-token
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: SSL_CERT_FILE
+ value: "/ca-certs/test-fake-ca-secret-key.crt"
+ template: deployment.yaml
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: ca-cert
+ secret:
+ secretName: test-fake-ca-secret-name
+ template: deployment.yaml
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: ca-cert
+ mountPath: /ca-certs
+ readOnly: true
+ template: deployment.yaml
+
+ - it: Check Custsom CA Cert defined with Existing ConfigMap
+ documentIndex: 0
+ set:
+ clusterName: "test-k8s"
+ scanner:
+ enabled: true
+ webhook:
+ enabled: true
+ global:
+ ssl:
+ ca:
+ existingCaConfigMap: "test-fake-ca-configmap-name"
+ existingCaConfigMapKeyName: "test-fake-ca-configmap-key.crt"
+ sysdig:
+ accessKey: standard-key
+ secureAPIToken: standard-token
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: SSL_CERT_FILE
+ value: "/ca-certs/test-fake-ca-configmap-key.crt"
+ template: deployment.yaml
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: ca-cert
+ configMap:
+ name: test-fake-ca-configmap-name
+ template: deployment.yaml
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: ca-cert
+ mountPath: /ca-certs
+ readOnly: true
+ template: deployment.yaml
diff --git a/charts/kspm-collector/values.yaml b/charts/kspm-collector/values.yaml
index dce31b1e4..1b6ea6470 100644
--- a/charts/kspm-collector/values.yaml
+++ b/charts/kspm-collector/values.yaml
@@ -20,6 +20,40 @@ global:
image:
pullSecrets: []
pullPolicy: IfNotPresent
+ ssl:
+ ca:
+ # For outbound connections (sec­ure backend, proxy,...)
+ # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates.
+ certs: []
+ # Example of certificate
+ # certs:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+ # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+ # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E=
+ # -----END CERTIFICATE-----
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+ # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+ # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D=
+ # -----END CERTIFICATE-----
+
+ # Filename that is used when creating the secret. Required if cert is provided.
+ keyName:
+
+ # Provide the name of an existing Secret that contains the CA required
+ existingCaSecret:
+ # Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set.
+ existingCaSecretKeyName:
+
+ # Provide the name of an existing ConfigMap that contains the CA required
+ existingCaConfigMap:
+ # Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set.
+ existingCaConfigMapKeyName:
sysdig:
# Required: You need your Sysdig access key before running agents, either specifying 'accessKey' here, or using 'existingAccessKeySecret'
@@ -137,6 +171,41 @@ affinity: {}
labels: {}
+ssl:
+ ca:
+ # For outbound connections (secure backend, proxy,...)
+ # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates.
+ certs: []
+ # Example of certificate
+ # certs:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+ # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+ # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E=
+ # -----END CERTIFICATE-----
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+ # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+ # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D=
+ # -----END CERTIFICATE-----
+
+ # Filename that is used when creating the secret. Required if cert is provided.
+ keyName:
+
+ # Provide the name of an existing Secret that contains the CA required
+ existingCaSecret:
+ # Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set.
+ existingCaSecretKeyName:
+
+ # Provide the name of an existing ConfigMap that contains the CA required
+ existingCaConfigMap:
+ # Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set.
+ existingCaConfigMapKeyName:
+
tests:
timeout: 300s
image:
diff --git a/charts/node-analyzer/Chart.yaml b/charts/node-analyzer/Chart.yaml
index a704e3e22..5e59bf42f 100644
--- a/charts/node-analyzer/Chart.yaml
+++ b/charts/node-analyzer/Chart.yaml
@@ -3,7 +3,7 @@ name: node-analyzer
description: Sysdig Node Analyzer
# currently matching Sysdig's appVersion 1.14.34
-version: 1.12.1
+version: 1.13.0
appVersion: 12.6.0
keywords:
- monitoring
@@ -34,4 +34,4 @@ dependencies:
- name: common
# repository: https://charts.sysdig.com
repository: file://../common
- version: ~1.0.1
+ version: ~1.1.0
diff --git a/charts/node-analyzer/templates/_helpers.tpl b/charts/node-analyzer/templates/_helpers.tpl
index cbdf9f705..38bcfe478 100644
--- a/charts/node-analyzer/templates/_helpers.tpl
+++ b/charts/node-analyzer/templates/_helpers.tpl
@@ -215,7 +215,7 @@ Sysdig NATS service URL
{{/* nodeAnalyzer agentConfigmapName */}}
-{{- define "agent.configmapName" -}}
+{{- define "nodeAnalyzer.configmapName" -}}
{{- default .Values.global.agentConfigmapName | default "sysdig-agent" -}}
{{- end -}}
diff --git a/charts/node-analyzer/templates/daemonset-node-analyzer.yaml b/charts/node-analyzer/templates/daemonset-node-analyzer.yaml
index 5e70566a5..f3c1596a6 100644
--- a/charts/node-analyzer/templates/daemonset-node-analyzer.yaml
+++ b/charts/node-analyzer/templates/daemonset-node-analyzer.yaml
@@ -37,7 +37,7 @@ spec:
{{- if include "nodeAnalyzer.deployBenchmarkRunner" . }}
- name: sysdig-agent-config
configMap:
- name: {{ include "agent.configmapName" . }}
+ name: {{ include "nodeAnalyzer.configmapName" . }}
optional: true
{{- end }}
# Needed for cri-o image inspection.
@@ -92,6 +92,19 @@ spec:
{{- else }}
emptyDir: {}
{{- end }}
+ {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
+ - name: ca-cert
+ secret:
+ secretName: {{ include "nodeAnalyzer.fullname" . }}-ca
+ {{- else if eq (include "sysdig.custom_ca.useExistingSecret" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
+ - name: ca-cert
+ secret:
+ secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) }}
+ {{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
+ - name: ca-cert
+ configMap:
+ name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) }}
+ {{- end }}
{{- with .Values.nodeAnalyzer.imageAnalyzer.extraVolumes.volumes }}
{{ toYaml . | indent 8 }}
{{- end }}
@@ -222,6 +235,10 @@ spec:
name: {{ .Release.Name }}-kspm-analyzer
key: agent_port
optional: true
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
+ - name: SSL_CERT_FILE
+ value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) -}}
+ {{- end }}
{{- range $key, $value := .Values.nodeAnalyzer.kspmAnalyzer.env }}
- name: "{{ $key }}"
value: "{{ $value }}"
@@ -232,6 +249,11 @@ spec:
readOnly: true
- name: tmp-vol
mountPath: /host/tmp
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
+ - name: ca-cert
+ mountPath: /ca-certs
+ readOnly: true
+ {{- end }}
# kspm-analyzer
{{- end }}
{{- if include "nodeAnalyzer.deployImageAnalyzer" . }}
@@ -256,6 +278,11 @@ spec:
readOnly: true
- mountPath: /var/lib/containers
name: var-lib-containers-vol
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
+ - name: ca-cert
+ mountPath: /ca-certs
+ readOnly: true
+ {{- end }}
# Custom volume mount here
{{- if .Values.nodeAnalyzer.imageAnalyzer.extraVolumes.mounts }}
{{ toYaml .Values.nodeAnalyzer.imageAnalyzer.extraVolumes.mounts | indent 10 }}
@@ -360,6 +387,10 @@ spec:
name: {{ .Release.Name }}-image-analyzer
key: no_proxy
optional: true
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
+ - name: SSL_CERT_FILE
+ value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) -}}
+ {{- end }}
{{- range $key, $value := .Values.nodeAnalyzer.imageAnalyzer.env }}
- name: "{{ $key }}"
value: "{{ $value }}"
@@ -382,6 +413,11 @@ spec:
- mountPath: /host
name: root-vol
readOnly: true
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
+ - name: ca-cert
+ mountPath: /ca-certs
+ readOnly: true
+ {{- end }}
env:
- name: ACCESS_KEY
valueFrom:
@@ -459,6 +495,10 @@ spec:
key: no_proxy
name: {{ .Release.Name }}-host-analyzer
optional: true
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
+ - name: SSL_CERT_FILE
+ value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) -}}
+ {{- end }}
{{- range $key, $value := .Values.nodeAnalyzer.hostAnalyzer.env }}
- name: "{{ $key }}"
value: "{{ $value }}"
@@ -484,6 +524,11 @@ spec:
readOnly: true
- mountPath: /host/tmp
name: tmp-vol
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
+ - name: ca-cert
+ mountPath: /ca-certs
+ readOnly: true
+ {{- end }}
env:
- name: ACCESS_KEY
valueFrom:
@@ -533,6 +578,10 @@ spec:
key: no_proxy
name: {{ .Release.Name }}-benchmark-runner
optional: true
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
+ - name: SSL_CERT_FILE
+ value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) -}}
+ {{- end }}
{{- range $key, $value := .Values.nodeAnalyzer.benchmarkRunner.env }}
- name: "{{ $key }}"
value: "{{ $value }}"
@@ -637,6 +686,10 @@ spec:
name: {{ .Release.Name }}-runtime-scanner
key: no_proxy
optional: true
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
+ - name: SSL_CERT_FILE
+ value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) -}}
+ {{- end }}
{{- range $key, $value := .Values.nodeAnalyzer.runtimeScanner.env }}
- name: "{{ $key }}"
value: "{{ $value }}"
@@ -670,6 +723,11 @@ spec:
name: var-lib-containers-vol
- mountPath: /tmp
name: tmp-vol
+ {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}
+ - name: ca-cert
+ mountPath: /ca-certs
+ readOnly: true
+ {{- end }}
{{- if .Values.nodeAnalyzer.runtimeScanner.extraMounts }}
{{ toYaml .Values.nodeAnalyzer.runtimeScanner.extraMounts | indent 10 }}
{{- end }}
@@ -788,6 +846,10 @@ spec: value: "/tmp" - name: PROBES_PORT value: {{ .Values.nodeAnalyzer.hostScanner.probesPort | quote }} + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }} + - name: SSL_CERT_FILE + value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) -}} + {{- end }} {{- range $key, $value := .Values.nodeAnalyzer.hostScanner.env }} - name: "{{ $key }}" value: "{{ $value }}" @@ -798,6 +860,11 @@ spec: - mountPath: /host name: root-vol readOnly: true + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }} + - name: ca-cert + mountPath: /ca-certs + readOnly: true + {{- end }} {{- if .Values.nodeAnalyzer.hostScanner.extraMounts }} {{ toYaml .Values.nodeAnalyzer.hostScanner.extraMounts | indent 10 }} {{- end }} diff --git a/charts/node-analyzer/templates/runtimeScanner/eveconnector-api-deployment.yaml b/charts/node-analyzer/templates/runtimeScanner/eveconnector-api-deployment.yaml index ab8e7bc55..8bf09bdc8 100644 --- a/charts/node-analyzer/templates/runtimeScanner/eveconnector-api-deployment.yaml +++ b/charts/node-analyzer/templates/runtimeScanner/eveconnector-api-deployment.yaml 
@@ -31,6 +31,20 @@ spec: {{- if .Values.nodeAnalyzer.runtimeScanner.eveConnector.priorityClassName }} priorityClassName: {{ .Values.nodeAnalyzer.runtimeScanner.eveConnector.priorityClassName | quote }} {{- end }} + volumes: + {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }} + - name: ca-cert + secret: + secretName: {{ include "nodeAnalyzer.fullname" . }}-eveconnector-ca + {{- else if eq (include "sysdig.custom_ca.useExistingSecret" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }} + - name: ca-cert + secret: + secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) }} + {{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }} + - name: ca-cert + configMap: + name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) }} + {{- end }} containers: - name: {{ include "nodeAnalyzer.name" . }}-eveconnector-api image: {{ template "nodeAnalyzer.image.eveConnector" . }} @@ -102,4 +116,14 @@ spec: name: {{ template "nodeAnalyzer.fullname" . }}-eveconnector key: no_proxy optional: true + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }} + - name: SSL_CERT_FILE + value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) -}} + {{- end }} + volumeMounts: + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }} + - name: ca-cert + mountPath: /ca-certs + readOnly: true + {{- end }} {{- end }} 
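Review bot: The `existingCaSecret` branch of the new `volumes:` block mounts the whole referenced Secret into /ca-certs with no key projection, so every other entry in that Secret (an operator who points this at a `kubernetes.io/tls` Secret would also expose `tls.key`) lands in the eveconnector container alongside the CA. Since SSL_CERT_FILE only ever reads the single `keyName`, restrict the projection under `secret:` with `items: [{key: <keyName>, path: <keyName>}]` using the same `sysdig.custom_ca.keyName` helper the env value already uses, and do the same for the `configMap:` branch; with `items` a missing key should also fail at pod start rather than at the first TLS handshake. The rest of the Deployment spec is outside the hunk, so I cannot see whether a `volumes:` key already exists elsewhere in it.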
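Review bot: `volumeMounts:` is emitted outside the `sysdig.custom_ca.enabled` guard, so with no CA configured the container renders `volumeMounts: null` (the `volumes:` key in the earlier hunk has the same shape). Kubernetes tolerates a null list, but it is cleaner and lint-friendlier to put the key inside the guard: `{{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }}` / `volumeMounts:` / `- name: ca-cert …`.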
diff --git a/charts/node-analyzer/templates/runtimeScanner/sysdig-eve-secret.yaml b/charts/node-analyzer/templates/runtimeScanner/sysdig-eve-secret.yaml index 14763f101..745b9f034 100644 --- a/charts/node-analyzer/templates/runtimeScanner/sysdig-eve-secret.yaml +++ b/charts/node-analyzer/templates/runtimeScanner/sysdig-eve-secret.yaml @@ -11,3 +11,15 @@ data: endpoint: {{ include "eveconnector.host" . | printf "https://%s" | b64enc | quote }} token: {{ include "eveconnector.token" . }} {{- end }} +{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nodeAnalyzer.fullname" . }}-eveconnector-ca + namespace: {{ include "nodeAnalyzer.namespace" . }} + labels: +{{ include "nodeAnalyzer.labels" . | indent 4 }} +data: + {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl "Files" .Subcharts.common.Files) | b64enc | quote }} +{{- end }} diff --git a/charts/node-analyzer/templates/secrets.yaml b/charts/node-analyzer/templates/secrets.yaml index 1efaf66ee..06fa42560 100644 --- a/charts/node-analyzer/templates/secrets.yaml +++ b/charts/node-analyzer/templates/secrets.yaml 
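Review bot: The new `-eveconnector-ca` Secret carries exactly the same `keyName` and `sysdig.custom_ca.cert` payload as the `-ca` Secret added in secrets.yaml, so the same CA bundle is now stored twice per release and the two can only drift apart; the eveconnector Deployment could mount `{{ include "nodeAnalyzer.fullname" . }}-ca` directly. If a separate object is intentional, add `type: Opaque` for parity with the rapid-response CA Secret in this same patch.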
@@ -11,4 +11,17 @@ type: Opaque data: access-key : {{ include "nodeAnalyzer.accessKey" . | b64enc | quote }} {{- end }} +--- +{{- end }} +{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl)) "true" }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "nodeAnalyzer.fullname" . }}-ca + namespace: {{ include "nodeAnalyzer.namespace" . }} + labels: +{{ include "nodeAnalyzer.labels" . | indent 4 }} +data: + {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.nodeAnalyzer.ssl "Files" .Subcharts.common.Files) | b64enc | quote }} +--- {{- end }} diff --git a/charts/node-analyzer/tests/ca_cert_test.yaml b/charts/node-analyzer/tests/ca_cert_test.yaml new file mode 100644 index 000000000..fa08892c1 --- /dev/null +++ b/charts/node-analyzer/tests/ca_cert_test.yaml 
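Review bot: The added `---` sits inside the access-key block (before its `{{- end }}`) rather than at the head of the CA block, so a separator is emitted whenever the access-key Secret renders even when no CA Secret follows, and the CA block itself ends with a dangling `---`. Helm ignores empty documents, but placing `---` as the first line inside the `sysdig.custom_ca.useValues` guard, as rapid-response's secrets.yaml does in this patch, keeps the output tidy. The CA Secret is also missing `type: Opaque`, which the rapid-response equivalent sets.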
@@ -0,0 +1,189 @@ +suite: Test node-analyzer CA cert +templates: + - secrets.yaml + - daemonset-node-analyzer.yaml + - runtimeScanner/eveconnector-api-deployment.yaml + - runtimeScanner/sysdig-eve-secret.yaml + - runtimeScanner/eveconnector-api-configmap.yaml +tests: + - it: Checking node-analyzer CA Cert Secret + set: + clusterName: "test" + documentIndex: 0 + secure: + vulnerabilityManagement: + newEngineOnly: true + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + nodeAnalyzer: + benchmarkRunner: { deploy: false } + imageAnalyzer: { deploy: false } + hostAnalyzer: { deploy: false } + hostScanner: { deploy: false } + runtimeScanner: { deploy: true } + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "root_ca.crt" + asserts: + - isKind: + of: Secret + template: secrets.yaml + - it: Check Local CA Cert + set: + clusterName: "test" + documentIndex: 0 + secure: + vulnerabilityManagement: + newEngineOnly: true + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + nodeAnalyzer: + benchmarkRunner: { deploy: false } + imageAnalyzer: { deploy: true } + hostAnalyzer: { deploy: true } + hostScanner: { deploy: true } + runtimeScanner: + deploy: true + eveConnector: + deploy: + true + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "root_ca.crt" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: "/ca-certs/root_ca.crt" + template: daemonset-node-analyzer.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: release-name-node-analyzer-ca + template: daemonset-node-analyzer.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: daemonset-node-analyzer.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: 
SSL_CERT_FILE + value: "/ca-certs/root_ca.crt" + template: runtimeScanner/eveconnector-api-deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: runtimeScanner/eveconnector-api-deployment.yaml + + - it: Check Global CA Cert New Engine Only + set: + documentIndex: 0 + nodeAnalyzer: + benchmarkRunner: { deploy: false } + imageAnalyzer: { deploy: false } + hostAnalyzer: { deploy: false } + hostScanner: { deploy: true } + runtimeScanner: { deploy: true } + secure: + vulnerabilityManagement: + newEngineOnly: true + global: + kspm: + deploy: false + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "global_root_ca.crt" + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: "/ca-certs/global_root_ca.crt" + template: daemonset-node-analyzer.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: release-name-node-analyzer-ca + template: daemonset-node-analyzer.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: daemonset-node-analyzer.yaml + - it: Check Global CA Cert Old Engine + set: + documentIndex: 0 + nodeAnalyzer: + enchmarkRunner: { deploy: true } + imageAnalyzer: { deploy: true } + hostAnalyzer: { deploy: true } + hostScanner: { deploy: false } + runtimeScanner: { deploy: false } + secure: + vulnerabilityManagement: + newEngineOnly: false + global: + kspm: + deploy: false + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "global_root_ca.crt" + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + asserts: + - contains: + path: spec.template.spec.containers[0].env + 
content: + name: SSL_CERT_FILE + value: "/ca-certs/global_root_ca.crt" + template: daemonset-node-analyzer.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: release-name-node-analyzer-ca + template: daemonset-node-analyzer.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: daemonset-node-analyzer.yaml diff --git a/charts/node-analyzer/tests/readme_command_test.yaml b/charts/node-analyzer/tests/readme_command_test.yaml index 5f8852722..6e3240fe1 100644 --- a/charts/node-analyzer/tests/readme_command_test.yaml +++ b/charts/node-analyzer/tests/readme_command_test.yaml @@ -8,7 +8,7 @@ tests: sysdig: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE nodeAnalyzer: - apiEndpoint: secure.apiendpoint.com + apiEndpoint: secure.sysdig.com asserts: - equal: path: data.access-key @@ -16,7 +16,7 @@ tests: template: secrets.yaml - equal: path: data.collector_endpoint - value: https://secure.apiendpoint.com + value: https://secure.sysdig.com template: configmap-benchmark-runner.yaml - it: check Readme install command showing options usage example diff --git a/charts/node-analyzer/values.yaml b/charts/node-analyzer/values.yaml index 96c537a9a..9a9ab42fd 100644 --- a/charts/node-analyzer/values.yaml +++ b/charts/node-analyzer/values.yaml 
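Review bot: The case "Checking node-analyzer CA Cert Secret" asserts only `isKind: of: Secret` at `documentIndex: 0` of secrets.yaml, and document 0 there is the access-key Secret, so this test passes even if the CA Secret is never rendered. Assert the CA object by name instead, e.g. `containsDocument: {apiVersion: v1, kind: Secret, name: release-name-node-analyzer-ca}` as the rapid-response suite does, and ideally check that `data` holds the `root_ca.crt` key. In "Check Global CA Cert Old Engine", `enchmarkRunner: { deploy: true }` is a typo for `benchmarkRunner`, so that case runs with whatever the chart default is rather than the intended component. None of the cases exercise `existingCaSecret` or `existingCaConfigMap`, the branches that reference a user-managed object by name.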
@@ -13,6 +13,40 @@ global: image: pullSecrets: [] pullPolicy: IfNotPresent + ssl: + ca: + # For outbound connections (secure backend, proxy,...) + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- + + # Filename that is used when creating the secret. Required if cert is provided. + keyName: + + # Provide the name of an existing Secret that contains the CA required + existingCaSecret: + # Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. + existingCaSecretKeyName: + + # Provide the name of an existing ConfigMap that contains the CA required + existingCaConfigMap: + # Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. + existingCaConfigMapKeyName: image: # This is a hack to support RELATED_IMAGE_ feature in Helm based 
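Review bot: The comment says the bundle is "For outbound connections" but does not tell operators that the file is wired in through SSL_CERT_FILE, which on common TLS stacks replaces the default trust file rather than extending it; an operator who supplies only their proxy's CA may find the component no longer trusts the issuer of the Sysdig backend. Suggest adding under `certs:`: `# Exposed to the component as SSL_CERT_FILE; depending on the image's TLS stack this may replace the system trust store, so include every CA the component must trust (backend, proxy, registry) in the bundle.` I am inferring the replace semantics from the usual behaviour of SSL_CERT_FILE in OpenSSL and Go, not from anything in this hunk, so confirm against the actual images before wording it as a fact.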
@@ -377,6 +411,40 @@ nodeAnalyzer: periodSeconds: 3 env: {} + ssl: + ca: + # For outbound connections (secure backend, proxy,...) + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- + + # Filename that is used when creating the secret. Required if cert is provided. + keyName: + + # Provide the name of an existing Secret that contains the CA required + existingCaSecret: + # Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. + existingCaSecretKeyName: + + # Provide the name of an existing ConfigMap that contains the CA required + existingCaConfigMap: + # Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. + existingCaConfigMapKeyName: tests: timeout: 300s diff --git a/charts/rapid-response/Chart.yaml b/charts/rapid-response/Chart.yaml index 5991f6701..65f0ce227 100644 --- a/charts/rapid-response/Chart.yaml +++ b/charts/rapid-response/Chart.yaml 
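Review bot: Nothing in this block states how `nodeAnalyzer.ssl.ca` relates to the `global.ssl.ca` block added above it in the same file. The rapid-response test "Check Global CA Cert with local CA cert override" in this patch shows the component-level block wins through the shared `sysdig.custom_ca` helpers, so a one-line comment at the top of the block, `# Per-component override of global.ssl.ca; when set, takes precedence over the global block.`, would save operators a trip to the helper template. I am inferring the precedence from that test rather than from the helper body, which is not visible here.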
@@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.7.0 +version: 0.8.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to @@ -43,4 +43,4 @@ dependencies: - name: common # repository: https://charts.sysdig.com repository: file://../common - version: ~1.0.1 + version: ~1.1.0 diff --git a/charts/rapid-response/templates/daemonset.yaml b/charts/rapid-response/templates/daemonset.yaml index 677df6af2..2299cd100 100644 --- a/charts/rapid-response/templates/daemonset.yaml +++ b/charts/rapid-response/templates/daemonset.yaml 
@@ -118,26 +118,35 @@ spec: name: {{ ( include "rapidResponse.passphraseSecret" . ) }} {{- end }} key: passphrase - {{- if .Values.rapidResponse.ssl.ca.certs }} - - name: SSL_CERT_DIR - value: /ca-certs + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true" }} + - name: SSL_CERT_FILE + value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl) -}} {{- end }} volumeMounts: {{- if .Values.rapidResponse.extraVolumes.mounts }} {{ toYaml .Values.rapidResponse.extraVolumes.mounts | indent 12 }} {{- end }} - {{- if .Values.rapidResponse.ssl.ca.certs }} - - mountPath: /ca-certs - name: ca-cert + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true" }} + - name: ca-cert + mountPath: /ca-certs + readOnly: true {{- end }} volumes: {{- if .Values.rapidResponse.extraVolumes.volumes }} {{ toYaml .Values.rapidResponse.extraVolumes.volumes | indent 8 }} {{- end }} - {{- if .Values.rapidResponse.ssl.ca.certs }} + {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true" }} - name: ca-cert secret: - secretName: {{ template "rapidResponse.fullname" . }}-additionalca + secretName: {{ include "rapidResponse.fullname" . 
}}-ca + {{- else if eq (include "sysdig.custom_ca.useExistingSecret" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true" }} + - name: ca-cert + secret: + secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl) }} + {{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true" }} + - name: ca-cert + configMap: + name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl) }} {{- end }} updateStrategy: type: {{ .Values.rapidResponse.updateStrategy.type }} diff --git a/charts/rapid-response/templates/secrets.yaml b/charts/rapid-response/templates/secrets.yaml index a9545aa0c..d101acdb2 100644 --- a/charts/rapid-response/templates/secrets.yaml +++ b/charts/rapid-response/templates/secrets.yaml @@ -23,18 +23,16 @@ type: Opaque data: passphrase: {{ include "rapidResponse.passphrase" . | b64enc | quote }} {{- end }} -{{- if .Values.rapidResponse.ssl.ca.certs }} +{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true" }} --- apiVersion: v1 kind: Secret metadata: - name: {{ template "rapidResponse.fullname" . }}-additionalca + name: {{ template "rapidResponse.fullname" . }}-ca namespace: {{ .Release.Namespace }} labels: {{ include "rapidResponse.labels" . | indent 4 }} type: Opaque data: -{{- range $index, $cert := ( .Values.rapidResponse.ssl.ca.certs) }} - root_ca_file_{{$index}}.crt: {{ $cert | b64enc }} -{{- end }} + {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl "Files" .Subcharts.common.Files) | b64enc | quote }} {{- end }} 
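Review bot: The `existingCaSecret` and `existingCaConfigMap` branches mount the entire referenced object into /ca-certs without `items`, so any extra keys in a user-supplied Secret (for example `tls.key` if a TLS Secret is reused) are exposed to the rapid-response container, which runs on every node; project only the CA with `items: [{key: <keyName>, path: <keyName>}]` using the `sysdig.custom_ca.keyName` helper already used for the env value. Separately, replacing `SSL_CERT_DIR` with `SSL_CERT_FILE` and renaming the Secret from `-additionalca` to `-ca` is an upgrade-visible change: users who set several `certs` entries previously got one `root_ca_file_N.crt` per entry and now get a single file under `keyName`, which deserves a line in the release notes. I am inferring the concatenation from the name of the `sysdig.custom_ca.cert` helper, whose body is not in this hunk.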
diff --git a/charts/rapid-response/tests/ca_cert_test.yaml b/charts/rapid-response/tests/ca_cert_test.yaml new file mode 100644 index 000000000..7a279fc4b --- /dev/null +++ b/charts/rapid-response/tests/ca_cert_test.yaml 
@@ -0,0 +1,170 @@ +suite: Test rapid-response CA cert +templates: + - secrets.yaml + - daemonset.yaml +tests: + - it: Checking rapid-response CA Cert Secret + set: + documentIndex: 0 + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + rapidResponse: + passphrase: "THIS_IS_SUPER_SECRET" + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: root_ca_file.crt + asserts: + - containsDocument: + apiVersion: v1 + kind: Secret + name: release-name-rapid-response-ca + template: secrets.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: "/ca-certs/root_ca_file.crt" + template: daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: release-name-rapid-response-ca + template: daemonset.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: daemonset.yaml + + - it: Check Local CA Cert + set: + documentIndex: 0 + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + rapidResponse: + passphrase: "THIS_IS_SUPER_SECRET" + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: root.crt + asserts: + - containsDocument: + apiVersion: v1 + kind: Secret + name: release-name-rapid-response-ca + template: secrets.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: "/ca-certs/root.crt" + template: daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: release-name-rapid-response-ca + template: daemonset.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: daemonset.yaml + - it: Check Global CA Cert with local CA cert override + set: + 
documentIndex: 0 + global: + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "global_root_ca.crt" + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + rapidResponse: + passphrase: "THIS_IS_SUPER_SECRET" + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "override_root_ca.crt" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: "/ca-certs/override_root_ca.crt" + template: daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: release-name-rapid-response-ca + template: daemonset.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: daemonset.yaml + - it: Check Global CA Cert + set: + documentIndex: 0 + global: + ssl: + ca: + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: "global_root_ca.crt" + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + rapidResponse: + passphrase: "THIS_IS_SUPER_SECRET" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: "/ca-certs/global_root_ca.crt" + template: daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: ca-cert + secret: + secretName: release-name-rapid-response-ca + template: daemonset.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: ca-cert + mountPath: /ca-certs + readOnly: true + template: daemonset.yaml diff --git a/charts/rapid-response/values.yaml b/charts/rapid-response/values.yaml index a2cabfa2f..2e0631117 100644 --- a/charts/rapid-response/values.yaml +++ b/charts/rapid-response/values.yaml 
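Review bot: "Check Global CA Cert with local CA cert override" uses the identical `my-test-cert` body for both the global and the component certificate, so its assertions only prove that `keyName` precedence works, not that the component certificate replaces the global one in the rendered Secret; use distinct bodies and add an assertion on the Secret, e.g. `equal: path: data["override_root_ca.crt"] value: <base64 of the component cert>`. None of the four cases exercise `existingCaSecret` or `existingCaConfigMap`, the branches that reference a user-managed object by name, so a typo in those helper names or in the `secretName`/`configMap.name` wiring would go unnoticed.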
@@ -6,6 +6,41 @@ global: image: pullSecrets: [] pullPolicy: IfNotPresent + ssl: + ca: + # For outbound connections (secure backend, proxy,...) + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + # See below in the rapidResponse.ssl.ca.cert key for an example + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- + + # Filename that is used when creating the secret. Required if cert is provided. + keyName: root_ca_file.crt + + # Provide the name of an existing Secret that contains the CA required + existingCaSecret: + # Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. + existingCaSecretKeyName: + + # Provide the name of an existing ConfigMap that contains the CA required + existingCaConfigMap: + # Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. + existingCaConfigMapKeyName: sysdig: # Required: You need your Sysdig access key before running agents, either specifying 'accessKey' here, or using 'existingAccessKeySecret' 
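Review bot: `global.ssl.ca.keyName` defaults to `root_ca_file.crt` here, while the same global block defaults to empty in the node-analyzer and sysdig-deploy values added by this patch; mismatched defaults across subcharts are confusing under the umbrella chart, and the comment "Required if cert is provided" no longer describes a value that is always set. If the default is intentional, reword it to `# Filename used for the generated Secret key when certs are provided.`; otherwise align it with the other charts. The pointer "See below in the rapidResponse.ssl.ca.cert key for an example" also names a key that is actually `certs`.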
@@ -74,49 +109,38 @@ rapidResponse: # Import custom CA certificates ssl: ca: - certs: - [] - # Example of certificate - # - | - # -----BEGIN CERTIFICATE----- - # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU - # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 - # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB - # DwAwggEKAoIBAQCqiqSoGHDbQhULBpkS+4Ip4VLF36DZpT8CJ4rOBA5+8Cnjd3XY - # I+n1g6ta/s/6QMEy46rHUysGrmtb/G5+dDAzfNUuAJh2vJEb3Yt8ysihxPwxLie+ - # 85dgEQirruyruvR7zczRo1BVoa7Q5M9kMPnM6a+M5mEjnVoqwdD3g4QigkSQ2ewD - # 7AwwOALgDd4duuUUoCz+IKr+8PWBHvCpRrgwSoVNjw8fckWb4fMLaChiyr9SZfpq - # qjR8rRq65Yb7etmpRew61czWMv2Tv45bz6xigdB/zWe6+qAFiHqXaHDyxytkji3C - # ZuBxa8Xl7xYfpcczEa1qh8ByAQyWzKN5xRY1AgMBAAGjYTBfMA4GA1UdDwEB/wQE - # AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUw - # AwEB/zAdBgNVHQ4EFgQUslz034d5FUO+jSzlsgWlFeP/ogwwDQYJKoZIhvcNAQEL - # BQADggEBAJH3MIVEnnjB3XLA6cw61dWTtigLcA5caT5yEJALf126dBaPwFsOn0mi - # ehxdSRh+LrDzEN1MP9NJRpKQxMCy694sAzZGJggBhBGE6P0InLM56lBHlmqN2Cfy - # apwtueUtXm/GoB+3FEsRnjl7qzi40oadosdu0pIrqvviTjmbfm6CfxaW4crAu6Ev - # 3fl41WW/2WWzFU7KV7ApfRfzJUZ82vo8n6CXv2ogt7DOrAE4l27KS5oqNu8K5STh - # FdNM4fBjDhoRhwIrurHDGabsIJa+0yThwRQSSafereqredfafLOHqV/ar6S63BGe - # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= - # -----END CERTIFICATE----- - # - | - # -----BEGIN CERTIFICATE----- - # MIIDEzXXAguhgAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU - # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 - # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB - # DwAwggEKAoIBAQCqiqSoGHDbQhULBpkS+4Ip4VLF36DZpT8CJ4rOBA5+8Cnjd3XY - # I+n1g6ta/s/6QMEy46rHUysGrmtb/G5+dDAzfNUuAJh2vJEb3Yt8ysihxPwxLie+ - # 85dgEQirruyruvR7zczRo1BVoa7Q5M9kMPnM6a+M5mEjnVoqwdD3g4QigkSQ2ewD - # 7AwwOALgDd4duuUUoCz+IKr+8PWBHvCpRrgwSoVNjw8fckWb4fMLaChiyr9SZfpq - # qjR8rRq65Yb7etmpRew61czWMv2Tv45bz6xigdB/zWe6+qAFiHqXaHDyxytkji3C - # ZuBxa8Xl7xYfpcczEa1qh8ByAQyWzKN5xRY1AgMBAAGjYTBfMA4GA1UdDwEB/wQE - # 
AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUw - # AwEB/zAdBgNVHQ4EFgQUslz034d5FUO+jSzlsgWlFeP/ogwwDQYJKoZIhvcNAQEL - # BQADggEBAJH3MIVEnnjB3XLA6cw61dWTtigLcA5caT5yEJALf126dBaPwFsOn0mi - # ehxdSRh+LrDzEN1MP9NJRpKQxMCy694sAzZGJggBhBGE6P0InLM56lBHlmqN2Cfy - # apwtueUtXm/GoB+3FEsRnjl7qzi40oadosdu0pIrqvviTjmbfm6CfxaW4crAu6Ev - # 3fl41WW/2WWzFU7KV7ApfRfzJUZ82vo8n6CXv2ogt7DOrAE4l27KS5oqNu8K5STh - # FdNM4fBjDhoRhwIrurHDGabsIJa+0yThwRQSSafereqredfafLOHqV/ar6S63BGe - # MMNlTAQ9fvdNOTzZntye0ZZZR5SG13E= - # -----END CERTIFICATE----- + # For outbound connections (secure backend, proxy,...) + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- + + # Filename that is used when creating the secret. Required if cert is provided. + keyName: + + # Provide the name of an existing Secret that contains the CA required + existingCaSecret: + # Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. + existingCaSecretKeyName: + + # Provide the name of an existing ConfigMap that contains the CA required + existingCaConfigMap: + # Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. 
+ existingCaConfigMapKeyName: # The privileged flag is necessary for OCP 4.x and other Kubernetes setups that deny host filesystem access to # running containers by default regardless of volume mounts. In those cases, access to the CRI socket would fail. diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml index 423ca5902..932b10935 100644 --- a/charts/sysdig-deploy/Chart.yaml +++ b/charts/sysdig-deploy/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: sysdig-deploy description: A chart with various Sysdig components for Kubernetes type: application -version: 1.15.6 +version: 1.16.0 maintainers: - name: AlbertoBarba email: alberto.barba@sysdig.com @@ -20,40 +20,40 @@ dependencies: - name: admission-controller # repository: https://charts.sysdig.com repository: file://../admission-controller - version: ~0.11.9 + version: ~0.12.0 alias: admissionController condition: admissionController.enabled - name: agent # repository: https://charts.sysdig.com repository: file://../agent - version: ~1.12.1 + version: ~1.13.0 alias: agent condition: agent.enabled - name: common # repository: https://charts.sysdig.com repository: file://../common - version: ~1.0.1 + version: ~1.1.0 - name: node-analyzer # repository: https://charts.sysdig.com repository: file://../node-analyzer - version: ~1.12.1 + version: ~1.13.0 alias: nodeAnalyzer condition: nodeAnalyzer.enabled - name: cluster-scanner # repository: https://charts.sysdig.com repository: file://../cluster-scanner - version: ~0.3.3 + version: ~0.4.0 alias: clusterScanner condition: clusterScanner.enabled - name: kspm-collector # repository: https://charts.sysdig.com repository: file://../kspm-collector - version: ~0.3.4 + version: ~0.4.0 alias: kspmCollector condition: global.kspm.deploy - name: rapid-response # repository: https://charts.sysdig.com repository: file://../rapid-response - version: ~0.7.0 + version: ~0.8.0 alias: rapidResponse condition: rapidResponse.enabled 
diff --git a/charts/sysdig-deploy/values.yaml b/charts/sysdig-deploy/values.yaml index 1bff7ea3c..58d8a5d36 100644 --- a/charts/sysdig-deploy/values.yaml +++ b/charts/sysdig-deploy/values.yaml @@ -18,6 +18,39 @@ global: image: pullSecrets: [] pullPolicy: IfNotPresent + ssl: + ca: + # For outbound connections (secure backend, proxy,...) + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- + + # Filename that is used when creating the secret. Required if cert is provided. + keyName: + + # Provide the name of an existing Secret that contains the CA required + existingCaSecret: + # Provide the filename that is defined inside the existing Secret + existingCaSecretKeyName: + # Provide the name of an existing ConfigMap that contains the CA required + existingCaConfigMap: + # Provide the filename that is defined inside the existing ConfigMap + existingCaConfigMapKeyName: admissionController: enabled: false From bc9a486d14ce7223aef20da3a1eafb0758e1386c Mon Sep 17 00:00:00 2001 
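Review bot: The umbrella chart's `global.ssl.ca` block drops the "Required if existingCaSecret is set" / "Required if existingCaConfigMap is set" qualifiers that every subchart copy of the same block carries, and it is the copy operators are most likely to read; restore them. It would also help to state here that a component-level `ssl.ca` block (e.g. `rapidResponse.ssl.ca`) overrides this global one, which the rapid-response tests in this patch rely on.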
From: draios-jenkins Date: Tue, 1 Aug 2023 16:32:02 +0000 Subject: [PATCH 2/9] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for admission-controller-0.12.0 --- charts/admission-controller/CHANGELOG.md | 3 +++ charts/admission-controller/RELEASE-NOTES.md | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/charts/admission-controller/CHANGELOG.md b/charts/admission-controller/CHANGELOG.md index f944eb0a6..772871c6a 100644 --- a/charts/admission-controller/CHANGELOG.md +++ b/charts/admission-controller/CHANGELOG.md @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v0.12.0 +### New Features +* **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) # v0.11.9 ### New Features * **admission-controller** [3d4304d0](https://github.com/sysdiglabs/charts/commit/3d4304d03483f23371f74541102b4cf1036bdfc0): update README with latest CA certificate changes ([#1263](https://github.com/sysdiglabs/charts/issues/1263)) diff --git a/charts/admission-controller/RELEASE-NOTES.md b/charts/admission-controller/RELEASE-NOTES.md index 184b39b14..184f8fe5b 100644 --- a/charts/admission-controller/RELEASE-NOTES.md +++ b/charts/admission-controller/RELEASE-NOTES.md 
@@ -1,5 +1,5 @@ # What's Changed ### New Features -- **admission-controller** [3d4304d0](https://github.com/sysdiglabs/charts/commit/3d4304d03483f23371f74541102b4cf1036bdfc0): update README with latest CA certificate changes ([#1263](https://github.com/sysdiglabs/charts/issues/1263)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.11.8...admission-controller-0.11.9 +- **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.11.9...admission-controller-0.12.0 From 6f40e3f2cbe667bdcf7ef663c14e674d3adce5a9 Mon Sep 17 00:00:00 2001 From: draios-jenkins Date: Tue, 1 Aug 2023 16:32:02 +0000 Subject: [PATCH 3/9] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for agent-1.13.0 --- charts/agent/CHANGELOG.md | 3 +++ charts/agent/RELEASE-NOTES.md | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/charts/agent/CHANGELOG.md b/charts/agent/CHANGELOG.md index fbf132bb6..80a9d7cd2 100644 --- a/charts/agent/CHANGELOG.md +++ b/charts/agent/CHANGELOG.md @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.13.0 +### New Features +* **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) # v1.12.1 # v1.12.0 ### New Features diff --git a/charts/agent/RELEASE-NOTES.md b/charts/agent/RELEASE-NOTES.md index 0f930c86f..85958b544 100644 --- a/charts/agent/RELEASE-NOTES.md +++ b/charts/agent/RELEASE-NOTES.md 
@@ -1,3 +1,5 @@ # What's Changed -#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.12.0...agent-1.12.1 +### New Features +- **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/agent-1.12.1...agent-1.13.0 From 3a186f2d6e5c75cd66566d845b5768d171285cf9 Mon Sep 17 00:00:00 2001 From: draios-jenkins Date: Tue, 1 Aug 2023 16:32:02 +0000 Subject: [PATCH 4/9] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for cluster-scanner-0.4.0 --- charts/cluster-scanner/CHANGELOG.md | 3 +++ charts/cluster-scanner/RELEASE-NOTES.md | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/charts/cluster-scanner/CHANGELOG.md b/charts/cluster-scanner/CHANGELOG.md index 6fd435808..2e6300b07 100644 --- a/charts/cluster-scanner/CHANGELOG.md +++ b/charts/cluster-scanner/CHANGELOG.md @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v0.4.0 +### New Features +* **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) # v0.3.3 ### Bug Fixes * **cluster-scanner** [cd8ebe99](https://github.com/sysdiglabs/charts/commit/cd8ebe99dd5313465b5a6cc1cf096cefea71df07): corrected role to support OKD4 ([#1247](https://github.com/sysdiglabs/charts/issues/1247)) diff --git a/charts/cluster-scanner/RELEASE-NOTES.md b/charts/cluster-scanner/RELEASE-NOTES.md index 878523a16..049a56bce 100644 --- a/charts/cluster-scanner/RELEASE-NOTES.md 
+++ b/charts/cluster-scanner/RELEASE-NOTES.md @@ -1,5 +1,5 @@ # What's Changed -### Bug Fixes -- **cluster-scanner** [cd8ebe99](https://github.com/sysdiglabs/charts/commit/cd8ebe99dd5313465b5a6cc1cf096cefea71df07): corrected role to support OKD4 ([#1247](https://github.com/sysdiglabs/charts/issues/1247)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-scanner-0.3.2...cluster-scanner-0.3.3 +### New Features +- **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-scanner-0.3.3...cluster-scanner-0.4.0 From a884b066b289577803b1e6e1d55d43a59a9d18e0 Mon Sep 17 00:00:00 2001 From: draios-jenkins Date: Tue, 1 Aug 2023 16:32:02 +0000 Subject: [PATCH 5/9] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for common-1.1.0 --- charts/common/CHANGELOG.md | 3 +++ charts/common/RELEASE-NOTES.md | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/charts/common/CHANGELOG.md b/charts/common/CHANGELOG.md index 2271cfe0a..ba89bec59 100644 --- a/charts/common/CHANGELOG.md +++ b/charts/common/CHANGELOG.md @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.1.0 +### New Features +* **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) # v1.0.2 # v1.0.1 ### Bug Fixes diff --git a/charts/common/RELEASE-NOTES.md b/charts/common/RELEASE-NOTES.md index 054329199..2ec79afd1 100644 --- a/charts/common/RELEASE-NOTES.md 
+++ b/charts/common/RELEASE-NOTES.md @@ -1,3 +1,5 @@ # What's Changed -#### Full diff: https://github.com/sysdiglabs/charts/compare/common-1.0.1...common-1.0.2 +### New Features +- **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/common-1.0.2...common-1.1.0 From e7c46bb74789a82dbb011f49ac7f50b44b46e828 Mon Sep 17 00:00:00 2001 From: draios-jenkins Date: Tue, 1 Aug 2023 16:32:02 +0000 Subject: [PATCH 6/9] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for kspm-collector-0.4.0 --- charts/kspm-collector/CHANGELOG.md | 3 +++ charts/kspm-collector/RELEASE-NOTES.md | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/charts/kspm-collector/CHANGELOG.md b/charts/kspm-collector/CHANGELOG.md index 1fd7edec4..fc58e5b1e 100644 --- a/charts/kspm-collector/CHANGELOG.md +++ b/charts/kspm-collector/CHANGELOG.md @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v0.4.0 +### New Features +* **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) # v0.3.4 # v0.3.3 ### New Features diff --git a/charts/kspm-collector/RELEASE-NOTES.md b/charts/kspm-collector/RELEASE-NOTES.md index 95ff2bd54..531789ad5 100644 --- a/charts/kspm-collector/RELEASE-NOTES.md +++ b/charts/kspm-collector/RELEASE-NOTES.md 
@@ -1,3 +1,5 @@ # What's Changed -#### Full diff: https://github.com/sysdiglabs/charts/compare/kspm-collector-0.3.3...kspm-collector-0.3.4 +### New Features +- **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/kspm-collector-0.3.4...kspm-collector-0.4.0 From 2e41b255c3ef8533e685b0155e53556b2482ba7c Mon Sep 17 00:00:00 2001 From: draios-jenkins Date: Tue, 1 Aug 2023 16:32:02 +0000 Subject: [PATCH 7/9] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for node-analyzer-1.13.0 --- charts/node-analyzer/CHANGELOG.md | 3 +++ charts/node-analyzer/RELEASE-NOTES.md | 11 +++-------- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/charts/node-analyzer/CHANGELOG.md b/charts/node-analyzer/CHANGELOG.md index 7ada62e32..1e7829868 100644 --- a/charts/node-analyzer/CHANGELOG.md +++ b/charts/node-analyzer/CHANGELOG.md @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.13.0 +### New Features +* **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) # v1.12.1 ### Chores * **sysdig,node-analyzer** [00316d04](https://github.com/sysdiglabs/charts/commit/00316d042378fa75ac0ed9277b547236766ce816): bumped RuntimeScanner to 1.5.2 version ([#1275](https://github.com/sysdiglabs/charts/issues/1275)) diff --git a/charts/node-analyzer/RELEASE-NOTES.md b/charts/node-analyzer/RELEASE-NOTES.md index 071512b25..ae8f0821c 100644 --- a/charts/node-analyzer/RELEASE-NOTES.md 
+++ b/charts/node-analyzer/RELEASE-NOTES.md @@ -1,10 +1,5 @@ # What's Changed -### Chores -- **sysdig,node-analyzer** [00316d04](https://github.com/sysdiglabs/charts/commit/00316d042378fa75ac0ed9277b547236766ce816): bumped RuntimeScanner to 1.5.2 version ([#1275](https://github.com/sysdiglabs/charts/issues/1275)) - - * * Added env var flag for internal timeout on scheduled operations -* Added fallback when connection to detected container runtime fails -* Security updates (July 2023). Fixed CVE - * CVE-2023-33199 -#### Full diff: https://github.com/sysdiglabs/charts/compare/node-analyzer-1.12.0...node-analyzer-1.12.1 +### New Features +- **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/node-analyzer-1.12.1...node-analyzer-1.13.0 From 29b1b10c9b25e0a98d72308ad63c9e1bed502d41 Mon Sep 17 00:00:00 2001 From: draios-jenkins Date: Tue, 1 Aug 2023 16:32:02 +0000 Subject: [PATCH 8/9] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for rapid-response-0.8.0 --- charts/rapid-response/CHANGELOG.md | 3 +++ charts/rapid-response/RELEASE-NOTES.md | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/charts/rapid-response/CHANGELOG.md b/charts/rapid-response/CHANGELOG.md index d7c3c25f3..528706c02 100644 --- a/charts/rapid-response/CHANGELOG.md +++ b/charts/rapid-response/CHANGELOG.md 
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v0.8.0 +### New Features +* **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) # v0.7.0 ### New Features * **agent,rapid-response** [13dc488a](https://github.com/sysdiglabs/charts/commit/13dc488a6c1cbbfda114f90deeef91a43572a54e): set metadata.namespace on all namespaced items ([#1259](https://github.com/sysdiglabs/charts/issues/1259)) diff --git a/charts/rapid-response/RELEASE-NOTES.md b/charts/rapid-response/RELEASE-NOTES.md index 0cd5fa4e4..f1c51ac91 100644 --- a/charts/rapid-response/RELEASE-NOTES.md +++ b/charts/rapid-response/RELEASE-NOTES.md @@ -1,5 +1,5 @@ # What's Changed ### New Features -- **agent,rapid-response** [13dc488a](https://github.com/sysdiglabs/charts/commit/13dc488a6c1cbbfda114f90deeef91a43572a54e): set metadata.namespace on all namespaced items ([#1259](https://github.com/sysdiglabs/charts/issues/1259)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/rapid-response-0.6.3...rapid-response-0.7.0 +- **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/rapid-response-0.7.0...rapid-response-0.8.0 From b842522881c8642e13b6732306432ea99afc7d31 Mon Sep 17 00:00:00 2001 
From: draios-jenkins Date: Tue, 1 Aug 2023 16:32:02 +0000 Subject: [PATCH 9/9] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for sysdig-deploy-1.16.0 --- charts/sysdig-deploy/CHANGELOG.md | 3 +++ charts/sysdig-deploy/RELEASE-NOTES.md | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/charts/sysdig-deploy/CHANGELOG.md b/charts/sysdig-deploy/CHANGELOG.md index 8df030357..388cced82 100644 --- a/charts/sysdig-deploy/CHANGELOG.md +++ b/charts/sysdig-deploy/CHANGELOG.md @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.16.0 +### New Features +* **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) # v1.15.6 ### Chores * **sysdig-deploy** [e9df82e5](https://github.com/sysdiglabs/charts/commit/e9df82e57a98cf5a8fffda06ce539424ff47155f): Automatic version bump due to updated dependencies ([#1276](https://github.com/sysdiglabs/charts/issues/1276)) diff --git a/charts/sysdig-deploy/RELEASE-NOTES.md b/charts/sysdig-deploy/RELEASE-NOTES.md index bbca5ddc9..12105fbbc 100644 --- a/charts/sysdig-deploy/RELEASE-NOTES.md +++ b/charts/sysdig-deploy/RELEASE-NOTES.md 
@@ -1,5 +1,5 @@ # What's Changed -### Chores -- **sysdig-deploy** [e9df82e5](https://github.com/sysdiglabs/charts/commit/e9df82e57a98cf5a8fffda06ce539424ff47155f): Automatic version bump due to updated dependencies ([#1276](https://github.com/sysdiglabs/charts/issues/1276)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.15.5...sysdig-deploy-1.15.6 +### New Features +- **sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller** [2dca8e7c](https://github.com/sysdiglabs/charts/commit/2dca8e7c5308e76c2da63c974ae75c4ad510c201): Global Custom CA Bundle Support ([#961](https://github.com/sysdiglabs/charts/issues/961)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.15.6...sysdig-deploy-1.16.0