fix(node-analyzer,sysdig-deploy): Ability to disable sslVerifyCertifi…

…cate per container on node-analyzer (#1445) Signed-off-by: Daniele De Lorenzi <[email protected]> Co-authored-by: Marco Vito Moscaritolo <[email protected]>
sysdiglabs · Nov 6, 2023 · 5ea8986 · 5ea8986
1 parent c55f740
commit 5ea8986
Show file tree

Hide file tree

Showing 16 changed files with 1,093 additions and 21 deletions.
diff --git a/charts/node-analyzer/Chart.yaml b/charts/node-analyzer/Chart.yaml
@@ -3,7 +3,7 @@ name: node-analyzer
 description: Sysdig Node Analyzer
 
 # currently matching Sysdig's appVersion 1.14.34
-version: 1.18.2
+version: 1.18.3
 appVersion: 12.8.0
 keywords:
   - monitoring

diff --git a/charts/node-analyzer/README.md b/charts/node-analyzer/README.md
diff --git a/charts/node-analyzer/templates/_helpers.tpl b/charts/node-analyzer/templates/_helpers.tpl
@@ -113,6 +113,46 @@ Return the proper image name for the CSPM Analyzer
     {{- include "nodeAnalyzer.imageRegistry" . -}} / {{- .Values.nodeAnalyzer.kspmAnalyzer.image.repository -}} {{- if .Values.nodeAnalyzer.kspmAnalyzer.image.digest -}} @ {{- .Values.nodeAnalyzer.kspmAnalyzer.image.digest -}} {{- else -}} : {{- .Values.nodeAnalyzer.kspmAnalyzer.image.tag -}} {{- end -}}
 {{- end -}}
 
+{{/*
+ Helper to define skip of SSL Certificate for Runtime Scanner and Eve Connector
+*/}}
+{{- define "runtimeScanner.sslVerifyCertificate" -}}
+{{- $sslVerifyCertificate := coalesce (.Values.nodeAnalyzer.runtimeScanner.sslVerifyCertificate | quote) (.Values.nodeAnalyzer.sslVerifyCertificate | quote) (.Values.global.sslVerifyCertificate | quote) ("true" | quote) -}}
+{{ $sslVerifyCertificate }}
+{{- end -}}
+
+{{/*
+ Helper to define skip of SSL Certificate for Host Scanner
+*/}}
+{{- define "hostScanner.sslVerifyCertificate" -}}
+{{- $sslVerifyCertificate := coalesce (.Values.nodeAnalyzer.hostScanner.sslVerifyCertificate | quote) (.Values.nodeAnalyzer.sslVerifyCertificate | quote) (.Values.global.sslVerifyCertificate | quote) ("true" | quote) -}}
+{{ $sslVerifyCertificate }}
+{{- end -}}
+
+{{/*
+ Helper to define skip of SSL Certificate for Host Analyzer
+*/}}
+{{- define "hostAnalyzer.sslVerifyCertificate" -}}
+{{- $sslVerifyCertificate := coalesce (.Values.nodeAnalyzer.hostAnalyzer.sslVerifyCertificate | quote) (.Values.nodeAnalyzer.sslVerifyCertificate | quote) (.Values.global.sslVerifyCertificate | quote) ("true" | quote) -}}
+{{ $sslVerifyCertificate }}
+{{- end -}}
+
+{{/*
+ Helper to define skip of SSL Certificate for Image Analyzer
+*/}}
+{{- define "imageAnalyzer.sslVerifyCertificate" -}}
+{{- $sslVerifyCertificate := coalesce (.Values.nodeAnalyzer.imageAnalyzer.sslVerifyCertificate | quote) (.Values.nodeAnalyzer.sslVerifyCertificate | quote) (.Values.global.sslVerifyCertificate | quote) ("true" | quote) -}}
+{{ $sslVerifyCertificate }}
+{{- end -}}
+
+{{/*
+ Helper to define skip of SSL Certificate for Benchmark Runner
+*/}}
+{{- define "benchmarkRunner.sslVerifyCertificate" -}}
+{{- $sslVerifyCertificate := coalesce (.Values.nodeAnalyzer.benchmarkRunner.sslVerifyCertificate | quote) (.Values.nodeAnalyzer.sslVerifyCertificate | quote) (.Values.global.sslVerifyCertificate | quote) ("true" | quote) -}}
+{{ $sslVerifyCertificate }}
+{{- end -}}
+
 {{/*
  Helper to define if to enable nats_insecure
 */}}

diff --git a/charts/node-analyzer/templates/configmap-benchmark-runner.yaml b/charts/node-analyzer/templates/configmap-benchmark-runner.yaml
@@ -9,9 +9,7 @@ metadata:
 {{ include "nodeAnalyzer.labels" . | indent 4 }}
 data:
   collector_endpoint: "https://{{ include "nodeAnalyzer.apiEndpoint" . }}"
-  {{- if hasKey .Values.nodeAnalyzer "sslVerifyCertificate" }}
-  ssl_verify_certificate: "{{ .Values.nodeAnalyzer.sslVerifyCertificate }}"
-  {{- end }}
+  ssl_verify_certificate: {{ include "benchmarkRunner.sslVerifyCertificate" . }}
   debug: "{{ .Values.nodeAnalyzer.debug | default false }}"
   {{- if (.Values.nodeAnalyzer.benchmarkRunner.httpProxy | default .Values.nodeAnalyzer.httpProxy | default .Values.global.proxy.httpProxy) }}
   http_proxy: {{ .Values.nodeAnalyzer.benchmarkRunner.httpProxy | default .Values.nodeAnalyzer.httpProxy | default .Values.global.proxy.httpProxy }}

diff --git a/charts/node-analyzer/templates/configmap-host-analyzer.yaml b/charts/node-analyzer/templates/configmap-host-analyzer.yaml
@@ -13,9 +13,7 @@ data:
   {{- if .Values.nodeAnalyzer.collectorTimeout }}
   collector_timeout: {{ .Values.nodeAnalyzer.collectorTimeout }}
   {{- end }}
-  {{- if hasKey .Values.nodeAnalyzer "sslVerifyCertificate" }}
-  ssl_verify_certificate: "{{ .Values.nodeAnalyzer.sslVerifyCertificate }}"
-  {{- end }}
+  ssl_verify_certificate: {{ include "hostAnalyzer.sslVerifyCertificate" . }}
   debug: "{{ .Values.nodeAnalyzer.debug | default false }}"
   {{- if .Values.nodeAnalyzer.hostAnalyzer.schedule }}
   schedule: {{ .Values.nodeAnalyzer.hostAnalyzer.schedule | quote }}

diff --git a/charts/node-analyzer/templates/configmap-host-scanner.yaml b/charts/node-analyzer/templates/configmap-host-scanner.yaml
@@ -23,9 +23,7 @@ data:
   {{- if .Values.nodeAnalyzer.hostScanner.additionalDirsToScan }}
   additional_dirs_to_scan: {{ .Values.nodeAnalyzer.hostScanner.additionalDirsToScan }}
   {{- end }}
-  {{- if hasKey .Values.nodeAnalyzer "sslVerifyCertificate" }}
-  ssl_verify_certificate: "{{ .Values.nodeAnalyzer.sslVerifyCertificate }}"
-  {{- end }}
+  ssl_verify_certificate: {{ include "hostScanner.sslVerifyCertificate" . }}
   {{- if (.Values.nodeAnalyzer.hostScanner.debug | default .Values.nodeAnalyzer.debug) }}
   debug: "{{ .Values.nodeAnalyzer.hostScanner.debug | default .Values.nodeAnalyzer.debug }}"
   {{- end }}

diff --git a/charts/node-analyzer/templates/configmap-image-analyzer.yaml b/charts/node-analyzer/templates/configmap-image-analyzer.yaml
@@ -8,9 +8,7 @@ metadata:
 {{ include "nodeAnalyzer.labels" . | indent 4 }}
 data:
   collector_endpoint: "https://{{ include "nodeAnalyzer.apiEndpoint" . }}/internal/scanning/scanning-analysis-collector"
-  {{- if hasKey .Values.nodeAnalyzer "sslVerifyCertificate" }}
-  ssl_verify_certificate: "{{ .Values.nodeAnalyzer.sslVerifyCertificate }}"
-  {{- end }}
+  ssl_verify_certificate: {{ include "imageAnalyzer.sslVerifyCertificate" . }}
   debug: "{{ .Values.nodeAnalyzer.debug | default false }}"
   {{- if .Values.nodeAnalyzer.imageAnalyzer.dockerSocketPath }}
   docker_socket_path: {{ .Values.nodeAnalyzer.imageAnalyzer.dockerSocketPath }}

diff --git a/charts/node-analyzer/templates/runtimeScanner/eveconnector-api-configmap.yaml b/charts/node-analyzer/templates/runtimeScanner/eveconnector-api-configmap.yaml
@@ -8,9 +8,7 @@ metadata:
 data:
   api_endpoint: https://{{ include "nodeAnalyzer.apiEndpoint" . }}
   cluster_name: {{ required "A valid clusterName is required" (include "nodeAnalyzer.clusterName" . ) }}
-  {{- if hasKey .Values.nodeAnalyzer "sslVerifyCertificate" }}
-  ssl_verify_certificate: "{{ .Values.nodeAnalyzer.sslVerifyCertificate }}"
-  {{- end }}
+  ssl_verify_certificate: {{ include "runtimeScanner.sslVerifyCertificate" . }}
   {{- if hasKey .Values.nodeAnalyzer.runtimeScanner "eveConnector" }}
   cert_dns_name: {{ include "eveconnector.host" . | quote }}
   {{- end }}

diff --git a/charts/node-analyzer/templates/runtimeScanner/runtime-scanner-configmap.yaml b/charts/node-analyzer/templates/runtimeScanner/runtime-scanner-configmap.yaml
@@ -8,9 +8,7 @@ metadata:
 data:
   api_endpoint: https://{{ include "nodeAnalyzer.apiEndpoint" . }}
   cluster_name: {{ required "A valid clusterName is required" (include "nodeAnalyzer.clusterName" . ) }}
-  {{- if hasKey .Values.nodeAnalyzer "sslVerifyCertificate" }}
-  ssl_verify_certificate: "{{ .Values.nodeAnalyzer.sslVerifyCertificate }}"
-  {{- end }}
+  ssl_verify_certificate: {{ include "runtimeScanner.sslVerifyCertificate" . }}
   {{- if (.Values.nodeAnalyzer.runtimeScanner.debug | default .Values.nodeAnalyzer.debug) }}
   debug: "{{ .Values.nodeAnalyzer.runtimeScanner.debug | default .Values.nodeAnalyzer.debug }}"
   {{- end }}

diff --git a/charts/node-analyzer/tests/cert_validation_benchmarkrunner_test.yaml b/charts/node-analyzer/tests/cert_validation_benchmarkrunner_test.yaml
@@ -0,0 +1,182 @@
+suite: Benchmark Runner Skip certificate tests
+templates:
+  - templates/configmap-benchmark-runner.yaml
+tests:
+  - it: "Global SSL certificate validation enabled (default value)"
+    set:
+      clusterName: "test"
+      nodeAnalyzer:
+        deploy: true
+    templates:
+      - templates/configmap-benchmark-runner.yaml
+    asserts:
+      - equal:
+          path: data.ssl_verify_certificate
+          value: "true"
+
+  - it: "Global SSL certificate validation enabled (sslVerifyCertificate: true explicitly set)"
+    set:
+      clusterName: "test"
+      global:
+        sslVerifyCertificate: true
+      nodeAnalyzer:
+        deploy: true
+    templates:
+      - templates/configmap-benchmark-runner.yaml
+    asserts:
+      - equal:
+          path: data.ssl_verify_certificate
+          value: "true"
+
+  - it: "Global SSL certificate validation disabled"
+    set:
+      clusterName: "test"
+      global:
+        sslVerifyCertificate: false
+      nodeAnalyzer:
+        deploy: true
+    templates:
+      - templates/configmap-benchmark-runner.yaml
+    asserts:
+      - equal:
+          path: data.ssl_verify_certificate
+          value: "false"
+
+  - it: "SSL certificate validation enabled (sslVerifyCertificate: true explicitly set) [Node Analyzer POD]"
+    set:
+      clusterName: "test"
+      nodeAnalyzer:
+        deploy: true
+        sslVerifyCertificate: true
+    templates:
+      - templates/configmap-benchmark-runner.yaml
+    asserts:
+      - equal:
+          path: data.ssl_verify_certificate
+          value: "true"
+
+  - it: "SSL certificate validation disabled [Node Analyzer POD]"
+    set:
+      clusterName: "test"
+      nodeAnalyzer:
+        deploy: true
+        sslVerifyCertificate: false
+    templates:
+      - templates/configmap-benchmark-runner.yaml
+    asserts:
+      - equal:
+          path: data.ssl_verify_certificate
+          value: "false"
+
+  - it: "SSL certificate validation enabled (sslVerifyCertificate: true explicitly set) [benchmarkRunner container]"
+    set:
+      clusterName: "test"
+      nodeAnalyzer:
+        deploy: true
+        benchmarkRunner:
+          sslVerifyCertificate: true
+    templates:
+      - templates/configmap-benchmark-runner.yaml
+    asserts:
+      - equal:
+          path: data.ssl_verify_certificate
+          value: "true"
+
+  - it: "SSL certificate validation disabled [benchmarkRunner container]"
+    set:
+      clusterName: "test"
+      nodeAnalyzer:
+        deploy: true
+        benchmarkRunner:
+          sslVerifyCertificate: false
+    templates:
+      - templates/configmap-benchmark-runner.yaml
+    asserts:
+      - equal:
+          path: data.ssl_verify_certificate
+          value: "false"
+
+  - it: "SSL certificate validation disabled [Global + Node Analyzer POD]"
+    set:
+      global:
+        sslVerifyCertificate: true
+      clusterName: "test"
+      nodeAnalyzer:
+        deploy: true
+        sslVerifyCertificate: false
+        benchmarkRunner:
+          deploy: true
+    templates:
+      - templates/configmap-benchmark-runner.yaml
+    asserts:
+      - equal:
+          path: data.ssl_verify_certificate
+          value: "false"
+
+  - it: "SSL certificate validation disabled [Node Analyzer POD + Container]"
+    set:
+      clusterName: "test"
+      nodeAnalyzer:
+        deploy: true
+        sslVerifyCertificate: true
+        benchmarkRunner:
+          deploy: true
+          sslVerifyCertificate: false
+    templates:
+      - templates/configmap-benchmark-runner.yaml
+    asserts:
+      - equal:
+          path: data.ssl_verify_certificate
+          value: "false"
+
+  - it: "SSL certificate validation enabled [Node Analyzer POD + Container]"
+    set:
+      clusterName: "test"
+      nodeAnalyzer:
+        deploy: true
+        sslVerifyCertificate: false
+        benchmarkRunner:
+          deploy: true
+          sslVerifyCertificate: true
+    templates:
+      - templates/configmap-benchmark-runner.yaml
+    asserts:
+      - equal:
+          path: data.ssl_verify_certificate
+          value: "true"
+
+  - it: "SSL certificate validation disabled [Global + Node Analyzer POD + Container]"
+    set:
+      global:
+        sslVerifyCertificate: true
+      clusterName: "test"
+      nodeAnalyzer:
+        deploy: true
+        sslVerifyCertificate: true
+        benchmarkRunner:
+          deploy: true
+          sslVerifyCertificate: false
+    templates:
+      - templates/configmap-benchmark-runner.yaml
+    asserts:
+      - equal:
+          path: data.ssl_verify_certificate
+          value: "false"
+
+  - it: "SSL certificate validation enabled [Global + Node Analyzer POD + Container]"
+    set:
+      global:
+        sslVerifyCertificate: false
+      clusterName: "test"
+      nodeAnalyzer:
+        deploy: true
+        sslVerifyCertificate: false
+        benchmarkRunner:
+          deploy: true
+          sslVerifyCertificate: true
+    templates:
+      - templates/configmap-benchmark-runner.yaml
+    asserts:
+      - equal:
+          path: data.ssl_verify_certificate
+          value: "true"