Merge branch 'master' into SSPROD-23092_Integrate_new_Admission_Contr…

…oller_to_existing_AC_chart

charts/admission-controller/CHANGELOG.md

@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used
 exclusively to fix incorrect entries and not to add new ones.
 
 ## Change Log
+# v0.12.4
+### New Features
+* **admission-controller** [ffa2c439](https://github.com/sysdiglabs/charts/commit/ffa2c439bd0a1a76443dc41439f048a2fc41e016): internal test ([#1297](https://github.com/sysdiglabs/charts/issues/1297))
 # v0.12.3
 ### Documentation
 * **admission-controller, cluster-scanner, registry-scanner, cloud-connector, node-analyzer, rapid-response, sysdig-deploy, agent** [df733e62](https://github.com/sysdiglabs/charts/commit/df733e6294eae1967197e3521473a5fab0282b67): update maintainers list ([#1283](https://github.com/sysdiglabs/charts/issues/1283))

charts/admission-controller/RELEASE-NOTES.md

@@ -1,5 +1,5 @@
 # What's Changed
 
-### Documentation
-- **admission-controller, cluster-scanner, registry-scanner, cloud-connector, node-analyzer, rapid-response, sysdig-deploy, agent** [df733e62](https://github.com/sysdiglabs/charts/commit/df733e6294eae1967197e3521473a5fab0282b67): update maintainers list ([#1283](https://github.com/sysdiglabs/charts/issues/1283))
-#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.12.2...admission-controller-0.12.3
+### New Features
+- **admission-controller** [ffa2c439](https://github.com/sysdiglabs/charts/commit/ffa2c439bd0a1a76443dc41439f048a2fc41e016): internal test ([#1297](https://github.com/sysdiglabs/charts/issues/1297))
+#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.12.3...admission-controller-0.12.4

charts/admission-controller/templates/webhook/admissioncontrollerconfigmap.yaml

@@ -0,0 +1,13 @@
+# Warning! This file is for internal tests only.
+{{- if .Values.webhook.acConfig }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: admissioncontrollerconfigmap
+  namespace: {{ include "admissionController.namespace" . }}
+  labels:
+    {{ include "admissionController.webhook.labels" . | nindent 4 }}
+data:
+  acConfig: |
+    {{ .Values.webhook.acConfig | nindent 4 }}
+{{- end }}

charts/admission-controller/templates/webhook/admissionregistration.yaml

@@ -60,7 +60,7 @@ webhooks:
   timeoutSeconds: {{ .Values.webhook.v2.timeoutSeconds }}
   failurePolicy: Ignore
 {{- end }}
-{{- if .Values.scanner.enabled }}
+{{- if or .Values.scanner.enabled .Values.webhook.acConfig }}
 - name: scanning.secure.sysdig.com
   matchPolicy: Equivalent
   rules:

charts/admission-controller/templates/webhook/clusterrole.yaml

@@ -16,8 +16,21 @@ rules:
   - ""
   resources:
   - pods
+{{- if .Values.webhook.acConfig }}
+  - configmaps
+{{- end }}
+  verbs:
+  - get
+{{- if .Values.webhook.acConfig }}
+- apiGroups:
+  - "batch"
+  resources:
+  - jobs
   verbs:
+  - create
   - get
+  - delete
+{{- end }}
 - apiGroups:
   - "apps"
   resources:

charts/admission-controller/templates/webhook/deployment.yaml

@@ -116,11 +116,17 @@ spec:
               value: {{ include "webhook.httpsProxy" . }}
             - name: NO_PROXY
               value: {{ include "webhook.noProxy" . }},{{ include "admissionController.scanner.fullname" . }}
+            - name: AC_NAMESPACE
+              value: {{ include "admissionController.namespace" . }}
             {{- end }}
             {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
             - name: SSL_CERT_DIR
               value: /ca-certs
             {{- end }}
+            {{- if .Values.webhook.acConfig }}
+            - name: VM_ENGINE_V2_ENABLED
+              value: "true"
+            {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.webhook.http.port }}

charts/admission-controller/tests/configmap_test.yaml

@@ -0,0 +1,56 @@
+suite: Test admissioncontrollerconfigmap
+templates:
+  - templates/webhook/admissioncontrollerconfigmap.yaml
+  - templates/webhook/clusterrole.yaml
+tests:
+  - it: Creates the configmap if webhook.acConfig is present
+    set:
+      webhook:
+        acConfig: |
+          foo: bar
+          fizz: buzz
+    asserts:
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+        template: templates/webhook/admissioncontrollerconfigmap.yaml
+  - it: Creates the clusterrole if webhook.acConfig is present
+    set:
+      webhook:
+        acConfig: |
+          foo: bar
+          fizz: buzz
+    asserts:
+      - isSubset:
+          path: rules[2]
+          content:
+            apiGroups: ["batch"]
+            resources: ["jobs"]
+            verbs: ["create", "get", "delete"]
+        template: templates/webhook/clusterrole.yaml
+      - isSubset:
+          path: rules[1]
+          content:
+            apiGroups: [""]
+            resources: ["pods", "configmaps"]
+            verbs: ["get"]
+        template: templates/webhook/clusterrole.yaml
+  - it: Does not create the configmap if webhook.acConfig is not present
+    set: {}
+    asserts:
+      - notContains:
+          path: rules
+          content:
+            apiGroups: [ "batch" ]
+        template: templates/webhook/clusterrole.yaml
+      - isSubset:
+          path: rules[1]
+          content:
+            apiGroups: [""]
+            resources: ["pods"]
+            verbs: ["get"]
+        template: templates/webhook/clusterrole.yaml
+#    asserts:
+#      - isNullOrEmpty:
+#          path: data
+#        template: templates/webhook/admissioncontrollerconfigmap.yaml

charts/admission-controller/values.yaml

@@ -251,6 +251,7 @@ webhook:
 
   # The image pull secrets for webhook.
   imagePullSecrets: []
+
   # Resource request and limits for webhook.
   resources:  # +doc-gen:break
     limits: