feat(admission-controller,agent,common,kspm-collector,node-analyzer,r…

…apid-response,sysdig-deploy): refactor in order to allow certs to be specified as list and avoid BC
sysdiglabs · Jul 19, 2023 · 888036f · 888036f
1 parent 0e99f92
commit 888036f
Show file tree

Hide file tree

Showing 20 changed files with 477 additions and 407 deletions.
diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md
diff --git a/charts/admission-controller/templates/_helpers.tpl b/charts/admission-controller/templates/_helpers.tpl
@@ -257,20 +257,6 @@ Create the name of the service account to use
     {{ default (include "admissionController.scanner.fullname" .) .Values.serviceAccounts.scanner.name }}
 {{- end -}}
 
-{{/*
-Generate certificates for aggregated api server
-*/}}
-
-{{- $cert := genCA ( printf "%s.%s.svc" (include "admissionController.scanner.fullname" .) .Release.Namespace ) 3650 -}}
-
-{{- define "admissionController.scanner.gen-certs" -}}
-{{- $ca := genCA (include "admissionController.scanner.fullname" .) 3650 -}}
-{{- $cn := printf "%s.%s.svc" (include "admissionController.scanner.fullname" .) .Release.Namespace -}}
-{{- $san := list $cn -}}
-{{- $cert := genSignedCert $cn nil $san 3650 $ca -}}
-{{- printf "%s$%s$%s" ($cert.Cert | b64enc) ($cert.Key | b64enc) ($ca.Cert | b64enc) -}}
-{{- end -}}
-
 {{/*
 Allow overriding registry and repository for air-gapped environments
 */}}

diff --git a/charts/admission-controller/templates/scanner/deployment.yaml b/charts/admission-controller/templates/scanner/deployment.yaml
@@ -41,7 +41,7 @@ spec:
             defaultMode: 420
             secretName: {{ .Values.scanner.dockerCfgSecretName }}
         {{- end }}
-        {{- if eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
+        {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
         - name: ca-cert
           secret:
             secretName: {{ include "admissionController.scanner.fullname" . }}-ca
@@ -67,7 +67,7 @@ spec:
               name: dockercfg
               readOnly: true
             {{- end }}
-            {{- if eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
+            {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
             - name: ca-cert
               mountPath: /ca-certs
               readOnly: true
@@ -91,9 +91,9 @@ spec:
             - name: NO_PROXY
               value: {{ include "scanner.noProxy" . }}
             {{- end }}
-            {{- if eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
-            - name: SSL_CERT_FILE
-              value: /ca-certs/{{- include "sysdig.custom_ca.keyName"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) -}}
+            {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
+            - name: SSL_CERT_DIR
+              value: /ca-certs
             {{- end }}
           envFrom:
             - configMapRef:

diff --git a/charts/admission-controller/templates/scanner/secret.yaml b/charts/admission-controller/templates/scanner/secret.yaml
@@ -19,14 +19,19 @@ stringData:
   AUTH_BEARER_TOKEN: {{ include "sysdig.secureAPIToken" . }}
 {{- end }}
 ---
-{{- if eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
+{{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "admissionController.scanner.fullname" . }}-ca
   namespace: {{ include "admissionController.namespace" . }}
   labels: {{- include "admissionController.scanner.labels" . | nindent 4 }}
 data:
+  {{- if eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
   {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
+  {{- end }}
+  {{- if or .Values.scanner.ssl.ca.cert }}
+  root_ca_file.crt: {{ .Values.scanner.ssl.ca.cert | b64enc | quote }}
+  {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/admission-controller/templates/webhook/deployment.yaml b/charts/admission-controller/templates/webhook/deployment.yaml
@@ -84,9 +84,9 @@ spec:
             - name: NO_PROXY
               value: {{ include "webhook.noProxy" . }},{{ include "admissionController.scanner.fullname" . }}
             {{- end }}
-            {{- if eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
-            - name: SSL_CERT_FILE
-              value: /ca-certs/{{- include "sysdig.custom_ca.keyName"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) -}}
+            {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
+            - name: SSL_CERT_DIR
+              value: /ca-certs
             {{- end }}
           ports:
             - name: http
@@ -117,7 +117,7 @@ spec:
             - name: cert
               mountPath: /cert
               readOnly: true
-            {{- if eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
+            {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
             - name: ca-cert
               mountPath: /ca-certs
               readOnly: true
@@ -128,7 +128,7 @@ spec:
         - name: cert
           secret:
             secretName: {{ include "admissionController.webhook.fullname" . }}-tls
-        {{- if eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
+        {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
         - name: ca-cert
           secret:
             secretName: {{ include "admissionController.webhook.fullname" . }}-ca

diff --git a/charts/admission-controller/templates/webhook/secret.yaml b/charts/admission-controller/templates/webhook/secret.yaml
@@ -10,7 +10,7 @@ stringData:
   SECURE_API_TOKEN: {{ include "sysdig.secureAPIToken" . }}
 {{- end }}
 ---
-{{- if eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
+{{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -19,5 +19,10 @@ metadata:
   labels:
     {{ include "admissionController.webhook.labels" . | nindent 4 }}
 data:
+  {{- if or .Values.webhook.ssl.ca.cert }}
+  root_ca_file.crt: {{ .Values.webhook.ssl.ca.cert | b64enc | quote }}
+  {{- end }}
+  {{- if eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
   {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
+  {{- end }}
 {{- end }}
diff --git a/charts/admission-controller/tests/ca_cert_test.yaml b/charts/admission-controller/tests/ca_cert_test.yaml
@@ -28,8 +28,8 @@ tests:
       - notContains:
           path: spec.template.spec.containers[0].env
           content:
-            name: SSL_CERT_FILE
-            value: "/ca-certs/global_root_ca.crt"
+            name: SSL_CERT_DIR
+            value: "/ca-certs"
         template: webhook/deployment.yaml
       - notContains:
           path: spec.template.spec.volumes
@@ -48,8 +48,8 @@ tests:
       - notContains:
           path: spec.template.spec.containers[0].env
           content:
-            name: SSL_CERT_FILE
-            value: "/ca-certs/global_root_ca.crt"
+            name: SSL_CERT_DIR
+            value: "/ca-certs"
         template: scanner/deployment.yaml
       - notContains:
           path: spec.template.spec.volumes
@@ -77,10 +77,11 @@ tests:
       global:
         ssl:
           ca:
-            cert: |
-              -----BEGIN CERTIFICATE-----
-              my-test-cert
-              -----END CERTIFICATE-----
+            certs:
+              - |
+                -----BEGIN CERTIFICATE-----
+                my-test-cert
+                -----END CERTIFICATE-----
             keyName: "global_root_ca.crt"
       sysdig:
         accessKey: standard-key
@@ -89,8 +90,8 @@ tests:
       - contains:
           path: spec.template.spec.containers[0].env
           content:
-            name: SSL_CERT_FILE
-            value: "/ca-certs/global_root_ca.crt"
+            name: SSL_CERT_DIR
+            value: "/ca-certs"
         template: webhook/deployment.yaml
       - contains:
           path: spec.template.spec.volumes
@@ -109,8 +110,8 @@ tests:
       - contains:
           path: spec.template.spec.containers[0].env
           content:
-            name: SSL_CERT_FILE
-            value: "/ca-certs/global_root_ca.crt"
+            name: SSL_CERT_DIR
+            value: "/ca-certs"
         template: scanner/deployment.yaml
       - contains:
           path: spec.template.spec.volumes
@@ -147,8 +148,8 @@ tests:
       - contains:
           path: spec.template.spec.containers[0].env
           content:
-            name: SSL_CERT_FILE
-            value: "/ca-certs/test-fake-ca-secret-key.crt"
+            name: SSL_CERT_DIR
+            value: "/ca-certs"
         template: webhook/deployment.yaml
       - contains:
           path: spec.template.spec.volumes
@@ -167,8 +168,8 @@ tests:
       - contains:
           path: spec.template.spec.containers[0].env
           content:
-            name: SSL_CERT_FILE
-            value: "/ca-certs/test-fake-ca-secret-key.crt"
+            name: SSL_CERT_DIR
+            value: "/ca-certs"
         template: scanner/deployment.yaml
       - contains:
           path: spec.template.spec.volumes
@@ -205,8 +206,8 @@ tests:
       - contains:
           path: spec.template.spec.containers[0].env
           content:
-            name: SSL_CERT_FILE
-            value: "/ca-certs/test-fake-ca-configmap-key.crt"
+            name: SSL_CERT_DIR
+            value: "/ca-certs"
         template: webhook/deployment.yaml
       - contains:
           path: spec.template.spec.volumes
@@ -225,8 +226,8 @@ tests:
       - contains:
           path: spec.template.spec.containers[0].env
           content:
-            name: SSL_CERT_FILE
-            value: "/ca-certs/test-fake-ca-configmap-key.crt"
+            name: SSL_CERT_DIR
+            value: "/ca-certs"
         template: scanner/deployment.yaml
       - contains:
           path: spec.template.spec.volumes

diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml
@@ -22,22 +22,23 @@ global:
     ca:
       # For outbound connections (secure backend, proxy,...)
       # A PEM-encoded x509 certificate.  This can also be a bundle with multiple certificates.
-      cert:
-
-      # Example of a certificate
-      # cert: |
-      #   -----BEGIN CERTIFICATE-----
-      #   MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
-      #   MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
-      #   NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-      #   MMNlTAQ9fvdNOTzZntye0PQYR5SR13E=
-      #   -----END CERTIFICATE-----
-      #   -----BEGIN CERTIFICATE-----
-      #   MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
-      #   MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
-      #   NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-      #   MMNlTAQ9fvdNOTzZntye0PQYRTTS34D=
-      #   -----END CERTIFICATE-----
+      certs: []
+      # Example of certificate
+      # certs:
+      #   - |
+      #       -----BEGIN CERTIFICATE-----
+      #       MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+      #       MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+      #       NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+      #       MMNlTAQ9fvdNOTzZntye0PQYR5SR13E=
+      #       -----END CERTIFICATE-----
+      #   - |
+      #       -----BEGIN CERTIFICATE-----
+      #       MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+      #       MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+      #       NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+      #       MMNlTAQ9fvdNOTzZntye0PQYRTTS34D=
+      #       -----END CERTIFICATE-----
 
       # Filename that is used when creating the secret.  Required if cert is provided.
       keyName:
@@ -256,11 +257,31 @@ webhook:
       # <br/>And inbound connections to serve HttpRequests as Kubernetes Webhook.
       # <br/>A PEM-encoded x509 certificate authority.
       # <br/>If empty, a new CA will be autogenerated.
-      cert:
+      cert: ""
       # For outbound connections (secure backend, proxy,...)
       # <br/>A PEM-encoded private key of the certificate authority to use in the certificate generation.
       # <br/>If empty, a new CA will be autogenerated.
-      key:
+      key: ""
+
+      # For outbound connections (secure backend, proxy,...)
+      # A PEM-encoded x509 certificate.  This can also be a bundle with multiple certificates.
+      certs: []
+      # Example of certificate
+      # certs:
+      #   - |
+      #       -----BEGIN CERTIFICATE-----
+      #       MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+      #       MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+      #       NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+      #       MMNlTAQ9fvdNOTzZntye0PQYR5SR13E=
+      #       -----END CERTIFICATE-----
+      #   - |
+      #       -----BEGIN CERTIFICATE-----
+      #       MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+      #       MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+      #       NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+      #       MMNlTAQ9fvdNOTzZntye0PQYRTTS34D=
+      #       -----END CERTIFICATE-----
 
       # Filename that is used when creating the secret. Required if cert is provided.
       keyName:
@@ -396,7 +417,27 @@ scanner:
       # For outbound connections (secure backend, proxy,...).
       # <br/>A PEM-encoded x509 certificate authority.
       # <br/>If empty, a new CA will be autogenerated.
-      cert:
+      cert: ""
+
+      # For outbound connections (secure backend, proxy,...)
+      # A PEM-encoded x509 certificate.  This can also be a bundle with multiple certificates.
+      certs: []
+      # Example of certificate
+      # certs:
+      #   - |
+      #       -----BEGIN CERTIFICATE-----
+      #       MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+      #       MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+      #       NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+      #       MMNlTAQ9fvdNOTzZntye0PQYR5SR13E=
+      #       -----END CERTIFICATE-----
+      #   - |
+      #       -----BEGIN CERTIFICATE-----
+      #       MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+      #       MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+      #       NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+      #       MMNlTAQ9fvdNOTzZntye0PQYRTTS34D=
+      #       -----END CERTIFICATE-----
 
       # Filename that is used when creating the secret. Required if cert is provided.
       keyName: