{}
|
-| global.sysdig.secureAPIToken | Global API token to access Sysdig Secure. | ""
|
-| global.sysdig.secureAPITokenSecret | Global secret with API Token to access Sysdig Secure. | ""
|
-| global.sysdig.region | Global Sysdig Secure region | "us1"
|
-| global.proxy | Global HTTP Proxy settings. | {}
|
-| global.image.pullSecrets | | []
|
-| global.image.pullPolicy | | IfNotPresent
|
-| global.ssl.ca.cert | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. |
|
-| global.ssl.ca.keyName | Example of a certificate cert: | -----BEGIN CERTIFICATE----- MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= -----END CERTIFICATE----- Filename that is used when creating the secret. Required if cert is provided. |
|
-| global.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required |
|
-| global.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. |
|
-| global.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required |
|
-| global.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. |
|
-| clusterName | **required** ""
|
-| namespace | Namespace to install components (Optional, will default to release namespace). ""
|
-| sysdig.secureAPIToken | **required** ""
|
-| sysdig.existingSecureAPITokenSecret | **required** ""
|
-| sysdig.apiEndpoint | Sysdig URL.""
|
-| features.k8sAuditDetections | Enable K8s Audit detections with Falco rules | true
|
-| features.k8sAuditDetectionsRules | [Admission Webhook Configuration rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules) for the Audit Detections | [{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}]
|
-| verifySSL | For outbound connections (secure backend, proxy,...) true
|
-| nameOverride | Chart name override | ""
|
-| fullnameOverride | Chart full name override | ""
|
-| labels | Additional labels, applies to both scanner and webhook | {}
|
-| serviceAccounts.webhook.create | Create the service account | true
|
-| serviceAccounts.webhook.annotations | Extra annotations for serviceAccount | {}
|
-| serviceAccounts.webhook.name | Use this value as serviceAccount Name | ""
|
-| serviceAccounts.scanner.create | Create the service account | true
|
-| serviceAccounts.scanner.annotations | Extra annotations for serviceAccount | {}
|
-| serviceAccounts.scanner.name | Use this value as serviceAccount Name | ""
|
-| podMonitors.webhook.enabled | Enable the webhook PodMonitor to scrape metrics | false
|
-| podMonitors.webhook.labels | Labels on the webhook PodMonitor | {}
|
-| podMonitors.webhook.annotations | Annotations on the webhook PodMonitor | {}
|
-| podMonitors.scanner.enabled | Enable the scanner PodMonitor to scrape metrics | false
|
-| podMonitors.scanner.labels | Labels on the scanner PodMonitor | {}
|
-| podMonitors.scanner.annotations | Annotatons on the scanner PodMonitor | {}
|
-| webhook.name | Service name for Webhook deployment | webhook
|
-| webhook.replicaCount | Amount of replicas for webhook. **Deprecated**, use `webhook.autoscaling.minReplicas` and `webhook.autoscaling.maxReplicas` instead. | 1
|
-| webhook.image.registry | Webhook image registry | quay.io
|
-| webhook.image.repository | Webhook image registry | sysdig/admission-controller
|
-| webhook.image.pullPolicy | PullPolicy for Webhook image |
|
-| webhook.image.tag | Override the default image tag. If not specified, it defaults to appVersion in Chart.yaml |
|
-| webhook.image.digest | Specify the image digest value. If set, this value is used instead of the tag value. |
|
-| webhook.labels | Additional labels, applies to webhook only | {}
|
-| webhook.service.type | Use this type as webhook service | ClusterIP
|
-| webhook.service.port | Configure port for the webhook service | 443
|
-| webhook.rbac.create | Enable the creation of ClusterRoles and the binding of these roles | true
|
-| webhook.httpProxy | HTTP Proxy settings for webhook. ""
|
-| webhook.httpsProxy | HTTPS Proxy settings for webhook. ""
|
-| webhook.noProxy | List of hosts, IPs, or IPs in CIDR format that should not go through the proxy. We include "kubernetes" service and typical 10.0.0.0/8 services | kubernetes,10.0.0.0/8
|
-| webhook.podAnnotations | Webhook pod annotations. If empty, some annotations are automatically generated for prometheus scraping. | {}
|
-| webhook.podSecurityContext | Pod Security context for webhook.If empty, some security context are automatically generated. | {}
|
-| webhook.securityContext | Configure securityContext for webhook. If empty, some security context are automatically generated. | {}
|
-| webhook.hostNetwork | Specifies if the webhook should be started in hostNetwork mode. false
|
-| webhook.imagePullSecrets | The image pull secrets for webhook | []
|
-| webhook.resources | Resource request and limits for webhook | {"limits":{"cpu":"250m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}}
|
-| webhook.autoscaling.enabled | Enable horizontal pod autoscaling | true
|
-| webhook.autoscaling.minReplicas | Min replicas to use while autoscaling the webhook | 2
|
-| webhook.autoscaling.maxReplicas | Max replicas to use while autoscaling the webhook | 5
|
-| webhook.autoscaling.targetCPUUtilizationPercentage | Target CPU to use when the number of replicas must be increased | 80
|
-| webhook.timeoutSeconds | Number of seconds for the request to time out | 5
|
-| webhook.nodeSelector | Configure nodeSelector for scheduling for webhook | {}
|
-| webhook.priorityClassName | priorityClassName config for the webhook |
|
-| webhook.tolerations | Tolerations for scheduling for webhook | []
|
-| webhook.affinity | Configure affinity rules for webhook | {}
|
-| webhook.denyOnError | Deny request when an error happened evaluating request | false
|
-| webhook.dryRun | Dry Run request | false
|
-| webhook.logLevel | Log Level - Valid Values are: error, info, debug, trace | info
|
-| webhook.ssl.reuseTLSSecret | Reuse existing TLS Secret during chart upgrade | false
|
-| webhook.ssl.ca.cert | For outbound connections (secure backend, proxy,...)
|
-| webhook.ssl.ca.key | For outbound connections (secure backend, proxy,...)
|
-| webhook.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. |
|
-| webhook.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required |
|
-| webhook.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. |
|
-| webhook.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required |
|
-| webhook.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. |
|
-| webhook.ssl.cert | For inbound connections to serve HttpRequests as Kubernetes Webhook. ""
|
-| webhook.ssl.key | For inbound connections to serve HttpRequests as Kubernetes Webhook. ""
|
-| webhook.customEntryPoint | Custom entrypoint for the webhook []
|
-| webhook.http.port | HTTP serve port where the requests will be served from | 5000
|
-| scc.create | Enable the creation of Security Context Constraints in Openshift | true
|
-| scanner.enabled | If you only want the Kubernetes Audit Log functionality then disable this, and it will disable the Admission Controller Scanning Policy functionality. | true
|
-| scanner.name | Service name for Scanner deployment | scanner
|
-| scanner.replicaCount | Amount of replicas for scanner | 1
|
-| scanner.image.registry | Scanner image registry | quay.io
|
-| scanner.image.repository | Scanner image repository | sysdig/inline-scan-service
|
-| scanner.image.pullPolicy | PullPolicy for Scanner image |
|
-| scanner.image.tag | Scanner image tag | 0.0.13
|
-| scanner.image.digest | Specify the image digest value. If set, this value is used instead of the tag value. |
|
-| scanner.labels | Additional labels, applies to scanner only | {}
|
-| scanner.service.port | Configure port for the webhook service | 8080
|
-| scanner.authWithSecureToken | Authenticate with Secure token | false
|
-| scanner.httpProxy | HTTP Proxy settings for scanner. ""
|
-| scanner.httpsProxy | HTTPS Proxy settings for scanner. ""
|
-| scanner.noProxy | List of hosts, IPs, or IPs in CIDR format that should not go through the proxy. We include "kubernetes" service and typical 10.0.0.0/8 services | kubernetes,10.0.0.0/8
|
-| scanner.podAnnotations | Scanner pod annotations | {"prometheus.io/path":"/metrics","prometheus.io/port":"8080","prometheus.io/scrape":"true"}
|
-| scanner.psp.create | Whether to create a psp policy and role / role-binding | false
|
-| scanner.podSecurityContext | PSP's for scanner | {}
|
-| scanner.verifyRegistryTLS | Verify TLS on image pull from registries | true
|
-| scanner.dockerCfgSecretName | Docker config secret. Use a provided secret containing a .dockercfg for registry authentication (i.e. Openshift internal registry) | ""
|
-| scanner.securityContext | Configure securityContext for scanner | {"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}
|
-| scanner.imagePullSecrets | The image pull secrets for scanner | []
|
-| scanner.resources | Resource requests and limits for scanner | {}
|
-| scanner.nodeSelector | Configure nodeSelector for scheduling for the scanner | {}
|
-| scanner.priorityClassName | priorityClassName config for the scanner |
|
-| scanner.tolerations | Tolerations for scheduling for the scanner | []
|
-| scanner.affinity | Configure affinity rules for the scanner | {}
|
-| scanner.ssl.ca.cert | For outbound connections (secure backend, proxy,...).
|
-| scanner.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. |
|
-| scanner.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required |
|
-| scanner.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. |
|
-| scanner.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required |
|
-| scanner.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. |
|
-| scanner.customEntryPoint | Custom entrypoint for the scanner. []
|
+| Parameter | Description | Default |
+|----------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| global.clusterConfig | Global cluster config options. | {}
|
+| global.sysdig.secureAPIToken | Global API token to access Sysdig Secure. | ""
|
+| global.sysdig.secureAPITokenSecret | Global secret with API Token to access Sysdig Secure. | ""
|
+| global.sysdig.region | Global Sysdig Secure region | "us1"
|
+| global.proxy | Global HTTP Proxy settings. | {}
|
+| global.image.pullSecrets | | []
|
+| global.image.pullPolicy | | IfNotPresent
|
+| global.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | []
|
+| global.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. |
|
+| global.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required |
|
+| global.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. |
|
+| global.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required |
|
+| global.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. |
|
+| clusterName | **required** ""
|
+| namespace | Namespace to install components (Optional, will default to release namespace). ""
|
+| sysdig.secureAPIToken | **required** ""
|
+| sysdig.existingSecureAPITokenSecret | **required** ""
|
+| sysdig.apiEndpoint | Sysdig URL.""
|
+| features.k8sAuditDetections | Enable K8s Audit detections with Falco rules | true
|
+| features.k8sAuditDetectionsRules | [Admission Webhook Configuration rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules) for the Audit Detections | [{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}]
|
+| verifySSL | For outbound connections (secure backend, proxy,...) true
|
+| nameOverride | Chart name override | ""
|
+| fullnameOverride | Chart full name override | ""
|
+| labels | Additional labels, applies to both scanner and webhook | {}
|
+| serviceAccounts.webhook.create | Create the service account | true
|
+| serviceAccounts.webhook.annotations | Extra annotations for serviceAccount | {}
|
+| serviceAccounts.webhook.name | Use this value as serviceAccount Name | ""
|
+| serviceAccounts.scanner.create | Create the service account | true
|
+| serviceAccounts.scanner.annotations | Extra annotations for serviceAccount | {}
|
+| serviceAccounts.scanner.name | Use this value as serviceAccount Name | ""
|
+| podMonitors.webhook.enabled | Enable the webhook PodMonitor to scrape metrics | false
|
+| podMonitors.webhook.labels | Labels on the webhook PodMonitor | {}
|
+| podMonitors.webhook.annotations | Annotations on the webhook PodMonitor | {}
|
+| podMonitors.scanner.enabled | Enable the scanner PodMonitor to scrape metrics | false
|
+| podMonitors.scanner.labels | Labels on the scanner PodMonitor | {}
|
+| podMonitors.scanner.annotations | Annotatons on the scanner PodMonitor | {}
|
+| webhook.name | Service name for Webhook deployment | webhook
|
+| webhook.replicaCount | Amount of replicas for webhook. **Deprecated**, use `webhook.autoscaling.minReplicas` and `webhook.autoscaling.maxReplicas` instead. | 1
|
+| webhook.image.registry | Webhook image registry | quay.io
|
+| webhook.image.repository | Webhook image registry | sysdig/admission-controller
|
+| webhook.image.pullPolicy | PullPolicy for Webhook image |
|
+| webhook.image.tag | Override the default image tag. If not specified, it defaults to appVersion in Chart.yaml |
|
+| webhook.image.digest | Specify the image digest value. If set, this value is used instead of the tag value. |
|
+| webhook.labels | Additional labels, applies to webhook only | {}
|
+| webhook.service.type | Use this type as webhook service | ClusterIP
|
+| webhook.service.port | Configure port for the webhook service | 443
|
+| webhook.rbac.create | Enable the creation of ClusterRoles and the binding of these roles | true
|
+| webhook.httpProxy | HTTP Proxy settings for webhook. ""
|
+| webhook.httpsProxy | HTTPS Proxy settings for webhook. ""
|
+| webhook.noProxy | List of hosts, IPs, or IPs in CIDR format that should not go through the proxy. We include "kubernetes" service and typical 10.0.0.0/8 services | kubernetes,10.0.0.0/8
|
+| webhook.podAnnotations | Webhook pod annotations. If empty, some annotations are automatically generated for prometheus scraping. | {}
|
+| webhook.podSecurityContext | Pod Security context for webhook.If empty, some security context are automatically generated. | {}
|
+| webhook.securityContext | Configure securityContext for webhook. If empty, some security context are automatically generated. | {}
|
+| webhook.hostNetwork | Specifies if the webhook should be started in hostNetwork mode. false
|
+| webhook.imagePullSecrets | The image pull secrets for webhook | []
|
+| webhook.resources | Resource request and limits for webhook | {"limits":{"cpu":"250m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}}
|
+| webhook.autoscaling.enabled | Enable horizontal pod autoscaling | true
|
+| webhook.autoscaling.minReplicas | Min replicas to use while autoscaling the webhook | 2
|
+| webhook.autoscaling.maxReplicas | Max replicas to use while autoscaling the webhook | 5
|
+| webhook.autoscaling.targetCPUUtilizationPercentage | Target CPU to use when the number of replicas must be increased | 80
|
+| webhook.timeoutSeconds | Number of seconds for the request to time out | 5
|
+| webhook.nodeSelector | Configure nodeSelector for scheduling for webhook | {}
|
+| webhook.priorityClassName | priorityClassName config for the webhook |
|
+| webhook.tolerations | Tolerations for scheduling for webhook | []
|
+| webhook.affinity | Configure affinity rules for webhook | {}
|
+| webhook.denyOnError | Deny request when an error happened evaluating request | false
|
+| webhook.dryRun | Dry Run request | false
|
+| webhook.logLevel | Log Level - Valid Values are: error, info, debug, trace | info
|
+| webhook.ssl.reuseTLSSecret | Reuse existing TLS Secret during chart upgrade | false
|
+| webhook.ssl.ca.cert | For outbound connections (secure backend, proxy,...) ""
|
+| webhook.ssl.ca.key | For outbound connections (secure backend, proxy,...) ""
|
+| webhook.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | []
|
+| webhook.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. |
|
+| webhook.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required |
|
+| webhook.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. |
|
+| webhook.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required |
|
+| webhook.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. |
|
+| webhook.ssl.cert | For inbound connections to serve HttpRequests as Kubernetes Webhook. ""
|
+| webhook.ssl.key | For inbound connections to serve HttpRequests as Kubernetes Webhook. ""
|
+| webhook.customEntryPoint | Custom entrypoint for the webhook []
|
+| webhook.http.port | HTTP serve port where the requests will be served from | 5000
|
+| scc.create | Enable the creation of Security Context Constraints in Openshift | true
|
+| scanner.enabled | If you only want the Kubernetes Audit Log functionality then disable this, and it will disable the Admission Controller Scanning Policy functionality. | true
|
+| scanner.name | Service name for Scanner deployment | scanner
|
+| scanner.replicaCount | Amount of replicas for scanner | 1
|
+| scanner.image.registry | Scanner image registry | quay.io
|
+| scanner.image.repository | Scanner image repository | sysdig/inline-scan-service
|
+| scanner.image.pullPolicy | PullPolicy for Scanner image |
|
+| scanner.image.tag | Scanner image tag | 0.0.13
|
+| scanner.image.digest | Specify the image digest value. If set, this value is used instead of the tag value. |
|
+| scanner.labels | Additional labels, applies to scanner only | {}
|
+| scanner.service.port | Configure port for the webhook service | 8080
|
+| scanner.authWithSecureToken | Authenticate with Secure token | false
|
+| scanner.httpProxy | HTTP Proxy settings for scanner. ""
|
+| scanner.httpsProxy | HTTPS Proxy settings for scanner. ""
|
+| scanner.noProxy | List of hosts, IPs, or IPs in CIDR format that should not go through the proxy. We include "kubernetes" service and typical 10.0.0.0/8 services | kubernetes,10.0.0.0/8
|
+| scanner.podAnnotations | Scanner pod annotations | {"prometheus.io/path":"/metrics","prometheus.io/port":"8080","prometheus.io/scrape":"true"}
|
+| scanner.psp.create | Whether to create a psp policy and role / role-binding | false
|
+| scanner.podSecurityContext | PSP's for scanner | {}
|
+| scanner.verifyRegistryTLS | Verify TLS on image pull from registries | true
|
+| scanner.dockerCfgSecretName | Docker config secret. Use a provided secret containing a .dockercfg for registry authentication (i.e. Openshift internal registry) | ""
|
+| scanner.securityContext | Configure securityContext for scanner | {"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}
|
+| scanner.imagePullSecrets | The image pull secrets for scanner | []
|
+| scanner.resources | Resource requests and limits for scanner | {}
|
+| scanner.nodeSelector | Configure nodeSelector for scheduling for the scanner | {}
|
+| scanner.priorityClassName | priorityClassName config for the scanner |
|
+| scanner.tolerations | Tolerations for scheduling for the scanner | []
|
+| scanner.affinity | Configure affinity rules for the scanner | {}
|
+| scanner.ssl.ca.cert | For outbound connections (secure backend, proxy,...). ""
|
+| scanner.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | []
|
+| scanner.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. |
|
+| scanner.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required |
|
+| scanner.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. |
|
+| scanner.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required |
|
+| scanner.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. |
|
+| scanner.customEntryPoint | Custom entrypoint for the scanner. []
|
Specify each parameter using the **`--set key=value[,key=value]`** argument to `helm upgrade --install`. For example:
diff --git a/charts/admission-controller/templates/_helpers.tpl b/charts/admission-controller/templates/_helpers.tpl
index 633c39b32..1256ad932 100644
--- a/charts/admission-controller/templates/_helpers.tpl
+++ b/charts/admission-controller/templates/_helpers.tpl
@@ -257,20 +257,6 @@ Create the name of the service account to use
{{ default (include "admissionController.scanner.fullname" .) .Values.serviceAccounts.scanner.name }}
{{- end -}}
-{{/*
-Generate certificates for aggregated api server
-*/}}
-
-{{- $cert := genCA ( printf "%s.%s.svc" (include "admissionController.scanner.fullname" .) .Release.Namespace ) 3650 -}}
-
-{{- define "admissionController.scanner.gen-certs" -}}
-{{- $ca := genCA (include "admissionController.scanner.fullname" .) 3650 -}}
-{{- $cn := printf "%s.%s.svc" (include "admissionController.scanner.fullname" .) .Release.Namespace -}}
-{{- $san := list $cn -}}
-{{- $cert := genSignedCert $cn nil $san 3650 $ca -}}
-{{- printf "%s$%s$%s" ($cert.Cert | b64enc) ($cert.Key | b64enc) ($ca.Cert | b64enc) -}}
-{{- end -}}
-
{{/*
Allow overriding registry and repository for air-gapped environments
*/}}
diff --git a/charts/admission-controller/templates/scanner/deployment.yaml b/charts/admission-controller/templates/scanner/deployment.yaml
index bb150fee4..4712f1fd1 100644
--- a/charts/admission-controller/templates/scanner/deployment.yaml
+++ b/charts/admission-controller/templates/scanner/deployment.yaml
@@ -41,7 +41,7 @@ spec:
defaultMode: 420
secretName: {{ .Values.scanner.dockerCfgSecretName }}
{{- end }}
- {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
+ {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
- name: ca-cert
secret:
secretName: {{ include "admissionController.scanner.fullname" . }}-ca
@@ -67,7 +67,7 @@ spec:
name: dockercfg
readOnly: true
{{- end }}
- {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
+ {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
- name: ca-cert
mountPath: /ca-certs
readOnly: true
@@ -91,9 +91,9 @@ spec:
- name: NO_PROXY
value: {{ include "scanner.noProxy" . }}
{{- end }}
- {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
- - name: SSL_CERT_FILE
- value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) -}}
+ {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
+ - name: SSL_CERT_DIR
+ value: /ca-certs
{{- end }}
envFrom:
- configMapRef:
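Review bot: Replacing SSL_CERT_FILE with SSL_CERT_DIR in the new env lines changes how the trust store is read, and whether a directory works depends on the container's TLS library, which this hunk does not show. Go's crypto/x509 loads every regular file under SSL_CERT_DIR regardless of filename, but OpenSSL-based stacks look up `c_rehash`-style `<hash>.N` entries in that directory, so keys named like `global_root_ca.crt` or `root_ca_file.crt` would not be picked up there. Worth confirming against the scanner image, and against the webhook image where `webhook/deployment.yaml` makes the same switch, and recording the assumption in the template, e.g. `# SSL_CERT_DIR: every file mounted under /ca-certs becomes a trust anchor; requires a TLS stack that scans the directory (Go does, OpenSSL expects hashed names)`. The directory form also means any extra key later added to the `-ca` Secret is trusted automatically, a wider surface than the single-file form, which the comment should make visible.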
diff --git a/charts/admission-controller/templates/scanner/secret.yaml b/charts/admission-controller/templates/scanner/secret.yaml
index 506d4a566..10b6c4ad8 100644
--- a/charts/admission-controller/templates/scanner/secret.yaml
+++ b/charts/admission-controller/templates/scanner/secret.yaml
@@ -19,7 +19,7 @@ stringData:
AUTH_BEARER_TOKEN: {{ include "sysdig.secureAPIToken" . }}
{{- end }}
---
-{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
+{{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
apiVersion: v1
kind: Secret
metadata:
@@ -27,6 +27,11 @@ metadata:
namespace: {{ include "admissionController.namespace" . }}
labels: {{- include "admissionController.scanner.labels" . | nindent 4 }}
data:
+ {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
{{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
+ {{- end }}
+ {{- if or .Values.scanner.ssl.ca.cert }}
+ root_ca_file.crt: {{ .Values.scanner.ssl.ca.cert | b64enc | quote }}
+ {{- end }}
{{- end }}
{{- end }}
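Review bot: `{{- if or .Values.scanner.ssl.ca.cert }}` in the new `data:` block applies `or` to a single operand, which evaluates to that operand; `{{- if .Values.scanner.ssl.ca.cert }}` says the same thing and matches the guard form used on the line above it (the same single-operand `or` appears in `webhook/secret.yaml`). The fixed key `root_ca_file.crt` is emitted into the same map as the user-chosen `keyName`, so setting `keyName: root_ca_file.crt` together with the legacy `cert` value renders a duplicate key in the Secret; a comment such as `# legacy single-cert value; keyName must not also be root_ca_file.crt`, or a `fail` guard on that collision, would make the constraint explicit. The scanner and webhook secrets also emit the two keys in opposite order, which is harmless but worth aligning.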
diff --git a/charts/admission-controller/templates/webhook/deployment.yaml b/charts/admission-controller/templates/webhook/deployment.yaml
index 5ac6e5a3a..2171000c7 100644
--- a/charts/admission-controller/templates/webhook/deployment.yaml
+++ b/charts/admission-controller/templates/webhook/deployment.yaml
@@ -84,9 +84,9 @@ spec:
- name: NO_PROXY
value: {{ include "webhook.noProxy" . }},{{ include "admissionController.scanner.fullname" . }}
{{- end }}
- {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
- - name: SSL_CERT_FILE
- value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) -}}
+ {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
+ - name: SSL_CERT_DIR
+ value: /ca-certs
{{- end }}
ports:
- name: http
@@ -117,7 +117,7 @@ spec:
- name: cert
mountPath: /cert
readOnly: true
- {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
+ {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
- name: ca-cert
mountPath: /ca-certs
readOnly: true
@@ -128,7 +128,7 @@ spec:
- name: cert
secret:
secretName: {{ include "admissionController.webhook.fullname" . }}-tls
- {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
+ {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
- name: ca-cert
secret:
secretName: {{ include "admissionController.webhook.fullname" . }}-ca
diff --git a/charts/admission-controller/templates/webhook/secret.yaml b/charts/admission-controller/templates/webhook/secret.yaml
index 57685bb28..f9473c78b 100644
--- a/charts/admission-controller/templates/webhook/secret.yaml
+++ b/charts/admission-controller/templates/webhook/secret.yaml
@@ -10,7 +10,7 @@ stringData:
SECURE_API_TOKEN: {{ include "sysdig.secureAPIToken" . }}
{{- end }}
---
-{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
+{{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
apiVersion: v1
kind: Secret
metadata:
@@ -19,5 +19,10 @@ metadata:
labels:
{{ include "admissionController.webhook.labels" . | nindent 4 }}
data:
+ {{- if or .Values.webhook.ssl.ca.cert }}
+ root_ca_file.crt: {{ .Values.webhook.ssl.ca.cert | b64enc | quote }}
+ {{- end }}
+ {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
{{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
+ {{- end }}
{{- end }}
diff --git a/charts/admission-controller/tests/ca_cert_test.yaml b/charts/admission-controller/tests/ca_cert_test.yaml
index a9d40ffee..e6047f7ec 100644
--- a/charts/admission-controller/tests/ca_cert_test.yaml
+++ b/charts/admission-controller/tests/ca_cert_test.yaml
@@ -28,8 +28,8 @@ tests:
- notContains:
path: spec.template.spec.containers[0].env
content:
- name: SSL_CERT_FILE
- value: "/ca-certs/global_root_ca.crt"
+ name: SSL_CERT_DIR
+ value: "/ca-certs"
template: webhook/deployment.yaml
- notContains:
path: spec.template.spec.volumes
@@ -48,8 +48,8 @@ tests:
- notContains:
path: spec.template.spec.containers[0].env
content:
- name: SSL_CERT_FILE
- value: "/ca-certs/global_root_ca.crt"
+ name: SSL_CERT_DIR
+ value: "/ca-certs"
template: scanner/deployment.yaml
- notContains:
path: spec.template.spec.volumes
@@ -77,10 +77,11 @@ tests:
global:
ssl:
ca:
- cert: |
- -----BEGIN CERTIFICATE-----
- my-test-cert
- -----END CERTIFICATE-----
+ certs:
+ - |
+ -----BEGIN CERTIFICATE-----
+ my-test-cert
+ -----END CERTIFICATE-----
keyName: "global_root_ca.crt"
sysdig:
accessKey: standard-key
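Review bot: The `global.ssl.ca.certs` fixture in this hunk exercises only a one-element list, and none of the visible hunks in this file cover the legacy per-component `scanner.ssl.ca.cert` / `webhook.ssl.ca.cert` path that the secret and deployment templates now accept, so the `root_ca_file.crt` key and its new `or` guards are untested as far as this diff shows (the rest of the file is outside the hunks, so such a case may exist elsewhere). A case with two entries in `certs`, and a case setting only the legacy `cert` value that asserts the `-ca` Secret carries `root_ca_file.crt` and that `SSL_CERT_DIR` is set, would pin the compatibility behaviour this commit introduces.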
@@ -89,8 +90,8 @@ tests:
- contains:
path: spec.template.spec.containers[0].env
content:
- name: SSL_CERT_FILE
- value: "/ca-certs/global_root_ca.crt"
+ name: SSL_CERT_DIR
+ value: "/ca-certs"
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.volumes
@@ -109,8 +110,8 @@ tests:
- contains:
path: spec.template.spec.containers[0].env
content:
- name: SSL_CERT_FILE
- value: "/ca-certs/global_root_ca.crt"
+ name: SSL_CERT_DIR
+ value: "/ca-certs"
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.volumes
@@ -147,8 +148,8 @@ tests:
- contains:
path: spec.template.spec.containers[0].env
content:
- name: SSL_CERT_FILE
- value: "/ca-certs/test-fake-ca-secret-key.crt"
+ name: SSL_CERT_DIR
+ value: "/ca-certs"
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.volumes
@@ -167,8 +168,8 @@ tests:
- contains:
path: spec.template.spec.containers[0].env
content:
- name: SSL_CERT_FILE
- value: "/ca-certs/test-fake-ca-secret-key.crt"
+ name: SSL_CERT_DIR
+ value: "/ca-certs"
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.volumes
@@ -205,8 +206,8 @@ tests:
- contains:
path: spec.template.spec.containers[0].env
content:
- name: SSL_CERT_FILE
- value: "/ca-certs/test-fake-ca-configmap-key.crt"
+ name: SSL_CERT_DIR
+ value: "/ca-certs"
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.volumes
@@ -225,8 +226,8 @@ tests:
- contains:
path: spec.template.spec.containers[0].env
content:
- name: SSL_CERT_FILE
- value: "/ca-certs/test-fake-ca-configmap-key.crt"
+ name: SSL_CERT_DIR
+ value: "/ca-certs"
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.volumes
diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml
index 6b9afd702..3c5d8d1ed 100644
--- a/charts/admission-controller/values.yaml
+++ b/charts/admission-controller/values.yaml
@@ -22,22 +22,23 @@ global:
ca:
# For outbound connections (secure backend, proxy,...)
# A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates.
- cert:
-
- # Example of a certificate
- # cert: |
- # -----BEGIN CERTIFICATE-----
- # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
- # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
- # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
- # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E=
- # -----END CERTIFICATE-----
- # -----BEGIN CERTIFICATE-----
- # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
- # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
- # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
- # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D=
- # -----END CERTIFICATE-----
+ certs: []
+ # Example of certificate
+ # certs:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+ # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+ # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E=
+ # -----END CERTIFICATE-----
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU
+ # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1
+ # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+ # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D=
+ # -----END CERTIFICATE-----
# Filename that is used when creating the secret. Required if cert is provided.
keyName:
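Review bot: The kept comment above `keyName:` still reads `Required if cert is provided.` although the value it refers to was renamed to `certs` in this hunk; `# Filename that is used when creating the secret. Required if certs is provided.` keeps it accurate (the README rows for `keyName` that follow the new `certs` entries carry the same stale wording). `keyName:` is also left as a bare empty value, which YAML parses as null rather than an empty string; `keyName: ""` states the intent and satisfies yamllint's empty-values check.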
@@ -256,11 +257,31 @@ webhook:
#