From 888036f2dd8b1e22ca4aa9e9abf3605290e07f5f Mon Sep 17 00:00:00 2001 From: Alberto Barba Date: Thu, 13 Jul 2023 12:19:58 +0200 Subject: [PATCH] feat(admission-controller,agent,common,kspm-collector,node-analyzer,rapid-response,sysdig-deploy): refactor in order to allow certs to be specified as list and avoid BC --- charts/admission-controller/README.md | 234 +++++++++--------- .../templates/_helpers.tpl | 14 -- .../templates/scanner/deployment.yaml | 10 +- .../templates/scanner/secret.yaml | 7 +- .../templates/webhook/deployment.yaml | 10 +- .../templates/webhook/secret.yaml | 7 +- .../tests/ca_cert_test.yaml | 41 +-- charts/admission-controller/values.yaml | 79 ++++-- charts/agent/tests/ca_cert_test.yaml | 87 ++++--- charts/agent/values.yaml | 49 +++- charts/common/templates/_custom_ca.tpl | 14 +- charts/kspm-collector/tests/ca_cert_test.yaml | 9 +- charts/kspm-collector/values.yaml | 46 +++- charts/node-analyzer/tests/ca_cert_test.yaml | 36 +-- charts/node-analyzer/values.yaml | 52 ++-- .../rapid-response/templates/daemonset.yaml | 13 +- charts/rapid-response/templates/secrets.yaml | 14 -- charts/rapid-response/tests/ca_cert_test.yaml | 53 ++-- charts/rapid-response/values.yaml | 80 ++---- charts/sysdig-deploy/values.yaml | 29 ++- 20 files changed, 477 insertions(+), 407 deletions(-) diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md index ff4946f31..d997f26d3 100644 --- a/charts/admission-controller/README.md +++ b/charts/admission-controller/README.md 
@@ -78,122 +78,124 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the `admission-controller` chart and their default values. -| Parameter | Description | Default | -|----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| global.clusterConfig | Global cluster config options. | {} | -| global.sysdig.secureAPIToken | Global API token to access Sysdig Secure. | "" | -| global.sysdig.secureAPITokenSecret | Global secret with API Token to access Sysdig Secure. | "" | -| global.sysdig.region | Global Sysdig Secure region | "us1" | -| global.proxy | Global HTTP Proxy settings. | {} | -| global.image.pullSecrets | | [] | -| global.image.pullPolicy | | IfNotPresent | -| global.ssl.ca.cert | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. 
| | -| global.ssl.ca.keyName | Example of a certificate cert: | -----BEGIN CERTIFICATE----- MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= -----END CERTIFICATE----- Filename that is used when creating the secret. Required if cert is provided. | | -| global.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | -| global.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. | | -| global.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | -| global.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. | | -| clusterName | **required**
Cluster Name which appear on Secure UI | "" | -| namespace | Namespace to install components (Optional, will default to release namespace).

IMPORTANT: If a namespace is specified this way it must already exist otherwise installation will fail. | "" | -| sysdig.secureAPIToken | **required**
API Token to access Sysdig Secure.

If neither this value nor `sysdig.existingSecureAPITokenSecret` are configured, the user will be required to provide the deployment the `SECURE_API_TOKEN` (and `AUTH_BEARER_TOKEN` if the scanner is enabled) environment variables. Overrides `global.sysdig.secureAPIToken` | "" | -| sysdig.existingSecureAPITokenSecret | **required**
Existing secret with API Token to access Sysdig Secure
Alternatively, specify the name of a Kubernetes secret containing `SECURE_API_TOKEN` and `AUTH_BEARER_TOKEN` entry if you're also enabling scanner.

If neither this value nor `sysdig.secureAPIToken` are configured, the user will be required to provide the deployment the `SECURE_API_TOKEN` (and `AUTH_BEARER_TOKEN` if the scanner is enabled) environment variables. | "" | -| sysdig.apiEndpoint | Sysdig URL.
- Default secure.sysdig.com is for the us-east region.
- For us-west use us2.app.sysdig.com
- For European Union, use eu1.app.sysdig.com
- For APAC, use app.au1.sysdig.com
- For US4 (our west Google cloud region) use app.us4.sysdig.com
- For on-prem, your own enpoints
| "" | -| features.k8sAuditDetections | Enable K8s Audit detections with Falco rules | true | -| features.k8sAuditDetectionsRules | [Admission Webhook Configuration rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules) for the Audit Detections | [{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}] | -| verifySSL | For outbound connections (secure backend, proxy,...)
Whether to verify SSL on HTTPS connections | true | -| nameOverride | Chart name override | "" | -| fullnameOverride | Chart full name override | "" | -| labels | Additional labels, applies to both scanner and webhook | {} | -| serviceAccounts.webhook.create | Create the service account | true | -| serviceAccounts.webhook.annotations | Extra annotations for serviceAccount | {} | -| serviceAccounts.webhook.name | Use this value as serviceAccount Name | "" | -| serviceAccounts.scanner.create | Create the service account | true | -| serviceAccounts.scanner.annotations | Extra annotations for serviceAccount | {} | -| serviceAccounts.scanner.name | Use this value as serviceAccount Name | "" | -| podMonitors.webhook.enabled | Enable the webhook PodMonitor to scrape metrics | false | -| podMonitors.webhook.labels | Labels on the webhook PodMonitor | {} | -| podMonitors.webhook.annotations | Annotations on the webhook PodMonitor | {} | -| podMonitors.scanner.enabled | Enable the scanner PodMonitor to scrape metrics | false | -| podMonitors.scanner.labels | Labels on the scanner PodMonitor | {} | -| podMonitors.scanner.annotations | Annotatons on the scanner PodMonitor | {} | -| webhook.name | Service name for Webhook deployment | webhook | -| webhook.replicaCount | Amount of replicas for webhook. **Deprecated**, use `webhook.autoscaling.minReplicas` and `webhook.autoscaling.maxReplicas` instead. | 1 | -| webhook.image.registry | Webhook image registry | quay.io | -| webhook.image.repository | Webhook image registry | sysdig/admission-controller | -| webhook.image.pullPolicy | PullPolicy for Webhook image | | -| webhook.image.tag | Override the default image tag. If not specified, it defaults to appVersion in Chart.yaml | | -| webhook.image.digest | Specify the image digest value. If set, this value is used instead of the tag value. 
| | -| webhook.labels | Additional labels, applies to webhook only | {} | -| webhook.service.type | Use this type as webhook service | ClusterIP | -| webhook.service.port | Configure port for the webhook service | 443 | -| webhook.rbac.create | Enable the creation of ClusterRoles and the binding of these roles | true | -| webhook.httpProxy | HTTP Proxy settings for webhook.
Set to http(s)://proxyIp:proxyPort in case connection to Sysdig Secure requires a proxy | "" | -| webhook.httpsProxy | HTTPS Proxy settings for webhook.
Set to http(s)://proxyIp:proxyPort in case connection to Sysdig Secure requires a proxy | "" | -| webhook.noProxy | List of hosts, IPs, or IPs in CIDR format that should not go through the proxy. We include "kubernetes" service and typical 10.0.0.0/8 services | kubernetes,10.0.0.0/8 | -| webhook.podAnnotations | Webhook pod annotations. If empty, some annotations are automatically generated for prometheus scraping. | {} | -| webhook.podSecurityContext | Pod Security context for webhook.If empty, some security context are automatically generated. | {} | -| webhook.securityContext | Configure securityContext for webhook. If empty, some security context are automatically generated. | {} | -| webhook.hostNetwork | Specifies if the webhook should be started in hostNetwork mode.
This is required if using a custom CNI where the managed control plane nodes are unable to initiate network connections to the pods, for example using Calico CNI plugin on EKS.
This is not required or recommended in most contexts. | false | -| webhook.imagePullSecrets | The image pull secrets for webhook | [] | -| webhook.resources | Resource request and limits for webhook | {"limits":{"cpu":"250m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}} | -| webhook.autoscaling.enabled | Enable horizontal pod autoscaling | true | -| webhook.autoscaling.minReplicas | Min replicas to use while autoscaling the webhook | 2 | -| webhook.autoscaling.maxReplicas | Max replicas to use while autoscaling the webhook | 5 | -| webhook.autoscaling.targetCPUUtilizationPercentage | Target CPU to use when the number of replicas must be increased | 80 | -| webhook.timeoutSeconds | Number of seconds for the request to time out | 5 | -| webhook.nodeSelector | Configure nodeSelector for scheduling for webhook | {} | -| webhook.priorityClassName | priorityClassName config for the webhook | | -| webhook.tolerations | Tolerations for scheduling for webhook | [] | -| webhook.affinity | Configure affinity rules for webhook | {} | -| webhook.denyOnError | Deny request when an error happened evaluating request | false | -| webhook.dryRun | Dry Run request | false | -| webhook.logLevel | Log Level - Valid Values are: error, info, debug, trace | info | -| webhook.ssl.reuseTLSSecret | Reuse existing TLS Secret during chart upgrade | false | -| webhook.ssl.ca.cert | For outbound connections (secure backend, proxy,...)
And inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded x509 certificate authority.
If empty, a new CA will be autogenerated. | | -| webhook.ssl.ca.key | For outbound connections (secure backend, proxy,...)
A PEM-encoded private key of the certificate authority to use in the certificate generation.
If empty, a new CA will be autogenerated. | | -| webhook.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | -| webhook.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | -| webhook.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. | | -| webhook.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | -| webhook.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. | | -| webhook.ssl.cert | For inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded x509 certificate signed by the CA.
If empty, a new cert will be generated.
If provided, it must be valid with the `webhook.ssl.ca`.
If this is set, the key must also be provided. | "" | -| webhook.ssl.key | For inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded private key signed by the CA.
If empty, a new key will be generated.
If provided, it must be valid with the `webhook.ssl.ca`.
If this is set, the cert must also be provided. | "" | -| webhook.customEntryPoint | Custom entrypoint for the webhook
Remember to provide the webhook valid arguments with `--tls_cert_file` and `--tls_private_key_file`.
default: /bin/webhook --tls_cert_file /cert/tls.crt --tls_private_key_file /cert/tls.key | [] | -| webhook.http.port | HTTP serve port where the requests will be served from | 5000 | -| scc.create | Enable the creation of Security Context Constraints in Openshift | true | -| scanner.enabled | If you only want the Kubernetes Audit Log functionality then disable this, and it will disable the Admission Controller Scanning Policy functionality. | true | -| scanner.name | Service name for Scanner deployment | scanner | -| scanner.replicaCount | Amount of replicas for scanner | 1 | -| scanner.image.registry | Scanner image registry | quay.io | -| scanner.image.repository | Scanner image repository | sysdig/inline-scan-service | -| scanner.image.pullPolicy | PullPolicy for Scanner image | | -| scanner.image.tag | Scanner image tag | 0.0.13 | -| scanner.image.digest | Specify the image digest value. If set, this value is used instead of the tag value. | | -| scanner.labels | Additional labels, applies to scanner only | {} | -| scanner.service.port | Configure port for the webhook service | 8080 | -| scanner.authWithSecureToken | Authenticate with Secure token | false | -| scanner.httpProxy | HTTP Proxy settings for scanner.
Set to http(s)://proxyIp:proxyPort in case connection to Sysdig Secure requires a proxy | "" | -| scanner.httpsProxy | HTTPS Proxy settings for scanner.
Set to http(s)://proxyIp:proxyPort in case connection to Sysdig Secure requires a proxy | "" | -| scanner.noProxy | List of hosts, IPs, or IPs in CIDR format that should not go through the proxy. We include "kubernetes" service and typical 10.0.0.0/8 services | kubernetes,10.0.0.0/8 | -| scanner.podAnnotations | Scanner pod annotations | {"prometheus.io/path":"/metrics","prometheus.io/port":"8080","prometheus.io/scrape":"true"} | -| scanner.psp.create | Whether to create a psp policy and role / role-binding | false | -| scanner.podSecurityContext | PSP's for scanner | {} | -| scanner.verifyRegistryTLS | Verify TLS on image pull from registries | true | -| scanner.dockerCfgSecretName | Docker config secret. Use a provided secret containing a .dockercfg for registry authentication (i.e. Openshift internal registry) | "" | -| scanner.securityContext | Configure securityContext for scanner | {"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true} | -| scanner.imagePullSecrets | The image pull secrets for scanner | [] | -| scanner.resources | Resource requests and limits for scanner | {} | -| scanner.nodeSelector | Configure nodeSelector for scheduling for the scanner | {} | -| scanner.priorityClassName | priorityClassName config for the scanner | | -| scanner.tolerations | Tolerations for scheduling for the scanner | [] | -| scanner.affinity | Configure affinity rules for the scanner | {} | -| scanner.ssl.ca.cert | For outbound connections (secure backend, proxy,...).
A PEM-encoded x509 certificate authority.
If empty, a new CA will be autogenerated. | | -| scanner.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | -| scanner.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | -| scanner.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. | | -| scanner.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | -| scanner.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. | | -| scanner.customEntryPoint | Custom entrypoint for the scanner.
Remember to provide the scanner valid arguments with `--server_port` and optionally `--auth_secure_token`
default: /inline-scan-service --server_port=8080 | [] | +| Parameter | Description | Default | +|----------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| global.clusterConfig | Global cluster config options. | {} | +| global.sysdig.secureAPIToken | Global API token to access Sysdig Secure. | "" | +| global.sysdig.secureAPITokenSecret | Global secret with API Token to access Sysdig Secure. | "" | +| global.sysdig.region | Global Sysdig Secure region | "us1" | +| global.proxy | Global HTTP Proxy settings. | {} | +| global.image.pullSecrets | | [] | +| global.image.pullPolicy | | IfNotPresent | +| global.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | +| global.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | +| global.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | +| global.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. 
| | +| global.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | +| global.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. | | +| clusterName | **required**
Cluster Name which appear on Secure UI | "" | +| namespace | Namespace to install components (Optional, will default to release namespace).

IMPORTANT: If a namespace is specified this way it must already exist otherwise installation will fail. | "" | +| sysdig.secureAPIToken | **required**
API Token to access Sysdig Secure.

If neither this value nor `sysdig.existingSecureAPITokenSecret` are configured, the user will be required to provide the deployment the `SECURE_API_TOKEN` (and `AUTH_BEARER_TOKEN` if the scanner is enabled) environment variables. Overrides `global.sysdig.secureAPIToken` | "" | +| sysdig.existingSecureAPITokenSecret | **required**
Existing secret with API Token to access Sysdig Secure
Alternatively, specify the name of a Kubernetes secret containing `SECURE_API_TOKEN` and `AUTH_BEARER_TOKEN` entry if you're also enabling scanner.

If neither this value nor `sysdig.secureAPIToken` are configured, the user will be required to provide the deployment the `SECURE_API_TOKEN` (and `AUTH_BEARER_TOKEN` if the scanner is enabled) environment variables. | "" | +| sysdig.apiEndpoint | Sysdig URL.
- Default secure.sysdig.com is for the us-east region.
- For us-west use us2.app.sysdig.com
- For European Union, use eu1.app.sysdig.com
- For APAC, use app.au1.sysdig.com
- For US4 (our west Google cloud region) use app.us4.sysdig.com
- For on-prem, your own enpoints
| "" | +| features.k8sAuditDetections | Enable K8s Audit detections with Falco rules | true | +| features.k8sAuditDetectionsRules | [Admission Webhook Configuration rules](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-rules) for the Audit Detections | [{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}] | +| verifySSL | For outbound connections (secure backend, proxy,...)
Whether to verify SSL on HTTPS connections | true | +| nameOverride | Chart name override | "" | +| fullnameOverride | Chart full name override | "" | +| labels | Additional labels, applies to both scanner and webhook | {} | +| serviceAccounts.webhook.create | Create the service account | true | +| serviceAccounts.webhook.annotations | Extra annotations for serviceAccount | {} | +| serviceAccounts.webhook.name | Use this value as serviceAccount Name | "" | +| serviceAccounts.scanner.create | Create the service account | true | +| serviceAccounts.scanner.annotations | Extra annotations for serviceAccount | {} | +| serviceAccounts.scanner.name | Use this value as serviceAccount Name | "" | +| podMonitors.webhook.enabled | Enable the webhook PodMonitor to scrape metrics | false | +| podMonitors.webhook.labels | Labels on the webhook PodMonitor | {} | +| podMonitors.webhook.annotations | Annotations on the webhook PodMonitor | {} | +| podMonitors.scanner.enabled | Enable the scanner PodMonitor to scrape metrics | false | +| podMonitors.scanner.labels | Labels on the scanner PodMonitor | {} | +| podMonitors.scanner.annotations | Annotatons on the scanner PodMonitor | {} | +| webhook.name | Service name for Webhook deployment | webhook | +| webhook.replicaCount | Amount of replicas for webhook. **Deprecated**, use `webhook.autoscaling.minReplicas` and `webhook.autoscaling.maxReplicas` instead. | 1 | +| webhook.image.registry | Webhook image registry | quay.io | +| webhook.image.repository | Webhook image registry | sysdig/admission-controller | +| webhook.image.pullPolicy | PullPolicy for Webhook image | | +| webhook.image.tag | Override the default image tag. If not specified, it defaults to appVersion in Chart.yaml | | +| webhook.image.digest | Specify the image digest value. If set, this value is used instead of the tag value. 
| | +| webhook.labels | Additional labels, applies to webhook only | {} | +| webhook.service.type | Use this type as webhook service | ClusterIP | +| webhook.service.port | Configure port for the webhook service | 443 | +| webhook.rbac.create | Enable the creation of ClusterRoles and the binding of these roles | true | +| webhook.httpProxy | HTTP Proxy settings for webhook.
Set to http(s)://proxyIp:proxyPort in case connection to Sysdig Secure requires a proxy | "" | +| webhook.httpsProxy | HTTPS Proxy settings for webhook.
Set to http(s)://proxyIp:proxyPort in case connection to Sysdig Secure requires a proxy | "" | +| webhook.noProxy | List of hosts, IPs, or IPs in CIDR format that should not go through the proxy. We include "kubernetes" service and typical 10.0.0.0/8 services | kubernetes,10.0.0.0/8 | +| webhook.podAnnotations | Webhook pod annotations. If empty, some annotations are automatically generated for prometheus scraping. | {} | +| webhook.podSecurityContext | Pod Security context for webhook.If empty, some security context are automatically generated. | {} | +| webhook.securityContext | Configure securityContext for webhook. If empty, some security context are automatically generated. | {} | +| webhook.hostNetwork | Specifies if the webhook should be started in hostNetwork mode.
This is required if using a custom CNI where the managed control plane nodes are unable to initiate network connections to the pods, for example using Calico CNI plugin on EKS.
This is not required or recommended in most contexts. | false | +| webhook.imagePullSecrets | The image pull secrets for webhook | [] | +| webhook.resources | Resource request and limits for webhook | {"limits":{"cpu":"250m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}} | +| webhook.autoscaling.enabled | Enable horizontal pod autoscaling | true | +| webhook.autoscaling.minReplicas | Min replicas to use while autoscaling the webhook | 2 | +| webhook.autoscaling.maxReplicas | Max replicas to use while autoscaling the webhook | 5 | +| webhook.autoscaling.targetCPUUtilizationPercentage | Target CPU to use when the number of replicas must be increased | 80 | +| webhook.timeoutSeconds | Number of seconds for the request to time out | 5 | +| webhook.nodeSelector | Configure nodeSelector for scheduling for webhook | {} | +| webhook.priorityClassName | priorityClassName config for the webhook | | +| webhook.tolerations | Tolerations for scheduling for webhook | [] | +| webhook.affinity | Configure affinity rules for webhook | {} | +| webhook.denyOnError | Deny request when an error happened evaluating request | false | +| webhook.dryRun | Dry Run request | false | +| webhook.logLevel | Log Level - Valid Values are: error, info, debug, trace | info | +| webhook.ssl.reuseTLSSecret | Reuse existing TLS Secret during chart upgrade | false | +| webhook.ssl.ca.cert | For outbound connections (secure backend, proxy,...)
And inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded x509 certificate authority.
If empty, a new CA will be autogenerated. | "" | +| webhook.ssl.ca.key | For outbound connections (secure backend, proxy,...)
A PEM-encoded private key of the certificate authority to use in the certificate generation.
If empty, a new CA will be autogenerated. | "" | +| webhook.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | +| webhook.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | +| webhook.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | +| webhook.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. | | +| webhook.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | +| webhook.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. | | +| webhook.ssl.cert | For inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded x509 certificate signed by the CA.
If empty, a new cert will be generated.
If provided, it must be valid with the `webhook.ssl.ca`.
If this is set, the key must also be provided. | "" | +| webhook.ssl.key | For inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded private key signed by the CA.
If empty, a new key will be generated.
If provided, it must be valid with the `webhook.ssl.ca`.
If this is set, the cert must also be provided. | "" | +| webhook.customEntryPoint | Custom entrypoint for the webhook
Remember to provide the webhook valid arguments with `--tls_cert_file` and `--tls_private_key_file`.
default: /bin/webhook --tls_cert_file /cert/tls.crt --tls_private_key_file /cert/tls.key | [] | +| webhook.http.port | HTTP serve port where the requests will be served from | 5000 | +| scc.create | Enable the creation of Security Context Constraints in Openshift | true | +| scanner.enabled | If you only want the Kubernetes Audit Log functionality then disable this, and it will disable the Admission Controller Scanning Policy functionality. | true | +| scanner.name | Service name for Scanner deployment | scanner | +| scanner.replicaCount | Amount of replicas for scanner | 1 | +| scanner.image.registry | Scanner image registry | quay.io | +| scanner.image.repository | Scanner image repository | sysdig/inline-scan-service | +| scanner.image.pullPolicy | PullPolicy for Scanner image | | +| scanner.image.tag | Scanner image tag | 0.0.13 | +| scanner.image.digest | Specify the image digest value. If set, this value is used instead of the tag value. | | +| scanner.labels | Additional labels, applies to scanner only | {} | +| scanner.service.port | Configure port for the webhook service | 8080 | +| scanner.authWithSecureToken | Authenticate with Secure token | false | +| scanner.httpProxy | HTTP Proxy settings for scanner.
Set to http(s)://proxyIp:proxyPort in case connection to Sysdig Secure requires a proxy | "" | +| scanner.httpsProxy | HTTPS Proxy settings for scanner.
Set to http(s)://proxyIp:proxyPort in case connection to Sysdig Secure requires a proxy | "" | +| scanner.noProxy | List of hosts, IPs, or IPs in CIDR format that should not go through the proxy. We include "kubernetes" service and typical 10.0.0.0/8 services | kubernetes,10.0.0.0/8 | +| scanner.podAnnotations | Scanner pod annotations | {"prometheus.io/path":"/metrics","prometheus.io/port":"8080","prometheus.io/scrape":"true"} | +| scanner.psp.create | Whether to create a psp policy and role / role-binding | false | +| scanner.podSecurityContext | PSP's for scanner | {} | +| scanner.verifyRegistryTLS | Verify TLS on image pull from registries | true | +| scanner.dockerCfgSecretName | Docker config secret. Use a provided secret containing a .dockercfg for registry authentication (i.e. Openshift internal registry) | "" | +| scanner.securityContext | Configure securityContext for scanner | {"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true} | +| scanner.imagePullSecrets | The image pull secrets for scanner | [] | +| scanner.resources | Resource requests and limits for scanner | {} | +| scanner.nodeSelector | Configure nodeSelector for scheduling for the scanner | {} | +| scanner.priorityClassName | priorityClassName config for the scanner | | +| scanner.tolerations | Tolerations for scheduling for the scanner | [] | +| scanner.affinity | Configure affinity rules for the scanner | {} | +| scanner.ssl.ca.cert | For outbound connections (secure backend, proxy,...).
A PEM-encoded x509 certificate authority.
If empty, a new CA will be autogenerated. | "" | +| scanner.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | +| scanner.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | +| scanner.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | +| scanner.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. | | +| scanner.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | +| scanner.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. | | +| scanner.customEntryPoint | Custom entrypoint for the scanner.
Remember to provide the scanner valid arguments with `--server_port` and optionally `--auth_secure_token`
default: /inline-scan-service --server_port=8080 | [] | Specify each parameter using the **`--set key=value[,key=value]`** argument to `helm upgrade --install`. For example: diff --git a/charts/admission-controller/templates/_helpers.tpl b/charts/admission-controller/templates/_helpers.tpl index 633c39b32..1256ad932 100644 --- a/charts/admission-controller/templates/_helpers.tpl +++ b/charts/admission-controller/templates/_helpers.tpl @@ -257,20 +257,6 @@ Create the name of the service account to use {{ default (include "admissionController.scanner.fullname" .) .Values.serviceAccounts.scanner.name }} {{- end -}} -{{/* -Generate certificates for aggregated api server -*/}} - -{{- $cert := genCA ( printf "%s.%s.svc" (include "admissionController.scanner.fullname" .) .Release.Namespace ) 3650 -}} - -{{- define "admissionController.scanner.gen-certs" -}} -{{- $ca := genCA (include "admissionController.scanner.fullname" .) 3650 -}} -{{- $cn := printf "%s.%s.svc" (include "admissionController.scanner.fullname" .) .Release.Namespace -}} -{{- $san := list $cn -}} -{{- $cert := genSignedCert $cn nil $san 3650 $ca -}} -{{- printf "%s$%s$%s" ($cert.Cert | b64enc) ($cert.Key | b64enc) ($ca.Cert | b64enc) -}} -{{- end -}} - {{/* Allow overriding registry and repository for air-gapped environments */}} diff --git a/charts/admission-controller/templates/scanner/deployment.yaml b/charts/admission-controller/templates/scanner/deployment.yaml index bb150fee4..4712f1fd1 100644 --- a/charts/admission-controller/templates/scanner/deployment.yaml +++ b/charts/admission-controller/templates/scanner/deployment.yaml 
@@ -41,7 +41,7 @@ spec: defaultMode: 420 secretName: {{ .Values.scanner.dockerCfgSecretName }} {{- end }} - {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }} + {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }} - name: ca-cert secret: secretName: {{ include "admissionController.scanner.fullname" . }}-ca @@ -67,7 +67,7 @@ spec: name: dockercfg readOnly: true {{- end }} - {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }} + {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }} - name: ca-cert mountPath: /ca-certs readOnly: true @@ -91,9 +91,9 @@ spec: - name: NO_PROXY value: {{ include "scanner.noProxy" . }} {{- end }} - {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }} - - name: SSL_CERT_FILE - value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) -}} + {{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }} + - name: SSL_CERT_DIR + value: /ca-certs {{- end }} envFrom: - configMapRef: diff --git a/charts/admission-controller/templates/scanner/secret.yaml b/charts/admission-controller/templates/scanner/secret.yaml index 506d4a566..10b6c4ad8 100644 --- a/charts/admission-controller/templates/scanner/secret.yaml +++ b/charts/admission-controller/templates/scanner/secret.yaml 
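Review bot: Replacing `SSL_CERT_FILE` with `SSL_CERT_DIR` in the third hunk changes how the mounted CA is discovered, and whether `/ca-certs` works depends on the scanner's TLS stack: Go's crypto/x509 loads every file found in an `SSL_CERT_DIR` directory, whereas OpenSSL-based clients only look up files named by subject hash (`<hash>.0`), so a directory holding `root_ca_file.crt` or `global_root_ca.crt` would be ignored by them and verification would fail. Unless the scanner image is known to scan whole directories, keep the file variable alongside the new one, `- name: SSL_CERT_FILE` / `value: /ca-certs/{{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}`, or add a comment above `SSL_CERT_DIR` recording which TLS library the consumer uses. The first hunk of webhook/deployment.yaml makes the same change.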
@@ -19,7 +19,7 @@ stringData: AUTH_BEARER_TOKEN: {{ include "sysdig.secureAPIToken" . }} {{- end }} --- -{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }} +{{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }} apiVersion: v1 kind: Secret metadata: @@ -27,6 +27,11 @@ metadata: namespace: {{ include "admissionController.namespace" . }} labels: {{- include "admissionController.scanner.labels" . | nindent 4 }} data: + {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }} {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl "Files" .Subcharts.common.Files) | b64enc | quote }} + {{- end }} + {{- if or .Values.scanner.ssl.ca.cert }} + root_ca_file.crt: {{ .Values.scanner.ssl.ca.cert | b64enc | quote }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/admission-controller/templates/webhook/deployment.yaml b/charts/admission-controller/templates/webhook/deployment.yaml index 5ac6e5a3a..2171000c7 100644 --- a/charts/admission-controller/templates/webhook/deployment.yaml +++ b/charts/admission-controller/templates/webhook/deployment.yaml 
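Review bot: `{{- if or .Values.scanner.ssl.ca.cert }}` in the second hunk calls `or` with a single operand; `{{- if .Values.scanner.ssl.ca.cert }}` reads the same and does not leave the reader wondering what the wrapper is for. More importantly, when `scanner.ssl.ca.cert` is set together with a `certs` value (own or global) whose keyName resolves to `root_ca_file.crt`, `data:` renders the key `root_ca_file.crt` twice and the Secret is either rejected or silently keeps one of the two values; guarding the legacy line with a check such as `{{- if and .Values.scanner.ssl.ca.cert (ne (include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "root_ca_file.crt") }}`, or a `fail` on the collision, makes it explicit. The same pattern appears in the webhook/secret.yaml hunk.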
@@ -84,9 +84,9 @@ spec: - name: NO_PROXY value: {{ include "webhook.noProxy" . }},{{ include "admissionController.scanner.fullname" . }} {{- end }} - {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }} - - name: SSL_CERT_FILE - value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) -}} + {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }} + - name: SSL_CERT_DIR + value: /ca-certs {{- end }} ports: - name: http @@ -117,7 +117,7 @@ spec: - name: cert mountPath: /cert readOnly: true - {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }} + {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }} - name: ca-cert mountPath: /ca-certs readOnly: true @@ -128,7 +128,7 @@ spec: - name: cert secret: secretName: {{ include "admissionController.webhook.fullname" . }}-tls - {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }} + {{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }} - name: ca-cert secret: secretName: {{ include "admissionController.webhook.fullname" . }}-ca diff --git a/charts/admission-controller/templates/webhook/secret.yaml b/charts/admission-controller/templates/webhook/secret.yaml index 57685bb28..f9473c78b 100644 --- a/charts/admission-controller/templates/webhook/secret.yaml +++ b/charts/admission-controller/templates/webhook/secret.yaml 
@@ -10,7 +10,7 @@ stringData: SECURE_API_TOKEN: {{ include "sysdig.secureAPIToken" . }} {{- end }} --- -{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }} +{{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }} apiVersion: v1 kind: Secret metadata: @@ -19,5 +19,10 @@ metadata: labels: {{ include "admissionController.webhook.labels" . | nindent 4 }} data: + {{- if or .Values.webhook.ssl.ca.cert }} + root_ca_file.crt: {{ .Values.webhook.ssl.ca.cert | b64enc | quote }} + {{- end }} + {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }} {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl "Files" .Subcharts.common.Files) | b64enc | quote }} + {{- end }} {{- end }} diff --git a/charts/admission-controller/tests/ca_cert_test.yaml b/charts/admission-controller/tests/ca_cert_test.yaml index a9d40ffee..e6047f7ec 100644 --- a/charts/admission-controller/tests/ca_cert_test.yaml +++ b/charts/admission-controller/tests/ca_cert_test.yaml @@ -28,8 +28,8 @@ tests: - notContains: path: spec.template.spec.containers[0].env content: - name: SSL_CERT_FILE - value: "/ca-certs/global_root_ca.crt" + name: SSL_CERT_DIR + value: "/ca-certs" template: webhook/deployment.yaml - notContains: path: spec.template.spec.volumes @@ -48,8 +48,8 @@ tests: - notContains: path: spec.template.spec.containers[0].env content: - name: SSL_CERT_FILE - value: "/ca-certs/global_root_ca.crt" + name: SSL_CERT_DIR + value: "/ca-certs" template: scanner/deployment.yaml - notContains: path: spec.template.spec.volumes 
@@ -77,10 +77,11 @@ tests: global: ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "global_root_ca.crt" sysdig: accessKey: standard-key @@ -89,8 +90,8 @@ tests: - contains: path: spec.template.spec.containers[0].env content: - name: SSL_CERT_FILE - value: "/ca-certs/global_root_ca.crt" + name: SSL_CERT_DIR + value: "/ca-certs" template: webhook/deployment.yaml - contains: path: spec.template.spec.volumes @@ -109,8 +110,8 @@ tests: - contains: path: spec.template.spec.containers[0].env content: - name: SSL_CERT_FILE - value: "/ca-certs/global_root_ca.crt" + name: SSL_CERT_DIR + value: "/ca-certs" template: scanner/deployment.yaml - contains: path: spec.template.spec.volumes @@ -147,8 +148,8 @@ tests: - contains: path: spec.template.spec.containers[0].env content: - name: SSL_CERT_FILE - value: "/ca-certs/test-fake-ca-secret-key.crt" + name: SSL_CERT_DIR + value: "/ca-certs" template: webhook/deployment.yaml - contains: path: spec.template.spec.volumes @@ -167,8 +168,8 @@ tests: - contains: path: spec.template.spec.containers[0].env content: - name: SSL_CERT_FILE - value: "/ca-certs/test-fake-ca-secret-key.crt" + name: SSL_CERT_DIR + value: "/ca-certs" template: scanner/deployment.yaml - contains: path: spec.template.spec.volumes @@ -205,8 +206,8 @@ tests: - contains: path: spec.template.spec.containers[0].env content: - name: SSL_CERT_FILE - value: "/ca-certs/test-fake-ca-configmap-key.crt" + name: SSL_CERT_DIR + value: "/ca-certs" template: webhook/deployment.yaml - contains: path: spec.template.spec.volumes @@ -225,8 +226,8 @@ tests: - contains: path: spec.template.spec.containers[0].env content: - name: SSL_CERT_FILE - value: "/ca-certs/test-fake-ca-configmap-key.crt" + name: SSL_CERT_DIR + value: "/ca-certs" template: scanner/deployment.yaml - contains: path: spec.template.spec.volumes 
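Review bot: None of the updated cases sets `scanner.ssl.ca.cert` or `webhook.ssl.ca.cert`, so the backward-compatibility branch this commit adds to the deployment and secret templates (the `or .Values.<component>.ssl.ca.cert` conditions and the `root_ca_file.crt` key) is not covered. A case that sets only `cert` and asserts that the Secret contains `root_ca_file.crt` and that the Deployment mounts `ca-cert` would pin that path; without it a later cleanup can drop the branch unnoticed.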
diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml index 6b9afd702..3c5d8d1ed 100644 --- a/charts/admission-controller/values.yaml +++ b/charts/admission-controller/values.yaml @@ -22,22 +22,23 @@ global: ca: # For outbound connections (secure backend, proxy,...) # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. - cert: - - # Example of a certificate - # cert: | - # -----BEGIN CERTIFICATE----- - # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU - # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 - # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB - # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU - # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 - # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB - # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= - # -----END CERTIFICATE----- + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. keyName: @@ -256,11 +257,31 @@ webhook: #
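Review bot: The comment kept below the new `certs: []` stanza, `# Filename that is used when creating the secret. Required if cert is provided.`, now names a key that no longer exists in this block; the conditions in `_custom_ca.tpl` test `certs` and `keyName` together, so the line should read `# Filename that is used when creating the secret. Required if certs is provided.` Stating it precisely matters because a user who sets `certs` without `keyName` gets no CA at all rather than an error. The same stale comment survives in the webhook and scanner stanzas of this file and in the agent, kspm-collector and node-analyzer values.yaml hunks.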
And inbound connections to serve HttpRequests as Kubernetes Webhook. #
A PEM-encoded x509 certificate authority. #
If empty, a new CA will be autogenerated. - cert: + cert: "" # For outbound connections (secure backend, proxy,...) #
A PEM-encoded private key of the certificate authority to use in the certificate generation. #
If empty, a new CA will be autogenerated. - key: + key: "" + + # For outbound connections (secure backend, proxy,...) + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. keyName: @@ -396,7 +417,27 @@ scanner: # For outbound connections (secure backend, proxy,...). #
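Review bot: The `cert: ""` keys kept for the webhook and scanner stanzas still carry `# If empty, a new CA will be autogenerated`, but the only CA-generation helper visible in this commit (`admissionController.scanner.gen-certs` in _helpers.tpl) is deleted, and the secret templates now write the value verbatim under `root_ca_file.crt`. If nothing else generates a CA, the comment should describe what `cert` now is, for example `# Deprecated: single PEM CA kept for backward compatibility, prefer certs.` followed by `# Stored as root_ca_file.crt in the component Secret.`; if autogeneration still happens elsewhere, name where, so the next reader can confirm it. The scanner hunk below has the same comment.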
A PEM-encoded x509 certificate authority. #
If empty, a new CA will be autogenerated. - cert: + cert: "" + + # For outbound connections (secure backend, proxy,...) + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. keyName: diff --git a/charts/agent/tests/ca_cert_test.yaml b/charts/agent/tests/ca_cert_test.yaml index 0b4053d7a..ece7e9224 100644 --- a/charts/agent/tests/ca_cert_test.yaml +++ b/charts/agent/tests/ca_cert_test.yaml @@ -12,10 +12,11 @@ tests: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "root_ca.crt" asserts: - isKind: @@ -27,10 +28,11 @@ tests: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "root_ca.crt" asserts: - contains: @@ -65,7 +67,8 @@ tests: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE ssl: ca: - cert: | + certs: + - | -----BEGIN CERTIFICATE----- my-test-cert -----END CERTIFICATE----- 
@@ -128,7 +131,8 @@ tests: ssl: true ssl: ca: - cert: | + certs: + - | -----BEGIN CERTIFICATE----- my-test-cert -----END CERTIFICATE----- @@ -169,7 +173,8 @@ tests: ssl: true ssl: ca: - cert: | + certs: + - | -----BEGIN CERTIFICATE----- my-test-cert -----END CERTIFICATE----- @@ -228,16 +233,18 @@ tests: global: ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "global_root_ca.crt" sysdig: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE ssl: ca: - cert: | + certs: + - | -----BEGIN CERTIFICATE----- my-test-cert -----END CERTIFICATE----- @@ -274,16 +281,18 @@ tests: global: ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "global_root_ca.crt" sysdig: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE ssl: ca: - cert: | + certs: + - | -----BEGIN CERTIFICATE----- my-test-cert -----END CERTIFICATE----- @@ -342,10 +351,11 @@ tests: global: ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "global_root_ca.crt" sysdig: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE @@ -388,10 +398,11 @@ tests: global: ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "global_root_ca.crt" sysdig: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE @@ -456,10 +467,11 @@ tests: global: ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "global_root_ca.crt" sysdig: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE 
@@ -505,10 +517,11 @@ tests: global: ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "global_root_ca.crt" sysdig: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE diff --git a/charts/agent/values.yaml b/charts/agent/values.yaml index 0227f3d8c..22fcaadbe 100644 --- a/charts/agent/values.yaml +++ b/charts/agent/values.yaml @@ -14,8 +14,24 @@ global: ssl: ca: # For outbound connections (secure backend, proxy,...) - # A PEM-encoded x509 certificate authority. - cert: + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. keyName: 
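Review bot: Every case in this file sets `certs` with exactly one entry, so the list form that is the point of the change is never exercised with two certificates, and the `join ""` concatenation in `_custom_ca.tpl` is only correct when each entry ends in a newline. A case with two `|` entries asserting that the rendered Secret value contains both `-----END CERTIFICATE-----` markers in order would cover the bundle path, and one with a `|-` entry would document that the trailing newline matters. The kspm-collector, node-analyzer and rapid-response test hunks have the same gap.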
@@ -345,17 +361,24 @@ logPriority: ssl: ca: # For outbound connections (secure backend, proxy,...) - # A PEM-encoded x509 certificate authority. - cert: "" - - # Example of a certificate - # cert: | - # -----BEGIN CERTIFICATE----- - # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU - # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 - # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB - # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= - # -----END CERTIFICATE----- + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. keyName: diff --git a/charts/common/templates/_custom_ca.tpl b/charts/common/templates/_custom_ca.tpl index 194c95208..4d0492d25 100644 --- a/charts/common/templates/_custom_ca.tpl +++ b/charts/common/templates/_custom_ca.tpl @@ -7,7 +7,7 @@ {{- true -}} {{- else if (and .component.ca.existingCaConfigMapKeyName .component.ca.existingCaConfigMap) -}} {{- false -}} - {{- else if (and .component.ca.cert .component.ca.keyName) -}} + {{- else if (and .component.ca.certs .component.ca.keyName) -}} {{- false -}} {{- else -}} {{- include "sysdig.custom_ca.globalUseExistingSecret" . -}} 
@@ -19,7 +19,7 @@ {{- false -}} {{- else if (and .component.ca.existingCaConfigMapKeyName .component.ca.existingCaConfigMap) -}} {{- true -}} - {{- else if (and .component.ca.cert .component.ca.keyName) -}} + {{- else if (and .component.ca.certs .component.ca.keyName) -}} {{- false -}} {{- else -}} {{- include "sysdig.custom_ca.globalUseExistingConfigMap" . -}} @@ -31,7 +31,7 @@ {{- false -}} {{- else if (and .component.ca.existingCaConfigMapKeyName .component.ca.existingCaConfigMap) -}} {{- false -}} - {{- else if (and .component.ca.cert .component.ca.keyName) -}} + {{- else if (and .component.ca.certs .component.ca.keyName) -}} {{- true -}} {{- else -}} {{- include "sysdig.custom_ca.globalUseValues" . -}} @@ -43,7 +43,7 @@ {{- true -}} {{- else if (and .global.ca.existingCaConfigMapKeyName .global.ca.existingCaConfigMap) -}} {{- false -}} - {{- else if (and .global.ca.cert .global.ca.keyName) -}} + {{- else if (and .global.ca.certs .global.ca.keyName) -}} {{- false -}} {{- end -}} {{- end -}} @@ -53,7 +53,7 @@ {{- false -}} {{- else if (and .global.ca.existingCaConfigMapKeyName .global.ca.existingCaConfigMap) -}} {{- true -}} - {{- else if (and .global.ca.cert .global.ca.keyName) -}} + {{- else if (and .global.ca.certs .global.ca.keyName) -}} {{- false -}} {{- end -}} {{- end -}} @@ -63,7 +63,7 @@ {{- false -}} {{- else if (and .global.ca.existingCaConfigMapKeyName .global.ca.existingCaConfigMap) -}} {{- false -}} - {{- else if (and .global.ca.cert .global.ca.keyName) -}} + {{- else if (and .global.ca.certs .global.ca.keyName) -}} {{- true -}} {{- end -}} {{- end -}} @@ -77,7 +77,7 @@ {{- end -}} {{- define "sysdig.custom_ca.cert" -}} - {{- printf "%s%s" (.component.ca.cert | default .global.ca.cert) ( .Files.Get "sysdig_ca.toml" ) -}} + {{- printf "%s%s" (join "" (.component.ca.certs | default .global.ca.certs)) ( .Files.Get "sysdig_ca.toml" ) -}} {{- end -}} {{- define "sysdig.custom_ca.keyName" -}} 
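Review bot: `join ""` in the `sysdig.custom_ca.cert` hunk relies on every entry of `certs` ending in a newline; an entry written as `|-`, passed via `--set`, or trimmed by a values tool yields `-----END CERTIFICATE----------BEGIN CERTIFICATE-----`, and PEM readers then drop the second certificate without an error, so the trusted set silently shrinks. `join "\n"` is safe for both styles because PEM readers skip blank lines between blocks: `{{- printf "%s%s" (join "\n" (.component.ca.certs | default .global.ca.certs)) ( .Files.Get "sysdig_ca.toml" ) -}}`. Separately, the six condition hunks swap `.ca.cert` for `.ca.certs` with no fallback, so an existing values file that still sets `ssl.ca.cert` (the key the agent, kspm-collector and node-analyzer values.yaml hunks remove) is now ignored and the workload is deployed without its custom CA; either keep `or .component.ca.certs .component.ca.cert` in the conditions or add `{{- if .component.ca.cert }}{{ fail "ssl.ca.cert was replaced by ssl.ca.certs" }}{{- end }}` so the misconfiguration is loud.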
diff --git a/charts/kspm-collector/tests/ca_cert_test.yaml b/charts/kspm-collector/tests/ca_cert_test.yaml index 60e55d47c..c69f5fc99 100644 --- a/charts/kspm-collector/tests/ca_cert_test.yaml +++ b/charts/kspm-collector/tests/ca_cert_test.yaml @@ -39,10 +39,11 @@ tests: global: ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "global_root_ca.crt" sysdig: accessKey: standard-key diff --git a/charts/kspm-collector/values.yaml b/charts/kspm-collector/values.yaml index 5fc027cb6..1b6ea6470 100644 --- a/charts/kspm-collector/values.yaml +++ b/charts/kspm-collector/values.yaml @@ -24,8 +24,23 @@ global: ca: # For outbound connections (secure backend, proxy,...) # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. - # See below in the ssl.ca.cert key for an example - cert: + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. keyName: 
@@ -160,16 +175,23 @@ ssl: ca: # For outbound connections (secure backend, proxy,...) # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. - cert: - - # Example of a certificate - # cert: | - # -----BEGIN CERTIFICATE----- - # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU - # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 - # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB - # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= - # -----END CERTIFICATE----- + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. keyName: diff --git a/charts/node-analyzer/tests/ca_cert_test.yaml b/charts/node-analyzer/tests/ca_cert_test.yaml index e47e3846b..dce389078 100644 --- a/charts/node-analyzer/tests/ca_cert_test.yaml +++ b/charts/node-analyzer/tests/ca_cert_test.yaml @@ -20,10 +20,11 @@ tests: runtimeScanner: { deploy: true } ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "root_ca.crt" asserts: - isKind: 
@@ -45,10 +46,11 @@ tests: runtimeScanner: { deploy: true } ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "root_ca.crt" asserts: - contains: @@ -88,10 +90,11 @@ tests: deploy: false ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "global_root_ca.crt" sysdig: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE @@ -133,10 +136,11 @@ tests: deploy: false ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "global_root_ca.crt" sysdig: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE diff --git a/charts/node-analyzer/values.yaml b/charts/node-analyzer/values.yaml index 4515b0aef..c1265bf37 100644 --- a/charts/node-analyzer/values.yaml +++ b/charts/node-analyzer/values.yaml 
@@ -17,8 +17,23 @@ global: ca: # For outbound connections (secure backend, proxy,...) # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. - # See below in the nodeAnalyzer.ssl.ca.cert key for an example - cert: | + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. keyName: 
@@ -394,22 +409,23 @@ nodeAnalyzer: ca: # For outbound connections (secure backend, proxy,...) # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. - cert: "" - - # Example of a certificate - # cert: | - # -----BEGIN CERTIFICATE----- - # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU - # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 - # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB - # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU - # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 - # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB - # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= - # -----END CERTIFICATE----- + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. keyName: diff --git a/charts/rapid-response/templates/daemonset.yaml b/charts/rapid-response/templates/daemonset.yaml index 687e2e3e4..0cd616e89 100644 --- a/charts/rapid-response/templates/daemonset.yaml +++ b/charts/rapid-response/templates/daemonset.yaml 
@@ -117,10 +117,7 @@ spec: name: {{ ( include "rapidResponse.passphraseSecret" . ) }} {{- end }} key: passphrase - {{- if .Values.rapidResponse.ssl.ca.certs }} - - name: SSL_CERT_DIR - value: /ca-certs - {{- else if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true" }} + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true" }} - name: SSL_CERT_FILE value: /ca-certs/{{- include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl) -}} {{- end }} @@ -128,7 +125,7 @@ spec: {{- if .Values.rapidResponse.extraVolumes.mounts }} {{ toYaml .Values.rapidResponse.extraVolumes.mounts | indent 12 }} {{- end }} - {{- if or .Values.rapidResponse.ssl.ca.certs (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true") }} + {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true" }} - name: ca-cert mountPath: /ca-certs readOnly: true @@ -137,11 +134,7 @@ spec: {{- if .Values.rapidResponse.extraVolumes.volumes }} {{ toYaml .Values.rapidResponse.extraVolumes.volumes | indent 8 }} {{- end }} - {{- if.Values.rapidResponse.ssl.ca.certs }} - - name: ca-cert - secret: - secretName: {{ template "rapidResponse.fullname" . }}-additionalca - {{- else if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true" }} + {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true" }} - name: ca-cert secret: secretName: {{ include "rapidResponse.fullname" . }}-ca diff --git a/charts/rapid-response/templates/secrets.yaml b/charts/rapid-response/templates/secrets.yaml index 4368f77b0..46e705ee9 100644 --- a/charts/rapid-response/templates/secrets.yaml 
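Review bot: For this chart the change is not backward compatible: `rapidResponse.ssl.ca.certs` used to be sufficient on its own (the removed branches mounted the `-additionalca` Secret with one `root_ca_file_N.crt` per entry), whereas the common helpers these hunks now rely on require `certs` and `keyName` together, and the updated test has to add `keyName: root_ca_file.crt` to keep passing. A user upgrading with only `certs` set would get a daemonset with no `ca-cert` volume and no `SSL_CERT_FILE`, hence a TLS failure against the backend rather than a rendering error. The rapidResponse values hunk is cut off at the end of this chunk, so if it adds a component-level `keyName: root_ca_file.crt` default the point is moot; otherwise a default there, or `fail` when `certs` is set without `keyName`, would close the gap.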
+++ b/charts/rapid-response/templates/secrets.yaml @@ -21,20 +21,6 @@ type: Opaque data: passphrase: {{ include "rapidResponse.passphrase" . | b64enc | quote }} {{- end }} -{{- if .Values.rapidResponse.ssl.ca.certs }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "rapidResponse.fullname" . }}-additionalca - labels: -{{ include "rapidResponse.labels" . | indent 4 }} -type: Opaque -data: -{{- range $index, $cert := ( .Values.rapidResponse.ssl.ca.certs) }} - root_ca_file_{{$index}}.crt: {{ $cert | b64enc }} -{{- end }} -{{- end }} {{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.rapidResponse.ssl)) "true" }} --- apiVersion: v1 diff --git a/charts/rapid-response/tests/ca_cert_test.yaml b/charts/rapid-response/tests/ca_cert_test.yaml index f8b68b04b..7a279fc4b 100644 --- a/charts/rapid-response/tests/ca_cert_test.yaml +++ b/charts/rapid-response/tests/ca_cert_test.yaml @@ -13,28 +13,29 @@ tests: ssl: ca: certs: - - | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- + keyName: root_ca_file.crt asserts: - containsDocument: apiVersion: v1 kind: Secret - name: release-name-rapid-response-additionalca + name: release-name-rapid-response-ca template: secrets.yaml - contains: path: spec.template.spec.containers[0].env content: - name: SSL_CERT_DIR - value: "/ca-certs" + name: SSL_CERT_FILE + value: "/ca-certs/root_ca_file.crt" template: daemonset.yaml - contains: path: spec.template.spec.volumes content: name: ca-cert secret: - secretName: release-name-rapid-response-additionalca + secretName: release-name-rapid-response-ca template: daemonset.yaml - contains: path: spec.template.spec.containers[0].volumeMounts 
@@ -53,10 +54,11 @@ tests: passphrase: "THIS_IS_SUPER_SECRET" ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: root.crt asserts: - containsDocument: @@ -90,10 +92,11 @@ tests: global: ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "global_root_ca.crt" sysdig: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE @@ -101,10 +104,11 @@ tests: passphrase: "THIS_IS_SUPER_SECRET" ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "override_root_ca.crt" asserts: - contains: @@ -133,10 +137,11 @@ tests: global: ssl: ca: - cert: | - -----BEGIN CERTIFICATE----- - my-test-cert - -----END CERTIFICATE----- + certs: + - | + -----BEGIN CERTIFICATE----- + my-test-cert + -----END CERTIFICATE----- keyName: "global_root_ca.crt" sysdig: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE diff --git a/charts/rapid-response/values.yaml b/charts/rapid-response/values.yaml index 8b2c3db27..5b96dc101 100644 --- a/charts/rapid-response/values.yaml +++ b/charts/rapid-response/values.yaml @@ -29,7 +29,7 @@ global: # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. - keyName: + keyName: root_ca_file.crt # Provide the name of an existing Secret that contains the CA required existingCaSecret: 
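Review bot: In the `charts/rapid-response/values.yaml` hunk the comment kept above the new default, `# Filename that is used when creating the secret. Required if cert is provided.`, is now wrong on both counts: the key is no longer required because `root_ca_file.crt` is the default, and the value it refers to is the `certs` list rather than `cert`. Suggested wording: `# Data key (file name) under which the CA material from certs is stored in the generated Secret; with existingCaSecret it presumably has to match that Secret's key.` The identical stale comment precedes the empty `keyName:` in the rapidResponse values hunk and the sysdig-deploy values hunk that follow, and should be updated there too.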
@@ -108,65 +108,25 @@ rapidResponse: # Import custom CA certificates ssl: ca: - certs: - [] - # Example of certificate - # - | - # -----BEGIN CERTIFICATE----- - # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU - # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 - # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB - # DwAwggEKAoIBAQCqiqSoGHDbQhULBpkS+4Ip4VLF36DZpT8CJ4rOBA5+8Cnjd3XY - # I+n1g6ta/s/6QMEy46rHUysGrmtb/G5+dDAzfNUuAJh2vJEb3Yt8ysihxPwxLie+ - # 85dgEQirruyruvR7zczRo1BVoa7Q5M9kMPnM6a+M5mEjnVoqwdD3g4QigkSQ2ewD - # 7AwwOALgDd4duuUUoCz+IKr+8PWBHvCpRrgwSoVNjw8fckWb4fMLaChiyr9SZfpq - # qjR8rRq65Yb7etmpRew61czWMv2Tv45bz6xigdB/zWe6+qAFiHqXaHDyxytkji3C - # ZuBxa8Xl7xYfpcczEa1qh8ByAQyWzKN5xRY1AgMBAAGjYTBfMA4GA1UdDwEB/wQE - # AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUw - # AwEB/zAdBgNVHQ4EFgQUslz034d5FUO+jSzlsgWlFeP/ogwwDQYJKoZIhvcNAQEL - # BQADggEBAJH3MIVEnnjB3XLA6cw61dWTtigLcA5caT5yEJALf126dBaPwFsOn0mi - # ehxdSRh+LrDzEN1MP9NJRpKQxMCy694sAzZGJggBhBGE6P0InLM56lBHlmqN2Cfy - # apwtueUtXm/GoB+3FEsRnjl7qzi40oadosdu0pIrqvviTjmbfm6CfxaW4crAu6Ev - # 3fl41WW/2WWzFU7KV7ApfRfzJUZ82vo8n6CXv2ogt7DOrAE4l27KS5oqNu8K5STh - # FdNM4fBjDhoRhwIrurHDGabsIJa+0yThwRQSSafereqredfafLOHqV/ar6S63BGe - # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= - # -----END CERTIFICATE----- - # - | - # -----BEGIN CERTIFICATE----- - # MIIDEzXXAguhgAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU - # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 - # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB - # DwAwggEKAoIBAQCqiqSoGHDbQhULBpkS+4Ip4VLF36DZpT8CJ4rOBA5+8Cnjd3XY - # I+n1g6ta/s/6QMEy46rHUysGrmtb/G5+dDAzfNUuAJh2vJEb3Yt8ysihxPwxLie+ - # 85dgEQirruyruvR7zczRo1BVoa7Q5M9kMPnM6a+M5mEjnVoqwdD3g4QigkSQ2ewD - # 7AwwOALgDd4duuUUoCz+IKr+8PWBHvCpRrgwSoVNjw8fckWb4fMLaChiyr9SZfpq - # qjR8rRq65Yb7etmpRew61czWMv2Tv45bz6xigdB/zWe6+qAFiHqXaHDyxytkji3C - # ZuBxa8Xl7xYfpcczEa1qh8ByAQyWzKN5xRY1AgMBAAGjYTBfMA4GA1UdDwEB/wQE - # 
AwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUw - # AwEB/zAdBgNVHQ4EFgQUslz034d5FUO+jSzlsgWlFeP/ogwwDQYJKoZIhvcNAQEL - # BQADggEBAJH3MIVEnnjB3XLA6cw61dWTtigLcA5caT5yEJALf126dBaPwFsOn0mi - # ehxdSRh+LrDzEN1MP9NJRpKQxMCy694sAzZGJggBhBGE6P0InLM56lBHlmqN2Cfy - # apwtueUtXm/GoB+3FEsRnjl7qzi40oadosdu0pIrqvviTjmbfm6CfxaW4crAu6Ev - # 3fl41WW/2WWzFU7KV7ApfRfzJUZ82vo8n6CXv2ogt7DOrAE4l27KS5oqNu8K5STh - # FdNM4fBjDhoRhwIrurHDGabsIJa+0yThwRQSSafereqredfafLOHqV/ar6S63BGe - # MMNlTAQ9fvdNOTzZntye0ZZZR5SG13E= - # -----END CERTIFICATE----- - cert: - - # Example of a certificate - # cert: | - # -----BEGIN CERTIFICATE----- - # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU - # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 - # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB - # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU - # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 - # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB - # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= - # -----END CERTIFICATE----- + # For outbound connections (secure backend, proxy,...) + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. 
+ certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. keyName: diff --git a/charts/sysdig-deploy/values.yaml b/charts/sysdig-deploy/values.yaml index 72dd82565..58d8a5d36 100644 --- a/charts/sysdig-deploy/values.yaml +++ b/charts/sysdig-deploy/values.yaml 
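Review bot: This hunk deletes the singular `cert:` key and its example from `rapidResponse.ssl.ca` while the commit title says the refactor avoids breaking changes; whether a user-supplied `rapidResponse.ssl.ca.cert` is still honoured depends on the `sysdig.custom_ca.*` helpers in `_custom_ca.tpl`, which are not in this chunk. If it is, keep a commented marker so the compatibility path is discoverable, e.g. `# cert: (deprecated) a single PEM string is still accepted here; prefer certs`; if it is not, the README and a changelog entry should state the rename. The same removal of `cert:` happens in the sysdig-deploy `global.ssl.ca` hunk below. Also note the new comment says the value "can also be a bundle with multiple certificates" while the key is now a list, so it would be clearer to say each list entry may itself be a bundle, if that is what the helper accepts.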
@@ -21,17 +21,24 @@ global: ssl: ca: # For outbound connections (secure backend, proxy,...) - # A PEM-encoded x509 certificate authority. - cert: - - # Example of a certificate - # cert: | - # -----BEGIN CERTIFICATE----- - # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU - # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 - # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB - # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= - # -----END CERTIFICATE----- + # A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. + certs: [] + # Example of certificate + # certs: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYR5SR13E= + # -----END CERTIFICATE----- + # - | + # -----BEGIN CERTIFICATE----- + # MIIDEzCCAfugAwIBAgIQKiv9U+KxPJzu1adXwC06RzANBgkqhkiG9w0BAQsFADAU + # MRIwEAYDVQQDEwloYXJib3ItY2EwHhcNMjIwMjIzMDY1NjExWhcNMjMwMjIzMDY1 + # NjExWjAUMRIwEAYDVQQDEwloYXJib3ItY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + # MMNlTAQ9fvdNOTzZntye0PQYRTTS34D= + # -----END CERTIFICATE----- # Filename that is used when creating the secret. Required if cert is provided. keyName:
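Review bot: `global.ssl.ca.keyName:` is left empty here while the rapid-response subchart's `global.ssl.ca.keyName` now defaults to `root_ca_file.crt` in the earlier values hunk; umbrella-chart globals take precedence over subchart globals when values are coalesced, so if Helm treats this null as an override the subchart default is wiped for sysdig-deploy installs and `SSL_CERT_FILE` can render as `/ca-certs/` with no file name. Either give the umbrella the same default, `keyName: root_ca_file.crt`, or remove the key here so the subchart default survives. I have not confirmed the nil-coalescing behaviour against the Helm version this chart targets, so treat the failure mode as inferred.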