diff --git a/charts/cluster-scanner/Chart.yaml b/charts/cluster-scanner/Chart.yaml index 61e68feb7..6834b7edb 100644 --- a/charts/cluster-scanner/Chart.yaml +++ b/charts/cluster-scanner/Chart.yaml @@ -4,7 +4,7 @@ description: Sysdig Cluster Scanner type: application -version: 0.5.6 +version: 0.6.0 appVersion: "0.1.0" home: https://www.sysdig.com/ diff --git a/charts/cluster-scanner/README.md b/charts/cluster-scanner/README.md index d4855f0f9..519fb5723 100644 --- a/charts/cluster-scanner/README.md +++ b/charts/cluster-scanner/README.md @@ -25,7 +25,7 @@ $ pre-commit run -a $ helm repo add sysdig https://charts.sysdig.com $ helm repo update $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.5.6 \ + --create-namespace -n sysdig --version=0.6.0 \ --set global.clusterConfig.name=CLUSTER_NAME \ --set global.sysdig.region=SYSDIG_REGION \ --set global.sysdig.accessKey=YOUR-KEY-HERE @@ -55,7 +55,7 @@ To install the chart with the release name `cluster-scanner`, run: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.5.6 \ + --create-namespace -n sysdig --version=0.6.0 \ --set global.clusterConfig.name=CLUSTER_NAME \ --set global.sysdig.region=SYSDIG_REGION \ --set global.sysdig.accessKey=YOUR-KEY-HERE 
@@ -86,82 +86,81 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the `cluster-scanner` chart and their default values. -| Parameter | Description | Default | -|----------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------| -| global.clusterConfig.name | The name of the cluster. Make sure to set a unique value for all the clusters being inspected. | "" | -| global.sysdig.accessKey | Your Sysdig Agent Access Key | "" | -| global.sysdig.region | Region name for Sysdig. Valid options: `us1`, `us2`, `us3`, `us4`, `eu1`, `au1`. When no region is suitable (e.g. on-premise installations) set the `global.sysdig.apiHost: ""` parameter. | "us1" | -| global.image.pullSecrets | The pull secrets for Cluster Scanner | [] | -| global.image.pullPolicy | The pull policy for Cluster Scanner | IfNotPresent | -| global.proxy | Global HTTP Proxy settings. | {} | -| global.loggingLevel | Set the logging level to use, useful for troubleshooting. Valid values, sorted by increasing level of verbosity are: `PANIC`, `FATAL`, `ERROR`, `WARN`, `INFO`, `DEBUG`, `TRACE`. | "INFO" | -| global.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | -| global.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. 
| | -| global.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | -| global.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret | | -| global.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | -| global.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap | | -| eveEnabled | Enables Sysdig Eve to retrieve the list of running packages. | false | -| eveIntegrationEnabled | Enables the integration with Sysdig Eve. Stores the list of running packages to Sysdig backend. It implies `eveEnabled: true`. | false | -| rootNamespace | The namespace to use to retrieve the cluster UID | "kube-system" | -| replicaCount | | 2 | -| scannerMode | The scannerMode of the Cluster Scanner. Supported values are `local` or `multi`. Please refer to docs.sysdig.com for further documentation. | "local" | -| onPremCompatibilityVersion | Optional parameter used to check the compatibility of cluster-scanner component versions with the on-premised backend version. If you are running an on-prem version of the Sysdig backend, set this parameter with the version of Sysdig backend you are using. E.g. if `onPremCompatibilityVersion=6.2`, we ensure that the image tag is < 1.0.0 for both the Runtime Status Integrator and the Image SBOM Extractor. | "6.2" | -| sslVerifyCertificate | Can be set to false to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified. 
| true | -| runtimeStatusIntegrator.image.registry | The image registry to use for the Runtime Status Integrator component of Cluster Scanner | quay.io | -| runtimeStatusIntegrator.image.repository | The image repository to use for pulling the Runtime Status Integrator image | sysdig/runtime-status-integrator | -| runtimeStatusIntegrator.image.tag | | "0.4.4" | -| runtimeStatusIntegrator.multiCluster | When the Cluster Scanner is running in `multi` mode, set the secret name to be used to retrieve the kubeconfig configuration to connect to the clusters to inspect. | | -| runtimeStatusIntegrator.localCluster | Restrict access to specific Docker secrets when Cluster Scanner is running in `local` mode. The default behavior is listing all secrets. See `values.yaml` for an example. Optional. | | -| runtimeStatusIntegrator.ports.metrics | The port to be used to expose prometheus metrics for the Runtime Status Integrator | 25000 | -| runtimeStatusIntegrator.ports.probes | The port to be used for healthcheck probes for the Runtime Status Integrator | 7000 | -| runtimeStatusIntegrator.resources.limits.cpu | Runtime Status Integrator CPU limit per replica | "1" | -| runtimeStatusIntegrator.resources.limits.memory | Runtime Status Integrator Memory limit per replica | 350Mi | -| runtimeStatusIntegrator.resources.requests.cpu | Runtime Status Integrator CPU requests per replica | "350m" | -| runtimeStatusIntegrator.resources.requests.memory | Runtime Status Integrator Memory requests per replica | 350Mi | -| runtimeStatusIntegrator.env | Runtime Status Integrator env allows the definition of environment variables | {} | -| runtimeStatusIntegrator.natsJS.user | The username to be used in the NATS JetStream instance the Runtime Status Integrator is going to start | "default-user" | -| imageSbomExtractor.image.registry | The image registry to use for the Image SBOM Extractor component of Cluster Scanner | quay.io | -| imageSbomExtractor.image.repository | The image repository to 
use for pulling the Image SBOM Extractor image | sysdig/image-sbom-extractor | -| imageSbomExtractor.image.tag | | "0.4.4" | -| imageSbomExtractor.ports.metrics | The port to be used to expose prometheus metrics for the Image SBOM Extractor | 25001 | -| imageSbomExtractor.ports.probes | The port to be used for healthcheck probes for the Image SBOM Extractor | 7001 | -| imageSbomExtractor.resources.limits.cpu | Image SBOM Extractor CPU limit per replica | "1" | -| imageSbomExtractor.resources.limits.memory | Image SBOM Extractor Memory limit per replica | 350Mi | -| imageSbomExtractor.resources.requests.cpu | Image SBOM Extractor CPU requests per replica | "350m" | -| imageSbomExtractor.resources.requests.memory | Image SBOM Extractor Memory requests per replica | 350Mi | -| imageSbomExtractor.env | Image SBOM Extractor env allows the definition of environment variables | {} | -| imageSbomExtractor.cache.type | The type of cache to use. Allowed values are `local`, `distributed` and `distributed,local`. When specified more than one, the cache precedence will be applied from right to left. Eg: `distributed,local` will try to hit the local one first, than fallback to distributed one (redis) When setting `distributed`, you should also setup redis settings below accordingly with your redis installation. | "local" | -| imageSbomExtractor.cache.local.maxSizeBytes | The maximum size in bytes of the local cache. By default it is set to 35MB | "36700160" | -| imageSbomExtractor.cache.local.maxElementSizeBytes | When using `local` as cache type, restrict the maximum size of elements to be cached. By default it is set to 100KB | "102400" | -| imageSbomExtractor.cache.local.ttl | The TTL for items in the local cache. By default it is set to 7 days. 
| "168h" | -| nameOverride | Chart name override | "" | -| fullnameOverride | Chart full name override | "" | -| serviceAccount.create | Specifies whether a service account should be created | true | -| serviceAccount.annotations | Annotations to add to the service account | {} | -| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" | -| podAnnotations.prometheus.io/scrape | | "true" | -| podAnnotations.prometheus.io/path | | "/metrics" | -| podAnnotations.prometheus.io/port | | "25000" | -| podSecurityContext | Set Cluster Scanner pod security context | {} | -| securityContext | Set Cluster Scanner security context | {} | -| selectorLabels | Set Cluster Scanner Selector Labels | {} | -| nodeSelector.kubernetes.io/arch | Cluster Scanner is only supported on nodes with amd64 architecture | amd64 | -| tolerations | Set Cluster Scanner scheduling tolerations | [] | -| affinity | Set Cluster Scanner affinity | {} | -| ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | -| ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. 
| | -| ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | -| ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret | | -| ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | -| ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap | | +| Parameter | Description | Default | +|----------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------| +| global.clusterConfig.name | The name of the cluster. Make sure to set a unique value for all the clusters being inspected. | "" | +| global.sysdig.accessKey | Your Sysdig Agent Access Key | "" | +| global.sysdig.region | Region name for Sysdig. Valid options: `us1`, `us2`, `us3`, `us4`, `eu1`, `au1`. When no region is suitable (e.g. on-premise installations) set the `global.sysdig.apiHost: ""` parameter. | "us1" | +| global.image.pullSecrets | The pull secrets for Cluster Scanner | [] | +| global.image.pullPolicy | The pull policy for Cluster Scanner | IfNotPresent | +| global.proxy | Global HTTP Proxy settings. | {} | +| global.loggingLevel | Set the logging level to use, useful for troubleshooting. 
Valid values, sorted by increasing level of verbosity are: `PANIC`, `FATAL`, `ERROR`, `WARN`, `INFO`, `DEBUG`, `TRACE`. | "INFO" | +| global.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | +| global.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | +| global.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | +| global.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret | | +| global.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | +| global.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap | | +| eveEnabled | Enables Sysdig Eve to retrieve the list of running packages. | false | +| eveIntegrationEnabled | Enables the integration with Sysdig Eve. Stores the list of running packages to Sysdig backend. It implies `eveEnabled: true`. | false | +| rootNamespace | The namespace to use to retrieve the cluster UID | "kube-system" | +| replicaCount | | 2 | +| scannerMode | The scannerMode of the Cluster Scanner. Supported values are `local` or `multi`. Please refer to docs.sysdig.com for further documentation. | "local" | +| sslVerifyCertificate | Optional parameter used to check the compatibility of cluster-scanner component versions with the on-premised backend version. If you are running an on-prem version of the Sysdig backend, you MUST set this parameter with the version of Sysdig backend you are using. If you are runinng on SaaS, do NOT provide this parameter. E.g. if `onPremCompatibilityVersion=6.2`, we ensure that the image tag is < 0.5.0 for both the Runtime Status Integrator and the Image SBOM Extractor. 
onPremCompatibilityVersion: "6.2" Can be set to false to allow insecure connections to the Sysdig backend, such as for on-premise installs that use self-signed certificates. By default, certificates are always verified. | true | +| runtimeStatusIntegrator.image.registry | The image registry to use for the Runtime Status Integrator component of Cluster Scanner | quay.io | +| runtimeStatusIntegrator.image.repository | The image repository to use for pulling the Runtime Status Integrator image | sysdig/runtime-status-integrator | +| runtimeStatusIntegrator.image.tag | | "0.5.0" | +| runtimeStatusIntegrator.multiCluster | When the Cluster Scanner is running in `multi` mode, set the secret name to be used to retrieve the kubeconfig configuration to connect to the clusters to inspect. | | +| runtimeStatusIntegrator.localCluster | Restrict access to specific Docker secrets when Cluster Scanner is running in `local` mode. The default behavior is listing all secrets. See `values.yaml` for an example. Optional. 
| | +| runtimeStatusIntegrator.ports.metrics | The port to be used to expose prometheus metrics for the Runtime Status Integrator | 25000 | +| runtimeStatusIntegrator.ports.probes | The port to be used for healthcheck probes for the Runtime Status Integrator | 7000 | +| runtimeStatusIntegrator.resources.limits.cpu | Runtime Status Integrator CPU limit per replica | "1" | +| runtimeStatusIntegrator.resources.limits.memory | Runtime Status Integrator Memory limit per replica | 350Mi | +| runtimeStatusIntegrator.resources.requests.cpu | Runtime Status Integrator CPU requests per replica | "350m" | +| runtimeStatusIntegrator.resources.requests.memory | Runtime Status Integrator Memory requests per replica | 350Mi | +| runtimeStatusIntegrator.env | Runtime Status Integrator env allows the definition of environment variables | {} | +| runtimeStatusIntegrator.natsJS.user | The username to be used in the NATS JetStream instance the Runtime Status Integrator is going to start | "default-user" | +| imageSbomExtractor.image.registry | The image registry to use for the Image SBOM Extractor component of Cluster Scanner | quay.io | +| imageSbomExtractor.image.repository | The image repository to use for pulling the Image SBOM Extractor image | sysdig/image-sbom-extractor | +| imageSbomExtractor.image.tag | | "0.5.0" | +| imageSbomExtractor.ports.metrics | The port to be used to expose prometheus metrics for the Image SBOM Extractor | 25001 | +| imageSbomExtractor.ports.probes | The port to be used for healthcheck probes for the Image SBOM Extractor | 7001 | +| imageSbomExtractor.resources.limits.cpu | Image SBOM Extractor CPU limit per replica | "1" | +| imageSbomExtractor.resources.limits.memory | Image SBOM Extractor Memory limit per replica | 350Mi | +| imageSbomExtractor.resources.requests.cpu | Image SBOM Extractor CPU requests per replica | "350m" | +| imageSbomExtractor.resources.requests.memory | Image SBOM Extractor Memory requests per replica | 350Mi | +| 
imageSbomExtractor.env | Image SBOM Extractor env allows the definition of environment variables | {} | +| imageSbomExtractor.cache.type | The type of cache to use. Allowed values are `local`, `distributed` and `distributed,local`. When specified more than one, the cache precedence will be applied from right to left. Eg: `distributed,local` will try to hit the local one first, than fallback to distributed one (redis) When setting `distributed`, you should also setup redis settings below accordingly with your redis installation. | "local" | +| imageSbomExtractor.cache.local.maxSizeBytes | The maximum size in bytes of the local cache. By default it is set to 35MB | "36700160" | +| imageSbomExtractor.cache.local.maxElementSizeBytes | When using `local` as cache type, restrict the maximum size of elements to be cached. By default it is set to 100KB | "102400" | +| imageSbomExtractor.cache.local.ttl | The TTL for items in the local cache. By default it is set to 7 days. | "168h" | +| nameOverride | Chart name override | "" | +| fullnameOverride | Chart full name override | "" | +| serviceAccount.create | Specifies whether a service account should be created | true | +| serviceAccount.annotations | Annotations to add to the service account | {} | +| serviceAccount.name | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | "" | +| podAnnotations.prometheus.io/scrape | | "true" | +| podAnnotations.prometheus.io/path | | "/metrics" | +| podAnnotations.prometheus.io/port | | "25000" | +| podSecurityContext | Set Cluster Scanner pod security context | {} | +| securityContext | Set Cluster Scanner security context | {} | +| selectorLabels | Set Cluster Scanner Selector Labels | {} | +| nodeSelector.kubernetes.io/arch | Cluster Scanner is only supported on nodes with amd64 architecture | amd64 | +| tolerations | Set Cluster Scanner scheduling tolerations | [] | +| affinity | Set Cluster Scanner affinity | {} | +| ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | +| ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | | +| ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | | +| ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret | | +| ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | | +| ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap | | Specify each parameter using the **`--set key=value[,key=value]`** argument to `helm upgrade --install`. For example: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.5.6 \ + --create-namespace -n sysdig --version=0.6.0 \ --set global.sysdig.region="us1" ``` @@ -170,7 +169,7 @@ installing the chart. For example: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.5.6 \ + --create-namespace -n sysdig --version=0.6.0 \ --values values.yaml ``` 
diff --git a/charts/cluster-scanner/templates/_helpers.tpl b/charts/cluster-scanner/templates/_helpers.tpl
index 9836c057c..c7a59f7be 100644
--- a/charts/cluster-scanner/templates/_helpers.tpl
+++ b/charts/cluster-scanner/templates/_helpers.tpl
@@ -208,28 +208,37 @@ Define the proper imageRegistry to use for imageSbomExtractor
 {{/*
 Cluster scanner version compatibility check.
-If .Values.onPremCompatibilityVersion is set to 6.5.0 or below, it checks whether
-the provided tag is < 1.0.0 .
+If .Values.onPremCompatibilityVersion is set to a version below 6.6.0, it checks whether
+the provided tag is < 0.5.0 .
-Otherwise, it checks if the provided tag is >= 1.0.0 .
+Otherwise, it checks if the provided tag is >= 0.5.0 .
 Version tags must be semver2-compatible otherwise no check will be performed.
 */}}
 {{- define "cluster-scanner.checkVersionCompatibility" -}}
 {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+.*" .Tag -}}
 {{- $version := semver .Tag -}}
- {{- if and (hasKey (default .Values dict) "onPremCompatibilityVersion") (eq (semver .Values.onPremCompatibilityVersion | (semver "6.5.0").Compare) 1) -}}
- {{- if ne ($version | (semver "1.0.0").Compare) 1 -}}
- {{- fail (printf "incompatible version for %s, set %s expected < 1.0.0" .Component .Tag) -}}
+ {{- if and (hasKey (default .Values dict) "onPremCompatibilityVersion") (eq (semver .Values.onPremCompatibilityVersion | (semver "6.6.0").Compare) 1) -}}
+ {{- if ne ($version | (semver "0.5.0").Compare) 1 -}}
+ {{- fail (printf "incompatible version for %s, set %s expected < 0.5.0" .Component .Tag) -}}
 {{- end -}}
 {{- else -}}
- {{- if eq ($version | (semver "1.0.0").Compare) 1 -}}
- {{- fail (printf "incompatible version for %s, set %s expected >= 1.0.0" .Component .Tag) -}}
+ {{- if eq ($version | (semver "0.5.0").Compare) 1 -}}
+ {{- fail (printf "incompatible version for %s, set %s expected >= 0.5.0" .Component .Tag) -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
+{{/*
+Generates configmap data to enable platform services if onPremCompatibility version is not set, or it is greater than 6.6.0
+*/}}
+{{- define "cluster-scanner.enablePlatformServicesConfig" -}}
+{{- if not ( and (hasKey (default .Values dict) "onPremCompatibilityVersion") (eq (semver .Values.onPremCompatibilityVersion | (semver "6.6.0").Compare) 1)) -}}
+enable_platform_services: "true"
+{{- end }}
+{{- end }}
+
 {{/*
 Return the proper image name for the Runtime Status Integrator
 */}}
diff --git a/charts/cluster-scanner/templates/configmap.yaml b/charts/cluster-scanner/templates/configmap.yaml
index ee75a8ea6..84bafc55b 100644
--- a/charts/cluster-scanner/templates/configmap.yaml
+++ b/charts/cluster-scanner/templates/configmap.yaml
@@ -39,3 +39,4 @@ data:
 ise_cache_type: {{ .Values.imageSbomExtractor.cache.type }}
 {{- include "cluster-scanner.redisCacheConfig" . | nindent 2 }}
 {{- include "cluster-scanner.localCacheConfig" . | nindent 2 }}
+{{- include "cluster-scanner.enablePlatformServicesConfig" . | nindent 2 }}
diff --git a/charts/cluster-scanner/templates/deployment.yaml b/charts/cluster-scanner/templates/deployment.yaml
index 0ce6a527e..f7c907d1e 100644
--- a/charts/cluster-scanner/templates/deployment.yaml
+++ b/charts/cluster-scanner/templates/deployment.yaml
@@ -282,6 +282,12 @@ spec:
 name: {{ include "cluster-scanner.fullname" . }}
 key: rsi_js_server_metrics_port
 optional: true
+ - name: CLUSTERSCANNER_PLATFORM_ENABLED
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "cluster-scanner.fullname" . }}
+ key: enable_platform_services
+ optional: true
 {{- range $key, $value := .Values.runtimeStatusIntegrator.env }}
 - name: "{{ $key }}"
 value: "{{ $value }}"
@@ -550,6 +556,12 @@ spec:
 key: cache_redis_ttl
 optional: true
 {{- end }}
+ - name: CLUSTERSCANNER_PLATFORM_ENABLED
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "cluster-scanner.fullname" . }}
+ key: enable_platform_services
+ optional: true
 {{- range $key, $value := .Values.imageSbomExtractor.env }}
 - name: "{{ $key }}"
 value: "{{ $value }}"
diff --git a/charts/cluster-scanner/tests/configmap_test.yaml b/charts/cluster-scanner/tests/configmap_test.yaml
index e1399ae66..4f6a98f62 100644
--- a/charts/cluster-scanner/tests/configmap_test.yaml
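Review bot: The new `cluster-scanner.enablePlatformServicesConfig` helper repeats the on-prem cutoff predicate from `checkVersionCompatibility` verbatim (`hasKey … "onPremCompatibilityVersion"` plus `semver … | (semver "6.6.0").Compare`), so the next time the cutoff moves the two can drift and the chart would enforce image tags for one backend generation while telling the components to enable platform services for another. Factor the predicate into a single helper that both templates call, as sketched below; `checkVersionCompatibility` would then test `(include "cluster-scanner.isLegacyOnPrem" .)` in place of its inline `and (...)`. The doc comment on the new helper says "greater than 6.6.0", but the condition, and the configmap test at exactly 6.6.0, treat 6.6.0 itself as enabled, so `or it is 6.6.0 or greater` is the accurate wording. If a user sets the value unquoted (`onPremCompatibilityVersion: 6.6`) it reaches the template as a float and I believe `semver` then errors at render time, which is why the shared helper below pipes it through `toString` and why the README should say the value must be a quoted string. Note also that this same change folds the README row for `onPremCompatibilityVersion` into the `sslVerifyCertificate` row, so the "do NOT provide this parameter on SaaS" guidance the helper relies on is currently attached to the wrong parameter.
```gotemplate
{{/*
Returns "true" when onPremCompatibilityVersion is set and is below 6.6.0, i.e. the
backend predates platform services and the < 0.5.0 component images are required.
Shared by checkVersionCompatibility and enablePlatformServicesConfig so the cutoff
lives in exactly one place.
*/}}
{{- define "cluster-scanner.isLegacyOnPrem" -}}
{{- if and (hasKey (default .Values dict) "onPremCompatibilityVersion") (eq (semver (toString .Values.onPremCompatibilityVersion) | (semver "6.6.0").Compare) 1) -}}
true
{{- end -}}
{{- end -}}

{{/*
Generates configmap data to enable platform services if onPremCompatibilityVersion is not set, or it is 6.6.0 or greater
*/}}
{{- define "cluster-scanner.enablePlatformServicesConfig" -}}
{{- if not (include "cluster-scanner.isLegacyOnPrem" .) -}}
enable_platform_services: "true"
{{- end }}
{{- end }}
```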
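Review bot: `CLUSTERSCANNER_PLATFORM_ENABLED` is read with `optional: true` from a configmap key that the chart only emits when platform services are on, so on a legacy on-prem install (onPremCompatibilityVersion below 6.6.0) the variable is simply absent and whatever default the runtime-status-integrator and image-sbom-extractor binaries ship with decides the behaviour, which the chart neither sees nor pins. Having the helper emit `enable_platform_services: "false"` in the legacy branch, and asserting `"false"` instead of `isNull` in configmap_test.yaml, makes the rendered config self-describing and lets `optional: true` go away, assuming the components accept the usual boolean strings. The same six-line `env` stanza is duplicated for both containers; a small named template such as `cluster-scanner.platformEnabledEnv` included in both lists would keep them from diverging. Both `env:` lists start and end outside the hunk.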
+++ b/charts/cluster-scanner/tests/configmap_test.yaml @@ -341,3 +341,37 @@ tests: - equal: path: data.no_proxy value: "fake-no-proxy" + + - it: "has correct platform services value when onPremCompatibilityVersion is NOT provided" + set: + global.sysdig.apiHost: "http://test.com" + asserts: + - equal: + path: data.enable_platform_services + value: "true" + + - it: "has correct platform services value when onPremCompatibilityVersion is < 6.6" + set: + global.sysdig.apiHost: "http://test.com" + onPremCompatibilityVersion: "6.5.99" + asserts: + - isNull: + path: data.enable_platform_services + + - it: "has correct platform services value when onPremCompatibilityVersion is = 6.6.0" + set: + global.sysdig.apiHost: "http://test.com" + onPremCompatibilityVersion: "6.6.0" + asserts: + - equal: + path: data.enable_platform_services + value: "true" + + - it: "has correct platform services value when onPremCompatibilityVersion is > 6.6.0" + set: + global.sysdig.apiHost: "http://test.com" + onPremCompatibilityVersion: "6.6.1" + asserts: + - equal: + path: data.enable_platform_services + value: "true" diff --git a/charts/cluster-scanner/tests/deployment_test.yaml b/charts/cluster-scanner/tests/deployment_test.yaml index 3489b5795..fc3d07c58 100644 --- a/charts/cluster-scanner/tests/deployment_test.yaml +++ b/charts/cluster-scanner/tests/deployment_test.yaml 
@@ -71,17 +71,17 @@ tests: set: runtimeStatusIntegrator.image.registry: registry-rsi.io runtimeStatusIntegrator.image.repository: test.com/repo - runtimeStatusIntegrator.image.tag: "0.3.4" + runtimeStatusIntegrator.image.tag: "0.5.4" imageSbomExtractor.image.registry: registry-ise.io imageSbomExtractor.image.repository: test-ise.com/repo - imageSbomExtractor.image.tag: "0.0.1" + imageSbomExtractor.image.tag: "9.0.1" asserts: - equal: path: spec.template.spec.containers[0].image - value: registry-rsi.io/test.com/repo:0.3.4 + value: registry-rsi.io/test.com/repo:0.5.4 - equal: path: spec.template.spec.containers[1].image - value: registry-ise.io/test-ise.com/repo:0.0.1 + value: registry-ise.io/test-ise.com/repo:9.0.1 - it: "sets kubeconfig env var if set" templates: @@ -185,23 +185,21 @@ tests: templates: - ../templates/deployment.yaml set: - onPremCompatibilityVersion: null runtimeStatusIntegrator.image.tag: "0.3.4" imageSbomExtractor.image.tag: "1.3.4" asserts: - failedTemplate: - errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 0.3.4 expected >= 1.0.0" + errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 0.3.4 expected >= 0.5.0" - it: "fails if the onPremCompatibilityVersion is not set and the imageSbomExtractor version is incorrect" templates: - ../templates/deployment.yaml set: - onPremCompatibilityVersion: null runtimeStatusIntegrator.image.tag: "1.3.4" imageSbomExtractor.image.tag: "0.1.0" asserts: - failedTemplate: - errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 0.1.0 expected >= 1.0.0" + errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 0.1.0 expected >= 0.5.0" - it: "fails if the onPremCompatibilityVersion is set to 6.2 and the runtimeStatusIntegrator version is incorrect" templates: 
@@ -212,7 +210,7 @@ tests: imageSbomExtractor.image.tag: "0.3.4" asserts: - failedTemplate: - errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 4.3.4 expected < 1.0.0" + errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 4.3.4 expected < 0.5.0" - it: "fails if the onPremCompatibilityVersion is set to 6.2 and the imageSbomExtractor version is incorrect" templates: @@ -223,7 +221,7 @@ tests: imageSbomExtractor.image.tag: "6.1.0" asserts: - failedTemplate: - errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 6.1.0 expected < 1.0.0" + errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 6.1.0 expected < 0.5.0" - it: "fails if the onPremCompatibilityVersion is set to 6.3 and the runtimeStatusIntegrator version is incorrect" templates: @@ -234,7 +232,7 @@ tests: imageSbomExtractor.image.tag: "0.3.4" asserts: - failedTemplate: - errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 4.3.4 expected < 1.0.0" + errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 4.3.4 expected < 0.5.0" - it: "fails if the onPremCompatibilityVersion is set to 6.3 and the imageSbomExtractor version is incorrect" templates: 
@@ -245,66 +243,65 @@ tests: imageSbomExtractor.image.tag: "6.1.0" asserts: - failedTemplate: - errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 6.1.0 expected < 1.0.0" + errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 6.1.0 expected < 0.5.0" - - it: "fails if the onPremCompatibilityVersion is set to 6.5 and the runtimeStatusIntegrator version is incorrect" + - it: "fails if the onPremCompatibilityVersion is set to 6.6 and the runtimeStatusIntegrator version is incorrect" templates: - ../templates/deployment.yaml set: - onPremCompatibilityVersion: "6.5" + onPremCompatibilityVersion: "6.6" runtimeStatusIntegrator.image.tag: "0.3.4" imageSbomExtractor.image.tag: "1.3.4" asserts: - failedTemplate: - errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 0.3.4 expected >= 1.0.0" + errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 0.3.4 expected >= 0.5.0" - - it: "fails if the onPremCompatibilityVersion is set to 6.5 and the imageSbomExtractor version is incorrect" + - it: "fails if the onPremCompatibilityVersion is set to 6.6 and the imageSbomExtractor version is incorrect" templates: - ../templates/deployment.yaml set: - onPremCompatibilityVersion: "6.5" + onPremCompatibilityVersion: "6.6" runtimeStatusIntegrator.image.tag: "1.3.4" imageSbomExtractor.image.tag: "0.1.0" asserts: - failedTemplate: - errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 0.1.0 expected >= 1.0.0" + errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 0.1.0 expected >= 0.5.0" - - it: "fails if the onPremCompatibilityVersion is set to 6.6 and the runtimeStatusIntegrator version is incorrect" + - it: "fails if the onPremCompatibilityVersion is set to 6.7 and the runtimeStatusIntegrator version is incorrect" templates: - ../templates/deployment.yaml set: - onPremCompatibilityVersion: "6.6" + onPremCompatibilityVersion: "6.7" 
runtimeStatusIntegrator.image.tag: "0.3.4" imageSbomExtractor.image.tag: "1.3.4" asserts: - failedTemplate: - errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 0.3.4 expected >= 1.0.0" + errorMessage: "incompatible version for runtimeStatusIntegrator.image.tag, set 0.3.4 expected >= 0.5.0" - - it: "fails if the onPremCompatibilityVersion is set to 6.6 and the imageSbomExtractor version is incorrect" + - it: "fails if the onPremCompatibilityVersion is set to 6.7 and the imageSbomExtractor version is incorrect" templates: - ../templates/deployment.yaml set: - onPremCompatibilityVersion: "6.6" + onPremCompatibilityVersion: "6.7" runtimeStatusIntegrator.image.tag: "1.3.4" imageSbomExtractor.image.tag: "0.1.0" asserts: - failedTemplate: - errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 0.1.0 expected >= 1.0.0" + errorMessage: "incompatible version for imageSbomExtractor.image.tag, set 0.1.0 expected >= 0.5.0" - it: "succeeds if the onPremCompatibilityVersion is not set and the runtimeStatusIntegrator and imageSbomExtractor versions are correct" templates: - ../templates/deployment.yaml set: - onPremCompatibilityVersion: null runtimeStatusIntegrator.image.tag: "2.3.4" - imageSbomExtractor.image.tag: "1.0.0" + imageSbomExtractor.image.tag: "0.5.0" asserts: - equal: path: spec.template.spec.containers[0].image value: quay.io/sysdig/runtime-status-integrator:2.3.4 - equal: path: spec.template.spec.containers[1].image - value: quay.io/sysdig/image-sbom-extractor:1.0.0 + value: quay.io/sysdig/image-sbom-extractor:0.5.0 - it: "succeeds if the onPremCompatibilityVersion is set to 6.2 and the runtimeStatusIntegrator and imageSbomExtractor versions are correct" templates: 
@@ -312,14 +309,14 @@ tests: set: onPremCompatibilityVersion: "6.2" runtimeStatusIntegrator.image.tag: "0.3.4" - imageSbomExtractor.image.tag: "0.9.10" + imageSbomExtractor.image.tag: "0.4.10" asserts: - equal: path: spec.template.spec.containers[0].image value: quay.io/sysdig/runtime-status-integrator:0.3.4 - equal: path: spec.template.spec.containers[1].image - value: quay.io/sysdig/image-sbom-extractor:0.9.10 + value: quay.io/sysdig/image-sbom-extractor:0.4.10 - it: "succeeds if the onPremCompatibilityVersion is set to 6.3 and the runtimeStatusIntegrator and imageSbomExtractor versions are correct" templates: 
@@ -327,44 +324,44 @@ tests: set: onPremCompatibilityVersion: "6.3" runtimeStatusIntegrator.image.tag: "0.3.4" - imageSbomExtractor.image.tag: "0.9.10" + imageSbomExtractor.image.tag: "0.4.10" asserts: - equal: path: spec.template.spec.containers[0].image value: quay.io/sysdig/runtime-status-integrator:0.3.4 - equal: path: spec.template.spec.containers[1].image - value: quay.io/sysdig/image-sbom-extractor:0.9.10 + value: quay.io/sysdig/image-sbom-extractor:0.4.10 - - it: "succeeds if the onPremCompatibilityVersion is set to 6.5 and the runtimeStatusIntegrator and imageSbomExtractor versions are correct" + - it: "succeeds if the onPremCompatibilityVersion is set to 6.6 and the runtimeStatusIntegrator and imageSbomExtractor versions are correct" templates: - ../templates/deployment.yaml set: - onPremCompatibilityVersion: "6.5" + onPremCompatibilityVersion: "6.6" runtimeStatusIntegrator.image.tag: "2.3.4" - imageSbomExtractor.image.tag: "1.0.0" + imageSbomExtractor.image.tag: "0.5.0" asserts: - equal: path: spec.template.spec.containers[0].image value: quay.io/sysdig/runtime-status-integrator:2.3.4 - equal: path: spec.template.spec.containers[1].image - value: quay.io/sysdig/image-sbom-extractor:1.0.0 + value: quay.io/sysdig/image-sbom-extractor:0.5.0 - - it: "succeeds if the onPremCompatibilityVersion is set to 6.6 and the runtimeStatusIntegrator and imageSbomExtractor versions are correct" + - it: "succeeds if the onPremCompatibilityVersion is set to 6.7 and the runtimeStatusIntegrator and imageSbomExtractor versions are correct" templates: - ../templates/deployment.yaml set: - onPremCompatibilityVersion: "6.6" + onPremCompatibilityVersion: "6.7" runtimeStatusIntegrator.image.tag: "2.3.4" - imageSbomExtractor.image.tag: "1.0.0" + imageSbomExtractor.image.tag: "0.5.0" asserts: - equal: path: spec.template.spec.containers[0].image value: quay.io/sysdig/runtime-status-integrator:2.3.4 - equal: path: spec.template.spec.containers[1].image - value: 
quay.io/sysdig/image-sbom-extractor:1.0.0 + value: quay.io/sysdig/image-sbom-extractor:0.5.0 - it: "succeeds if the runtimeStatusIntegrator version is not a semver and the onPremCompatibilityVersion is 6.4" templates: @@ -372,20 +369,20 @@ tests: set: onPremCompatibilityVersion: "6.4" runtimeStatusIntegrator.image.tag: "unstable-rc" - imageSbomExtractor.image.tag: "0.9.0" + imageSbomExtractor.image.tag: "0.4.9" asserts: - equal: path: spec.template.spec.containers[0].image value: quay.io/sysdig/runtime-status-integrator:unstable-rc - equal: path: spec.template.spec.containers[1].image - value: quay.io/sysdig/image-sbom-extractor:0.9.0 + value: quay.io/sysdig/image-sbom-extractor:0.4.9 - - it: "succeeds if the imageSbomExtractor version is not a semver and the onPremCompatibilityVersion is 6.5" + - it: "succeeds if the imageSbomExtractor version is not a semver and the onPremCompatibilityVersion is 6.6" templates: - ../templates/deployment.yaml set: - onPremCompatibilityVersion: "6.5" + onPremCompatibilityVersion: "6.6" runtimeStatusIntegrator.image.tag: "1.3.5" imageSbomExtractor.image.tag: "3bc59a4958d15dfa6afed20dfd2459e268b4cda8" asserts: 
@@ -396,6 +393,29 @@ tests: path: spec.template.spec.containers[1].image value: quay.io/sysdig/image-sbom-extractor:3bc59a4958d15dfa6afed20dfd2459e268b4cda8 + - it: "correctly sets the CLUSTERSCANNER_PLATFORM_ENABLED env var" + templates: + - ../templates/deployment.yaml + asserts: + - isSubset: + path: spec.template.spec.containers[0].env[?(@.name == "CLUSTERSCANNER_PLATFORM_ENABLED")] + content: + name: CLUSTERSCANNER_PLATFORM_ENABLED + valueFrom: + configMapKeyRef: + name: test-release-cluster-scanner + key: enable_platform_services + optional: true + - isSubset: + path: spec.template.spec.containers[1].env[?(@.name == "CLUSTERSCANNER_PLATFORM_ENABLED")] + content: + name: CLUSTERSCANNER_PLATFORM_ENABLED + valueFrom: + configMapKeyRef: + name: test-release-cluster-scanner + key: enable_platform_services + optional: true + - it: "has default RSI and ISE pprof ports" templates: - ../templates/deployment.yaml diff --git a/charts/cluster-scanner/values.yaml b/charts/cluster-scanner/values.yaml index 174666131..714d6c220 100644 --- a/charts/cluster-scanner/values.yaml +++ b/charts/cluster-scanner/values.yaml 
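Review bot: The new `CLUSTERSCANNER_PLATFORM_ENABLED` assertions only check that the env var is wired to configmap key `enable_platform_services` with `optional: true`; because the reference is optional, a rename of that key in the configmap template would still pass this test and leave the variable unset at runtime with no deploy-time error. Consider a companion assertion in the same test file against the configmap template, e.g. an `isNotNull` on `data.enable_platform_services`, so the producer and the consumer of the key are checked together (the configmap template's filename is not visible in this diff). The enclosing `tests:` list starts before this hunk.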
@@ -81,13 +81,15 @@ scannerMode: "local" # Optional parameter used to check the compatibility of cluster-scanner # component versions with the on-premised backend version. # -# If you are running an on-prem version of the Sysdig backend, set +# If you are running an on-prem version of the Sysdig backend, you MUST set # this parameter with the version of Sysdig backend you are using. # +# If you are runinng on SaaS, do NOT provide this parameter. +# # E.g. if `onPremCompatibilityVersion=6.2`, we ensure that the image -# tag is < 1.0.0 for both the Runtime Status Integrator and the Image SBOM +# tag is < 0.5.0 for both the Runtime Status Integrator and the Image SBOM # Extractor. -onPremCompatibilityVersion: "6.2" +# onPremCompatibilityVersion: "6.2" # Can be set to false to allow insecure connections to the Sysdig backend, # such as for on-premise installs that use self-signed certificates. @@ -102,7 +104,7 @@ runtimeStatusIntegrator: # The image repository to use for pulling the Runtime Status Integrator # image repository: sysdig/runtime-status-integrator - tag: "0.4.4" + tag: "0.5.0" # Params to manage leader election # Leader election is implemented leveraging the native capabilities of # Kubernetes see: https://kubernetes.io/blog/2016/01/simple-leader-election-with-kubernetes/ @@ -164,7 +166,7 @@ imageSbomExtractor: registry: quay.io # The image repository to use for pulling the Image SBOM Extractor image repository: sysdig/image-sbom-extractor - tag: "0.4.4" + tag: "0.5.0" ports: # The port to be used to expose prometheus metrics for the Image SBOM # Extractor diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml index 76b3af6eb..386ca1c9d 100644 --- a/charts/sysdig-deploy/Chart.yaml +++ b/charts/sysdig-deploy/Chart.yaml 
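Review bot: Commenting out the `onPremCompatibilityVersion: "6.2"` default removes the backend/image compatibility check for existing on-prem installs that upgrade without editing their values, while the same file moves both image tags to 0.5.0 — the exact range the chart's own tests reject for a 6.2/6.3 backend (`expected < 0.5.0`); the "not set" test suggests no check runs when the value is absent. The comment block should state this as a behaviour change rather than just "you MUST set", e.g. `# NOTE: since chart 0.6.0 this has no default; on-prem installs upgrading from 0.5.x must set it explicitly or the version check is skipped.` Whether the README or a changelog already calls this out is not visible in this hunk. Also `runinng` in the SaaS comment should read `running`.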
@@ -2,7 +2,7 @@ apiVersion: v2 name: sysdig-deploy description: A chart with various Sysdig components for Kubernetes type: application -version: 1.22.11 +version: 1.23.0 maintainers: - name: AlbertoBarba email: alberto.barba@sysdig.com @@ -42,7 +42,7 @@ dependencies: - name: cluster-scanner # repository: https://charts.sysdig.com repository: file://../cluster-scanner - version: ~0.5.6 + version: ~0.6.0 alias: clusterScanner condition: clusterScanner.enabled - name: kspm-collector