From 120a3676b81af7c22e21517ddca3be6039b7aa6c Mon Sep 17 00:00:00 2001 From: maratsal <33134602+maratsal@users.noreply.github.com> Date: Tue, 4 Jul 2023 04:53:13 -0400 Subject: [PATCH 01/41] feat(admission-controller, sysdig-deploy): Add logic to toggle enable/disable HPA and set replica count based on that value. (#1204) Signed-off-by: Marat Salakhutdinov --- charts/admission-controller/Chart.yaml | 2 +- charts/admission-controller/README.md | 9 ++++--- .../templates/webhook/autoscaler.yaml | 2 ++ .../templates/webhook/deployment.yaml | 2 ++ .../tests/conditional_flag_test.yaml | 26 +++++++++++++++++++ charts/admission-controller/values.yaml | 2 ++ charts/sysdig-deploy/Chart.yaml | 4 +-- 7 files changed, 40 insertions(+), 7 deletions(-) diff --git a/charts/admission-controller/Chart.yaml b/charts/admission-controller/Chart.yaml index abd9a17df..be647f5f1 100644 --- a/charts/admission-controller/Chart.yaml +++ b/charts/admission-controller/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: admission-controller description: Sysdig Admission Controller using Sysdig Secure inline image scanner type: application -version: 0.9.0 +version: 0.10.0 appVersion: 3.9.22 home: https://sysdiglabs.github.io/admission-controller/ icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md index da44913cb..e9ec0570c 100644 --- a/charts/admission-controller/README.md +++ b/charts/admission-controller/README.md @@ -23,7 +23,7 @@ $ pre-commit run -a $ helm repo add sysdig https://charts.sysdig.com $ helm repo update $ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.9.0 \ + --create-namespace -n sysdig-admission-controller --version=0.10.0 \ --set clusterName=CLUSTER_NAME \ --set sysdig.secureAPIToken=SECURE_API_TOKEN ``` 
@@ -55,7 +55,7 @@ This chart deploys the Sysdig Admission Controller on a [Kubernetes](http://kube To install the chart with the release name `admission-controller`: ```console -$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller -n sysdig-admission-controller --version=0.9.0 +$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller -n sysdig-admission-controller --version=0.10.0 ``` The command deploys the Sysdig Admission Controller on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. @@ -130,6 +130,7 @@ The following table lists the configurable parameters of the `admission-controll | webhook.hostNetwork | Specifies if the webhook should be started in hostNetwork mode.
This is required if using a custom CNI where the managed control plane nodes are unable to initiate network connections to the pods, for example using Calico CNI plugin on EKS.
This is not required or recommended in most contexts. | false | | webhook.imagePullSecrets | The image pull secrets for webhook | [] | | webhook.resources | Resource request and limits for webhook | {"limits":{"cpu":"250m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}} | +| webhook.autoscaling.enabled | Enable horizontal pod autoscaling | true | | webhook.autoscaling.minReplicas | Min replicas to use while autoscaling the webhook | 2 | | webhook.autoscaling.maxReplicas | Max replicas to use while autoscaling the webhook | 5 | | webhook.autoscaling.targetCPUUtilizationPercentage | Target CPU to use when the number of replicas must be increased | 80 | @@ -183,7 +184,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to ` ```console $ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.9.0 \ + --create-namespace -n sysdig-admission-controller --version=0.10.0 \ --set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME ``` @@ -192,7 +193,7 @@ installing the chart. For example: ```console $ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.9.0 \ + --create-namespace -n sysdig-admission-controller --version=0.10.0 \ --values values.yaml ``` diff --git a/charts/admission-controller/templates/webhook/autoscaler.yaml b/charts/admission-controller/templates/webhook/autoscaler.yaml index d69c70bd8..02a7eb162 100644 --- a/charts/admission-controller/templates/webhook/autoscaler.yaml +++ b/charts/admission-controller/templates/webhook/autoscaler.yaml @@ -1,3 +1,4 @@ +{{- if .Values.webhook.autoscaling.enabled }} apiVersion: autoscaling/v1 kind: HorizontalPodAutoscaler metadata: 
@@ -11,3 +12,4 @@ spec: kind: Deployment name: {{ include "admissionController.webhook.fullname" . }} targetCPUUtilizationPercentage: {{ .Values.webhook.autoscaling.targetCPUUtilizationPercentage }} +{{- end }} diff --git a/charts/admission-controller/templates/webhook/deployment.yaml b/charts/admission-controller/templates/webhook/deployment.yaml index ca6d3775f..62d9294c2 100644 --- a/charts/admission-controller/templates/webhook/deployment.yaml +++ b/charts/admission-controller/templates/webhook/deployment.yaml @@ -6,7 +6,9 @@ metadata: labels: {{- include "admissionController.webhook.labels" . | nindent 4 }} spec: + {{- if not .Values.webhook.autoscaling.enabled }} replicas: {{ .Values.webhook.replicaCount }} + {{- end }} selector: matchLabels: {{- include "admissionController.webhook.selectorLabels" . | nindent 6 }} diff --git a/charts/admission-controller/tests/conditional_flag_test.yaml b/charts/admission-controller/tests/conditional_flag_test.yaml index e564647ef..865e9df08 100644 --- a/charts/admission-controller/tests/conditional_flag_test.yaml +++ b/charts/admission-controller/tests/conditional_flag_test.yaml @@ -65,3 +65,29 @@ tests: kind: PodMonitor apiVersion: monitoring.coreos.com/v1 template: webhook/podmonitor.yaml + + - it: Checking if replica count is not set when HPA is enabled + set: + webhook: + autoscaling: + enabled: true + clusterName: test-k8s + sysdig: + secureAPIToken: standard_token + asserts: + - isNull: + path: spec.replicas + template: webhook/deployment.yaml + + - it: Checking if replica count is set when HPA is disabled + set: + webhook: + autoscaling: + enabled: false + clusterName: test-k8s + sysdig: + secureAPIToken: standard_token + asserts: + - isNotNull: + path: spec.replicas + template: webhook/deployment.yaml diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml index 008c2947b..a8659473d 100644 --- a/charts/admission-controller/values.yaml 
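Review bot: Omitting `spec.replicas` whenever `autoscaling.enabled` is true is the right shape for letting the HPA own the count, but the guard also removes the field from Deployments that already carry it, and on a 0.9.0 to 0.10.0 upgrade the apiserver then, as far as I can tell from apply semantics, defaults the count to 1 until the HPA reconciles back up to `minReplicas`; since `enabled` defaults to true, every existing install would pass through a brief single-replica window for the webhook. A why-comment would stop a later maintainer from re-adding the field, e.g. `{{- /* replicas is owned by the HPA when autoscaling is enabled; rendering it would reset the count on every helm upgrade */ -}}` just above the `{{- if not ... }}`, and the transient scale-down deserves a sentence in the release notes. The `spec:` block continues past the hunk.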
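Review bot: The two new cases pin `spec.replicas` on the Deployment but nothing asserts that the HPA manifest itself is not rendered when `autoscaling.enabled` is false, which is the other half of this change in `webhook/autoscaler.yaml`. A third case with `hasDocuments: count: 0` against that template would cover it, and the `isNotNull` case could be tightened to an `equal` on `spec.replicas` against the configured `replicaCount` so a typo in the value path is caught rather than passing on any non-null value. The `tests:` list starts before the hunk.
```yaml
  # … unchanged: the two existing spec.replicas cases …
  - it: Checking if HPA is not rendered when autoscaling is disabled
    set:
      webhook:
        autoscaling:
          enabled: false
      clusterName: test-k8s
      sysdig:
        secureAPIToken: standard_token
    asserts:
      - hasDocuments:
          count: 0
        template: webhook/autoscaler.yaml
```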
+++ b/charts/admission-controller/values.yaml @@ -184,6 +184,8 @@ webhook: memory: 256Mi autoscaling: + # Enable horizontal pod autoscaling + enabled: true # Min replicas to use while autoscaling the webhook minReplicas: 2 # Max replicas to use while autoscaling the webhook diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml index 42e720327..f82f2c402 100644 --- a/charts/sysdig-deploy/Chart.yaml +++ b/charts/sysdig-deploy/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: sysdig-deploy description: A chart with various Sysdig components for Kubernetes type: application -version: 1.10.1 +version: 1.11.0 maintainers: - name: aroberts87 email: adam.roberts@sysdig.com @@ -14,7 +14,7 @@ dependencies: - name: admission-controller # repository: https://charts.sysdig.com repository: file://../admission-controller - version: ~0.9.0 + version: ~0.10.0 alias: admissionController condition: admissionController.enabled - name: agent From a7921046d88c45f33c274aef1069127abeff162f Mon Sep 17 00:00:00 2001 From: draios-jenkins Date: Tue, 4 Jul 2023 08:54:44 +0000 Subject: [PATCH 02/41] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for admission-controller-0.10.0 --- charts/admission-controller/CHANGELOG.md | 3 +++ charts/admission-controller/RELEASE-NOTES.md | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/charts/admission-controller/CHANGELOG.md b/charts/admission-controller/CHANGELOG.md index 433b5d576..9c5d890c7 100644 --- a/charts/admission-controller/CHANGELOG.md +++ b/charts/admission-controller/CHANGELOG.md 
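Review bot: The comment on the new `enabled` key does not say what the flag changes: with it true, `webhook.replicaCount` is no longer rendered into the Deployment (the matching guard is in `templates/webhook/deployment.yaml`), so a user who sets `replicaCount` while leaving autoscaling at its default sees no effect and nothing tells them why. Suggest `# Enable horizontal pod autoscaling. When true, webhook.replicaCount is ignored and the HPA manages the replica count between minReplicas and maxReplicas.`; the README row for `webhook.autoscaling.enabled` could carry the same sentence. The `webhook:` map continues past the hunk.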
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v0.10.0 +### New Features +* **admission-controller, sysdig-deploy** [120a3676](https://github.com/sysdiglabs/charts/commit/120a3676b81af7c22e21517ddca3be6039b7aa6c): Add logic to toggle enable/disable HPA and set replica count based on that value. ([#1204](https://github.com/sysdiglabs/charts/issues/1204)) # v0.9.0 ### New Features * **admission-controller,agent,cloud-bench,cloud-connector,cloud-scanning,harbor-scanner-sysdig-secure,kspm-collector,node-analyzer,rapid-response,registry-scanner,sysdig,sysdig-deploy,sysdig-mcm-navmenu,sysdig-stackdriver-bridge** [5d99a03d](https://github.com/sysdiglabs/charts/commit/5d99a03dced132b4771dde1ce5b90b63c518b408): use a PGP private key to sign charts on release ([#1170](https://github.com/sysdiglabs/charts/issues/1170)) diff --git a/charts/admission-controller/RELEASE-NOTES.md b/charts/admission-controller/RELEASE-NOTES.md index 748a0ac51..ba2e5993e 100644 --- a/charts/admission-controller/RELEASE-NOTES.md +++ b/charts/admission-controller/RELEASE-NOTES.md 
@@ -1,6 +1,6 @@ # What's Changed ### New Features -- **admission-controller,agent,cloud-bench,cloud-connector,cloud-scanning,harbor-scanner-sysdig-secure,kspm-collector,node-analyzer,rapid-response,registry-scanner,sysdig,sysdig-deploy,sysdig-mcm-navmenu,sysdig-stackdriver-bridge** [5d99a03d](https://github.com/sysdiglabs/charts/commit/5d99a03dced132b4771dde1ce5b90b63c518b408): use a PGP private key to sign charts on release ([#1170](https://github.com/sysdiglabs/charts/issues/1170)) +- **admission-controller, sysdig-deploy** [120a3676](https://github.com/sysdiglabs/charts/commit/120a3676b81af7c22e21517ddca3be6039b7aa6c): Add logic to toggle enable/disable HPA and set replica count based on that value. ([#1204](https://github.com/sysdiglabs/charts/issues/1204)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.8.6...admission-controller-0.9.0 +#### Full diff: https://github.com/sysdiglabs/charts/compare/admission-controller-0.9.0...admission-controller-0.10.0 From 4dd02c8f487a7616b7a462a2f09230ec9761f760 Mon Sep 17 00:00:00 2001 From: draios-jenkins Date: Tue, 4 Jul 2023 08:54:44 +0000 Subject: [PATCH 03/41] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for sysdig-deploy-1.11.0 --- charts/sysdig-deploy/CHANGELOG.md | 3 +++ charts/sysdig-deploy/RELEASE-NOTES.md | 6 ++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/charts/sysdig-deploy/CHANGELOG.md b/charts/sysdig-deploy/CHANGELOG.md index bc0ebf057..697058661 100644 --- a/charts/sysdig-deploy/CHANGELOG.md +++ b/charts/sysdig-deploy/CHANGELOG.md 
@@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.11.0 +### New Features +* **admission-controller, sysdig-deploy** [120a3676](https://github.com/sysdiglabs/charts/commit/120a3676b81af7c22e21517ddca3be6039b7aa6c): Add logic to toggle enable/disable HPA and set replica count based on that value. ([#1204](https://github.com/sysdiglabs/charts/issues/1204)) # v1.10.1 ### Chores * **cluster-scanner** [c952eb44](https://github.com/sysdiglabs/charts/commit/c952eb44af7a45d9a09ed447eebc7cc54b5d1f21): added missing CHANGELOG.md, improved cluster scanner chart. ([#1215](https://github.com/sysdiglabs/charts/issues/1215)) diff --git a/charts/sysdig-deploy/RELEASE-NOTES.md b/charts/sysdig-deploy/RELEASE-NOTES.md index 5ed4fa87b..d1a939144 100644 --- a/charts/sysdig-deploy/RELEASE-NOTES.md +++ b/charts/sysdig-deploy/RELEASE-NOTES.md @@ -1,8 +1,6 @@ # What's Changed -### Chores -- **cluster-scanner** [c952eb44](https://github.com/sysdiglabs/charts/commit/c952eb44af7a45d9a09ed447eebc7cc54b5d1f21): added missing CHANGELOG.md, improved cluster scanner chart. ([#1215](https://github.com/sysdiglabs/charts/issues/1215)) ### New Features -- **cluster-scanner** [f9d0dc59](https://github.com/sysdiglabs/charts/commit/f9d0dc595b6c7e926021e7be4b02e0a5c9f6a46b): init chart with minimal templates and configuration ([#1056](https://github.com/sysdiglabs/charts/issues/1056)) +- **admission-controller, sysdig-deploy** [120a3676](https://github.com/sysdiglabs/charts/commit/120a3676b81af7c22e21517ddca3be6039b7aa6c): Add logic to toggle enable/disable HPA and set replica count based on that value. ([#1204](https://github.com/sysdiglabs/charts/issues/1204)) -#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.9.7...sysdig-deploy-1.10.1 +#### Full diff: https://github.com/sysdiglabs/charts/compare/sysdig-deploy-1.10.1...sysdig-deploy-1.11.0 
From 720210497940ddd2119491d28dde163f2bdcb55e Mon Sep 17 00:00:00 2001 From: Alberto Barba Date: Tue, 4 Jul 2023 17:30:01 +0200 Subject: [PATCH 04/41] fix: adjust RELEASE-NOTES template to avoid extra new lines at the end of the file (#1216) Co-authored-by: draios-jenkins --- .chglog/RELEASE.tpl.md | 10 ++++------ charts/cluster-scanner/Chart.yaml | 2 +- charts/cluster-scanner/README.md | 8 ++++---- charts/cluster-scanner/RELEASE-NOTES.md | 1 - 4 files changed, 9 insertions(+), 12 deletions(-) diff --git a/.chglog/RELEASE.tpl.md b/.chglog/RELEASE.tpl.md index 37c015945..ce19a9711 100644 --- a/.chglog/RELEASE.tpl.md +++ b/.chglog/RELEASE.tpl.md @@ -2,7 +2,7 @@ {{ if .Versions -}} {{ range .Versions }} {{ range .CommitGroups -}} -{{- if not (eq "Ignored" .Title ) -}} +{{ if not (eq "Ignored" .Title ) -}} ### {{ .Title }} {{ range .Commits -}} - {{ if .Scope }}**{{ .Scope }}** {{ end }}[{{.Hash.Short}}]({{ $.Info.RepositoryURL }}/commit/{{ .Hash.Long }}): {{ .Subject }} @@ -14,17 +14,15 @@ {{ end -}} {{ end -}} {{ end -}} - -{{- if .OtherCommits -}} +{{ if .OtherCommits -}} ### Others -{{ range .OtherCommits -}} +{{- range .OtherCommits -}} - [{{.Hash.Short}}]({{ $.Info.RepositoryURL }}/commit/{{ .Hash.Long }}) {{ end -}} {{ end -}} {{ end -}} - {{- if .Versions }} -{{ range .Versions -}} +{{- range .Versions -}} {{ if .Tag.Previous -}} #### Full diff: {{ $.Info.RepositoryURL }}/compare/{{ .Tag.Previous.Name }}...{{ .Tag.Name }} {{ end -}} diff --git a/charts/cluster-scanner/Chart.yaml b/charts/cluster-scanner/Chart.yaml index 264224945..fa4743143 100644 --- a/charts/cluster-scanner/Chart.yaml +++ b/charts/cluster-scanner/Chart.yaml @@ -4,7 +4,7 @@ description: A Helm chart for Kubernetes type: application -version: 0.1.1 +version: 0.1.2 appVersion: "0.1.0" home: https://www.sysdig.com/ diff --git a/charts/cluster-scanner/README.md b/charts/cluster-scanner/README.md index e5d672b65..108fc9b9c 100644 --- a/charts/cluster-scanner/README.md 
+++ b/charts/cluster-scanner/README.md @@ -25,7 +25,7 @@ $ pre-commit run -a $ helm repo add sysdig https://charts.sysdig.com $ helm repo update $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.1.1 \ + --create-namespace -n sysdig --version=0.1.2 \ --set global.clusterConfig.name=CLUSTER_NAME \ --set global.sysdig.region=SYSDIG_REGION \ --set global.sysdig.accessKey=YOUR-KEY-HERE @@ -55,7 +55,7 @@ To install the chart with the release name `cluster-scanner`, run: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.1.1 \ + --create-namespace -n sysdig --version=0.1.2 \ --set global.clusterConfig.name=CLUSTER_NAME \ --set global.sysdig.region=SYSDIG_REGION \ --set global.sysdig.accessKey=YOUR-KEY-HERE @@ -146,7 +146,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to ` ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.1.1 \ + --create-namespace -n sysdig --version=0.1.2 \ --set global.sysdig.region="us1" ``` @@ -155,7 +155,7 @@ installing the chart. For example: ```console $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \ - --create-namespace -n sysdig --version=0.1.1 \ + --create-namespace -n sysdig --version=0.1.2 \ --values values.yaml ``` diff --git a/charts/cluster-scanner/RELEASE-NOTES.md b/charts/cluster-scanner/RELEASE-NOTES.md index 0aed73009..58e8a6d7c 100644 --- a/charts/cluster-scanner/RELEASE-NOTES.md +++ b/charts/cluster-scanner/RELEASE-NOTES.md 
@@ -4,4 +4,3 @@ - **cluster-scanner** [c952eb44](https://github.com/sysdiglabs/charts/commit/c952eb44af7a45d9a09ed447eebc7cc54b5d1f21): added missing CHANGELOG.md, improved cluster scanner chart. ([#1215](https://github.com/sysdiglabs/charts/issues/1215)) ### New Features - **cluster-scanner** [f9d0dc59](https://github.com/sysdiglabs/charts/commit/f9d0dc595b6c7e926021e7be4b02e0a5c9f6a46b): init chart with minimal templates and configuration ([#1056](https://github.com/sysdiglabs/charts/issues/1056)) - From 58150cafce65f1dc641f13fa95bd865d32023c00 Mon Sep 17 00:00:00 2001 From: draios-jenkins Date: Tue, 4 Jul 2023 15:31:23 +0000 Subject: [PATCH 05/41] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for cluster-scanner-0.1.2 --- charts/cluster-scanner/CHANGELOG.md | 3 +++ charts/cluster-scanner/RELEASE-NOTES.md | 7 +++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/charts/cluster-scanner/CHANGELOG.md b/charts/cluster-scanner/CHANGELOG.md index ee4032621..ab74516e0 100644 --- a/charts/cluster-scanner/CHANGELOG.md +++ b/charts/cluster-scanner/CHANGELOG.md @@ -10,6 +10,9 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v0.1.2 +### Bug Fixes +* [72021049](https://github.com/sysdiglabs/charts/commit/720210497940ddd2119491d28dde163f2bdcb55e): adjust RELEASE-NOTES template to avoid extra new lines at the end of the file ([#1216](https://github.com/sysdiglabs/charts/issues/1216)) # v0.1.1 ### Chores * **cluster-scanner** [c952eb44](https://github.com/sysdiglabs/charts/commit/c952eb44af7a45d9a09ed447eebc7cc54b5d1f21): added missing CHANGELOG.md, improved cluster scanner chart. ([#1215](https://github.com/sysdiglabs/charts/issues/1215)) diff --git a/charts/cluster-scanner/RELEASE-NOTES.md b/charts/cluster-scanner/RELEASE-NOTES.md index 58e8a6d7c..528ff8f3a 100644 --- a/charts/cluster-scanner/RELEASE-NOTES.md 
+++ b/charts/cluster-scanner/RELEASE-NOTES.md @@ -1,6 +1,5 @@ # What's Changed -### Chores -- **cluster-scanner** [c952eb44](https://github.com/sysdiglabs/charts/commit/c952eb44af7a45d9a09ed447eebc7cc54b5d1f21): added missing CHANGELOG.md, improved cluster scanner chart. ([#1215](https://github.com/sysdiglabs/charts/issues/1215)) -### New Features -- **cluster-scanner** [f9d0dc59](https://github.com/sysdiglabs/charts/commit/f9d0dc595b6c7e926021e7be4b02e0a5c9f6a46b): init chart with minimal templates and configuration ([#1056](https://github.com/sysdiglabs/charts/issues/1056)) +### Bug Fixes +- [72021049](https://github.com/sysdiglabs/charts/commit/720210497940ddd2119491d28dde163f2bdcb55e): adjust RELEASE-NOTES template to avoid extra new lines at the end of the file ([#1216](https://github.com/sysdiglabs/charts/issues/1216)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/cluster-scanner-0.1.1...cluster-scanner-0.1.2 From e9ca8899ef6ed780e2171bc746c6288ca3247a83 Mon Sep 17 00:00:00 2001 From: Miguel Angel Baztan Date: Wed, 5 Jul 2023 18:09:44 +0200 Subject: [PATCH 06/41] feat(registry-scanner): add the ability to work behind a proxy (#1219) --- charts/registry-scanner/CHANGELOG.md | 4 ++++ charts/registry-scanner/Chart.yaml | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/charts/registry-scanner/CHANGELOG.md b/charts/registry-scanner/CHANGELOG.md index fda020c1c..136c9ea53 100644 --- a/charts/registry-scanner/CHANGELOG.md +++ b/charts/registry-scanner/CHANGELOG.md 
@@ -10,9 +10,13 @@ Manual edits are supported only below '## Change Log' and should be used exclusively to fix incorrect entries and not to add new ones. ## Change Log +# v1.1.2 +* feat: Add the ability to work behind a proxy to the new VM Scanner k8s job + # v1.1.1 ### Documentation * **registry-scanner** [bafbaba2](https://github.com/sysdiglabs/charts/commit/bafbaba2d54d0f52ef965ddd3505efd439a6a2c0): DOC-3229 - update for clarity, consistency, correctness ([#1184](https://github.com/sysdiglabs/charts/issues/1184)) + # v1.1.0 ### New Features * **admission-controller,agent,cloud-bench,cloud-connector,cloud-scanning,harbor-scanner-sysdig-secure,kspm-collector,node-analyzer,rapid-response,registry-scanner,sysdig,sysdig-deploy,sysdig-mcm-navmenu,sysdig-stackdriver-bridge** [5d99a03d](https://github.com/sysdiglabs/charts/commit/5d99a03dced132b4771dde1ce5b90b63c518b408): use a PGP private key to sign charts on release ([#1170](https://github.com/sysdiglabs/charts/issues/1170)) diff --git a/charts/registry-scanner/Chart.yaml b/charts/registry-scanner/Chart.yaml index c267c0432..86265e847 100644 --- a/charts/registry-scanner/Chart.yaml +++ b/charts/registry-scanner/Chart.yaml @@ -4,8 +4,8 @@ description: Sysdig Registry Scanner type: application home: https://sysdiglabs.github.io/registry-scanner/ icon: https://478h5m1yrfsa3bbe262u7muv-wpengine.netdna-ssl.com/wp-content/uploads/2019/02/Shovel_600px.png -version: 1.1.1 -appVersion: 0.2.41 +version: 1.1.2 +appVersion: 0.2.42 maintainers: - name: airadier email: alvaro.iradier@sysdig.com From 287ab2b67435b6a5c1acfb70a1039186d453405d Mon Sep 17 00:00:00 2001 From: draios-jenkins Date: Wed, 5 Jul 2023 16:11:02 +0000 Subject: [PATCH 07/41] github_actions_ci: Update CHANGELOG and RELEASE-NOTES for registry-scanner-1.1.2 --- charts/registry-scanner/RELEASE-NOTES.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
diff --git a/charts/registry-scanner/RELEASE-NOTES.md b/charts/registry-scanner/RELEASE-NOTES.md index abb40ae0a..e59848796 100644 --- a/charts/registry-scanner/RELEASE-NOTES.md +++ b/charts/registry-scanner/RELEASE-NOTES.md @@ -1,6 +1,5 @@ # What's Changed -### Documentation -- **registry-scanner** [bafbaba2](https://github.com/sysdiglabs/charts/commit/bafbaba2d54d0f52ef965ddd3505efd439a6a2c0): DOC-3229 - update for clarity, consistency, correctness ([#1184](https://github.com/sysdiglabs/charts/issues/1184)) - -#### Full diff: https://github.com/sysdiglabs/charts/compare/registry-scanner-1.1.0...registry-scanner-1.1.1 +### New Features +- **registry-scanner** [e9ca8899](https://github.com/sysdiglabs/charts/commit/e9ca8899ef6ed780e2171bc746c6288ca3247a83): add the ability to work behind a proxy ([#1219](https://github.com/sysdiglabs/charts/issues/1219)) +#### Full diff: https://github.com/sysdiglabs/charts/compare/registry-scanner-1.1.1...registry-scanner-1.1.2 From 6ad0ef926ebf7600ba7730c43219036eb1d0b57c Mon Sep 17 00:00:00 2001 From: Radhika Puthiyetath Date: Fri, 7 Jul 2023 06:46:49 +0000 Subject: [PATCH 08/41] docs(cloud-connector): DOC-3215- Update Cloud connector Readme for clarity and correctness (#1172) Signed-off-by: radhikapc --- charts/cloud-connector/Chart.yaml | 2 +- charts/cloud-connector/README.md | 207 +++++++++++++++-------------- charts/cloud-connector/README.tpl | 119 +++++++++-------- charts/cloud-connector/doc.yaml | 6 +- charts/cloud-connector/values.yaml | 84 ++++++------ 5 files changed, 214 insertions(+), 204 deletions(-) diff --git a/charts/cloud-connector/Chart.yaml b/charts/cloud-connector/Chart.yaml index 17e56019d..62b4d0136 100644 --- a/charts/cloud-connector/Chart.yaml +++ b/charts/cloud-connector/Chart.yaml @@ -3,7 +3,7 @@ name: cloud-connector description: Sysdig Cloud Connector type: application -version: 0.8.1 +version: 0.8.2 appVersion: 0.16.43 home: https://sysdiglabs.github.io/cloud-connector 
diff --git a/charts/cloud-connector/README.md b/charts/cloud-connector/README.md index 9b20054f1..a4fe209e2 100644 --- a/charts/cloud-connector/README.md +++ b/charts/cloud-connector/README.md 
@@ -14,57 +14,69 @@ $ pre-commit run -a # Cloud Connector -[Cloud Connector](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/) - This chart deploys the Sysdig Cloud connector on your Kubernetes cluster to enable threat-detection and image scanning. +## Overview +This chart deploys Sysdig Cloud Connector on your Kubernetes cluster, enabling Threat Detection and Image Scanning for the AWS, GCP, and Azure Cloud providers. -## TL;DR; -``` -$ helm repo add sysdig https://charts.sysdig.com -$ helm repo update -$ helm upgrade --install cloud-connector sysdig/cloud-connector \ - --create-namespace -n cloud-connector --version=0.8.1 \ - --set sysdig.secureAPIToken=SECURE_API_TOKEN -``` - -- [Configuration](#configuration) -- [Configuration Detail](#configuration-detail) -- [Usage examples](#usage-examples) -- [Troubleshooting](#troubleshooting) - - -## Introduction +Use [Cloud Connector](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/) only if your Sysdig representative recommends it to you. For the official installation instruction, see [Install Sysdig Secure for Cloud ](https://docs.sysdig.com/en/docs/installation/sysdig-secure-for-cloud/). -This chart deploys the Sysdig Cloud Connector on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager -to enable threat-detection and image scanning capabilities for the main three providers: AWS, GCP and Azure. 
### Prerequisites -- Helm 3 + +- Helm v3 - Sysdig Secure API Token -### Installing the Chart +### Installation -To install the chart with the release name `cloud-connector`: +To install the chart: ```console -$ helm upgrade --install cloud-connector sysdig/cloud-connector -n cloud-connector --version=0.8.1 +helm repo add sysdig https://charts.sysdig.com +helm repo update +helm upgrade --install cloud-connector sysdig/cloud-connector \ + --create-namespace -n cloud-connector --version=0.8.2 \ + --set sysdig.secureAPIToken= ``` -The command deploys the Sysdig Cloud Connector on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. +The command deploys the Sysdig Cloud Connector on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the additional parameters that can be configured during installation. -> **Tip**: List all releases using `helm list -A` +> **Tip**: Use `helm list -A` to list all the releases. -### Uninstalling the Chart +## Configuration -To uninstall/delete the `cloud-connector`: +You can use the Helm chart to update the default Cloud Connector configurations by using either of the following: -```console -$ helm uninstall cloud-connector -n cloud-connector +- Using the key-value pair: `--set sysdig.settings.key = value` +- `values.yaml` file + +### Using the Key-Value Pair + +Specify each parameter using the `--set key=value[,key=value]` argument to the `helm install`command. + +For example: + +```bash +helm upgrade --install cloud-connector sysdig/cloud-connector \ + --create-namespace -n cloud-connector --version=0.8.2 \ + --set sysdig.secureAPIToken= +``` + +### Using values.yaml + +The `values.yaml` file specifies the values for the agent configuration parameters. You can add the configuration to the `values.yaml` file, then use it in the `helm install` command. 
+ +For example: + +```bash +helm upgrade --install cloud-connector sysdig/cloud-connector \ + --create-namespace -n cloud-connector --version=0.8.2 \ + --values values.yaml ``` -The command removes all the Kubernetes components associated with the chart and deletes the release. +See the default [`values.yaml`](./values.yaml) file for more information. ### Verify the integrity and origin Sysdig Helm Charts are signed so users can verify the integrity and origin of each chart, the steps are as follows: 
@@ -80,81 +92,61 @@ $ gpg --import /tmp/sysdig_public.gpg To check the integrity and the origin of the charts you can now append the `--verify` flag to the `install`, `upgrade` and `pull` helm commands. -## Configuration +## Configuration Parameters The following table lists the configurable parameters of the `cloud-connector` chart and their default values. -| Parameter | Description | Default | -|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------| -| replicaCount | Amount of replicas for Cloud Connector | 1 | -| image.repository | The image repository to pull from. | quay.io/sysdig/cloud-connector | -| image.pullPolicy | The image pull policy. | IfNotPresent | -| image.tag | The image tag (immutable tags are recommended). Overrides the image tag whose default is the chart appVersion. | | -| imagePullSecrets | The image pull secrets | [] | -| nameOverride | Chart name override | "" | -| fullnameOverride | Chart full name override | "" | -| serviceAccount.create | Create the service account | true | -| serviceAccount.annotations | Extra annotations for serviceAccount | {} | -| serviceAccount.name | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | "" | -| podAnnotations | Pod annotations | {"prometheus.io/path":"/metrics","prometheus.io/port":"5000","prometheus.io/scrape":"true"} | -| podSecurityContext | Configure deployment PSP's | {} | -| securityContext | Configure securityContext | {"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true} | -| service.type | Use this type as service | ClusterIP | -| service.port | Configure port for the service | 80 | -| service.labels | Additional labels to specify for the service | {} | -| resources | Configure resource requests and limits | {} | -| nodeSelector | Configure nodeSelector for scheduling | {} | -| tolerations | Tolerations for scheduling | [] | -| affinity | Configure affinity rules | {} | -| telemetryDeploymentMethod | Configure deployment source for inner telemetry | "helm" | -| extraEnvVars | Extra environment variables to be set | [] | -| aws.accessKeyId | AWS Credentials AccessKeyID | "" | -| aws.secretAccessKey | AWS Credentials: SecretAccessKey | "" | -| aws.region | AWS Region | "" | -| gcpCredentials | GCP Credentials JSON | "" | -| azure.eventHubConnectionString | Azure EventHub Connection String | "" | -| azure.eventGridEventHubConnectionString | Azure Event Grid EventHub Connection String | "" | -| azure.tenantId | Azure service principal tenant id | "" | -| azure.clientId | Azure service principal client id | "" | -| azure.clientSecret | Azure service principal client secret | "" | -| azure.region | Azure region | "" | -| sysdig.url | Sysdig Secure URL | "https://secure.sysdig.com" | -| sysdig.secureAPIToken | API Token to access Sysdig Secure | "" | -| sysdig.verifySSL | Verify SSL certificate | true | -| existingSecretName | Provide an existing secret name (see details in 'templates/secret.yaml') for the entries it uses. 
| "" | -| rules | Rules Section for Cloud Connector | [] | -| ingestors | Thread-Detection event ingestion configuration ([config](#ingestors)) | [] | -| scanners | Scanning capabilities configuration ([config](#scanners)) | [] | -| bruteForceDetection.enabled | Enable Brute Force detection | true | -| bruteForceDetection.duration | Time window for a bruteforce attack try | 24h | -| bruteForceDetection.maximumTries | Maximum number of tries for given time window | 10 | - - -Specify each parameter using the **`--set key=value[,key=value]`** argument to `helm upgrade --install`. For example: - -```console -$ helm upgrade --install cloud-connector sysdig/cloud-connector \ - --create-namespace -n cloud-connector --version=0.8.1 \ - --set sysdig.secureAPIToken=YOUR-KEY-HERE -``` - -**Alternatively, a YAML file** that specifies the values for the parameters can be provided while -installing the chart. For example: +| Parameter | Description | Default | +|-----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------| +| replicaCount | The number of replicas for the Cloud Connector. | 1 | +| image.repository | Sets the image repository to pull from. | quay.io/sysdig/cloud-connector | +| image.pullPolicy | Sets the image pull policy. | IfNotPresent | +| image.tag | Sets the image tag. Immutable tags are recommended. Overrides the image tag whose default is the chart appVersion. | | +| imagePullSecrets | Specifies the image pull secrets. | [] | +| nameOverride | Specifies the chart name override. | "" | +| fullnameOverride | Specifies the chart full name override. | "" | +| serviceAccount.create | Creates the service account. | true | +| serviceAccount.annotations | Specifies the additional annotations for serviceAccount. 
| {} | +| serviceAccount.name | Sets the name of the service account to use. If not set and create is `true`, a name is generated using the fullname template. | "" | +| podAnnotations | Pod annotations | {"prometheus.io/path":"/metrics","prometheus.io/port":"5000","prometheus.io/scrape":"true"} | +| podSecurityContext | Enables deployment PSPs. | {} | +| securityContext | Enables securityContext. | {"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true} | +| service.type | Uses this type as a service. | ClusterIP | +| service.port | Enables the port for the service. | 80 | +| service.labels | Specifies the additional labels for the service. | {} | +| resources | Enables resource requests and limits. | {} | +| nodeSelector | Enables nodeSelector for scheduling. | {} | +| tolerations | Sets tolerations for scheduling. | [] | +| affinity | Enables affinity rules. | {} | +| telemetryDeploymentMethod | Enables deployment source for inner telemetry. | "helm" | +| extraEnvVars | Specifies additional environment variables to be set. | [] | +| aws.accessKeyId | Specifies the AWS Credentials AccessKeyID. | "" | +| aws.secretAccessKey | Specifies the AWS Credentials: `SecretAccessKey`. | "" | +| aws.region | Specifies the AWS Region. | "" | +| gcpCredentials | Specifies the GCP credentials in JSON. | "" | +| azure.eventHubConnectionString | Specifies the Azure EventHub connection string. | "" | +| azure.eventGridEventHubConnectionString | Specifies the Azure Event Grid EventHub connection string. | "" | +| azure.tenantId | Specifies the Azure service principal tenant ID. | "" | +| azure.clientId | Specifies the Azure service principal client ID. | "" | +| azure.clientSecret | Specifies the Azure service principal client secret. | "" | +| azure.region | Specifies the Azure region. | "" | +| sysdig.url | Specifies the Sysdig Secure URL. | "https://secure.sysdig.com" | +| sysdig.secureAPIToken | Specifies the API Token to access Sysdig Secure. 
| "" | +| sysdig.verifySSL | Verifies the SSL certificate. | true | +| existingSecretName | Provides an existing secret name for the entries it uses. See `templates/secret.yaml` for more information. | "" | +| rules | Specifies the Rules Section for Cloud Connector. | [] | +| ingestors | Specifies configuration for the threat detection event ingestion. See [ingestors](#ingestors) for more information. | [] | +| scanners | Specifies configuration for scanning capabilities. See [scanners](#scanners) for more information. | [] | +| bruteForceDetection.enabled | Enables Brute Force detection. | true | +| bruteForceDetection.duration | Specifies a time window for a bruteforce attack try. | 24h | +| bruteForceDetection.maximumTries | Specifies the maximum number of tries for a given time window. | 10 | -```console -$ helm upgrade --install cloud-connector sysdig/cloud-connector \ - --create-namespace -n cloud-connector --version=0.8.1 \ - --values values.yaml -``` ## Examples -- [Default `values.yaml`](./values.yaml) - -## Configuration Detail ### Ingestors -Where to ingest events from +Specifies where to ingest the events: ```yaml ingestors: @@ -202,7 +194,7 @@ ingestors: ### Scanners -Trigger scanners when a new image is detected +Specifies the trigger scanners when a new image is detected: ```yaml scanners: @@ -236,9 +228,9 @@ scanners: # containerRegistry: sfccontainerregistry # container registry name where to run the scan ``` -### Usage examples +### Usage Examples -Check live examples present in our different Terraform Modules: +See additional examples in the Terraform modules: * [Single Account Deployment for AWS in K8s](https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/single-account-k8s/cloud-connector.tf#L27) * [Single Project Deployment for GCP in K8s](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/blob/master/examples/single-project-k8s/cloud-connector.tf#L32) 
@@ -247,8 +239,10 @@ Check live examples present in our different Terraform Modules: ### Troubleshooting -#### Q: How do I enable `debug` logs? -A: By editing the configmap and killing pod(s)/deployment so it restart +#### Enable `debug` Logs + +To enable `debug logs`, edit the ConfigMap and terminate the pod or deployment. + ```yaml data: cloud-connector.yaml: | @@ -256,6 +250,17 @@ A: By editing the configmap and killing pod(s)/deployment so it restart > logging: debug ``` +## Uninstall the Chart + +To uninstall the `cloud-connector`: + +```console +$ helm uninstall cloud-connector -n cloud-connector +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release artifacts. + +