diff --git a/charts/admission-controller/Chart.yaml b/charts/admission-controller/Chart.yaml
index fe773cf0b..b4dfc99d0 100644
--- a/charts/admission-controller/Chart.yaml
+++ b/charts/admission-controller/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: admission-controller
description: Sysdig Admission Controller using Sysdig Secure inline image scanner
type: application
-version: 0.11.8
+version: 0.11.9
appVersion: 3.9.26
home: https://sysdiglabs.github.io/admission-controller/
icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md
index 73e96d9a9..7c0e23b56 100644
--- a/charts/admission-controller/README.md
+++ b/charts/admission-controller/README.md
@@ -23,7 +23,7 @@ $ pre-commit run -a
$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
- --create-namespace -n sysdig-admission-controller --version=0.11.8 \
+ --create-namespace -n sysdig-admission-controller --version=0.11.9 \
--set clusterName=CLUSTER_NAME \
--set sysdig.secureAPIToken=SECURE_API_TOKEN
```
@@ -55,7 +55,7 @@ This chart deploys the Sysdig Admission Controller on a [Kubernetes](http://kube
To install the chart with the release name `admission-controller`:
```console
-$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller -n sysdig-admission-controller --version=0.11.8
+$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller -n sysdig-admission-controller --version=0.11.9
```
The command deploys the Sysdig Admission Controller on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
@@ -181,7 +181,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to `
```console
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
- --create-namespace -n sysdig-admission-controller --version=0.11.8 \
+ --create-namespace -n sysdig-admission-controller --version=0.11.9 \
--set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME
```
@@ -190,7 +190,7 @@ installing the chart. For example:
```console
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
- --create-namespace -n sysdig-admission-controller --version=0.11.8 \
+ --create-namespace -n sysdig-admission-controller --version=0.11.9 \
--values values.yaml
```
@@ -269,8 +269,6 @@ If your Proxy is served with TLS
1. Set the `verifySSL=false` parameter
2. Or set `*.ssl.ca.cert` for both components `webhook` and `scanner`
-
-
## Usages
@@ -287,38 +285,23 @@ $ helm upgrade --install sysdig-admission-controller sysdig/admission-controller
### On Prem
-Use the following command to deploy in an on-prem:
-
-```
-$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
- --create-namespace -n sysdig-admission-controller \
- --set clusterName=CLUSTER_NAME \
- --set sysdig.secureAPIToken=SECURE_API_TOKEN \
- --set verifySSL=false
-```
-
-Use `verifySSL=false` if you are using self signed certificates.
-
+Sysdig On-Prem installations might use a TLS self-signed server certificate or one from an untrusted CA, so it requires an extra configuration.
+#### Ignore TLS certificate verification
-### CA Provided
-
-The following command will deploy the admission controller with a custom CA:
-Note: Since the certificates are not provided, they will be autogenerated with the provided CA.
+Use the following command to deploy in an on-prem and ignore the untrusted certificate using `verifySSL=false`:
```
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
--create-namespace -n sysdig-admission-controller \
--set clusterName=CLUSTER_NAME \
--set sysdig.secureAPIToken=SECURE_API_TOKEN \
- --set webhook.ssl.ca.cert=YOUR_CA_CERT_AS_PEM_ENCODED \
- --set webhook.ssl.ca.key=YOUR_CA_KEY_AS_PEM_ENCODED
+ --set verifySSL=false
```
+#### Custom CA Provided
-### CA and Certificates Provided
-
-The following command will deploy the admission controller with a custom CA and valid certificates signed with this CA:
+The following command will deploy the admission controller with a custom CA. The custom CA certificate is added to the trusted certificates store.
```
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
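Review bot: The new "Ignore TLS certificate verification" subsection puts `--set verifySSL=false` forward as the first on-prem option without stating the trade-off: with verification off, the chart no longer authenticates the Sysdig endpoint that receives `sysdig.secureAPIToken`. Suggest moving "Custom CA Provided" ahead of it and describing `verifySSL=false` as a fallback for test setups. The fences in this section are also bare, while the install examples earlier in this README use a `console` fence.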
@@ -326,9 +309,7 @@ $ helm upgrade --install sysdig-admission-controller sysdig/admission-controller
--set clusterName=CLUSTER_NAME \
--set sysdig.secureAPIToken=SECURE_API_TOKEN \
--set webhook.ssl.ca.cert=YOUR_CA_CERT_AS_PEM_ENCODED \
- --set webhook.ssl.ca.key=YOUR_CA_KEY_AS_PEM_ENCODED \
- --set webhook.ssl.cert=YOUR_CERT_AS_PEM_ENCODED \
- --set webhook.ssl.key=YOUR_KEY_AS_PEM_ENCODED
+ --set scanner.ssl.ca.cert=YOUR_CA_CERT_AS_PEM_ENCODED
```
## Confirm Working Status
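Review bot: `YOUR_CA_CERT_AS_PEM_ENCODED` passed through `--set` does not tell the reader how a multi-line PEM file ends up on the command line. Helm's `--set-file` reads the value from a file, so the example would be easier to follow as `--set-file webhook.ssl.ca.cert=<path>` and `--set-file scanner.ssl.ca.cert=<path>`. Separately, the removed lines were the only usage example for `webhook.ssl.ca.key`, `webhook.ssl.cert` and `webhook.ssl.key`; if those values are still supported, say where they are documented now, and if not, mention the removal.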
@@ -478,7 +459,7 @@ A: [HorizontalAutoScaller](https://github.com/sysdiglabs/charts/blob/master/char
### Q: Getting error "x509: certificate signed by unknown authority"
A: Sysdig installation is made with an unverfied certificate, such as self-signed, `SECURE_URL` being `https`
-
S: Add `--set verifySSL=false` to your installation parameters
+
S: Add `--set verifySSL=false` to your installation parameters or configure a trusted CA certificate
### Q: Why is there no support for `ka.sourceips`?
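Review bot: "or configure a trusted CA certificate" on the new S: line gives the reader nothing to act on. Name the parameters (`webhook.ssl.ca.cert` and `scanner.ssl.ca.cert`) or link to the "Custom CA Provided" section added above, and consider listing that option before `--set verifySSL=false`, since it keeps certificate verification on.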
diff --git a/charts/admission-controller/README.tpl b/charts/admission-controller/README.tpl
index e330afad1..89bebdd35 100644
--- a/charts/admission-controller/README.tpl
+++ b/charts/admission-controller/README.tpl
@@ -174,8 +174,6 @@ If your Proxy is served with TLS
1. Set the `verifySSL=false` parameter
2. Or set `*.ssl.ca.cert` for both components `webhook` and `scanner`
-
-
## Usages
@@ -192,38 +190,23 @@ $ helm upgrade --install sysdig-{{ .Release.Name }} {{ .Repository.Name }}/{{ .C
### On Prem
-Use the following command to deploy in an on-prem:
-
-```
-$ helm upgrade --install sysdig-{{ .Release.Name }} {{ .Repository.Name }}/{{ .Chart.Name }} \
- --create-namespace -n {{ .Release.Namespace }} \
- --set clusterName=CLUSTER_NAME \
- --set sysdig.secureAPIToken=SECURE_API_TOKEN \
- --set verifySSL=false
-```
-
-Use `verifySSL=false` if you are using self signed certificates.
-
+Sysdig On-Prem installations might use a TLS self-signed server certificate or one from an untrusted CA, so it requires an extra configuration.
+#### Ignore TLS certificate verification
-### CA Provided
-
-The following command will deploy the admission controller with a custom CA:
-Note: Since the certificates are not provided, they will be autogenerated with the provided CA.
+Use the following command to deploy in an on-prem and ignore the untrusted certificate using `verifySSL=false`:
```
$ helm upgrade --install sysdig-{{ .Release.Name }} {{ .Repository.Name }}/{{ .Chart.Name }} \
--create-namespace -n {{ .Release.Namespace }} \
--set clusterName=CLUSTER_NAME \
--set sysdig.secureAPIToken=SECURE_API_TOKEN \
- --set webhook.ssl.ca.cert=YOUR_CA_CERT_AS_PEM_ENCODED \
- --set webhook.ssl.ca.key=YOUR_CA_KEY_AS_PEM_ENCODED
+ --set verifySSL=false
```
+#### Custom CA Provided
-### CA and Certificates Provided
-
-The following command will deploy the admission controller with a custom CA and valid certificates signed with this CA:
+The following command will deploy the admission controller with a custom CA. The custom CA certificate is added to the trusted certificates store.
```
$ helm upgrade --install sysdig-{{ .Release.Name }} {{ .Repository.Name }}/{{ .Chart.Name }} \
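Review bot: Wording in the added lines needs a pass. "Sysdig On-Prem installations ... so it requires an extra configuration" mixes a plural subject with "it"; "so they require extra configuration" reads correctly. "deploy in an on-prem" is missing its noun, for example "deploy against an on-prem installation". The same two sentences appear in the README.md hunk and should be changed together.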
@@ -231,9 +214,7 @@ $ helm upgrade --install sysdig-{{ .Release.Name }} {{ .Repository.Name }}/{{ .C
--set clusterName=CLUSTER_NAME \
--set sysdig.secureAPIToken=SECURE_API_TOKEN \
--set webhook.ssl.ca.cert=YOUR_CA_CERT_AS_PEM_ENCODED \
- --set webhook.ssl.ca.key=YOUR_CA_KEY_AS_PEM_ENCODED \
- --set webhook.ssl.cert=YOUR_CERT_AS_PEM_ENCODED \
- --set webhook.ssl.key=YOUR_KEY_AS_PEM_ENCODED
+ --set scanner.ssl.ca.cert=YOUR_CA_CERT_AS_PEM_ENCODED
```
## Confirm Working Status
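Review bot: The added `scanner.ssl.ca.cert` line uses the same placeholder as `webhook.ssl.ca.cert`, but the text above the command does not say that both keys must be set, or that they take the same CA. The proxy section already states "set `*.ssl.ca.cert` for both components `webhook` and `scanner`"; repeating that here would explain why the example sets two values.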
@@ -383,7 +364,7 @@ A: [HorizontalAutoScaller](https://github.com/sysdiglabs/charts/blob/master/char
### Q: Getting error "x509: certificate signed by unknown authority"
A: Sysdig installation is made with an unverfied certificate, such as self-signed, `SECURE_URL` being `https`
-
S: Add `--set verifySSL=false` to your installation parameters
+
S: Add `--set verifySSL=false` to your installation parameters or configure a trusted CA certificate
### Q: Why is there no support for `ka.sourceips`?
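Review bot: Since this FAQ entry is being edited, the "A:" line directly above the change still reads "unverfied"; correct it to "unverified" here and in README.md.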