feat(admission-controller): update README with latest CA certificate changes #1263

Merged
merged 4 commits into from
Jul 26, 2023
2 changes: 1 addition & 1 deletion charts/admission-controller/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: admission-controller
description: Sysdig Admission Controller using Sysdig Secure inline image scanner
type: application
version: 0.11.8
version: 0.11.9
appVersion: 3.9.26
home: https://sysdiglabs.github.io/admission-controller/
icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
43 changes: 12 additions & 31 deletions charts/admission-controller/README.md
Expand Up @@ -23,7 +23,7 @@ $ pre-commit run -a
$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
--create-namespace -n sysdig-admission-controller --version=0.11.8 \
--create-namespace -n sysdig-admission-controller --version=0.11.9 \
--set clusterName=CLUSTER_NAME \
--set sysdig.secureAPIToken=SECURE_API_TOKEN
```
Expand Down Expand Up @@ -55,7 +55,7 @@ This chart deploys the Sysdig Admission Controller on a [Kubernetes](http://kube
To install the chart with the release name `admission-controller`:

```console
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller -n sysdig-admission-controller --version=0.11.8
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller -n sysdig-admission-controller --version=0.11.9
```

The command deploys the Sysdig Admission Controller on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
Expand Down Expand Up @@ -181,7 +181,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to `

```console
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
--create-namespace -n sysdig-admission-controller --version=0.11.8 \
--create-namespace -n sysdig-admission-controller --version=0.11.9 \
--set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME
```

Expand All @@ -190,7 +190,7 @@ installing the chart. For example:

```console
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
--create-namespace -n sysdig-admission-controller --version=0.11.8 \
--create-namespace -n sysdig-admission-controller --version=0.11.9 \
--values values.yaml
```

Expand Down Expand Up @@ -269,8 +269,6 @@ If your Proxy is served with TLS
1. Set the `verifySSL=false` parameter
2. Or set `*.ssl.ca.cert` for both components `webhook` and `scanner`



## Usages


Expand All @@ -287,48 +285,31 @@ $ helm upgrade --install sysdig-admission-controller sysdig/admission-controller

### On Prem

Use the following command to deploy in an on-prem:

```
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
--create-namespace -n sysdig-admission-controller \
--set clusterName=CLUSTER_NAME \
--set sysdig.secureAPIToken=SECURE_API_TOKEN \
--set verifySSL=false
```

Use `verifySSL=false` if you are using self signed certificates.

Sysdig On-Prem installations might use a TLS self-signed server certificate or one from an untrusted CA, so it requires an extra configuration.

#### Ignore TLS certificate verification

### CA Provided

The following command will deploy the admission controller with a custom CA:
Note: Since the certificates are not provided, they will be autogenerated with the provided CA.
Use the following command to deploy in an on-prem and ignore the untrusted certificate using `verifySSL=false`:

```
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
--create-namespace -n sysdig-admission-controller \
--set clusterName=CLUSTER_NAME \
--set sysdig.secureAPIToken=SECURE_API_TOKEN \
--set webhook.ssl.ca.cert=YOUR_CA_CERT_AS_PEM_ENCODED \
--set webhook.ssl.ca.key=YOUR_CA_KEY_AS_PEM_ENCODED
--set verifySSL=false
```

#### Custom CA Provided

### CA and Certificates Provided

The following command will deploy the admission controller with a custom CA and valid certificates signed with this CA:
The following command will deploy the admission controller with a custom CA. The custom CA certificate is added to the trusted certificates store.

```
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
--create-namespace -n sysdig-admission-controller \
--set clusterName=CLUSTER_NAME \
--set sysdig.secureAPIToken=SECURE_API_TOKEN \
--set webhook.ssl.ca.cert=YOUR_CA_CERT_AS_PEM_ENCODED \
--set webhook.ssl.ca.key=YOUR_CA_KEY_AS_PEM_ENCODED \
--set webhook.ssl.cert=YOUR_CERT_AS_PEM_ENCODED \
--set webhook.ssl.key=YOUR_KEY_AS_PEM_ENCODED
--set scanner.ssl.ca.cert=YOUR_CA_CERT_AS_PEM_ENCODED
```

## Confirm Working Status
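
Review bot: In the reworked `### On Prem` section, `#### Ignore TLS certificate verification` is placed before `#### Custom CA Provided`, and nothing around `--set verifySSL=false` says that the option skips validation of the server certificate entirely. Put the custom CA subsection first and add one sentence to the `verifySSL=false` subsection saying it is the fallback for when the CA certificate cannot be supplied. The new intro sentence would also read better as "so they require extra configuration", and "deploy in an on-prem" is missing its noun.
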
Expand Down Expand Up @@ -478,7 +459,7 @@ A: [HorizontalAutoScaller](https://github.com/sysdiglabs/charts/blob/master/char
### Q: Getting error "x509: certificate signed by unknown authority"

A: Sysdig installation is made with an unverfied certificate, such as self-signed, `SECURE_URL` being `https`
<br/>S: Add `--set verifySSL=false` to your installation parameters
<br/>S: Add `--set verifySSL=false` to your installation parameters or configure a trusted CA certificate


### Q: Why is there no support for `ka.sourceips`?
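
Review bot: The updated answer ends with "or configure a trusted CA certificate" but does not say how, so a reader who hits `x509: certificate signed by unknown authority` still has `--set verifySSL=false` as the only concrete step. Name the values used under `#### Custom CA Provided` (`webhook.ssl.ca.cert` and `scanner.ssl.ca.cert`) or link to that subsection, and list that option ahead of `verifySSL=false`.
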
35 changes: 8 additions & 27 deletions charts/admission-controller/README.tpl
Expand Up @@ -174,8 +174,6 @@ If your Proxy is served with TLS
1. Set the `verifySSL=false` parameter
2. Or set `*.ssl.ca.cert` for both components `webhook` and `scanner`



## Usages


Expand All @@ -192,48 +190,31 @@ $ helm upgrade --install sysdig-{{ .Release.Name }} {{ .Repository.Name }}/{{ .C

### On Prem

Use the following command to deploy in an on-prem:

```
$ helm upgrade --install sysdig-{{ .Release.Name }} {{ .Repository.Name }}/{{ .Chart.Name }} \
--create-namespace -n {{ .Release.Namespace }} \
--set clusterName=CLUSTER_NAME \
--set sysdig.secureAPIToken=SECURE_API_TOKEN \
--set verifySSL=false
```

Use `verifySSL=false` if you are using self signed certificates.

Sysdig On-Prem installations might use a TLS self-signed server certificate or one from an untrusted CA, so it requires an extra configuration.

#### Ignore TLS certificate verification

### CA Provided

The following command will deploy the admission controller with a custom CA:
Note: Since the certificates are not provided, they will be autogenerated with the provided CA.
Use the following command to deploy in an on-prem and ignore the untrusted certificate using `verifySSL=false`:

```
$ helm upgrade --install sysdig-{{ .Release.Name }} {{ .Repository.Name }}/{{ .Chart.Name }} \
--create-namespace -n {{ .Release.Namespace }} \
--set clusterName=CLUSTER_NAME \
--set sysdig.secureAPIToken=SECURE_API_TOKEN \
--set webhook.ssl.ca.cert=YOUR_CA_CERT_AS_PEM_ENCODED \
--set webhook.ssl.ca.key=YOUR_CA_KEY_AS_PEM_ENCODED
--set verifySSL=false
```

#### Custom CA Provided

### CA and Certificates Provided

The following command will deploy the admission controller with a custom CA and valid certificates signed with this CA:
The following command will deploy the admission controller with a custom CA. The custom CA certificate is added to the trusted certificates store.

```
$ helm upgrade --install sysdig-{{ .Release.Name }} {{ .Repository.Name }}/{{ .Chart.Name }} \
--create-namespace -n {{ .Release.Namespace }} \
--set clusterName=CLUSTER_NAME \
--set sysdig.secureAPIToken=SECURE_API_TOKEN \
--set webhook.ssl.ca.cert=YOUR_CA_CERT_AS_PEM_ENCODED \
--set webhook.ssl.ca.key=YOUR_CA_KEY_AS_PEM_ENCODED \
--set webhook.ssl.cert=YOUR_CERT_AS_PEM_ENCODED \
--set webhook.ssl.key=YOUR_KEY_AS_PEM_ENCODED
--set scanner.ssl.ca.cert=YOUR_CA_CERT_AS_PEM_ENCODED
```

## Confirm Working Status
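
Review bot: The `#### Custom CA Provided` command passes the CA inline as `--set webhook.ssl.ca.cert=YOUR_CA_CERT_AS_PEM_ENCODED` (and the same for `scanner.ssl.ca.cert`), which leaves the reader to get a multi-line PEM through shell quoting and `--set` parsing. Show Helm's `--set-file` with a path to the CA file for both values instead, or state exactly what form the inline value must take. The examples that set `webhook.ssl.ca.key`, `webhook.ssl.cert` and `webhook.ssl.key` are removed in this hunk with no replacement; if the chart still accepts those values, keep a pointer to them, and if it does not, say so in the PR description.
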
Expand Down Expand Up @@ -383,7 +364,7 @@ A: [HorizontalAutoScaller](https://github.com/sysdiglabs/charts/blob/master/char
### Q: Getting error "x509: certificate signed by unknown authority"

A: Sysdig installation is made with an unverfied certificate, such as self-signed, `SECURE_URL` being `https`
<br/>S: Add `--set verifySSL=false` to your installation parameters
<br/>S: Add `--set verifySSL=false` to your installation parameters or configure a trusted CA certificate


### Q: Why is there no support for `ka.sourceips`?
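
Review bot: The `A:` context line directly above the changed `S:` line still reads "unverfied certificate"; correct it to "unverified" while the neighbouring line is being edited, in this template and in `README.md`.
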