sysdiglabs · AlbertoBarba · Aug 28, 2024 · Aug 29, 2024 · Aug 29, 2024 · Aug 30, 2024
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.29.8
+version: 1.29.9
@@ -280,7 +280,7 @@ Check for all COS nodes or a flag to enable eBPF. If false, return nothing so
 it can act like a boolean
 */}}
 {{- define "agent.ebpfEnabled" -}}
-  {{- if (or (eq "true" (include "agent.isAllCos" .)) .Values.ebpf.enabled) -}}
+  {{- if (or (eq "true" (include "agent.isAllCos" .)) (include "agent.gke.autopilot" .) .Values.ebpf.enabled) -}}
     true
   {{- end -}}
 {{- end -}}
@@ -597,14 +597,6 @@ true
 {{- include "agent.configmapName" . | trunc 46 | trimSuffix "-" | printf "%s-local-forwarder" }}
 {{- end }}
 
-{{- define "agent.enableHttpProbes" }}
-{{- if not (include "agent.gke.autopilot" .) }}
-{{- if and (include "agent.isSemVer" .Values.image.tag) (semverCompare ">= 12.18.0-0" .Values.image.tag) }}
-{{- printf "true" -}}
-{{- end }}
-{{- end }}
-{{- end }}
-
 {{- define "agent.enableFalcoBaselineSecureLight" }}
 {{- if and (include "agent.isSemVer" .Values.image.tag) (semverCompare ">= 12.19.0-0" .Values.image.tag) }}
 {{- printf "true" -}}
@@ -635,7 +627,7 @@ annotations:
       - image tag not semver: go on at user's risk
 */}}
 {{- define "agent.privileged" }}
-  {{- if or .Values.privileged (include "agent.gke.autopilot" .) }}
+  {{- if .Values.privileged }}
     {{- /* OK */ -}}
     {{- print "true" }}
   {{- else }}

@@ -29,7 +29,7 @@ data:
 {{/*
   Unset proxy_user and proxy_password if present and gke autopilot is disabled.
 */}}
-{{- if and (hasKey .Values.sysdig.settings "http_proxy") (not (include "agent.gke.autopilot" .)) }}
+{{- if hasKey .Values.sysdig.settings "http_proxy" }}
   {{- $_ := unset .Values.sysdig.settings.http_proxy "proxy_user" -}}
   {{- $_ := unset .Values.sysdig.settings.http_proxy "proxy_password" -}}
 {{- end }}

@@ -65,10 +65,8 @@ spec:
             mountPath: Sysdig/Agent/certificates
             readOnly: true
           {{- end }}
-          {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
           - mountPath: Sysdig/Agent/Secrets/http_proxy
             name: sysdig-agent-http-proxy-secrets
-          {{- end }}
       terminationGracePeriodSeconds: 0
       volumes:
       - name: config
@@ -81,11 +79,10 @@ spec:
           {{- else }}
           secretName: {{ include "agent.accessKeySecret" . }}
           {{- end }}
-      {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
       - name: sysdig-agent-http-proxy-secrets
         secret:
           secretName: {{ template "agent.fullname" . }}-proxy
-      {{- end }}
+          optional: true
       {{- if eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
       - name: ca-cert
         secret:

@@ -89,7 +89,7 @@ spec:
               {{ toYaml .Values.slim.resources | nindent 12 }}
             {{- end }}
           env:
-          {{- if or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .) }}
+          {{- if (include "agent.ebpfEnabled" .) }}
             - name: SYSDIG_BPF_PROBE
               value:
           {{- end }}
@@ -195,14 +195,14 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
-            {{- if and (or (include "agent.ebpfEnabled" .) (include "agent.gke.autopilot" .)) (not (include "agent.universalEbpfEnforced" . )) }}
+            {{- if and (include "agent.ebpfEnabled" .) (not (include "agent.universalEbpfEnforced" . )) }}
             - name: SYSDIG_BPF_PROBE
               value:
             {{- end }}
-            {{- if and (include "agent.universalEbpfEnforced" .) (not (include "agent.gke.autopilot" .)) }}
+            {{- if (include "agent.universalEbpfEnforced" .) }}
             - name: SYSDIG_AGENT_DRIVER
               value: universal_ebpf
-            {{- else if and (include "agent.legacyEbpfEnforced" .) (not (include "agent.gke.autopilot" .)) }}
+            {{- else if (include "agent.legacyEbpfEnforced" .) }}
             - name: SYSDIG_AGENT_DRIVER
               value: legacy_ebpf
             {{- end }}
@@ -248,15 +248,10 @@ spec:
           {{- end }}
           {{- end }}
           readinessProbe:
-            {{- if eq (include "agent.enableHttpProbes" .) "true" }}
             httpGet:
               host: 127.0.0.1
               path: /healthz
               port: 24483
-            {{- else }}
-            exec:
-              command: [ "test", "-e", "/opt/draios/logs/running" ]
-            {{- end }}
             initialDelaySeconds: {{ .Values.daemonset.probes.initialDelay }}
             periodSeconds: {{ .Values.daemonset.probes.periodDelay }}
             failureThreshold: {{ .Values.daemonset.probes.failureThreshold }}
@@ -284,10 +279,8 @@ spec:
               name: sysdig-agent-config
             - mountPath: /opt/draios/etc/kubernetes/secrets
               name: sysdig-agent-secrets
-            {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
             - mountPath: /opt/draios/etc/secrets/http_proxy
               name: sysdig-agent-http-proxy-secrets
-            {{- end }}
             - mountPath: /etc/podinfo
               name: podinfo
 
@@ -396,6 +389,10 @@ spec:
           configMap:
             name: {{ include "agent.configmapName" . }}
             optional: true
+        - name: sysdig-agent-http-proxy-secrets
+          secret:
+            secretName: {{ template "agent.fullname" . }}-proxy
+            optional: true
         {{- if .Values.localForwarder.enabled }}
         - name: local-forwarder-config
           configMap:
@@ -409,11 +406,6 @@ spec:
             {{- else }}
             secretName: {{ include "agent.accessKeySecret" . }}
             {{- end }}
-        {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
-        - name: sysdig-agent-http-proxy-secrets
-          secret:
-            secretName: {{ template "agent.fullname" . }}-proxy
-        {{- end }}
         - name: podinfo
           downwardAPI:
             defaultMode: 420

@@ -103,15 +103,10 @@ spec:
             value: /opt/draios/certificates/{{- include "sysdig.custom_ca.keyName"  (dict "global" .Values.global.ssl "component" .Values.ssl) -}}
           {{- end }}
           readinessProbe:
-            {{- if eq (include "agent.enableHttpProbes" .) "true" }}
             httpGet:
               host: 127.0.0.1
               path: /healthz
               port: 24483
-            {{- else }}
-            exec:
-              command: [ "test", "-e", "/opt/draios/logs/running" ]
-            {{- end }}
             initialDelaySeconds: {{ .Values.delegatedAgentDeployment.deployment.probes.initialDelay }}
             periodSeconds: {{ .Values.delegatedAgentDeployment.deployment.probes.periodDelay }}
             failureThreshold: {{ .Values.delegatedAgentDeployment.deployment.probes.failureThreshold }}
@@ -131,10 +126,8 @@ spec:
               name: sysdig-agent-config
             - mountPath: /opt/draios/etc/kubernetes/secrets
               name: sysdig-agent-secrets
-            {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
             - mountPath: /opt/draios/etc/secrets/http_proxy
               name: sysdig-agent-http-proxy-secrets
-            {{- end }}
             - mountPath: /etc/podinfo
               name: podinfo
             {{- if eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
@@ -263,11 +256,10 @@ spec:
             {{- else }}
             secretName: {{ include "agent.accessKeySecret" . }}
             {{- end }}
-        {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
         - name: sysdig-agent-http-proxy-secrets
           secret:
             secretName: {{ template "agent.fullname" . }}-proxy
-        {{- end }}
+            optional: true
         - name: podinfo
           downwardAPI:
             defaultMode: 420

@@ -36,7 +36,7 @@ metadata:
 data:
   {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
 {{- end }}
-{{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
+{{- if (include "agent.httpProxyCredentials" .) }}
 ---
 apiVersion: v1
 kind: Secret

@@ -141,13 +141,34 @@ tests:
       - isNull:
           path: spec.template.spec.volumes[?(@.hostPath.path =~ /\/.*/ && @.hostPath.path != "/usr" && @.hostPath.path != "/run" && @.hostPath.path != "/dev" && @.hostPath.path != "/proc" && @.hostPath.path != "/etc/os-release" && @.hostPath.path != "/boot" && @.hostPath.path != "/var/run/containerd/containerd.sock")]
 
-  - it: Ensure the SYSDIG_AGENT_DRIVER env var is not set
+  - it: Ensure the SYSDIG_AGENT_DRIVER env var is set to legacy_ebpf when running on GKE Autopilot (default)
     set:
       gke:
         autopilot:
           enabled: true
     asserts:
-      - isNull:
-          path: spec.template.spec.initContainer[0].env[?(@.name != "SYSDIG_BPF_PROBE")]
-      - isNull:
-          path: spec.template.spec.containers[0].env[?(@.name != "SYSDIG_BPF_PROBE" && @.name != "K8S_NODE")]
+      - exists:
+          path: spec.template.spec.containers[0].env[?(@.name == "SYSDIG_BPF_PROBE")]
+      - isNullOrEmpty:
+          path: spec.template.spec.containers[0].env[?(@.name == "SYSDIG_BPF_PROBE")].value
+      - exists:
+          path: spec.template.spec.containers[0].env[?(@.name == "SYSDIG_AGENT_DRIVER")]
+      - equal:
+          path: spec.template.spec.containers[0].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value
+          value: legacy_ebpf
+
+  - it: Ensure the SYSDIG_AGENT_DRIVER env var is set to universal_ebpf when running on GKE Autopilot (user defined)
+    set:
+      gke:
+        autopilot:
+          enabled: true
+      ebpf:
+        kind: universal_ebpf
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[0].env[?(@.name == "SYSDIG_BPF_PROBE")].value
+      - exists:
+          path: spec.template.spec.containers[0].env[?(@.name == "SYSDIG_AGENT_DRIVER")]
+      - equal:
+          path: spec.template.spec.containers[0].env[?(@.name == "SYSDIG_AGENT_DRIVER")].value
+          value: universal_ebpf