diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
index bf841733c..8865b8155 100644
--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 email: marcovito.moscaritolo@sysdig.com
 type: application
-version: 0.1.5
+version: 0.1.6
 appVersion: "1.0.0"
diff --git a/charts/shield/README.md b/charts/shield/README.md
index c54692cf6..27381a68d 100644
--- a/charts/shield/README.md
+++ b/charts/shield/README.md
@@ -163,6 +163,9 @@ The following table lists the configurable parameters of the `shield` chart and | host.probes.liveness.failureThreshold | The readiness probe failure threshold | 9 | | host.update_strategy.type | The update strategy | RollingUpdate | | host.update_strategy.rollingUpdate | | {} | +| host.env | The custom environment variables for the host shield | [] | +| host.volumes | The custom volumes for the host shield | [] | +| host.volume_mounts | The custom volume mounts for the host shield | [] | | cluster.image.registry | The registry where the cluster shield image is stored | quay.io | | cluster.image.repository | The repository where the cluster shield image is stored | sysdig/cluster-shield | | cluster.image.tag | The tag for the cluster shield image | 1.4.0 | 
@@ -206,6 +209,9 @@ The following table lists the configurable parameters of the `shield` chart and | cluster.update_strategy.rollingUpdate | | {} | | cluster.host_network | Specifies if Cluster Shield should be started in hostNetwork mode. This field is required if you are using a custom CNI where the control plane nodes are unable to initiate network connections to the pods, for example, using Calico CNI plugin on EKS. | false | | cluster.dns_policy | Define Cluster Shield Pods DNS Policy | | +| cluster.env | The custom environment variables for cluster shield | [] | +| cluster.volumes | The custom volumes for cluster shield | [] | +| cluster.volume_mounts | The custom volume mounts for cluster shield | [] | | ssl.verify | Enable SSL verification | true | | ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | | ssl.ca.key_name | Filename that is used when creating the secret. Required if cert is provided. | |
@@ -224,6 +230,9 @@ The following table lists the configurable parameters of the `shield` chart and | node_selector | The node selector for the all the workloads | {} | | tolerations | The tolerations for the all the workloads | [] | | affinity | The affinity for the all the workloads | {} | +| env | The environment variables for the all the workloads | [] | +| volumes | The volumes to mount for all the workloads | [] | +| volume_mounts | The volume mounts for all the workloads | [] | | name_override | | | | fullname_override | | | | on_prem_version | Optional parameter used to check the compatibility of shield component versions with the on-premised backend version. If you are running an on-prem version of the Sysdig backend, you MUST set this parameter with the version of Sysdig backend you are using. If you are runinng on SaaS, do NOT provide this parameter. | | 
diff --git a/charts/shield/templates/cluster/_helpers.tpl b/charts/shield/templates/cluster/_helpers.tpl
index 05db5c91a..6faf88c04 100644
--- a/charts/shield/templates/cluster/_helpers.tpl
+++ b/charts/shield/templates/cluster/_helpers.tpl
@@ -101,3 +101,24 @@ If release name contains chart name it will be used as a full name.
 0
 {{- end -}}
 {{- end -}}
+
+{{- define "cluster.env" -}}
+{{- $env := concat (default (list) .Values.env) (default (list) .Values.cluster.env) -}}
+{{- with $env -}}
+{{- . | toYaml -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cluster.volumes" -}}
+{{- $volumes := concat (default (list) .Values.volumes) (default (list) .Values.cluster.volumes) -}}
+{{- with $volumes -}}
+{{- . | toYaml -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cluster.volume_mounts" -}}
+{{- $volumeMounts := concat (default (list) .Values.volume_mounts) (default (list) .Values.cluster.volume_mounts) -}}
+{{- with $volumeMounts -}}
+{{- . | toYaml -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/shield/templates/cluster/deployment.yaml b/charts/shield/templates/cluster/deployment.yaml
index 6f7ee62e7..3f6bbc0f4 100644
--- a/charts/shield/templates/cluster/deployment.yaml
+++ b/charts/shield/templates/cluster/deployment.yaml
@@ -119,6 +119,7 @@ spec:
 {{- if $customCAEnvs }}
 {{- $customCAEnvs | nindent 12 }}
 {{- end }}
+ {{- include "cluster.env" . | nindent 12 }}
 resources:
 {{- toYaml .Values.cluster.resources | nindent 12 }}
 livenessProbe:
@@ -146,6 +147,7 @@ spec:
 - mountPath: {{ include "cluster.tls_certificates.mount_path" (merge . (dict "CACertsPath" "/etc/sysdig/ca-certs/")) }}
 name: cluster-shield-tls-certificates-secret
 {{- end }}
+ {{- include "cluster.volume_mounts" . | nindent 12 }}
 volumes:
 {{- $customCAVolume := (include "common.custom_ca.volume" .) }}
 {{- if $customCAVolume }}
@@ -164,3 +166,4 @@ spec:
 secret:
 secretName: {{ include "cluster.tls_certificates.secret_name" . }}
 {{- end }}
+ {{- include "cluster.volumes" . | nindent 8 }}
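Review bot: `cluster.volumes` concatenates `.Values.volumes` and `.Values.cluster.volumes` without checking for duplicate `name`s, so a volume declared in both lists, or one that reuses a chart-managed name such as `cluster-shield-tls-certificates-secret`, renders cleanly and is only rejected by the API server at install time, while a duplicate env `name` is not rejected anywhere and is presumably resolved last-entry-wins by the kubelet. The three `host.*` helpers in host/_helpers.tpl have the same gap. A name check that calls `fail` at template time, as below, turns this into an early, readable error, and a comment on `cluster.env` should state which list takes precedence. The `{{- include "cluster.env" . | nindent 12 }}` line in deployment.yaml relies on the `env:` key above the hunk being emitted unconditionally — I cannot see that from here, so please confirm it is not inside a conditional block.
```helm
{{- define "cluster.volumes" -}}
{{- $volumes := concat (default (list) .Values.volumes) (default (list) .Values.cluster.volumes) -}}
{{- /* Reject duplicate names here instead of letting the API server reject the Deployment. */ -}}
{{- $seen := dict -}}
{{- range $volumes -}}
{{- if hasKey $seen .name -}}
{{- fail (printf "cluster shield: duplicate volume name %q in .Values.volumes / .Values.cluster.volumes" .name) -}}
{{- end -}}
{{- $_ := set $seen .name true -}}
{{- end -}}
{{- with $volumes -}}
{{- . | toYaml -}}
{{- end -}}
{{- end -}}
```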
diff --git a/charts/shield/templates/host/_helpers.tpl b/charts/shield/templates/host/_helpers.tpl
index 9080de5e8..ccc799a40 100644
--- a/charts/shield/templates/host/_helpers.tpl
+++ b/charts/shield/templates/host/_helpers.tpl
@@ -113,3 +113,24 @@ true
 {{- true -}}
 {{- end }}
 {{- end }}
+
+{{- define "host.env" -}}
+{{- $env := concat (default (list) .Values.env) (default (list) .Values.host.env) -}}
+{{- with $env -}}
+{{- . | toYaml -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "host.volumes" -}}
+{{- $volumes := concat (default (list) .Values.volumes) (default (list) .Values.host.volumes) -}}
+{{- with $volumes -}}
+{{- . | toYaml -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "host.volume_mounts" -}}
+{{- $volumeMounts := concat (default (list) .Values.volume_mounts) (default (list) .Values.host.volume_mounts) -}}
+{{- with $volumeMounts -}}
+{{- . | toYaml -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/shield/templates/host/daemonset.yaml b/charts/shield/templates/host/daemonset.yaml
index 543043f15..e84d2bacf 100644
--- a/charts/shield/templates/host/daemonset.yaml
+++ b/charts/shield/templates/host/daemonset.yaml
@@ -157,6 +157,7 @@ spec:
 name: {{ include "host.rapid_response_secret" . }}
 key: password
 {{- end }}
+ {{- include "host.env" . | nindent 12 }}
 readinessProbe:
 httpGet:
 host: 127.0.0.1
@@ -232,6 +233,7 @@ spec:
 name: host-tmp
 {{- end }}
 {{- end }}
+ {{- include "host.volume_mounts" . | nindent 12 }}
 volumes:
 {{- /* Always requested */}}
 - name: dev-vol
@@ -337,3 +339,4 @@ spec:
 path: /tmp
 {{- end }}
 {{- end }}
+ {{- include "host.volumes" . | nindent 8 }}
diff --git a/charts/shield/tests/cluster/deployment_test.yaml b/charts/shield/tests/cluster/deployment_test.yaml
index f381a9299..b151c8f94 100644
--- a/charts/shield/tests/cluster/deployment_test.yaml
+++ b/charts/shield/tests/cluster/deployment_test.yaml
@@ -1176,3 +1176,153 @@ tests:
 - equal:
 path: spec.replicas
 value: 5
+
+ - it: Common custom env vars
+ set:
+ env:
+ - name: MY_ENV_VAR
+ value: my-value
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "cluster-shield")].env
+ content:
+ name: MY_ENV_VAR
+ value: my-value
+
+ - it: Common and Cluster specific custom env vars
+ set:
+ env:
+ - name: MY_ENV_VAR
+ value: my-value
+ cluster:
+ env:
+ - name: MY_CLUSTER_ENV_VAR
+ value: my-cluster-value
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "cluster-shield")].env
+ content:
+ name: MY_ENV_VAR
+ value: my-value
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "cluster-shield")].env
+ content:
+ name: MY_CLUSTER_ENV_VAR
+ value: my-cluster-value
+
+ - it: Ensure host specific env vars not present
+ set:
+ cluster:
+ env:
+ - name: MY_CLUSTER_ENV_VAR
+ value: my-cluster-value
+ host:
+ env:
+ - name: MY_HOST_ENV_VAR
+ value: my-host-value
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[?(@.name == "cluster-shield")].env
+ content:
+ name: MY_HOST_ENV_VAR
+ value: my-host-value
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "cluster-shield")].env
+ content:
+ name: MY_CLUSTER_ENV_VAR
+ value: my-cluster-value
+
+ - it: Common volumes and volume mounts
+ set:
+ volumes:
+ - name: my-volume
+ emptyDir: {}
+ volume_mounts:
+ - name: my-volume
+ mountPath: /host/my-mount-path
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: my-volume
+ emptyDir: {}
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "cluster-shield")].volumeMounts
+ content:
+ name: my-volume
+ mountPath: /host/my-mount-path
+
+ - it: Common and Cluster specific volumes and volume mounts
+ set:
+ volumes:
+ - name: my-volume
+ emptyDir: {}
+ volume_mounts:
+ - name: my-volume
+ mountPath: /host/my-mount-path
+ cluster:
+ volumes:
+ - name: my-cluster-volume
+ emptyDir: {}
+ volume_mounts:
+ - name: my-cluster-volume
+ mountPath: /host/my-cluster-mount-path
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: my-volume
+ emptyDir: {}
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: my-cluster-volume
+ emptyDir: {}
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "cluster-shield")].volumeMounts
+ content:
+ name: my-volume
+ mountPath: /host/my-mount-path
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "cluster-shield")].volumeMounts
+ content:
+ name: my-cluster-volume
+ mountPath: /host/my-cluster-mount-path
+
+ - it: Ensure host specific volumes and volume mounts not present
+ set:
+ cluster:
+ volumes:
+ - name: my-cluster-volume
+ emptyDir: {}
+ volume_mounts:
+ - name: my-cluster-volume
+ mountPath: /host/my-cluster-mount-path
+ host:
+ volumes:
+ - name: my-host-volume
+ emptyDir: {}
+ volume_mounts:
+ - name: my-host-volume
+ mountPath: /host/my-host-mount-path
+ asserts:
+ - notContains:
+ path: spec.template.spec.volumes
+ content:
+ name: my-host-volume
+ emptyDir: {}
+ - notContains:
+ path: spec.template.spec.containers[?(@.name == "cluster-shield")].volumeMounts
+ content:
+ name: my-host-volume
+ mountPath: /host/my-host-mount-path
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: my-cluster-volume
+ emptyDir: {}
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "cluster-shield")].volumeMounts
+ content:
+ name: my-cluster-volume
+ mountPath: /host/my-cluster-mount-path
diff --git a/charts/shield/tests/host/daemonset_test.yaml b/charts/shield/tests/host/daemonset_test.yaml
index 663ad0d77..3550dc503 100644
--- a/charts/shield/tests/host/daemonset_test.yaml
+++ b/charts/shield/tests/host/daemonset_test.yaml
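Review bot: None of the six new cases exercises the overlap between the common and the cluster-specific lists, so the behaviour when `env` and `cluster.env` both declare the same `name` (or `volumes` and `cluster.volumes` the same volume name) is neither tested nor documented; the six new cases in tests/host/daemonset_test.yaml have the same gap. A case that sets `env: [{name: MY_ENV_VAR, value: common}]` together with `cluster.env: [{name: MY_ENV_VAR, value: cluster}]` and uses an `equal` assertion on the rendered `env` list would pin the outcome (with the helpers as written, both entries are emitted because they only `concat`). The default path is also uncovered: no case leaves all three lists at `[]` and asserts that the container's `env`, `volumeMounts` and the pod's `volumes` are unchanged, which is the regression most likely to bite existing users of the chart.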
@@ -401,3 +401,153 @@ tests:
 value:
 - my: specialdefaulttoleration
 - my: specialhosttoleration
+
+ - it: Common custom env vars
+ set:
+ env:
+ - name: MY_ENV_VAR
+ value: my-value
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env
+ content:
+ name: MY_ENV_VAR
+ value: my-value
+
+ - it: Common and Host specific custom env vars
+ set:
+ env:
+ - name: MY_ENV_VAR
+ value: my-value
+ host:
+ env:
+ - name: MY_HOST_ENV_VAR
+ value: my-host-value
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env
+ content:
+ name: MY_ENV_VAR
+ value: my-value
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env
+ content:
+ name: MY_HOST_ENV_VAR
+ value: my-host-value
+
+ - it: Ensure cluster specific env vars not present
+ set:
+ cluster:
+ env:
+ - name: MY_CLUSTER_ENV_VAR
+ value: my-cluster-value
+ host:
+ env:
+ - name: MY_HOST_ENV_VAR
+ value: my-host-value
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env
+ content:
+ name: MY_HOST_ENV_VAR
+ value: my-host-value
+ - notContains:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].env
+ content:
+ name: MY_CLUSTER_ENV_VAR
+ value: my-cluster-value
+
+ - it: Common volumes and volume mounts
+ set:
+ volumes:
+ - name: my-volume
+ emptyDir: {}
+ volume_mounts:
+ - name: my-volume
+ mountPath: /host/my-mount-path
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: my-volume
+ emptyDir: {}
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].volumeMounts
+ content:
+ name: my-volume
+ mountPath: /host/my-mount-path
+
+ - it: Common and Host specific volumes and volume mounts
+ set:
+ volumes:
+ - name: my-volume
+ emptyDir: {}
+ volume_mounts:
+ - name: my-volume
+ mountPath: /host/my-mount-path
+ host:
+ volumes:
+ - name: my-host-volume
+ emptyDir: {}
+ volume_mounts:
+ - name: my-host-volume
+ mountPath: /host/my-host-mount-path
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: my-volume
+ emptyDir: {}
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: my-host-volume
+ emptyDir: {}
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].volumeMounts
+ content:
+ name: my-volume
+ mountPath: /host/my-mount-path
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].volumeMounts
+ content:
+ name: my-host-volume
+ mountPath: /host/my-host-mount-path
+
+ - it: Ensure cluster specific volumes and volume mounts not present
+ set:
+ cluster:
+ volumes:
+ - name: my-cluster-volume
+ emptyDir: {}
+ volume_mounts:
+ - name: my-cluster-volume
+ mountPath: /host/my-cluster-mount-path
+ host:
+ volumes:
+ - name: my-host-volume
+ emptyDir: {}
+ volume_mounts:
+ - name: my-host-volume
+ mountPath: /host/my-host-mount-path
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: my-host-volume
+ emptyDir: {}
+ - contains:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].volumeMounts
+ content:
+ name: my-host-volume
+ mountPath: /host/my-host-mount-path
+ - notContains:
+ path: spec.template.spec.volumes
+ content:
+ name: my-cluster-volume
+ emptyDir: {}
+ - notContains:
+ path: spec.template.spec.containers[?(@.name == "sysdig-host-shield")].volumeMounts
+ content:
+ name: my-cluster-volume
+ mountPath: /host/my-cluster-mount-path
diff --git a/charts/shield/values.schema.json b/charts/shield/values.schema.json
index e880fcd6f..3474f78ff 100644
--- a/charts/shield/values.schema.json
+++ b/charts/shield/values.schema.json
@@ -17,6 +17,18 @@
 },
 "features": {
 "$ref": "#/$defs/Features"
+ },
+ "host": {
+ "$ref": "#/$defs/Host"
+ },
+ "env": {
+ "$ref": "#/$defs/EnvVars"
+ },
+ "volumes": {
+ "$ref": "#/$defs/Volumes"
+ },
+ "volume_mounts": {
+ "$ref": "#/$defs/VolumeMounts"
 }
 },
 "required": [
@@ -289,6 +301,15 @@
 "multi-process",
 "single-process"
 ]
+ },
+ "env": {
+ "$ref": "#/$defs/EnvVars"
+ },
+ "volumes": {
+ "$ref": "#/$defs/Volumes"
+ },
+ "volume_mounts": {
+ "$ref": "#/$defs/VolumeMounts"
 }
 },
 "required": [
@@ -296,6 +317,7 @@
 ]
 },
 "Host": {
+ "additionalProperties": true,
 "type": "object",
 "properties": {
 "driver": {
@@ -306,6 +328,15 @@
 "legacy_ebpf",
 "universal_ebpf"
 ]
+ },
+ "env": {
+ "$ref": "#/$defs/EnvVars"
+ },
+ "volumes": {
+ "$ref": "#/$defs/Volumes"
+ },
+ "volume_mounts": {
+ "$ref": "#/$defs/VolumeMounts"
 }
 },
 "required": [
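Review bot: The `"additionalProperties": true` added to the `Host` definition (hunk `@@ -296,6 +317,7 @@`) switches off unknown-key rejection for the whole `host` block, so a misspelt key such as `host.volume_mount` or `host.envs` now passes schema validation silently instead of failing at lint/install time, and `Host` is then validated more loosely than the sibling `Cluster` definition, which gets no such change in this diff. The first hunk also wires `host` into the top-level `properties` for what looks like the first time, so it may be that some existing `host.*` value used by the templates is not yet declared in `Host.properties` and the flag was added to keep it valid; if so, the right fix is to declare that key, not to open the object. If no such key exists, the line should simply be dropped and the three new `$ref` properties are enough on their own.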
@@ -867,6 +898,75 @@
 }
 }
 }
+ },
+ "EnvVars": {
+ "type": "array",
+ "items": {
+ "additionalProperties": false,
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "The name of the environment variable"
+ },
+ "value": {
+ "type": "string",
+ "description": "The value of the environment variable"
+ }
+ },
+ "required": [
+ "name",
+ "value"
+ ]
+ }
+ },
+ "Volumes": {
+ "type": "array",
+ "description": "Additional volumes to be mounted in the containers",
+ "items": {
+ "type": "object",
+ "additionalProperties": true,
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "The name of the volume"
+ }
+ },
+ "required": [
+ "name"
+ ]
+ }
+ },
+ "VolumeMounts": {
+ "type": "array",
+ "description": "Define additional volume mounts to be used by the Cluster Shield pods",
+ "items": {
+ "type": "object",
+ "additionalProperties": true,
+ "properties": {
+ "name": {
+ "type": "string",
+ "description": "The name of the volume"
+ },
+ "mountPath": {
+ "type": "string",
+ "description": "The path where the volume will be mounted"
+ },
+ "subPath": {
+ "type": "string",
+ "description": "The subpath of the volume to mount"
+ },
+ "readOnly": {
+ "type": "boolean",
+ "description": "Set the volume read-only",
+ "default": false
+ }
+ },
+ "required": [
+ "name",
+ "mountPath"
+ ]
+ }
 }
 }
 }
diff --git a/charts/shield/values.yaml b/charts/shield/values.yaml
index 0c545f6ee..db96f4dc2 100644
--- a/charts/shield/values.yaml
+++ b/charts/shield/values.yaml
@@ -259,6 +259,12 @@ host: # The update strategy type: RollingUpdate rollingUpdate: {} + # The custom environment variables for the host shield + env: [] + # The custom volumes for the host shield + volumes: [] + # The custom volume mounts for the host shield + volume_mounts: [] cluster: image: 
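Review bot: `EnvVars` items combine `"additionalProperties": false` with `"required": ["name", "value"]`, which rejects the standard `valueFrom` form (`secretKeyRef`, `configMapKeyRef`, `fieldRef`), so anyone who needs to hand a credential to the shield can only do it as a plain `value` string in values.yaml rather than by referencing a Secret. Allowing `valueFrom` as an alternative to `value`, as in the excerpt below, keeps validation strict while not steering users towards committing secrets in values files. Separately, the `VolumeMounts` description reads `to be used by the Cluster Shield pods` although the same definition is referenced from the top-level and `Host` schemas — something like `"description": "Additional volume mounts to be added to the shield containers"` matches its actual use.
```json
"valueFrom": {
  "type": "object",
  "description": "Source for the value (secretKeyRef, configMapKeyRef, fieldRef or resourceFieldRef), as in a Kubernetes EnvVarSource"
}
},
"required": [
  "name"
],
"oneOf": [
  { "required": ["value"] },
  { "required": ["valueFrom"] }
]
```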
@@ -362,6 +368,12 @@ cluster: # Define Cluster Shield Pods DNS Policy dns_policy: + # The custom environment variables for cluster shield + env: [] + # The custom volumes for cluster shield + volumes: [] + # The custom volume mounts for cluster shield + volume_mounts: [] ssl: # Enable SSL verification @@ -422,6 +434,12 @@ node_selector: {} tolerations: [] # The affinity for the all the workloads affinity: {} +# The environment variables for the all the workloads +env: [] +# The volumes to mount for all the workloads +volumes: [] +# The volume mounts for all the workloads +volume_mounts: [] name_override: fullname_override: