Merge pull request #91 from armosec/dev

Minor changes

README.md

@@ -1,9 +1,9 @@
 # ARMO cluster components
 ARMO Vulnerability Scanning
 
-![Version: 1.7.12](https://img.shields.io/badge/Version-1.7.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.12](https://img.shields.io/badge/AppVersion-v1.7.12-informational?style=flat-square)
+![Version: 1.7.16](https://img.shields.io/badge/Version-1.7.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.16](https://img.shields.io/badge/AppVersion-v1.7.16-informational?style=flat-square)
 
-## [Docs](https://hub.armo.cloud/docs/installation-of-armo-in-cluster)
+## [Docs](https://hub.armosec.io/docs/installation-of-armo-in-cluster)
 
 ## Installing ARMO cluster components in a Kubernetes cluster Using Helm:
 
@@ -23,69 +23,79 @@ if you ran kubescape cli tool and submitted, you can get your Account ID from th
 ```
 kubescape config view | grep -i accountID
 ```
-Otherwise, get the account ID from the [kubescape SaaS](https://hub.armo.cloud/docs/installation-of-armo-in-cluster#install-a-pre-registered-cluster)
+Otherwise, get the account ID from the [kubescape SaaS](https://hub.armosec.io/docs/installation-of-armo-in-cluster#install-a-pre-registered-cluster)
 
 Run the install command:
 ```
 helm upgrade --install armo  armo/armo-cluster-components -n armo-system --create-namespace --set accountGuid=<my_account_guid> --set clusterName=`kubectl config current-context` 
 ```
 
-> Add `--set clientID=<generated client id> --set secretKey=<generated secret key>` if you have [generated an auth key](https://hub.armo.cloud/docs/authentication)
+> Add `--set clientID=<generated client id> --set secretKey=<generated secret key>` if you have [generated an auth key](https://hub.armosec.io/docs/authentication)
 
-> Add `--set armoKubescape.serviceMonitor.enabled=true` for installing the Prometheus service monitor, [read more about Prometheus integration](https://hub.armo.cloud/docs/prometheus-exporter)
+> Add `--set armoKubescape.serviceMonitor.enabled=true` for installing the Prometheus service monitor, [read more about Prometheus integration](https://hub.armosec.io/docs/prometheus-exporter)
  
 ## Chart support
 
 ### Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| armoCollector.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the StatefulSet |
 | armoCollector.enabled | bool | `true` | enable/disable the armoCollector |
 | armoCollector.env[0] | object | `{"name":"PRINT_REPORT","value":"false"}` | print in verbose mode (print all reported data) |
 | armoCollector.image.repository | string | `"quay.io/armosec/cluster-collector"` | [source code](https://github.com/armosec/k8s-armo-collector) (private repo) |
+| armoCollector.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoCollector.volumes | object | `[]` | Additional volumes for the collector |
 | armoCollector.volumeMounts | object | `[]` | Additional volumeMounts for the collector |
+| armoKubescape.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
 | armoKubescape.downloadArtifacts | bool | `true` | download policies every scan, we recommend it should remain true, you should change to 'false' when running in an air-gapped environment or when scanning with high frequency (when running with Prometheus) |
-| armoKubescape.enableHostScan | bool | `true` | enable [host scanner feature](https://hub.armo.cloud/docs/host-sensor) |
+| armoKubescape.enableHostScan | bool | `true` | enable [host scanner feature](https://hub.armosec.io/docs/host-sensor) |
 | armoKubescape.enabled | bool | `true` | enable/disable kubescape scanning |
 | armoKubescape.image.repository | string | `"quay.io/armosec/kubescape"` | [source code](https://github.com/armosec/kubescape/tree/master/httphandler) (public repo) |
+| armoKubescape.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoKubescape.serviceMonitor.enabled | bool | `false` | enable/disable service monitor for prometheus (operator) integration |
 | armoKubescape.skipUpdateCheck | bool | `false` | skip check for a newer version  |
-| armoKubescape.submit | bool | `true` | submit results to ARMO SaaS: https://portal.armo.cloud/ |
+| armoKubescape.submit | bool | `true` | submit results to ARMO SaaS: https://cloud.armosec.io/ |
 | armoKubescape.volumes | object | `[]` | Additional volumes for Kubescape |
 | armoKubescape.volumeMounts | object | `[]` | Additional volumeMounts for Kubescape |
 | armoKubescapeScanScheduler.enabled | bool | `true` | enable/disable a kubescape scheduled scan using a CronJob |
 | armoKubescapeScanScheduler.image.repository | string | `"quay.io/armosec/http_request"` | [source code](https://github.com/armosec/http-request) (public repo) |
 | armoKubescapeScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency |
 | armoKubescapeScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler |
 | armoKubescapeScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler |
+| armoNotificationService.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
 | armoNotificationService.enabled | bool | `true` | enable/disable passing notifications from ARMO SaaS to the armo-web-socket microservice. The notifications are the onDemand scanning and the scanning schedule settings |
 | armoNotificationService.image.repository | string | `"quay.io/armosec/notification-server"` | [source code](https://github.com/armosec/capostman) (private repo) |
+| armoNotificationService.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoNotificationService.volumes | object | `[]` | Additional volumes for the notification service |
 | armoNotificationService.volumeMounts | object | `[]` | Additional volumeMounts for the notification service |
 | armoScanScheduler.enabled | bool | `true` | enable/disable image vulnerability a schedule scan using a CronJob |
 | armoScanScheduler.image.repository | string | `"curlimages/curl"` | image: curlimages/curl |
 | armoScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency |
 | armoKubescapeScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler |
 | armoKubescapeScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler |
+| armoVulnScanner.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
 | armoVulnScanner.enabled | bool | `true` | enable/disable image vulnerability scanning |
 | armoVulnScanner.image.repository | string | `"quay.io/armosec/images-vulnerabilities-scan"` | [source code](https://github.com/armosec/ca-vuln-scan) (private repo) |
+| armoVulnScanner.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoVulnScanner.volumes | object | `[]` | Additional volumes for the image vulnerability scanning |
 | armoVulnScanner.volumeMounts | object | `[]` | Additional volumeMounts for the image vulnerability scanning |
+| armoWebsocket.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
 | armoWebsocket.enabled | bool | `true` | enable/disable kubescape and image vulnerability scanning |
 | armoWebsocket.image.repository | string | `"quay.io/armosec/action-trigger"` | [source code](https://github.com/armosec/k8s-ca-websocket) (private repo) |
+| armoWebsocket.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoWebsocket.volumes | object | `[]` | Additional volumes for the web socket |
 | armoWebsocket.volumeMounts | object | `[]` | Additional volumeMounts for the web socket |
 | armoKubescapeHostScanner.volumes | object | `[]` | Additional volumes for the host scanner |
 | armoKubescapeHostScanner.volumeMounts | object | `[]` | Additional volumeMounts for the host scanner |
 | aws_iam_role_arn | string | `nil` | AWS IAM arn role |
-| clientID | string | `""` | client ID, [read more](https://hub.armo.cloud/docs/authentication) |
+| clientID | string | `""` | client ID, [read more](https://hub.armosec.io/docs/authentication) |
 | cloudRegion | string | `nil` | cloud region |
 | cloud_provider_engine | string | `nil` | cloud provider engine |
 | gkeProject | string | `nil` | GKE project |
 | gke_service_account | string | `nil` | GKE service account |
-| secretKey | string | `""` | secret key, [read more](https://hub.armo.cloud/docs/authentication) |
-| triggerNewImageScan | string | `"disable"` | enable/disable trigger image scan for new images |
+| secretKey | string | `""` | secret key, [read more](https://hub.armosec.io/docs/authentication) |
+| triggerNewImageScan | bool | `false` | enable/disable trigger image scan for new images |
 | volumes | object | `[]` | Additional volumes for all containers |
 | volumeMounts | object | `[]` | Additional volumeMounts for all containers |
 

charts/armo-components/Chart.yaml

@@ -8,13 +8,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.7.15
+version: 1.7.16
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v1.7.15"
+appVersion: "v1.7.16"
 
 maintainers:
 - name: Ben Hirschberg

charts/armo-components/templates/_helpers.tpl

@@ -14,7 +14,7 @@ gke
   {{- if .Values.armoKubescape.submit }}
     {{- if .Values.accountGuid -}}
     {{- else -}}
-      {{- fail "submitting is enabled but value for accountGuid is not defined: please register at https://portal.armo.cloud to get yours and re-run with  --set accountGuid=<your Guid>" }}
+      {{- fail "submitting is enabled but value for accountGuid is not defined: please register at https://cloud.armosec.io to get yours and re-run with  --set accountGuid=<your Guid>" }}
     {{- end -}}
   {{- end }}
 {{- end }}

charts/armo-components/templates/armo-collector-statefulset.yaml

@@ -51,7 +51,7 @@ spec:
 {{ toYaml .Values.armoCollector.resources | indent 12 }}
           env:
             - name: ACTIVATE_CVE_SCAN_ON_NEW_IMAGE_FEATURE
-              value: {{ .Values.triggerNewImageScan }}
+              value: "{{ .Values.triggerNewImageScan }}"
             {{- range .Values.armoCollector.env }}
             - name: {{ .name  }}
               value: "{{ .value }}"
@@ -84,16 +84,16 @@ spec:
 {{- end }}
       serviceAccountName: {{ .Values.global.armoServiceAccountName }}
       automountServiceAccountToken: true
-      {{- with .Values.nodeSelector }}
+      {{- with .Values.armoCollector.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-    {{- with .Values.affinity }}
+      {{- with .Values.armoCollector.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
     {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
     {{- end }}
-{{- end }}
+{{- end }}

charts/armo-components/templates/armo-configmap.yaml

@@ -17,6 +17,7 @@ data:
       "vulnScanURL": "{{ .Values.armoVulnScanner.name }}:{{ .Values.armoVulnScanner.service.port }}",
       "kubescapeURL": "{{ .Values.armoKubescape.name }}:{{ .Values.armoKubescape.service.port }}",
       "oracleURL": "",
+      "triggerNewImageScan": "{{ .Values.armoTriggerNewImageScan }}",
 {{- if eq .Values.environment "dev" }} 
       "backendOpenAPI": "{{ .Values.devBackendOpenAPI }}",
       "dashboard": "{{ .Values.devBackendOpenAPI }}",

charts/armo-components/templates/armo-kubescape-deployment.yaml

@@ -116,4 +116,12 @@ spec:
 {{- if .Values.armoKubescape.volumes }}
 {{ toYaml .Values.armoKubescape.volumes | indent 6 }}
 {{- end }}
-{{- end }}
+      {{- with .Values.armoKubescape.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8}}
+      {{- end }}
+      {{- with .Values.armoKubescape.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8}}
+      {{- end }}
+{{- end }}

charts/armo-components/templates/armo-notification-service-deployment.yaml

@@ -87,16 +87,16 @@ spec:
 {{ toYaml .Values.armoNotificationService.volumes | indent 8 }}
 {{- end }}
       automountServiceAccountToken: false
-      {{- with .Values.nodeSelector }}
+      {{- with .Values.armoNotificationService.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-    {{- with .Values.affinity }}
+      {{- with .Values.armoNotificationService.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
     {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
     {{- end }}
-{{- end }}
+{{- end }}

charts/armo-components/templates/armo-vuln-scanner-deployment.yaml

@@ -105,16 +105,16 @@ spec:
 {{- end }}
       serviceAccountName: {{ .Values.global.armoServiceAccountName }}
       automountServiceAccountToken: true
-      {{- with .Values.nodeSelector }}
+      {{- with .Values.armoVulnScanner.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-    {{- with .Values.affinity }}
+      {{- with .Values.armoVulnScanner.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
     {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
     {{- end }}
-{{- end }}
+{{- end }}

charts/armo-components/templates/armo-websocket-deployment.yaml

@@ -91,16 +91,16 @@ spec:
 {{- end }}
       serviceAccountName: {{ .Values.global.armoServiceAccountName }}
       automountServiceAccountToken: true
-      {{- with .Values.nodeSelector }}
+      {{- with .Values.armoWebsocket.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-    {{- with .Values.affinity }}
+      {{- with .Values.armoWebsocket.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
-    {{- end }}
+      {{- end }}
     {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
     {{- end }}
-{{- end }}
+{{- end }}

charts/armo-components/values.yaml

@@ -15,31 +15,30 @@ eventReceiverHttpUrl: "https://report.armo.cloud"
 k8sReportUrl: "wss://report.armo.cloud"
 postmanUrl: "postman.euprod1.cyberarmorsoft.com"
 masterNotificationService: "ens.euprod1.cyberarmorsoft.com"
-backendOpenAPI: "https://api.armo.cloud/api"
+backendOpenAPI: "https://api.armosec.io/api"
 # ARMO DEV BE URLs
 devEventReceiverHttpUrl: "https://report.eudev3.cyberarmorsoft.com"
 devPostmanUrl: "postman.eudev3.cyberarmorsoft.com"
 devK8sReportUrl: "wss://report.eudev3.cyberarmorsoft.com"
 devMasterNotificationService: "ens.eudev3.cyberarmorsoft.com"
-devBackendOpenAPI: "https://api-dev.armo.cloud/api"
+devBackendOpenAPI: "https://api-dev.armosec.io/api"
 # ARMO STAGING BE URLs
-stagingEventReceiverHttpUrl: "https://report.eustage2.cyberarmorsoft.com"
+stagingEventReceiverHttpUrl: "https://report-ks.eustage2.cyberarmorsoft.com"
 stagingPostmanUrl: "postman.eustage2.cyberarmorsoft.com"
 stagingK8sReportUrl: "wss://report.eustage2.cyberarmorsoft.com"
 stagingMasterNotificationService: "ens.eustage2.cyberarmorsoft.com"
-stagingBackendOpenAPI: "https://api-stage.armo.cloud/api"
+stagingBackendOpenAPI: "https://api-stage.armosec.io/api"
 
 # Customer Specific Data
 # accountGuid is deliberately not defined here and it should be defined by the user
 # clusterName: "" // cluster name must be defined by the user
 
-# -- client ID - https://hub.armo.cloud/docs/authentication
+# -- client ID - https://hub.armosec.io/docs/authentication
 clientID: ""
 
-# -- secret key - https://hub.armo.cloud/docs/authentication
+# -- secret key - https://hub.armosec.io/docs/authentication
 secretKey: ""
 
-
 # cloud support
 
 # -- cloud provider engine
@@ -61,7 +60,7 @@ nameOverride: ""
 fullnameOverride: ""
 
 # -- enable/disable trigger image scan for new images
-triggerNewImageScan: "disable"  
+triggerNewImageScan: false  
 
 # Additional volumes applied to all containers
 volumes: []
@@ -170,7 +169,7 @@ armoKubescape:
        cpu: 500m
        memory: 500Mi
 
-  # -- enable host scanner feature: https://hub.armo.cloud/docs/host-sensor
+  # -- enable host scanner feature: https://hub.armosec.io/docs/host-sensor
   enableHostScan: true
 
   # -- download policies every scan, we recommend it should remain true, you should change to 'false' when running in an air-gapped environment or when scanning with high frequency (when running with Prometheus)
@@ -179,7 +178,7 @@ armoKubescape:
   # -- skip check for a newer version 
   skipUpdateCheck: false
 
-  # -- submit results to ARMO SaaS: https://portal.armo.cloud/
+  # -- submit results to ARMO SaaS: https://cloud.armosec.io/
   submit: true
 
   replicaCount: 1
@@ -217,7 +216,7 @@ armoWebsocket:
   image:
     # -- source code: https://github.com/armosec/k8s-ca-websocket (private repo)
     repository: quay.io/armosec/action-trigger
-    tag: v0.0.39
+    tag: v0.0.40
     pullPolicy: Always
 
   service:
@@ -273,7 +272,7 @@ armoVulnScanner:
        cpu: 300m
        memory: 2500Mi
        # Consider to increase ephemeral-storage requests in order to avoid pod eviction due to huge images
-       # More details: https://hub.armo.cloud/docs/limitations
+       # More details: https://hub.armosec.io/docs/limitations
        #               https://github.com/armosec/kubescape/issues/389
        ephemeral-storage: 20Gi
     limits:
@@ -305,7 +304,7 @@ armoCollector:
   image:
     # -- source code: https://github.com/armosec/k8s-armo-collector (private repo)
     repository: quay.io/armosec/cluster-collector
-    tag: v0.0.14
+    tag: v0.0.15
     pullPolicy: Always
 
   replicaCount: 1
@@ -419,4 +418,4 @@ armoRegistryScanScheduler:
   volumes: []
 
   # Additional volumeMounts to be mounted on the scan scheduler
-  volumeMounts: []
+  volumeMounts: []