chore(cluster-shield): Automatic bump to version 1.0.1 (#1779)
Co-authored-by: AlbertoBarba <[email protected]>
draios-jenkins and AlbertoBarba authored Jun 17, 2024
1 parent 42c4d9a commit 0773b4c
Showing 11 changed files with 584 additions and 61 deletions.
4 changes: 2 additions & 2 deletions charts/cluster-shield/Chart.yaml
Expand Up @@ -2,8 +2,8 @@ apiVersion: v2
name: cluster-shield
description: Cluster Shield Helm Chart for Kubernetes
type: application
version: 1.0.0
appVersion: "1.0.0"
version: 1.0.1
appVersion: "1.0.1"
maintainers:
- name: AlbertoBarba
email: [email protected]
8 changes: 6 additions & 2 deletions charts/cluster-shield/README.md
Expand Up @@ -23,7 +23,7 @@ $ pre-commit run -a
$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install sysdig-sysdig-cluster-shield sysdig/cluster-shield \
--create-namespace -n sysdig-agent --version=1.0.0 \
--create-namespace -n sysdig-agent --version=1.0.1 \
--set global.clusterConfig.name=CLUSTER_NAME \
--set global.sysdig.region=SYSDIG_REGION \
--set global.sysdig.accessKey=YOUR-KEY-HERE
Expand Down Expand Up @@ -134,8 +134,10 @@ The following table lists the configurable parameters of the `cluster-shield` ch
| cluster_shield.features.admission_control.deny_on_error | | <code>false</code> |
| cluster_shield.features.admission_control.dry_run | | <code>true</code> |
| cluster_shield.features.admission_control.timeout | | <code>5</code> |
| cluster_shield.features.admission_control.http_port | | <code>8443</code> |
| cluster_shield.features.admission_control.container_vulnerability_management.enabled | | <code>false</code> |
| cluster_shield.features.audit.enabled | | <code>false</code> |
| cluster_shield.features.audit.http_port | | <code>6443</code> |
| cluster_shield.features.audit.timeout | | <code>5</code> |
| cluster_shield.features.posture.enabled | | <code>false</code> |
| cluster_shield.features.container_vulnerability_management.enabled | | <code>false</code> |
Expand Down Expand Up @@ -167,7 +169,9 @@ The following table lists the configurable parameters of the `cluster-shield` ch
| podAnnotations | | <code>{}</code> |
| podLabels | | <code>{}</code> |
| service.type | | <code>ClusterIP</code> |
| service.port | | <code>8080</code> |
| service.monitoring_port | | <code></code> |
| service.admission_control_port | | <code></code> |
| service.audit_port | | <code></code> |
| serviceAccount.labels | | <code>{}</code> |
| serviceAccount.annotations | | <code>{}</code> |
| resources | | <code>{}</code> |
26 changes: 12 additions & 14 deletions charts/cluster-shield/templates/_helpers.tpl
Expand Up @@ -331,20 +331,6 @@ CA Cert File Name
ca.crt
{{- end }}

{{/*
Audit Port
*/}}
{{- define "cluster-shield.admissionControllerAuditPort" -}}
6443
{{- end }}

{{/*
Audit Port
*/}}
{{- define "cluster-shield.admissionControlPort" -}}
8443
{{- end }}

{{/*
ConfigMap Name
*/}}
Expand Down Expand Up @@ -399,3 +385,15 @@ Define the proper image repository to use for cluster-shield
{{- .Values.image.repository -}}
{{- end -}}
{{- end -}}

{{- define "cluster-shield.serviceMonitoringPort" -}}
{{ .Values.service.monitoring_port | default .Values.cluster_shield.monitoring_port }}
{{- end -}}

{{- define "cluster-shield.serviceAdmissionControlPort" -}}
{{ .Values.service.admission_control_port | default .Values.cluster_shield.features.admission_control.http_port }}
{{- end -}}

{{- define "cluster-shield.serviceAuditPort" -}}
{{ .Values.service.audit_port | default .Values.cluster_shield.features.audit.http_port }}
{{- end -}}
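Review bot: An existing `service.port` override is silently ignored after this change, because `cluster-shield.serviceMonitoringPort` reads only `service.monitoring_port` and `cluster_shield.monitoring_port`, and the README section drops `service.port` from the parameter table. For a patch release it would be safer to keep the old key as a fallback, `{{ .Values.service.monitoring_port | default .Values.service.port | default .Values.cluster_shield.monitoring_port }}`, or to fail rendering when the old key is set. The three new defines also lack the `{{/* ... */}}` header that the other helpers in this file carry; a one-line comment on each, such as `{{/* Service port for the audit webhook; falls back to the container's audit http_port */}}`, would match. Since these helpers now feed the webhook `clientConfig.service.port` as well as the Service, the fallback order is worth stating in those comments.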
20 changes: 10 additions & 10 deletions charts/cluster-shield/templates/deployment.yaml
Expand Up @@ -51,31 +51,31 @@ spec:
imagePullPolicy: {{ .Values.image.pullPolicy | default .Values.global.image.pullPolicy | default "IfNotPresent" }}
args: [ {{ .Values.run_command | quote }} ]
ports:
- name: http
containerPort: {{ .Values.cluster_shield.monitoring_port | default 8080 }}
- name: monitoring
containerPort: {{ .Values.cluster_shield.monitoring_port }}
protocol: TCP
{{- if .Values.cluster_shield.features.audit.enabled }}
- name: audit
containerPort: {{ include "cluster-shield.admissionControllerAuditPort" . }}
{{- if .Values.cluster_shield.features.admission_control.enabled }}
- name: admission
containerPort: {{ .Values.cluster_shield.features.admission_control.http_port }}
protocol: TCP
{{- end }}
{{- if .Values.cluster_shield.features.admission_control.enabled }}
- name: posture-ac
containerPort: {{ include "cluster-shield.admissionControlPort" . }}
{{- if .Values.cluster_shield.features.audit.enabled }}
- name: audit
containerPort: {{ .Values.cluster_shield.features.audit.http_port }}
protocol: TCP
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: http
port: monitoring
{{- if and (.Values.probes) (.Values.probes.liveness) }}
initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
{{- end }}
readinessProbe:
httpGet:
path: /healthz
port: http
port: monitoring
{{- if and (.Values.probes) (.Values.probes.readiness) }}
initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
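Review bot: The monitoring `containerPort` lost its `| default 8080` fallback, so the rendered port now depends entirely on `cluster_shield.monitoring_port` being present in the values (values.yaml is not shown on this page). If an override nulls that key, the field renders empty and both probes, which target the named port `monitoring`, have nothing to resolve. Keeping the fallback, `containerPort: {{ .Values.cluster_shield.monitoring_port | default 8080 }}`, or wrapping the value in `required`, would fail at template time with a clear message instead. The same applies to the `admission` and `audit` container ports, which read `http_port` directly. The container spec starts and ends outside this hunk.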
20 changes: 10 additions & 10 deletions charts/cluster-shield/templates/service.yaml
Expand Up @@ -8,21 +8,21 @@ metadata:
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
- port: {{ include "cluster-shield.serviceMonitoringPort" . }}
targetPort: monitoring
protocol: TCP
name: http
name: monitoring
{{- if and .Values.cluster_shield.features.admission_control.enabled }}
- port: {{ include "cluster-shield.serviceAdmissionControlPort" . }}
targetPort: admission
protocol: TCP
name: admission
{{- end }}
{{- if .Values.cluster_shield.features.audit.enabled }}
- port: {{ include "cluster-shield.admissionControllerAuditPort" . }}
- port: {{ include "cluster-shield.serviceAuditPort" . }}
targetPort: audit
protocol: TCP
name: audit
{{- end }}
{{- if and .Values.cluster_shield.features.admission_control.enabled }}
- port: {{ include "cluster-shield.admissionControlPort" . }}
targetPort: posture-ac
protocol: TCP
name: posture-ac
{{- end }}
selector:
{{- include "cluster-shield.selectorLabels" . | nindent 4 }}
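Review bot: The admission block is guarded by `{{- if and .Values.cluster_shield.features.admission_control.enabled }}`, where `and` has a single operand and does nothing; `{{- if .Values.cluster_shield.features.admission_control.enabled }}` would match the audit block below it and the guard used in the deployment template. Separately, the Service port names change from `http` and `posture-ac` to `monitoring` and `admission`, so anything outside this chart that selects these ports by name (a ServiceMonitor or a NetworkPolicy, for example) would presumably need the same rename. A line in the release notes for this version would help operators catch that.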
Expand Up @@ -36,7 +36,7 @@ webhooks:
namespace: {{ .Release.Namespace }}
name: {{ include "cluster-shield.fullname" . }}
path: /k8s-audit
port: {{ include "cluster-shield.admissionControllerAuditPort" . }}
port: {{ include "cluster-shield.serviceAuditPort" . }}
caBundle: {{ $certList._2 }}
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
Expand Down Expand Up @@ -71,7 +71,7 @@ webhooks:
namespace: {{ .Release.Namespace }}
name: {{ include "cluster-shield.fullname" . }}
path: /validate
port: {{ include "cluster-shield.admissionControlPort" . }}
port: {{ include "cluster-shield.serviceAdmissionControlPort" . }}
caBundle: {{ $certList._2 }}
admissionReviewVersions: [ "v1", "v1beta1" ]
sideEffects: None
66 changes: 62 additions & 4 deletions charts/cluster-shield/tests/deployment_test.yaml
Expand Up @@ -26,6 +26,7 @@ tests:
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].securityContext.privileged
value: true

- it: Test run-all mode
set:
run_command: "run-all"
Expand Down Expand Up @@ -66,6 +67,7 @@ tests:
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].env[?(@.name == "SYSDIG_CLUSTER_SHIELD_SYSDIG_ENDPOINT__ACCESS_KEY")].valueFrom.secretKeyRef.key
value: access-key

- it: Test env var is set when secureAPITokenSecret provided
set:
global:
Expand Down Expand Up @@ -98,13 +100,14 @@ tests:
value: /healthz
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].readinessProbe.httpGet.port
value: http
value: monitoring
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].readinessProbe.initialDelaySeconds
value: 10
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].readinessProbe.periodSeconds
value: 5

- it: Test readinessProbe custom values
set:
probes:
Expand All @@ -117,27 +120,29 @@ tests:
value: /healthz
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].readinessProbe.httpGet.port
value: http
value: monitoring
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].readinessProbe.initialDelaySeconds
value: 20
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].readinessProbe.periodSeconds
value: 10

- it: Test livenessProbe default values
asserts:
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].livenessProbe.httpGet.path
value: /healthz
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].livenessProbe.httpGet.port
value: http
value: monitoring
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].livenessProbe.initialDelaySeconds
value: 5
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].livenessProbe.periodSeconds
value: 5

- it: Test livenessProbe custom values
set:
probes:
Expand All @@ -150,10 +155,63 @@ tests:
value: /healthz
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].livenessProbe.httpGet.port
value: http
value: monitoring
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].livenessProbe.initialDelaySeconds
value: 20
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].livenessProbe.periodSeconds
value: 10

- it: Test default container ports
set:
cluster_shield:
features:
audit:
enabled: true
admission_control:
enabled: true
asserts:
- isNotNull:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "monitoring")]
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "monitoring")].containerPort
value: 8080
- isNotNull:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "audit")]
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "audit")].containerPort
value: 6443
- isNotNull:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "admission")]
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "admission")].containerPort
value: 8443

- it: Test custom container ports
set:
cluster_shield:
monitoring_port: 1234
features:
audit:
enabled: true
http_port: 5678
admission_control:
enabled: true
http_port: 9876
asserts:
- isNotNull:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "monitoring")]
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "monitoring")].containerPort
value: 1234
- isNotNull:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "audit")]
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "audit")].containerPort
value: 5678
- isNotNull:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "admission")]
- equal:
path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "admission")].containerPort
value: 9876
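Review bot: Both new port tests enable `audit` and `admission_control`, so nothing in this file checks that the `audit` and `admission` container ports are left out when those features are disabled, which the README table shows as the default. A negative case is worth having because it is the one that catches a listener being declared unintentionally. The sketch below uses `isNull` as the counterpart of the `isNotNull` assertions already in the file; on newer helm-unittest releases `notExists` may be the right assertion. Indentation here is conventional, since the page does not preserve the file's own.

```yaml
# … unchanged: existing tests, including "Test custom container ports" …
  - it: Test feature ports are absent when features are disabled
    set:
      cluster_shield:
        features:
          audit:
            enabled: false
          admission_control:
            enabled: false
    asserts:
      - isNull:
          path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "audit")]
      - isNull:
          path: spec.template.spec.containers[?(@.name == "cluster-shield")].ports[?(@.name == "admission")]
```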
