chore(cluster-shield): Automatic bump to version 1.3.0 (#1909)

Co-authored-by: AlbertoBarba <[email protected]>
sysdiglabs · Sep 3, 2024 · b8b2721 · b8b2721
1 parent 82f83c0
commit b8b2721
Show file tree

Hide file tree

Showing 14 changed files with 523 additions and 111 deletions.
diff --git a/charts/cluster-shield/Chart.yaml b/charts/cluster-shield/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: cluster-shield
 description: Cluster Shield Helm Chart for Kubernetes
 type: application
-version: 1.2.0
-appVersion: "1.2.0"
+version: 1.3.0
+appVersion: "1.3.0"
 maintainers:
   - name: AlbertoBarba
     email: [email protected]

diff --git a/charts/cluster-shield/README.md b/charts/cluster-shield/README.md
@@ -14,7 +14,7 @@ $ pre-commit run -a
 
 # Cluster Shield
 
-[Sysdig Cluster Shield](https://docs.sysdig.com/en/docs/installation/cluster-shield).
+[Sysdig Cluster Shield](https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-agent-components/kubernetes/cluster-shield/).
 <br/>This chart deploys the Sysdig Cluster Shield in your Kubernetes cluster.
 
 ## TL;DR;
@@ -23,7 +23,7 @@ $ pre-commit run -a
 $ helm repo add sysdig https://charts.sysdig.com
 $ helm repo update
 $ helm upgrade --install sysdig-sysdig-cluster-shield sysdig/cluster-shield \
-    --create-namespace -n sysdig-agent --version=1.2.0  \
+    --create-namespace -n sysdig-agent --version=1.3.0  \
     --set global.clusterConfig.name=CLUSTER_NAME \
     --set global.sysdig.region=SYSDIG_REGION \
     --set global.sysdig.accessKey=YOUR-KEY-HERE
@@ -189,6 +189,10 @@ The following table lists the configurable parameters of the `cluster-shield` ch
 | onPremCompatibilityVersion                                                                | Optional parameter used to check the compatibility of cluster-shield component versions with the on-premised backend version. If you are running an on-prem version of the Sysdig backend, you MUST set this parameter with the version of Sysdig backend you are using. If you are runinng on SaaS, do NOT provide this parameter. | <code></code>                                     |
 | hostNetwork                                                                               | Specifies if Cluster Shield should be started in hostNetwork mode. This field is required if you are using a custom CNI where the control plane nodes are unable to initiate network connections to the pods, for example, using Calico CNI plugin on EKS.                                                                          | <code>false</code>                                |
 | dnsPolicy                                                                                 | Define Cluster Shield Pods DNS Policy                                                                                                                                                                                                                                                                                               | <code></code>                                     |
+| existingTLSSecret.name                                                                    | Provide the name of an existing Secret that contains the TLS certificate required                                                                                                                                                                                                                                                   | <code></code>                                     |
+| existingTLSSecret.tlsCertName                                                             | Provide the certificate filename that is defined inside the existing Secret (default tls.crt)                                                                                                                                                                                                                                       | <code></code>                                     |
+| existingTLSSecret.tlsCertKeyName                                                          | Provide the certificate key filename that is defined inside the existing Secret (default tls.key)                                                                                                                                                                                                                                   | <code></code>                                     |
+| existingTLSSecret.caCertName                                                              | Provide the certificate authority filename that is defined inside the existing Secret (default ca.crt)                                                                                                                                                                                                                              | <code></code>                                     |
 
 
 ## Running helm unit tests

diff --git a/charts/cluster-shield/doc.yaml b/charts/cluster-shield/doc.yaml
@@ -1,7 +1,7 @@
 project:
   name: Sysdig Cluster Shield
   shortName: Cluster Shield
-  url: https://docs.sysdig.com/en/docs/installation/cluster-shield
+  url: https://docs.sysdig.com/en/docs/installation/sysdig-secure/install-agent-components/kubernetes/cluster-shield/
   description: This chart deploys the Sysdig Cluster Shield in your Kubernetes cluster.
   app: the Sysdig Cluster Shield
 repository:

diff --git a/charts/cluster-shield/templates/_helpers.tpl b/charts/cluster-shield/templates/_helpers.tpl
@@ -53,7 +53,7 @@ Adds kubernetes related keys to the configuration.
 {{- $_ := set $conf "kubernetes" (include "cluster-shield.configurationKubernetes" . | fromYaml) -}}
 {{- if eq "true" (include "cluster-shield.containerVulnerabilityManagementEnabled" .) -}}
 {{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" (.Values.onPremCompatibilityVersion | default "") -}}
-{{- if semverCompare "< 7.0.0" .Values.onPremCompatibilityVersion -}}
+{{- if semverCompare "< 6.12.0" .Values.onPremCompatibilityVersion -}}
 {{- $_ := set $conf.features.container_vulnerability_management "platform_services_enabled" false -}}
 {{- end -}}
 {{- end -}}
@@ -108,31 +108,30 @@ Adds kubernetes related keys to the configuration.
 {{- end -}}
 
 {{/*
-Adds kubernetes related keys to the configuration.
+Generate Secret
 */}}
 {{- define "cluster-shield.secret" -}}
-{{- $secret := dict "sysdig_endpoint" (dict) }}
-{{- $_ := set $secret.sysdig_endpoint "access_key" .Values.cluster_shield.sysdig_endpoint.access_key }}
-{{- if .Values.cluster_shield.sysdig_endpoint.secure_api_token }}
-{{- $_ := set $secret.sysdig_endpoint "secure_api_token" .Values.cluster_shield.sysdig_endpoint.secure_api_token }}
-{{- end }}
-{{- if eq "true" (include "cluster-shield.containerVulnerabilityManagementEnabled" .) }}
-{{- $_ := set $secret "cluster_scanner" (include "cluster-shield.secretClusterScanner" . | fromYaml) }}
-{{- end }}
-{{- /* sysdig-deploy support start */}}
-{{- if not .Values.cluster_shield.sysdig_endpoint.access_key }}
-{{- if .Values.global.sysdig.accessKey }}
-{{- $_ := set $secret.sysdig_endpoint "access_key" .Values.global.sysdig.accessKey }}
-{{- else if not .Values.global.sysdig.accessKeySecret }}
-{{- fail "One of global.sysdig.accessKey and cluster_shield.sysdig_endpoint.access_key must be defined." -}}
-{{- end }}
-{{- end }}
-{{- if not .Values.cluster_shield.sysdig_endpoint.secure_api_token }}
-{{- if .Values.global.sysdig.secureAPIToken }}
-{{- $_ := set $secret.sysdig_endpoint "secure_api_token" .Values.global.sysdig.secureAPIToken }}
-{{- end }}
-{{- end }}
-{{- /* sysdig-deploy support end */}}
+{{- $secret := dict -}}
+{{- if not .Values.global.sysdig.accessKeySecret -}}
+    {{- $accessKey := coalesce .Values.cluster_shield.sysdig_endpoint.access_key .Values.global.sysdig.accessKey -}}
+    {{- if not $accessKey -}}
+        {{- fail "One of global.sysdig.accessKey and cluster_shield.sysdig_endpoint.access_key must be defined." -}}
+    {{- end -}}
+    {{- $_ := set $secret "sysdig-access-key" $accessKey -}}
+{{- end -}}
+{{- if not .Values.global.sysdig.secureAPITokenSecret -}}
+    {{- $secureApiToken := coalesce .Values.cluster_shield.sysdig_endpoint.secure_api_token .Values.global.sysdig.secureAPIToken -}}
+    {{- if $secureApiToken -}}
+        {{- $_ := set $secret "sysdig-secure-api-token" $secureApiToken -}}
+    {{- end -}}
+{{- end -}}
+{{- if eq "true" (include "cluster-shield.containerVulnerabilityManagementEnabled" .) -}}
+    {{- $userDefinedNatsPassword := dig "cluster_scanner" "runtime_status_integrator" "nats_server" "password" nil .Values.cluster_shield -}}
+    {{- $_ := set $secret "sysdig-cluster-nats-password" (default (randAlphaNum 32) $userDefinedNatsPassword) -}}
+{{- end -}}
+{{- range $index, $value := $secret }}
+    {{- $_ := set $secret $index (b64enc $value) -}}
+{{- end -}}
 {{- $secret | toYaml -}}
 {{- end }}
 
@@ -171,15 +170,6 @@ image_sbom_extractor:
     nats_url: nats://{{ include "cluster-shield.clusterScannerServiceName" . }}:4222
 {{- end }}
 
-{{/*
-Cluster Scanner Configuration
-*/}}
-{{- define "cluster-shield.secretClusterScanner" -}}
-runtime_status_integrator:
-    nats_server:
-        password: {{ randAlphaNum 32 }}
-{{- end }}
-
 {{/*
 Admission Controller Secure Configuration
 */}}
@@ -259,8 +249,11 @@ Generate certificates for aggregated api server
 {{- define "cluster-shield.tlsGenCerts" -}}
     {{- $secret := lookup "v1" "Secret" .Release.Namespace (include "cluster-shield.tlsCertsSecretName" .) -}}
     {{- if $secret -}}
-        {{- printf "%s$%s$%s" (index $secret.data "tls.crt") (index $secret.data "tls.key") (index $secret.data "ca.crt") -}}
+        {{- printf "%s$%s$%s" (index $secret.data (include "cluster-shield.tlsCertFileName" .)) (index $secret.data (include "cluster-shield.tlsCertPrivateKeyFileName" .)) (index $secret.data (include "cluster-shield.caCertFileName" .)) -}}
     {{- else -}}
+        {{- if .Values.existingTLSSecret.name }}
+            {{- fail (printf "The TLS Secret '%s' does not exist" .Values.existingTLSSecret.name) -}}
+        {{- end }}
         {{- $svcName := include "cluster-shield.fullname" . -}}
         {{- $clusterScannerSvcName := include "cluster-shield.clusterScannerServiceName" . -}}
 
@@ -292,7 +285,7 @@ Generate certificates for aggregated api server
 TLS Secret Name
 */}}
 {{- define "cluster-shield.tlsCertsSecretName" -}}
-    {{- include "cluster-shield.secretName" . -}}-tls-certs
+    {{- .Values.existingTLSSecret.name | default (printf "%s-tls-certs" (include "cluster-shield.secretName" .)) -}}
 {{- end -}}
 
 {{/*
@@ -321,22 +314,22 @@ CA Cert File Path
 Audit Cert File
 */}}
 {{- define "cluster-shield.tlsCertFileName" -}}
-tls.crt
+{{- .Values.existingTLSSecret.tlsCertName | default "tls.crt" -}}
 {{- end }}
 
 
 {{/*
 Audit Cert Private Key File
 */}}
 {{- define "cluster-shield.tlsCertPrivateKeyFileName" -}}
-tls.key
+{{- .Values.existingTLSSecret.tlsCertKeyName | default "tls.key" -}}
 {{- end }}
 
 {{/*
 CA Cert File Name
 */}}
 {{- define "cluster-shield.caCertFileName" -}}
-ca.crt
+{{- .Values.existingTLSSecret.caCertName | default "ca.crt" -}}
 {{- end }}
 
 {{/*
@@ -427,3 +420,8 @@ run-all
 run-all-namespaced
 {{- end -}}
 {{- end -}}
+
+{{- define "cluster-shield.secret_mounts" -}}
+{{- $secrets := list (include "cluster-shield.secretName" .) .Values.global.sysdig.accessKeySecret .Values.global.sysdig.secureAPITokenSecret}}
+{{- (uniq (compact $secrets)) | toYaml -}}
+{{- end -}}
diff --git a/charts/cluster-shield/templates/deployment.yaml b/charts/cluster-shield/templates/deployment.yaml
@@ -1,3 +1,4 @@
+{{- $secrets := (include "cluster-shield.secret_mounts" .) | fromYamlArray }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -89,8 +90,10 @@ spec:
           volumeMounts:
             - mountPath: /etc/sysdig/config/
               name: cluster-shield
-            - mountPath: /etc/sysdig/secrets/
-              name: cluster-shield-secret
+            {{- range $secretName :=  $secrets }}
+            - mountPath: {{ printf "/etc/sysdig/secret-files/%s" $secretName }}
+              name: {{ printf "secret-%s" $secretName }}
+            {{- end }}
             {{- if eq (include "cluster-shield.needCerts" .) "true" }}
             - name: cert
               mountPath: /cert
@@ -112,20 +115,6 @@ spec:
                   fieldPath: status.podIP
             - name: KUBE_SERVICE_NAME
               value: {{ include "cluster-shield.clusterScannerServiceName" . }}
-            {{- if .Values.global.sysdig.accessKeySecret }}
-            - name: SYSDIG_CLUSTER_SHIELD_SYSDIG_ENDPOINT__ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.global.sysdig.accessKeySecret }}
-                  key: "access-key"
-            {{- end }}
-            {{- if .Values.global.sysdig.secureAPITokenSecret }}
-            - name: SYSDIG_CLUSTER_SHIELD_SYSDIG_ENDPOINT__SECURE_API_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.global.sysdig.secureAPITokenSecret }}
-                  key: "SECURE_API_TOKEN"
-            {{- end }}
             {{- if eq (include "cluster-shield.custom_ca.enabled" .) "true" }}
             - name: SSL_CERT_FILE
               value: /ca-certs/{{- include "cluster-shield.custom_ca.keyName" . -}}
@@ -154,9 +143,11 @@ spec:
         - name: cluster-shield
           configMap:
             name: {{ include "cluster-shield.configmapName" . }}
-        - name: cluster-shield-secret
+        {{- range $secretName :=  $secrets }}
+        - name: {{ printf "secret-%s" $secretName }}
           secret:
-            secretName: {{ include "cluster-shield.secretName" . }}
+            secretName: {{ $secretName }}
+        {{- end }}
         {{- if eq (include "cluster-shield.needCerts" .) "true" }}
         - name: cert
           secret:

diff --git a/charts/cluster-shield/templates/secrets.yaml b/charts/cluster-shield/templates/secrets.yaml
@@ -7,7 +7,7 @@ metadata:
     {{- include "cluster-shield.labels" . | nindent 4 }}
 type: Opaque
 data:
-  cluster-shield.secrets.yaml: {{ include "cluster-shield.secret" . | b64enc }}
+  {{ include "cluster-shield.secret" . | nindent 2 }}
 ---
 {{- if eq (include "cluster-shield.custom_ca.useValues" .) "true" }}
 apiVersion: v1

diff --git a/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml b/charts/cluster-shield/templates/validatingwebhookconfiguration.yaml
@@ -87,6 +87,7 @@ webhooks:
   {{- end }}
 {{- end }}
 ---
+{{- if not .Values.existingTLSSecret.name }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -98,5 +99,5 @@ data:
   {{ include "cluster-shield.tlsCertFileName" . }}: {{ $certList._0 }}
   {{ include "cluster-shield.tlsCertPrivateKeyFileName" . }}: {{ $certList._1 }}
   {{ include "cluster-shield.caCertFileName" .}}: {{ $certList._2 }}
-
 {{- end }}
+{{- end}}
diff --git a/charts/cluster-shield/tests/configmap_test.yaml b/charts/cluster-shield/tests/configmap_test.yaml
@@ -187,7 +187,6 @@ tests:
             ssl:
               verify: true
 
-
   - it: Local custom region requires Collector when kubernetes_metadata feature is enabled
     set:
       cluster_shield:
@@ -260,3 +259,66 @@ tests:
               api_url: https://www.example.com
               collector: collector.example.com:6443
               region: custom
+
+  - it: Default TLS configuration
+    set:
+      cluster_shield:
+        features:
+          admission_control:
+            enabled: true
+          audit:
+            enabled: true
+          container_vulnerability_management:
+            enabled: true
+    asserts:
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+      - hasDocuments:
+          count: 1
+      - isNotEmpty:
+          path: data
+      - isNotEmpty:
+          path: data["cluster-shield.yaml"]
+      - matchRegex:
+          path: data['cluster-shield.yaml']
+          pattern: |
+            kubernetes:
+              ca_cert_file: /cert/ca.crt
+              running_namespace: NAMESPACE
+              tls_cert_file: /cert/tls.crt
+              tls_private_key_file: /cert/tls.key
+
+  - it: Custom TLS filenames
+    set:
+      existingTLSSecret:
+        name: my-tls-secret
+        tlsCertName: custom_tls.crt
+        tlsCertKeyName: custom_tls.key
+        caCertName: custom_ca.crt
+      cluster_shield:
+        features:
+          admission_control:
+            enabled: true
+          audit:
+            enabled: true
+          container_vulnerability_management:
+            enabled: true
+    asserts:
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+      - hasDocuments:
+          count: 1
+      - isNotEmpty:
+          path: data
+      - isNotEmpty:
+          path: data["cluster-shield.yaml"]
+      - matchRegex:
+          path: data['cluster-shield.yaml']
+          pattern: |
+            kubernetes:
+              ca_cert_file: /cert/custom_ca.crt
+              running_namespace: NAMESPACE
+              tls_cert_file: /cert/custom_tls.crt
+              tls_private_key_file: /cert/custom_tls.key