diff --git a/charts/admission-controller/Chart.yaml b/charts/admission-controller/Chart.yaml
index 1cec40efc..462ee2594 100644
--- a/charts/admission-controller/Chart.yaml
+++ b/charts/admission-controller/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: admission-controller
 description: Sysdig Admission Controller using Sysdig Secure inline image scanner
 type: application
-version: 0.16.7
+version: 0.16.8
 appVersion: 3.9.47
 home: https://sysdiglabs.github.io/admission-controller/
 icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md
index e05d285f7..1d1650973 100644
--- a/charts/admission-controller/README.md
+++ b/charts/admission-controller/README.md
@@ -68,7 +68,7 @@ For example:
 ```bash
 helm upgrade --install admission-controller sysdig/admission-controller \
- --create-namespace -n sysdig-admission-controller --version=0.16.7 \
+ --create-namespace -n sysdig-admission-controller --version=0.16.8 \
 --set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME
 ```
@@ -80,7 +80,7 @@ For example:
 ```bash
 helm upgrade --install admission-controller sysdig/admission-controller \
- --create-namespace -n sysdig-admission-controller --version=0.16.7 \
+ --create-namespace -n sysdig-admission-controller --version=0.16.8 \
 --values values.yaml
 ```
@@ -134,14 +134,17 @@ The following table lists the configurable parameters of the `admission-controll
 | podMonitors.scanner.enabled | Enable the scanner PodMonitor to scrape metrics. | false |
 | podMonitors.scanner.labels | Specifies the labels on the scanner PodMonitor. | {} |
 | podMonitors.scanner.annotations | The annotatons on the scanner PodMonitor | {} |
+| webhook.v2.transportLayer | Allow to connect from ac to acprovider via: "nats"/"http" | nats |
+| webhook.v2.http.url | Sysdig api endpoint | "" |
+| webhook.v2.http.insecure | Allow insecure TLS certificates in backend connection to HTTP service | false |
+| webhook.v2.http.port | HTTP serve port where the requests will be served from | 6443 |
 | webhook.v2.nats.insecure | Allow insecure TLS certificates in backend connection to NATS service | false |
 | webhook.v2.nats.url | Override the NATS service connection URL | "" |
 | webhook.v2.service.type | Use this type as webhook service | ClusterIP |
 | webhook.v2.service.port | Configure port for the V2 webhook service | 6443 |
-| webhook.v2.http.port | HTTP serve port where the requests will be served from | 6443 |
 | webhook.v2.image.registry | The KSPM Admission Controller image registry | quay.io |
 | webhook.v2.image.repository | The KSPM Admission Controller image repository | sysdig/secure-admission-controller |
-| webhook.v2.image.tag | The KSPM Admission Controller image tag | 1.27.5 |
+| webhook.v2.image.tag | The KSPM Admission Controller image tag | 1.27.6 |
 | webhook.v2.image.digest | Specifies the image digest value. If set, this value is used instead of the tag value | |
 | webhook.v2.image.pullPolicy | The PullPolicy for KSPM Admission Controller image | |
 | webhook.name | The service name for Webhook deployment | webhook |
diff --git a/charts/admission-controller/templates/_helpers.tpl b/charts/admission-controller/templates/_helpers.tpl
index 0bf82ddb3..98a39ba56 100644
--- a/charts/admission-controller/templates/_helpers.tpl
+++ b/charts/admission-controller/templates/_helpers.tpl
@@ -132,6 +132,16 @@ Sysdig NATS service URL
 {{- end -}}
 {{- end -}}
+{{/*
+Sysdig http service URL
+*/}}
+{{- define "admissionController.httpUrl" -}}
+{{- if .Values.webhook.v2.http.url -}}
+ {{- .Values.webhook.v2.http.url -}}
+{{- else -}}
+ https://{{ include "admissionController.apiEndpoint" . }}
+{{- end -}}
+{{- end -}}
 {{/*
 Common labels
diff --git a/charts/admission-controller/templates/webhook/configmap.yaml b/charts/admission-controller/templates/webhook/configmap.yaml
index e2fd8cb2f..38049f935 100644
--- a/charts/admission-controller/templates/webhook/configmap.yaml
+++ b/charts/admission-controller/templates/webhook/configmap.yaml
@@ -22,9 +22,14 @@ data:
 {{- if .Values.features.kspmAdmissionController}}
 SERVICE_PORT: "{{ .Values.webhook.v2.http.port }}"
 CERT_LOCATION: /cert
+ {{- if eq .Values.webhook.v2.transportLayer "nats"}}
 EXTERNAL_NATS_URL: {{ include "admissionController.natsUrl" . }}
 NATS_INSECURE: "{{.Values.webhook.v2.nats.insecure}}"
- BACKEND_URL: "{{ .Values.sysdig.url | default (printf "https://%s" (include "admissionController.apiEndpoint" .)) }}"
+ {{- end}}
+ {{- if eq .Values.webhook.v2.transportLayer "http"}}
+ BACKEND_URL: {{ include "admissionController.httpUrl" . }}
+ VERIFY_SSL: "{{.Values.webhook.v2.http.insecure}}"
+ {{- end}}
 {{- end}}
 {{- if .Values.webhook.acConfig }}
 CACHE_FLUSH_PERIOD: "{{ .Values.webhook.cacheFlushPeriod | default "24h" }}"
diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml
index 8ef0d1a60..4020225bf 100644
--- a/charts/admission-controller/values.yaml
+++ b/charts/admission-controller/values.yaml
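Review bot: In `_helpers.tpl`, `admissionController.httpUrl` returns `webhook.v2.http.url` verbatim, so an override with no scheme or with `http://` reaches BACKEND_URL unchecked, while the fallback branch always prefixes `https://`. The `webhook.v2.http.insecure` flag is documented as covering certificate checks only, so a plaintext override would not show up there; consider rejecting it at render time with `{{- if not (hasPrefix "https://" .Values.webhook.v2.http.url) -}}{{- fail "webhook.v2.http.url must use https://" -}}{{- end -}}`, or document that plain HTTP is an intended option. The helper also no longer consults `.Values.sysdig.url`, which the BACKEND_URL line removed from configmap.yaml used as its first choice, so an existing override there would be dropped silently. The template comment could state the precedence, for example `Backend URL for the HTTP transport: webhook.v2.http.url if set, else https://<apiEndpoint>`.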
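Review bot: In configmap.yaml, `VERIFY_SSL` in the new `http` branch is filled from `webhook.v2.http.insecure`, so the chart default `insecure: false` renders `VERIFY_SSL: "false"` and `insecure: true` renders `VERIFY_SSL: "true"`. If the controller reads the variable the way its name suggests (the consumer is not visible in this diff), certificate verification would be off by default and on only when the operator asks for the insecure mode; the NATS branch avoids the ambiguity by naming its variable `NATS_INSECURE`. Either invert the value, `VERIFY_SSL: "{{ not .Values.webhook.v2.http.insecure }}"`, or confirm the consumer's polarity and record it in a template comment. Separately, a `transportLayer` value other than `nats` or `http` renders neither branch, so a typo yields a ConfigMap with no backend settings; a `fail` on unknown values would surface that at install time. The enclosing `data:` mapping starts outside the hunk.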
@@ -168,6 +168,15 @@ podMonitors:
 webhook:
 v2:
+ # Allow to connect from ac to acprovider via: "nats"/"http"
+ transportLayer: nats
+ http:
+ # Sysdig api endpoint
+ url: ""
+ # Allow insecure TLS certificates in backend connection to HTTP service
+ insecure: false
+ # HTTP serve port where the requests will be served from
+ port: 6443
 nats:
 # Allow insecure TLS certificates in backend connection to NATS service
 insecure: false
@@ -178,17 +187,14 @@ webhook:
 type: ClusterIP
 # Configure port for the V2 webhook service
 port: 6443
- http:
- # HTTP serve port where the requests will be served from
- port: 6443
- # KSPM Admission Controller container image
+ # KSPM Admission Controller container image
 image:
 # The KSPM Admission Controller image registry
 registry: quay.io
 # The KSPM Admission Controller image repository
 repository: sysdig/secure-admission-controller
 # The KSPM Admission Controller image tag
- tag: 1.27.5
+ tag: 1.27.6
 # Specifies the image digest value. If set, this value is used instead of the tag value
 digest:
 # The PullPolicy for KSPM Admission Controller image
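Review bot: In the first values.yaml hunk (`@@ -168,6 +168,15 @@`), the comments on the new `http:` block do not tell an operator which keys are read only in HTTP mode. `url` and `insecure` configure the outbound backend connection, while `port` is the webhook's own listen port and is rendered as SERVICE_PORT outside both `transportLayer` branches in configmap.yaml. I would reword them, for example `# Backend URL used when transportLayer is "http"; empty derives it from the Sysdig API endpoint` for `url` and `# Skip TLS certificate verification for the HTTP backend connection` for `insecure`. The `transportLayer` comment should also say that `nats` and `http` are the only values the templates act on, since nothing in this diff validates the setting. The `webhook.v2` mapping continues past the end of the hunk.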