feat(admission-controller,agent,cloud-bench,cloud-connector,cloud-sca…
…nning,harbor-scanner-sysdig-secure,kspm-collector,node-analyzer,rapid-response,sysdig-deploy,sysdig-mcm-navmenu,sysdig-stackdriver-bridge) Add Custom CA Support
AlbertoBarba committed Jul 25, 2023
1 parent 8ab1938 commit c5c4120
Showing 47 changed files with 2,390 additions and 111 deletions.
4 changes: 2 additions & 2 deletions charts/admission-controller/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: admission-controller
description: Sysdig Admission Controller using Sysdig Secure inline image scanner
type: application
version: 0.11.8
version: 0.12.0
appVersion: 3.9.26
home: https://sysdiglabs.github.io/admission-controller/
icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
Expand All @@ -21,4 +21,4 @@ dependencies:
- name: common
# repository: https://charts.sysdig.com
repository: file://../common
version: ~1.0.1
version: ~1.1.0
26 changes: 22 additions & 4 deletions charts/admission-controller/README.md


20 changes: 14 additions & 6 deletions charts/admission-controller/templates/scanner/deployment.yaml
Expand Up @@ -41,10 +41,18 @@ spec:
defaultMode: 420
secretName: {{ .Values.scanner.dockerCfgSecretName }}
{{- end }}
{{- if .Values.scanner.ssl.ca.cert }}
{{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
- name: ca-cert
secret:
secretName: {{ include "admissionController.scanner.fullname" . }}-ca
{{- else if eq (include "sysdig.custom_ca.useExistingSecret" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
- name: ca-cert
secret:
secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}
{{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
- name: ca-cert
configMap:
name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}
{{- end }}
containers:
- name: inline-scanner
Expand All @@ -59,9 +67,9 @@ spec:
name: dockercfg
readOnly: true
{{- end }}
{{- if .Values.scanner.ssl.ca.cert }}
{{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
- name: ca-cert
mountPath: /ca-cert
mountPath: /ca-certs
readOnly: true
{{- end }}
{{- if .Values.scanner.customEntryPoint }}
Expand All @@ -83,9 +91,9 @@ spec:
- name: NO_PROXY
value: {{ include "scanner.noProxy" . }}
{{- end }}
{{- if .Values.scanner.ssl.ca.cert }}
- name: SSL_CERT_FILE
value: /ca-cert/root_ca_file.crt # mounted from the secret
{{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
- name: SSL_CERT_DIR
value: /ca-certs
{{- end }}
envFrom:
- configMapRef:
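Review bot: The existing-Secret and existing-ConfigMap volumes added at lines 47-54 project every key of the referenced object under /ca-certs, even though the chart carries a dedicated key name for that object (`existingCaSecretKeyName` / `existingCaConfigMapKeyName`, as the new tests set them) that this volume never consults; restrict the projection, e.g. `items:` / `- key: {{ .Values.global.ssl.ca.existingCaSecretKeyName }}` / `path: {{ .Values.global.ssl.ca.existingCaSecretKeyName }}` on the Secret volume and the equivalent on the ConfigMap volume, resolved through the same global/component helper pattern the name already uses. Without it, any unrelated key in a shared Secret becomes a file in the directory SSL_CERT_DIR now points to. The move from SSL_CERT_FILE to SSL_CERT_DIR (lines 77-79) also changes how the CA is located: a Go x509 client reads every file in the directory, whereas OpenSSL-based clients presumably expect hash-named files and would not pick up `root_ca_file.crt` as-is; confirm which TLS stack the inline-scanner image uses. The same volume definitions are repeated in webhook/deployment.yaml.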
7 changes: 6 additions & 1 deletion charts/admission-controller/templates/scanner/secret.yaml
Expand Up @@ -19,14 +19,19 @@ stringData:
AUTH_BEARER_TOKEN: {{ include "sysdig.secureAPIToken" . }}
{{- end }}
---
{{- if .Values.scanner.ssl.ca.cert }}
{{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "admissionController.scanner.fullname" . }}-ca
namespace: {{ include "admissionController.namespace" . }}
labels: {{- include "admissionController.scanner.labels" . | nindent 4 }}
data:
{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
{{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
{{- end }}
{{- if or .Values.scanner.ssl.ca.cert }}
root_ca_file.crt: {{ .Values.scanner.ssl.ca.cert | b64enc | quote }}
{{- end }}
{{- end }}
{{- end }}
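Review bot: `{{- if or .Values.scanner.ssl.ca.cert }}` at line 102 applies `or` to a single operand, which is a no-op; write `{{- if .Values.scanner.ssl.ca.cert }}` (the same form appears in webhook/secret.yaml). When both the legacy `scanner.ssl.ca.cert` and the new values-based CA are set, both `data` entries land in the same Secret, so a `keyName` equal to `root_ca_file.crt` would presumably render a duplicate mapping key; either reserve that name in the values documentation or make the legacy branch an `{{- else if ... }}`. A one-line comment above the first branch stating that `root_ca_file.crt` is the deprecated single-cert path would help the next reader.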
22 changes: 15 additions & 7 deletions charts/admission-controller/templates/webhook/deployment.yaml
Expand Up @@ -84,9 +84,9 @@ spec:
- name: NO_PROXY
value: {{ include "webhook.noProxy" . }},{{ include "admissionController.scanner.fullname" . }}
{{- end }}
{{- if .Values.webhook.ssl.ca.cert }}
- name: SSL_CERT_FILE
value: /ca-cert/root_ca_file.crt # mounted from the secret
{{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
- name: SSL_CERT_DIR
value: /ca-certs
{{- end }}
ports:
- name: http
Expand Down Expand Up @@ -117,9 +117,9 @@ spec:
- name: cert
mountPath: /cert
readOnly: true
{{- if .Values.webhook.ssl.ca.cert }}
{{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
- name: ca-cert
mountPath: /ca-cert
mountPath: /ca-certs
readOnly: true
{{- end }}
resources:
Expand All @@ -128,11 +128,19 @@ spec:
- name: cert
secret:
secretName: {{ include "admissionController.webhook.fullname" . }}-tls
{{- if .Values.webhook.ssl.ca.cert }}
{{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
- name: ca-cert
secret:
secretName: {{ include "admissionController.webhook.fullname" . }}-ca
{{- end }}
{{- else if eq (include "sysdig.custom_ca.useExistingSecret" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
- name: ca-cert
secret:
secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}
{{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
- name: ca-cert
configMap:
name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}
{{- end }}
{{- with .Values.webhook.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
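Review bot: The existing-Secret and existing-ConfigMap branches at lines 144-151 test `.Values.webhook.ssl` but resolve the object name from `.Values.scanner.ssl` (lines 147 and 151), so a CA configured only at the webhook component level renders an empty or wrong `secretName`/`name`, and a CA configured only on the scanner side would be mounted into the webhook pod without the webhook condition ever asking for it. Change the two lines to `secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) }}` and `name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) }}`. The new tests only set `global.ssl`, under which both lookups coincide, which is why this passes.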
7 changes: 6 additions & 1 deletion charts/admission-controller/templates/webhook/secret.yaml
Expand Up @@ -10,7 +10,7 @@ stringData:
SECURE_API_TOKEN: {{ include "sysdig.secureAPIToken" . }}
{{- end }}
---
{{- if .Values.webhook.ssl.ca.cert }}
{{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -19,5 +19,10 @@ metadata:
labels:
{{ include "admissionController.webhook.labels" . | nindent 4 }}
data:
{{- if or .Values.webhook.ssl.ca.cert }}
root_ca_file.crt: {{ .Values.webhook.ssl.ca.cert | b64enc | quote }}
{{- end }}
{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
{{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
{{- end }}
{{- end }}
245 changes: 245 additions & 0 deletions charts/admission-controller/tests/ca_cert_test.yaml
@@ -0,0 +1,245 @@
suite: Test admission-controller CA cert
templates:
- scanner/serviceaccount.yaml
- scanner/deployment.yaml
- scanner/podmonitor.yaml
- scanner/secret.yaml
- scanner/service.yaml
- scanner/configmap.yaml
- webhook/serviceaccount.yaml
- webhook/deployment.yaml
- webhook/configmap.yaml
- webhook/secret.yaml
- webhook/admissionregistration.yaml
- webhook/podmonitor.yaml
tests:
- it: Check Custsom CA Cert Disabled
documentIndex: 0
set:
clusterName: "test-k8s"
scanner:
enabled: true
webhook:
enabled: true
sysdig:
accessKey: standard-key
secureAPIToken: standard-token
asserts:
- notContains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: webhook/deployment.yaml
- notContains:
path: spec.template.spec.volumes
content:
name: ca-cert
secret:
secretName: release-name-admission-controller-webhook-ca
template: webhook/deployment.yaml
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: webhook/deployment.yaml
- notContains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: scanner/deployment.yaml
- notContains:
path: spec.template.spec.volumes
content:
name: ca-cert
secret:
secretName: release-name-admission-controller-scanner-ca
template: scanner/deployment.yaml
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: scanner/deployment.yaml

- it: Check Custsom CA Cert defined with Values
documentIndex: 0
set:
clusterName: "test-k8s"
scanner:
enabled: true
webhook:
enabled: true
global:
ssl:
ca:
certs:
- |
-----BEGIN CERTIFICATE-----
my-test-cert
-----END CERTIFICATE-----
keyName: "global_root_ca.crt"
sysdig:
accessKey: standard-key
secureAPIToken: standard-token
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: ca-cert
secret:
secretName: release-name-admission-controller-webhook-ca
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: ca-cert
secret:
secretName: release-name-admission-controller-scanner-ca
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: scanner/deployment.yaml

- it: Check Custsom CA Cert defined with Existing Secret
documentIndex: 0
set:
clusterName: "test-k8s"
scanner:
enabled: true
webhook:
enabled: true
global:
ssl:
ca:
existingCaSecret: "test-fake-ca-secret-name"
existingCaSecretKeyName: "test-fake-ca-secret-key.crt"
sysdig:
accessKey: standard-key
secureAPIToken: standard-token
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: ca-cert
secret:
secretName: test-fake-ca-secret-name
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: ca-cert
secret:
secretName: test-fake-ca-secret-name
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: scanner/deployment.yaml

- it: Check Custsom CA Cert defined with Existing ConfigMap
documentIndex: 0
set:
clusterName: "test-k8s"
scanner:
enabled: true
webhook:
enabled: true
global:
ssl:
ca:
existingCaConfigMap: "test-fake-ca-configmap-name"
existingCaConfigMapKeyName: "test-fake-ca-configmap-key.crt"
sysdig:
accessKey: standard-key
secureAPIToken: standard-token
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: ca-cert
configMap:
name: test-fake-ca-configmap-name
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: ca-cert
configMap:
name: test-fake-ca-configmap-name
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: scanner/deployment.yaml
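Review bot: Every case in this suite configures the CA only under `global.ssl`, so the component-level values the templates pass as `component` (`scanner.ssl` / `webhook.ssl`) and the legacy `ssl.ca.cert` branch they still honour are never rendered, and the suite cannot notice that webhook/deployment.yaml resolves the existing-Secret name from `.Values.scanner.ssl`. Add a case that sets the existing-Secret keys under the webhook component value alone and asserts the webhook `secretName`, and one for the legacy `scanner.ssl.ca.cert` asserting the `root_ca_file.crt` key in scanner/secret.yaml. None of the asserts covers the Secret rendered by scanner/secret.yaml or webhook/secret.yaml, so the `keyName` set in the values case (`global_root_ca.crt`) is never verified. The four `it:` names spell `Custsom` for `Custom`.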