feat(sysdig-agent,node-analyzer,kspm-collector,rapid-response,admission-controller): Global Custom CA Bundle Support #961

Merged
merged 2 commits into from
Aug 1, 2023
4 changes: 2 additions & 2 deletions charts/admission-controller/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: admission-controller
description: Sysdig Admission Controller using Sysdig Secure inline image scanner
type: application
version: 0.11.9
version: 0.12.0
appVersion: 3.9.26
home: https://sysdiglabs.github.io/admission-controller/
icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
Expand All @@ -21,4 +21,4 @@ dependencies:
- name: common
# repository: https://charts.sysdig.com
repository: file://../common
version: ~1.0.1
version: ~1.1.0
26 changes: 22 additions & 4 deletions charts/admission-controller/README.md


20 changes: 14 additions & 6 deletions charts/admission-controller/templates/scanner/deployment.yaml
Expand Up @@ -41,10 +41,18 @@ spec:
defaultMode: 420
secretName: {{ .Values.scanner.dockerCfgSecretName }}
{{- end }}
{{- if .Values.scanner.ssl.ca.cert }}
{{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
- name: ca-cert
secret:
secretName: {{ include "admissionController.scanner.fullname" . }}-ca
{{- else if eq (include "sysdig.custom_ca.useExistingSecret" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
- name: ca-cert
secret:
secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}
{{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
- name: ca-cert
configMap:
name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}
{{- end }}
containers:
- name: inline-scanner
Expand All @@ -59,9 +67,9 @@ spec:
name: dockercfg
readOnly: true
{{- end }}
{{- if .Values.scanner.ssl.ca.cert }}
{{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
- name: ca-cert
mountPath: /ca-cert
mountPath: /ca-certs
readOnly: true
{{- end }}
{{- if .Values.scanner.customEntryPoint }}
Expand All @@ -83,9 +91,9 @@ spec:
- name: NO_PROXY
value: {{ include "scanner.noProxy" . }}
{{- end }}
{{- if .Values.scanner.ssl.ca.cert }}
- name: SSL_CERT_FILE
value: /ca-cert/root_ca_file.crt # mounted from the secret
{{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
- name: SSL_CERT_DIR
value: /ca-certs
{{- end }}
envFrom:
- configMapRef:
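Review bot: Replacing `SSL_CERT_FILE` with `SSL_CERT_DIR` (L97–L99 here, and the matching hunk in webhook/deployment.yaml) changes which TLS stacks can consume the mounted CA: OpenSSL-based loaders only pick up certificates from `SSL_CERT_DIR` when files are named by subject hash (the `c_rehash` layout), while Go's crypto/x509 reads every file in the directory. A Secret or ConfigMap volume at `/ca-certs` produces the plain-file layout, so this only works if each container reading the variable uses a loader with Go-style directory scanning, which I cannot confirm from the hunk for the scanner image. A comment next to the env entry would make the assumption visible, e.g. `# SSL_CERT_DIR: every file under /ca-certs is loaded (Go x509 semantics); OpenSSL-based clients would need hashed filenames`.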
7 changes: 6 additions & 1 deletion charts/admission-controller/templates/scanner/secret.yaml
Expand Up @@ -19,14 +19,19 @@ stringData:
AUTH_BEARER_TOKEN: {{ include "sysdig.secureAPIToken" . }}
{{- end }}
---
{{- if .Values.scanner.ssl.ca.cert }}
{{- if or .Values.scanner.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true") }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "admissionController.scanner.fullname" . }}-ca
namespace: {{ include "admissionController.namespace" . }}
labels: {{- include "admissionController.scanner.labels" . | nindent 4 }}
data:
{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl)) "true" }}
{{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
{{- end }}
{{- if or .Values.scanner.ssl.ca.cert }}
root_ca_file.crt: {{ .Values.scanner.ssl.ca.cert | b64enc | quote }}
{{- end }}
{{- end }}
{{- end }}
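Review bot: `{{- if or .Values.scanner.ssl.ca.cert }}` at L122 is a single-operand `or`, which reads as a leftover from editing; `{{- if .Values.scanner.ssl.ca.cert }}` expresses the same condition (the same form appears at the equivalent line in webhook/secret.yaml). The two `data` keys are also emitted in opposite order between the scanner and webhook Secrets (custom-CA key first here, legacy `root_ca_file.crt` first in the webhook template); keeping one order makes the two templates easy to compare. Since the `keyName` output at L120 becomes a Secret data key verbatim, a short comment that it must be a valid key (non-empty, no `/`) would help, as the helper presumably does not validate it.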
22 changes: 15 additions & 7 deletions charts/admission-controller/templates/webhook/deployment.yaml
Expand Up @@ -84,9 +84,9 @@ spec:
- name: NO_PROXY
value: {{ include "webhook.noProxy" . }},{{ include "admissionController.scanner.fullname" . }}
{{- end }}
{{- if .Values.webhook.ssl.ca.cert }}
- name: SSL_CERT_FILE
value: /ca-cert/root_ca_file.crt # mounted from the secret
{{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
- name: SSL_CERT_DIR
value: /ca-certs
{{- end }}
ports:
- name: http
Expand Down Expand Up @@ -117,9 +117,9 @@ spec:
- name: cert
mountPath: /cert
readOnly: true
{{- if .Values.webhook.ssl.ca.cert }}
{{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
- name: ca-cert
mountPath: /ca-cert
mountPath: /ca-certs
readOnly: true
{{- end }}
resources:
Expand All @@ -128,11 +128,19 @@ spec:
- name: cert
secret:
secretName: {{ include "admissionController.webhook.fullname" . }}-tls
{{- if .Values.webhook.ssl.ca.cert }}
{{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
- name: ca-cert
secret:
secretName: {{ include "admissionController.webhook.fullname" . }}-ca
{{- end }}
{{- else if eq (include "sysdig.custom_ca.useExistingSecret" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
- name: ca-cert
secret:
secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}
{{- else if eq (include "sysdig.custom_ca.useExistingConfigMap" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
- name: ca-cert
configMap:
name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.scanner.ssl) }}
{{- end }}
{{- with .Values.webhook.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
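Review bot: The two `else if` branches added at L164–L171 test the webhook's settings (`"component" .Values.webhook.ssl`) but resolve the volume source from the scanner's (`"component" .Values.scanner.ssl` on L167 and L171), so a webhook-level existing Secret or ConfigMap that differs from the scanner's yields the scanner's name, and — if the helper prefers the component value — an empty `secretName`/`name` when only the webhook override is set, leaving the pod unable to mount. Both lines should pass the webhook values: `secretName: {{ include "sysdig.custom_ca.existingSecret" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) }}` and `name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) }}`. The new tests only set `global.ssl.ca.*`, where both dicts resolve identically, which is why this was not caught; a test with a webhook-specific override would.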
7 changes: 6 additions & 1 deletion charts/admission-controller/templates/webhook/secret.yaml
Expand Up @@ -10,7 +10,7 @@ stringData:
SECURE_API_TOKEN: {{ include "sysdig.secureAPIToken" . }}
{{- end }}
---
{{- if .Values.webhook.ssl.ca.cert }}
{{- if or .Values.webhook.ssl.ca.cert (eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true") }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -19,5 +19,10 @@ metadata:
labels:
{{ include "admissionController.webhook.labels" . | nindent 4 }}
data:
{{- if or .Values.webhook.ssl.ca.cert }}
root_ca_file.crt: {{ .Values.webhook.ssl.ca.cert | b64enc | quote }}
{{- end }}
{{- if eq (include "sysdig.custom_ca.useValues" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl)) "true" }}
{{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.webhook.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
{{- end }}
{{- end }}
245 changes: 245 additions & 0 deletions charts/admission-controller/tests/ca_cert_test.yaml
@@ -0,0 +1,245 @@
suite: Test admission-controller CA cert
templates:
- scanner/serviceaccount.yaml
- scanner/deployment.yaml
- scanner/podmonitor.yaml
- scanner/secret.yaml
- scanner/service.yaml
- scanner/configmap.yaml
- webhook/serviceaccount.yaml
- webhook/deployment.yaml
- webhook/configmap.yaml
- webhook/secret.yaml
- webhook/admissionregistration.yaml
- webhook/podmonitor.yaml
tests:
- it: Check Custsom CA Cert Disabled
documentIndex: 0
set:
clusterName: "test-k8s"
scanner:
enabled: true
webhook:
enabled: true
sysdig:
accessKey: standard-key
secureAPIToken: standard-token
asserts:
- notContains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: webhook/deployment.yaml
- notContains:
path: spec.template.spec.volumes
content:
name: ca-cert
secret:
secretName: release-name-admission-controller-webhook-ca
template: webhook/deployment.yaml
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: webhook/deployment.yaml
- notContains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: scanner/deployment.yaml
- notContains:
path: spec.template.spec.volumes
content:
name: ca-cert
secret:
secretName: release-name-admission-controller-scanner-ca
template: scanner/deployment.yaml
- notContains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: scanner/deployment.yaml

- it: Check Custsom CA Cert defined with Values
documentIndex: 0
set:
clusterName: "test-k8s"
scanner:
enabled: true
webhook:
enabled: true
global:
ssl:
ca:
certs:
- |
-----BEGIN CERTIFICATE-----
my-test-cert
-----END CERTIFICATE-----
keyName: "global_root_ca.crt"
sysdig:
accessKey: standard-key
secureAPIToken: standard-token
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: ca-cert
secret:
secretName: release-name-admission-controller-webhook-ca
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: ca-cert
secret:
secretName: release-name-admission-controller-scanner-ca
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: scanner/deployment.yaml

- it: Check Custsom CA Cert defined with Existing Secret
documentIndex: 0
set:
clusterName: "test-k8s"
scanner:
enabled: true
webhook:
enabled: true
global:
ssl:
ca:
existingCaSecret: "test-fake-ca-secret-name"
existingCaSecretKeyName: "test-fake-ca-secret-key.crt"
sysdig:
accessKey: standard-key
secureAPIToken: standard-token
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: ca-cert
secret:
secretName: test-fake-ca-secret-name
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: ca-cert
secret:
secretName: test-fake-ca-secret-name
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: scanner/deployment.yaml

- it: Check Custsom CA Cert defined with Existing ConfigMap
documentIndex: 0
set:
clusterName: "test-k8s"
scanner:
enabled: true
webhook:
enabled: true
global:
ssl:
ca:
existingCaConfigMap: "test-fake-ca-configmap-name"
existingCaConfigMapKeyName: "test-fake-ca-configmap-key.crt"
sysdig:
accessKey: standard-key
secureAPIToken: standard-token
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: ca-cert
configMap:
name: test-fake-ca-configmap-name
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: webhook/deployment.yaml
- contains:
path: spec.template.spec.containers[0].env
content:
name: SSL_CERT_DIR
value: "/ca-certs"
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.volumes
content:
name: ca-cert
configMap:
name: test-fake-ca-configmap-name
template: scanner/deployment.yaml
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: ca-cert
mountPath: /ca-certs
readOnly: true
template: scanner/deployment.yaml
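Review bot: The four test names at L217, L270, L332 and L390 misspell "Custom" as "Custsom"; worth fixing before they appear in CI output (`- it: Check Custom CA Cert Disabled`, and likewise for the other three). Every case sets only `global.ssl.ca.*`, so nothing verifies that a component-level override (`scanner.ssl` / `webhook.ssl`, which the templates pass as `"component"`) is honoured independently per Deployment, nor that the rendered `-ca` Secret carries the configured `keyName` key with the certificate; a case with different existing-secret names for scanner and webhook, plus assertions on the `data` of `scanner/secret.yaml` and `webhook/secret.yaml`, would close both gaps. Minor: `value: "/ca-certs"` is quoted while `mountPath: /ca-certs` is not; either is valid, but one style reads better.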