release(sysdig-deploy,kspm-collector): kspm-collector v1.39.12 (#2255)

Author: mech-pig

charts/kspm-collector/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 name: kspm-collector
 description: Sysdig KSPM collector
-version: 0.17.9
-appVersion: 1.39.11
+version: 0.18.0
+appVersion: 1.39.12
 keywords:
   - monitoring
   - security

charts/kspm-collector/README.md

@@ -45,11 +45,13 @@ The following table lists the configurable parameters of the Sysdig KSPM Collect
 | `clusterName`                              | Sets a unique cluster name. This name will be used to identify events using the `kubernetes.cluster.name` tag.                                    | ` `                                                         |
 | `image.registry`                           | Specifies the KSPM collector image registry.                                                                                                      | `quay.io`                                                   |
 | `image.repository`                         | Specifies the image repository to pull from.                                                                                                      | `sysdig/kspm-collector`                                     |
-| `image.tag`                                | Specifies the image tag to pull from the image repository.                                                                                        | `1.39.11`                                                   |
+| `image.tag`                                | Specifies the image tag to pull from the image repository.                                                                                        | `1.39.12`                                                   |
 | `image.digest`                             | Specifies the image digest to pull from the image repository.                                                                                     | ` `                                                         |
 | `image.pullPolicy`                         | Specifies theImage pull policy.                                                                                                                   | `""`                                                        |
 | `imagePullSecrets`                         | Specifies the Image pull secret.                                                                                                                  | `[]`                                                        |
 | `replicas`                                 | Specifies the KSPM collector deployment replicas.                                                                                                 | `1`                                                         |
+| `transportLayer`                                 |  Determine the transport used by the collector to receive tasks from the backend and send results back to it. Valid values are "nats" and "http".                                                                                              | `http`                                                         |
+| `leaderElection.lockName`                                 |  Name of the k8s leader election lease lock. Applicable only if the transport layer is `http`.                                                                                               | `kspm-collector-leader-election`                                                         |
 | `namespaces.included`                      | Specifies the namespaces to include in the KSPM collector scans. If left empty, all the namesapces will be scanned.                               | ``                                                          |
 | `namespaces.excluded`                      | Specifies the namespaces to exclude in the KSPM collector scans.                                                                                  | ``                                                          |
 | `nodeSelector`                             | Specifies the Node Selector.                                                                                                                      | `{}`                                                        |
@@ -70,6 +72,7 @@ The following table lists the configurable parameters of the Sysdig KSPM Collect
 | `sslVerifyCertificate`                     | Sets `NATS_INSECURE` env variable on the KSPM collector containers.                                                                               |                                                             |
 | `arch`                                     | Specifies the allowed architectures for scheduling.                                                                                               | `[ amd64, arm64 ]`                                          |
 | `os`                                       | Specifies the allowed operating systems for scheduling.                                                                                           | `[ linux ]`                                                 |
+| `env`                                     | Specifies the Extra environment variables that will be passed onto pods.                                                                                                                    | `{}`                                                                                                                                                                  |
 | `affinity`                                 | Specifies the node affinities. Overrides `arch` and `os` values.                                                                                  | `{}`                                                        |
 | `labels`                                   | Specifies the KSPM collector specific labels as a multi-line templated string map or as YAML.                                                     | `{}`                                                        |
 | `annotations`                              | Specifies the deployment annotations as a multi-line templated string map or as YAML.                                                             | `{}`                                                        |

charts/kspm-collector/templates/_helpers.tpl

@@ -141,6 +141,12 @@ Sysdig NATS service URL
 {{- end -}}
 {{- end -}}
 
+{{/*
+Returns the transport layer
+*/}}
+{{- define "kspmCollector.transportLayer" -}}
+    {{ .Values.transportLayer | default "http" }}
+{{- end -}}
 
 {{/*
 Returns the namespace for installing components
@@ -149,6 +155,17 @@ Returns the namespace for installing components
     {{- coalesce .Values.namespace .Release.Namespace -}}
 {{- end -}}
 
+{{/*
+Returns the name of the lock for the leader election lease
+*/}}
+{{- define "kspmCollector.leaderElectionLeaseLockName" -}}
+    {{- if eq (.Values.transportLayer | default "") "http" -}}
+        {{- required "A valid lock name for the leader election is required when transport is http" .Values.leaderElection.lockName -}}
+    {{- else -}}
+        {{- .Values.leaderElection.lockName -}}
+    {{- end -}}
+{{- end -}}
+
 {{/*
 KSPM Collector nodeSelector
 */}}

charts/kspm-collector/templates/configmap.yaml

@@ -11,6 +11,7 @@ data:
   {{- $env = "DEVELOPMENT" -}}
 {{ end}}
   environment: {{ $env }}
+  api_endpoint: {{ include "kspmCollector.apiEndpoint" . }}
   included_namespaces: {{ .Values.namespaces.included | quote}}
   excluded_namespaces: {{ .Values.namespaces.excluded | quote }}
   included_workloads: {{ .Values.workloads.included | quote }}
@@ -21,6 +22,9 @@ data:
   nats_max_reconnect_failures: {{ .Values.natsMaxReconnectFailures | default 60 | quote }}
   cluster_name: {{ required "A valid clusterName is required" (include "kspmCollector.clusterName" .) }}
   nats_insecure: {{ include "kspmCollector.natsInsecure" . }}
+  transport_layer: {{ include "kspmCollector.transportLayer" . }}
+  leader_election_lease_lock_name: {{ include "kspmCollector.leaderElectionLeaseLockName" . }}
+  leader_election_lease_lock_namespace: {{ include "kspmCollector.namespace" . }}
   {{- if (.Values.httpProxy | default .Values.global.proxy.httpProxy) }}
   http_proxy: {{ .Values.httpProxy | default .Values.global.proxy.httpProxy }}
   {{- end -}}

charts/kspm-collector/templates/deployment.yaml

@@ -94,6 +94,11 @@ spec:
         resources:
 {{ toYaml .Values.resources | indent 10 }}
         env:
+          - name: API_ENDPOINT
+            valueFrom:
+              configMapKeyRef:
+                name: {{ template "kspmCollector.fullname" . }}
+                key: api_endpoint
           - name: ACCESS_KEY
             valueFrom:
               secretKeyRef:
@@ -103,11 +108,32 @@ spec:
                 name: {{ ( include "kspmCollector.accessKeySecret" .) }}
                 {{- end }}
                 key: access-key
+          - name: KUBE_POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
           - name: CLUSTER_NAME
             valueFrom:
               configMapKeyRef:
                 name: {{ template "kspmCollector.fullname" . }}
                 key: cluster_name
+          - name: TRANSPORT_LAYER
+            valueFrom:
+              configMapKeyRef:
+                name: {{ template "kspmCollector.fullname" . }}
+                key: transport_layer
+          - name: KUBE_LEADER_ELECTION_LEASE_LOCK_NAME
+            valueFrom:
+              configMapKeyRef:
+                name: {{ template "kspmCollector.fullname" . }}
+                key: leader_election_lease_lock_name
+                optional: true
+          - name: KUBE_LEADER_ELECTION_LEASE_LOCK_NAMESPACE
+            valueFrom:
+              configMapKeyRef:
+                name: {{ template "kspmCollector.fullname" . }}
+                key: leader_election_lease_lock_namespace
+                optional: true
           - name: INCLUDED_NAMESPACES
             valueFrom:
               configMapKeyRef:
@@ -203,12 +229,18 @@ spec:
           - name: TLS_CA_PATHS
             value: /ca-certs/{{- include "sysdig.custom_ca.keyName"  (dict "global" .Values.global.ssl "component" .Values.ssl) -}}
           {{- end }}
+          {{- range $key, $value := .Values.env }}
+          - name: "{{ $key }}"
+            value: "{{ $value }}"
+          {{- end }}
         volumeMounts:
           {{- if eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
           - mountPath: /ca-certs
             name: ca-cert
             readOnly: true
           {{- end }}
+          - mountPath: /tmp
+            name: tmp-dir
       volumes:
         {{- if eq (include "sysdig.custom_ca.useValues"  (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
         - name: ca-cert
@@ -223,3 +255,5 @@ spec:
           configMap:
             name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl) }}
         {{- end }}
+        - name: tmp-dir
+          emptyDir: {}

charts/kspm-collector/templates/role.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kspmCollector.fullname" . }}
+  namespace: {{ include "kspmCollector.namespace" . }}
+  labels:
+{{ include "kspmCollector.labels" . | indent 4 }}
+rules:
+{{- if eq (include "kspmCollector.transportLayer" .) "http" }}
+- apiGroups: ["", "coordination.k8s.io"]
+  resources:
+    - "leases"
+  resourceNames:
+    - {{ include "kspmCollector.leaderElectionLeaseLockName" . }}
+  verbs: ["*"]
+- apiGroups: ["", "coordination.k8s.io"]
+  resources:
+    - "leases"
+  verbs: ["create"]
+{{- end }}
+{{- end }}

charts/kspm-collector/templates/rolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if and .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "kspmCollector.fullname" .}}
+  labels:
+{{ include "kspmCollector.labels" . | indent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kspmCollector.serviceAccountName" .}}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ template "kspmCollector.fullname" .}}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/kspm-collector/tests/ca_cert_test.yaml

@@ -21,11 +21,19 @@ tests:
             name: SSL_CERT_FILE
             value: "/ca-certs/global_root_ca.crt"
         template: deployment.yaml
-      - isEmpty:
+      - notContains:
           path: spec.template.spec.volumes
+          content:
+            name: ca-cert
+            secret:
+              secretName: release-name-kspm-collector-ca
         template: deployment.yaml
-      - isEmpty:
+      - notContains:
           path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: ca-cert
+            mountPath: /ca-certs
+            readOnly: true
         template: deployment.yaml
 
   - it: Check Custom CA Cert defined with Values

charts/kspm-collector/tests/configmap_test.yaml

@@ -0,0 +1,85 @@
+suite: KSPM Collector ConfigMap Tests
+templates:
+  - configmap.yaml
+tests:
+  - it: check that transport_layer is set with default value
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+    asserts:
+      - equal:
+          path: data.transport_layer
+          value: http
+
+  - it: check that transport_layer is set with overridden value
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+      transportLayer: nats
+    asserts:
+      - equal:
+          path: data.transport_layer
+          value: nats
+
+  - it: check that leader_election_lease_lock_name is set with default value
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+    asserts:
+      - equal:
+          path: data.leader_election_lease_lock_name
+          value: kspm-collector-leader-election
+
+  - it: check that leader_election_lease_lock_name is set with overridden value
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+      leaderElection:
+        lockName: test-lock
+    asserts:
+      - equal:
+          path: data.leader_election_lease_lock_name
+          value: test-lock
+
+  - it: check that leader_election_lease_lock_name is required when transport is http
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+      transportLayer: http
+      leaderElection:
+        lockName: ""
+    asserts:
+      - failedTemplate:
+          errorMessage: A valid lock name for the leader election is required when transport is http
+
+  - it: check that leader_election_lease_lock_namespace is equal to release namespace
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+      transportLayer: http
+    release:
+      namespace: test-namespace-release
+    asserts:
+      - equal:
+          path: data.leader_election_lease_lock_namespace
+          value: test-namespace-release
+
+  - it: check that leader_election_lease_lock_namespace is equal to namespace value if set
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      clusterName: test-cluster
+      transportLayer: http
+      namespace: test-namespace-value
+    release:
+      namespace: test-namespace-release
+    asserts:
+      - equal:
+          path: data.leader_election_lease_lock_namespace
+          value: test-namespace-value

charts/kspm-collector/tests/deployment_envvars_test.yaml

@@ -0,0 +1,16 @@
+suite: KSPM Collector Deployment Env Var Tests
+templates:
+  - deployment.yaml
+tests:
+  - it: check that KUBE_POD_NAME is set with the name of the pod
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[?(@.name=="kspm-collector")].env
+          content:
+            name: KUBE_POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name

charts/kspm-collector/tests/global_overrides_test.yaml

@@ -54,7 +54,7 @@ tests:
         existingAccessKeySecret: standard_key
     asserts:
       - equal:
-          path: spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef.name
+          path: spec.template.spec.containers[0].env[?(@.name=="ACCESS_KEY")].valueFrom.secretKeyRef.name
           value: standard_key
         template: deployment.yaml
 
@@ -67,7 +67,7 @@ tests:
           accessKeySecret: standard_key
     asserts:
       - equal:
-          path: spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef.name
+          path: spec.template.spec.containers[0].env[?(@.name=="ACCESS_KEY")].valueFrom.secretKeyRef.name
           value: standard_key
         template: deployment.yaml
 
@@ -82,7 +82,7 @@ tests:
         existingAccessKeySecret: override_key
     asserts:
       - equal:
-          path: spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef.name
+          path: spec.template.spec.containers[0].env[?(@.name=="ACCESS_KEY")].valueFrom.secretKeyRef.name
           value: override_key
         template: deployment.yaml
 

charts/kspm-collector/tests/role_test.yaml

@@ -0,0 +1,48 @@
+suite: KSPM Collector Role Tests
+templates:
+  - templates/role.yaml
+tests:
+  - it: Should not create document if rbac.create is false
+    set:
+      rbac:
+        create: false
+    asserts:
+      - containsDocument:
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: Role
+        not: true
+
+  - it: Should not create rules if transportLayer is not http
+    set:
+      transportLayer: nats
+    asserts:
+      - isNullOrEmpty:
+          path: rules
+
+  - it: Should grant permissions to create lease if transport is http
+    set:
+      transportLayer: http
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["", "coordination.k8s.io"]
+            resources:
+              - "leases"
+            verbs: ["create"]
+
+  - it: Should grant all permissions on specific lease if transport is http
+    set:
+      transportLayer: http
+      leaderElection:
+        lockName: test-lock-name
+    asserts:
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["", "coordination.k8s.io"]
+            resources:
+              - "leases"
+            resourceNames:
+              - "test-lock-name"
+            verbs: ["*"]