-
Notifications
You must be signed in to change notification settings - Fork 41
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #486 from smalinet/standard-labels
Standard labels
- Loading branch information
Showing
121 changed files
with
4,021 additions
and
1,020 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| {{/* validate alertCRD.scopeClustered and alertCRD.scopeNamespaced are mutual exclusive */}} | ||
| {{- if and .Values.alertCRD.scopeClustered .Values.alertCRD.scopeNamespaced }} | ||
| {{- fail "alertCRD.scopeClustered and alertCRD.scopeNamespaced cannot both be true" }} | ||
| {{- end }} | ||
|
|
||
| {{- define "checksums" -}} | ||
| capabilitiesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "components-configmap.yaml") . | sha256sum }} | ||
| cloudConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloudapi-configmap.yaml") . | sha256sum }} | ||
| cloudSecret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloud-secret.yaml" ) . | sha256sum }} | ||
| hostScannerConfig: {{ include (printf "%s/kubescape/host-scanner-definition-configmap.yaml" $.Template.BasePath ) . | sha256sum }} | ||
| matchingRulesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "matchingRules-configmap.yaml") . | sha256sum }} | ||
| nodeAgentConfig: {{ include (printf "%s/node-agent/configmap.yaml" $.Template.BasePath) . | sha256sum }} | ||
| operatorConfig: {{ include (printf "%s/operator/configmap.yaml" $.Template.BasePath) . | sha256sum }} | ||
| otelConfig: {{ include (printf "%s/otel-collector/configmap.yaml" $.Template.BasePath) . | sha256sum }} | ||
| proxySecret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory "proxy-secret.yaml") . | sha256sum }} | ||
| synchronizerConfig: {{ include (printf "%s/synchronizer/configmap.yaml" $.Template.BasePath) . | sha256sum }} | ||
| {{- end -}} | ||
|
|
||
|
|
||
| {{- define "configurations" -}} | ||
| {{- $createCloudSecret := (empty .Values.credentials.cloudSecret) -}} | ||
| {{- $ksOtel := empty .Values.otelCollector.disable -}} | ||
| {{- $otel := not (empty .Values.configurations.otelUrl) -}} | ||
| {{- $submit := not (empty .Values.server) -}} | ||
| continuousScan: {{ and (eq .Values.capabilities.continuousScan "enable") (not $submit) }} | ||
| createCloudSecret: {{ $createCloudSecret }} | ||
| ksOtel: {{ and $ksOtel $submit }} | ||
| otel: {{ $otel }} | ||
| otelPort : {{ if $otel }}{{ splitList ":" .Values.configurations.otelUrl | last }}{{ else }}""{{ end }} | ||
| runtimeObservability: {{ eq .Values.capabilities.runtimeObservability "enable" }} | ||
| submit: {{ $submit }} | ||
| {{- if $submit -}} | ||
| {{- if and (empty .Values.account) $createCloudSecret -}} | ||
| {{- fail "submitting is enabled but value for account is not defined: please register at https://cloud.armosec.io to get yours and re-run with --set account=<your Guid>" }} | ||
| {{- end -}} | ||
| {{- if and (empty .Values.accessKey) $createCloudSecret -}} | ||
| {{- fail "submitting is enabled but value for accessKey is not defined: To obtain an access key, go to 'Settings' -> 'Agent Access Keys' at https://cloud.armosec.io and re-run with --set accessKey=<your key>" }} | ||
| {{- end -}} | ||
| {{- if empty .Values.clusterName -}} | ||
| {{- fail "value for clusterName is not defined: re-run with --set clusterName=<your cluster name>" }} | ||
| {{- end -}} | ||
| {{- end -}} | ||
| {{- end -}} | ||
|
|
||
| {{- define "components" -}} | ||
| {{- $configurations := fromYaml (include "configurations" .) }} | ||
| gateway: | ||
| enabled: {{ $configurations.submit }} | ||
| hostScanner: | ||
| enabled: {{ eq .Values.capabilities.nodeScan "enable" }} | ||
| kollector: | ||
| enabled: {{ $configurations.submit }} | ||
| kubescape: | ||
| enabled: {{ or (eq .Values.capabilities.configurationScan "enable") (eq .Values.capabilities.continuousScan "enable") }} | ||
| kubescapeScheduler: | ||
| enabled: {{ and $configurations.submit (eq .Values.capabilities.configurationScan "enable") }} | ||
| kubevuln: | ||
| enabled: {{ eq .Values.capabilities.vulnerabilityScan "enable" }} | ||
| kubevulnScheduler: | ||
| enabled: {{ and $configurations.submit (eq .Values.capabilities.vulnerabilityScan "enable") }} | ||
| nodeAgent: | ||
| enabled: {{ or (eq .Values.capabilities.relevancy "enable") (eq .Values.capabilities.runtimeObservability "enable") (eq .Values.capabilities.networkPolicyService "enable") }} | ||
| operator: | ||
| enabled: true | ||
| otelCollector: | ||
| enabled: {{ or $configurations.ksOtel $configurations.otel }} | ||
| serviceDiscovery: | ||
| enabled: {{ $configurations.submit }} | ||
| storage: | ||
| enabled: true | ||
| prometheusExporter: | ||
| enabled: {{ eq .Values.capabilities.prometheusExporter "enable" }} | ||
| cloudSecret: | ||
| create: {{ $configurations.createCloudSecret }} | ||
| name: {{ if $configurations.createCloudSecret }}"cloud-secret"{{ else }}{{ .Values.credentials.cloudSecret }}{{ end }} | ||
| synchronizer: | ||
| enabled: {{ or (and $configurations.submit (eq .Values.capabilities.networkPolicyService "enable")) (and $configurations.submit (eq .Values.capabilities.runtimeObservability "enable")) }} | ||
| clamAV: | ||
| enabled: {{ eq .Values.capabilities.malwareDetection "enable" }} | ||
| customCaCertificates: | ||
| name: custom-ca-certificates | ||
| autoUpdater: | ||
| enabled: {{ eq .Values.capabilities.autoUpgrading "enable" }} | ||
| {{- end -}} | ||
|
|
||
| {{- define "admission-certificates" -}} | ||
| {{- $svcName := (printf "kubescape-admission-webhook.%s.svc" .Release.Namespace) -}} | ||
| {{- $ca := dict "Key" "mock-ca-key" "Cert" "mock-ca-cert" -}} | ||
| {{- $cert := dict "Key" "mock-cert-key" "Cert" "mock-cert-cert" -}} | ||
| {{- if not .Values.unittest }} | ||
| {{- $generatedCA := genCA (printf "*.%s.svc" .Release.Namespace) 1024 -}} | ||
| {{- $generatedCert := genSignedCert $svcName nil (list $svcName) 1024 $generatedCA -}} | ||
| {{- $_ := set $ca "Key" $generatedCA.Key -}} | ||
| {{- $_ := set $ca "Cert" $generatedCA.Cert -}} | ||
| {{- $_ := set $cert "Key" $generatedCert.Key -}} | ||
| {{- $_ := set $cert "Cert" $generatedCert.Cert -}} | ||
| {{- end -}} | ||
| {{- $certData := dict "ca" $ca "cert" $cert -}} | ||
| {{- toYaml $certData -}} | ||
| {{- end -}} | ||
|
|
||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,103 +1,55 @@ | ||
| {{/* validate alertCRD.scopeClustered and alertCRD.scopeNamespaced are mutual exclusive */}} | ||
| {{- if and .Values.alertCRD.scopeClustered .Values.alertCRD.scopeNamespaced }} | ||
| {{- fail "alertCRD.scopeClustered and alertCRD.scopeNamespaced cannot both be true" }} | ||
| {{/* | ||
| Expand the name of the chart. | ||
| */}} | ||
| {{- define "kubescape-operator.name" -}} | ||
| {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} | ||
| {{- end }} | ||
|
|
||
| {{- define "checksums" -}} | ||
| capabilitiesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "components-configmap.yaml") . | sha256sum }} | ||
| cloudConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloudapi-configmap.yaml") . | sha256sum }} | ||
| cloudSecret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloud-secret.yaml" ) . | sha256sum }} | ||
| hostScannerConfig: {{ include (printf "%s/kubescape/host-scanner-definition-configmap.yaml" $.Template.BasePath ) . | sha256sum }} | ||
| matchingRulesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "matchingRules-configmap.yaml") . | sha256sum }} | ||
| nodeAgentConfig: {{ include (printf "%s/node-agent/configmap.yaml" $.Template.BasePath) . | sha256sum }} | ||
| operatorConfig: {{ include (printf "%s/operator/configmap.yaml" $.Template.BasePath) . | sha256sum }} | ||
| otelConfig: {{ include (printf "%s/otel-collector/configmap.yaml" $.Template.BasePath) . | sha256sum }} | ||
| proxySecret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.proxySecretDirectory "proxy-secret.yaml") . | sha256sum }} | ||
| synchronizerConfig: {{ include (printf "%s/synchronizer/configmap.yaml" $.Template.BasePath) . | sha256sum }} | ||
| {{- end -}} | ||
|
|
||
|
|
||
| {{- define "configurations" -}} | ||
| {{- $createCloudSecret := (empty .Values.credentials.cloudSecret) -}} | ||
| {{- $ksOtel := empty .Values.otelCollector.disable -}} | ||
| {{- $otel := not (empty .Values.configurations.otelUrl) -}} | ||
| {{- $submit := not (empty .Values.server) -}} | ||
| continuousScan: {{ and (eq .Values.capabilities.continuousScan "enable") (not $submit) }} | ||
| createCloudSecret: {{ $createCloudSecret }} | ||
| ksOtel: {{ and $ksOtel $submit }} | ||
| otel: {{ $otel }} | ||
| otelPort : {{ if $otel }}{{ splitList ":" .Values.configurations.otelUrl | last }}{{ else }}""{{ end }} | ||
| runtimeObservability: {{ eq .Values.capabilities.runtimeObservability "enable" }} | ||
| submit: {{ $submit }} | ||
| {{- if $submit -}} | ||
| {{- if and (empty .Values.account) $createCloudSecret -}} | ||
| {{- fail "submitting is enabled but value for account is not defined: please register at https://cloud.armosec.io to get yours and re-run with --set account=<your Guid>" }} | ||
| {{- end -}} | ||
| {{- if and (empty .Values.accessKey) $createCloudSecret -}} | ||
| {{- fail "submitting is enabled but value for accessKey is not defined: To obtain an access key, go to 'Settings' -> 'Agent Access Keys' at https://cloud.armosec.io and re-run with --set accessKey=<your key>" }} | ||
| {{- end -}} | ||
| {{- if empty .Values.clusterName -}} | ||
| {{- fail "value for clusterName is not defined: re-run with --set clusterName=<your cluster name>" }} | ||
| {{- end -}} | ||
| {{- end -}} | ||
| {{- end -}} | ||
|
|
||
| {{- define "components" -}} | ||
| {{- $configurations := fromYaml (include "configurations" .) }} | ||
| gateway: | ||
| enabled: {{ $configurations.submit }} | ||
| hostScanner: | ||
| enabled: {{ eq .Values.capabilities.nodeScan "enable" }} | ||
| kollector: | ||
| enabled: {{ $configurations.submit }} | ||
| kubescape: | ||
| enabled: {{ or (eq .Values.capabilities.configurationScan "enable") (eq .Values.capabilities.continuousScan "enable") }} | ||
| kubescapeScheduler: | ||
| enabled: {{ and $configurations.submit (eq .Values.capabilities.configurationScan "enable") }} | ||
| kubevuln: | ||
| enabled: {{ eq .Values.capabilities.vulnerabilityScan "enable" }} | ||
| kubevulnScheduler: | ||
| enabled: {{ and $configurations.submit (eq .Values.capabilities.vulnerabilityScan "enable") }} | ||
| nodeAgent: | ||
| enabled: {{ or (eq .Values.capabilities.relevancy "enable") (eq .Values.capabilities.runtimeObservability "enable") (eq .Values.capabilities.networkPolicyService "enable") }} | ||
| operator: | ||
| enabled: true | ||
| otelCollector: | ||
| enabled: {{ or $configurations.ksOtel $configurations.otel }} | ||
| serviceDiscovery: | ||
| enabled: {{ $configurations.submit }} | ||
| storage: | ||
| enabled: true | ||
| prometheusExporter: | ||
| enabled: {{ eq .Values.capabilities.prometheusExporter "enable" }} | ||
| cloudSecret: | ||
| create: {{ $configurations.createCloudSecret }} | ||
| name: {{ if $configurations.createCloudSecret }}"cloud-secret"{{ else }}{{ .Values.credentials.cloudSecret }}{{ end }} | ||
| synchronizer: | ||
| enabled: {{ or (and $configurations.submit (eq .Values.capabilities.networkPolicyService "enable")) (and $configurations.submit (eq .Values.capabilities.runtimeObservability "enable")) }} | ||
| clamAV: | ||
| enabled: {{ eq .Values.capabilities.malwareDetection "enable" }} | ||
| customCaCertificates: | ||
| name: custom-ca-certificates | ||
| autoUpdater: | ||
| enabled: {{ eq .Values.capabilities.autoUpgrading "enable" }} | ||
| {{- end -}} | ||
|
|
||
| {{- define "admission-certificates" -}} | ||
| {{- $svcName := (printf "kubescape-admission-webhook.%s.svc" .Release.Namespace) -}} | ||
| {{- $ca := dict "Key" "mock-ca-key" "Cert" "mock-ca-cert" -}} | ||
| {{- $cert := dict "Key" "mock-cert-key" "Cert" "mock-cert-cert" -}} | ||
| {{- if not .Values.unittest }} | ||
| {{- $generatedCA := genCA (printf "*.%s.svc" .Release.Namespace) 1024 -}} | ||
| {{- $generatedCert := genSignedCert $svcName nil (list $svcName) 1024 $generatedCA -}} | ||
| {{- $_ := set $ca "Key" $generatedCA.Key -}} | ||
| {{- $_ := set $ca "Cert" $generatedCA.Cert -}} | ||
| {{- $_ := set $cert "Key" $generatedCert.Key -}} | ||
| {{- $_ := set $cert "Cert" $generatedCert.Cert -}} | ||
| {{- end -}} | ||
| {{- $certData := dict "ca" $ca "cert" $cert -}} | ||
| {{- toYaml $certData -}} | ||
| {{- end -}} | ||
| {{/* | ||
| Create a default fully qualified app name. | ||
| We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
| If release name contains chart name it will be used as a full name. | ||
| */}} | ||
| {{- define "kubescape-operator.fullname" -}} | ||
| {{- if .Values.fullnameOverride }} | ||
| {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} | ||
| {{- else }} | ||
| {{- $name := default .Chart.Name .Values.nameOverride }} | ||
| {{- if contains $name .Release.Name }} | ||
| {{- .Release.Name | trunc 63 | trimSuffix "-" }} | ||
| {{- else }} | ||
| {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} | ||
| {{- end }} | ||
| {{- end }} | ||
| {{- end }} | ||
|
|
||
| {{/* | ||
| Create chart name and version as used by the chart label. | ||
| */}} | ||
| {{- define "kubescape-operator.chart" -}} | ||
| {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} | ||
| {{- end }} | ||
|
|
||
| {{/* | ||
| Common labels | ||
| */}} | ||
| {{- define "kubescape-operator.labels" -}} | ||
| helm.sh/chart: {{ include "kubescape-operator.chart" . }} | ||
| {{ include "kubescape-operator.selectorLabels" . }} | ||
| {{- if .Chart.AppVersion }} | ||
| app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} | ||
| {{- end }} | ||
| app.kubernetes.io/managed-by: {{ .Release.Service }} | ||
| app: {{ .app }} | ||
| tier: {{ .tier }} | ||
| kubescape.io/ignore: "true" | ||
| {{- end }} | ||
|
|
||
| {{/* | ||
| Selector labels | ||
| */}} | ||
| {{- define "kubescape-operator.selectorLabels" -}} | ||
| app.kubernetes.io/name: {{ include "kubescape-operator.name" . }} | ||
| app.kubernetes.io/instance: {{ .Release.Name }} | ||
| app.kubernetes.io/component: {{ .app }} | ||
| {{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.