Merge pull request #35 from olhado/redeployment-enhancements
Redeployment enhancements
olhado authored Feb 24, 2022
2 parents 4887a63 + 48e02bc commit 31f4f78
Showing 5 changed files with 52 additions and 4 deletions.
2 changes: 1 addition & 1 deletion Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v1
name: threatstack-agent
version: 2.3.0
version: 2.4.0
appVersion: 2.5.0
description: A Helm chart for the Threat Stack Cloud Security Agent
keywords:
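Review bot: the bump from 2.3.0 to 2.4.0 is the right size for this change, since the new checksum annotations in templates/daemonset.yaml and templates/deployment-api-reader.yaml alter the rendered pod templates and will roll every agent pod on the first `helm upgrade` to this version, including the `hostNetwork`/`hostPID` DaemonSet. Call that out in the release notes so operators expect a one-time restart of the agents rather than a no-op upgrade.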
10 changes: 9 additions & 1 deletion README.md
@@ -46,6 +46,8 @@ The following kubernetes objects are created when the chart is installed:
| apiReader.affinity | object | `{}` | |
| apiReader.nodeSelector | object | `{}` | |
| apiReader.tolerations | list | `[]` | |
| apiReader.podAnnotations | string | {} | |
| apiReader.priorityClassName | string | `""` | Optionally set the priority class name for the daemonset pods. Note that priority classes are not created via this helm chart. Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| capabilities | string | `"[\"AUDIT_CONTROL\", \"SYS_ADMIN\", \"SYS_PTRACE\"]\n"` | Docker capabilites required for the proper operation of the agent |
| customDaemonsetCmd | object | `{}` | Uncomment the `command` and `args` sub-attributes, and define them as desired to run custom commands in the daemonset. |
| daemonset.additionalRuntimeConfig | string | `"log.level info"` | |
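Review bot: the new `apiReader.podAnnotations` row gives the type as `string` and the default as a bare `{}`, while values.yaml in this same PR defines `podAnnotations: {}` as a map; make it `object` and `` `{}` `` to match the `apiReader.affinity` row three lines above. The `apiReader.priorityClassName` description also says it sets the priority class for "the daemonset pods", but the value is only wired into templates/deployment-api-reader.yaml, i.e. the API-reader Deployment; say "API reader deployment pods" so readers do not expect it to affect the DaemonSet.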
@@ -148,13 +150,19 @@ Assuming you override the default values to match our environment in a `values.y
##### Using the `agentSetupExternalSecretRef` value block

> **WARNING:** Do not set the `agentSetupExternalSecretRef` block *and* the `agentDeployKey` settings at the same time. This will cause unnecessary kubernetes resource definitions to be created. If you had previously used the `agentDeployKey` value, the secret associated with it may be destroyed on deployment.
>>>
**IMPORTANT:** Using `agentSetupExternalSecretRef` decouples secret management from the helm chart. Therefore, if the value of the secret changes, the agent DaemonSet and Deployment will _not_ be redeployed/restarted. The user will need to force a redeployment of the helm chart explicitly.

However, if the secret's name or secret's entry name changes in the `values.yaml` of the chart, helm will recognize this change with a new release, and trigger a redeployment of the DaemonsSet and Deployment. One way to take advantage of this is to update the secrets entry value name (what is defined at `agentSetupExternalSecretRef.value`) when changing the secret data, and doing a redeploy of the chart. The chart trigger a redeployment of the agent pods.
>>>
An alternative to having the chart define the `ts-setup-args` secret itself, you can instead have it point to your own self-managed secret. Doing so requires the following three values to be set:

* `agentSetupExternalSecretRef.name` :: This is the name of your self-managed secret.
* `agentSetupExternalSecretRef.key` :: This is the key in your self-managed secret that is associated with the data you want to supply from the secret, to the Threat Stack agent setup registration.

Do not set the `agentSetupExternalSecretRef` block *and* the `agentDeployKey` settings at the same time. This will cause unnecessary kubernetes resource definitions to be created. If you had previously used the `agentDeployKey` value, the secret associated with it may be destroyed on deployment.

Using the `agentSetupExternalSecretRef` block will cause the chart to ignore the `agentDeployKey`, `rulesets`, and `additionalSetupConfig` values defined in `values.yaml` or any other values override file, until existing pods are terminated/rescheduled.

The value defined in the secret by `agentSetupExternalSecretRef.name`/`agentSetupExternalSecretRef.key` should be defined as in the example below to properly setup up the agent. Failure to do so can cause the agent to not properly register itself with the Threat Stack platform.
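Review bot: the lead-in says "the following three values to be set" but only two bullets follow (`agentSetupExternalSecretRef.name` and `.key`), and the paragraph above it tells users to rotate `agentSetupExternalSecretRef.value`, which is not one of the documented keys; either document the third key or change that paragraph to `.key`, since the template hashes exactly the name/key pair. Smaller points in the same hunk: the `>>>` lines render as nested blockquotes rather than as separators in Markdown, the warning inside the blockquote is repeated verbatim a few paragraphs later ("Do not set the `agentSetupExternalSecretRef` block *and* ..."), and "DaemonsSet" and "The chart trigger a redeployment" need fixing.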
13 changes: 11 additions & 2 deletions templates/daemonset.yaml
@@ -22,9 +22,18 @@ spec:
app.kubernetes.io/managed-by: {{ .Release.Service }}
name: {{ include "threatstack-agent.name" . }}
annotations:
{{- if .Values.daemonset.podAnnotations }}
# If configmap or secret files change, this will change the checksum annotations in the daemonset, forcing a redeploy.
# If using an external secret reference, then if external secret name or entry change, but NOT the actual secret data,
# this will change the checksum annotations in the deployment, forcing a redeploy.
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- if not .Values.agentSetupExternalSecretRef }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- else }}
checksum/secrets: {{ .Values.agentSetupExternalSecretRef | toString | sha256sum }}
{{- end }}
{{- if .Values.daemonset.podAnnotations }}
{{ toYaml .Values.daemonset.podAnnotations | indent 8 }}
{{- end }}
{{- end }}
spec:
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
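Review bot: the second comment line says the checksum change happens "in the deployment", but this is the DaemonSet template (the same wording is correct in deployment-api-reader.yaml); fix it so the comment matches the object it annotates. Please also confirm the rendered `annotations:` block is not still gated by the `{{- if .Values.daemonset.podAnnotations }}` / `{{- end }}` pair shown at the top and bottom of the hunk: if those lines survive, the checksum annotations disappear whenever `daemonset.podAnnotations` is left at its default `{}` and the redeploy on config change never fires. Finally, the `{{- else }}` branch hashes only the `agentSetupExternalSecretRef` map (name and key), so a rotated secret value with an unchanged reference does not roll the DaemonSet; the README states this, but it belongs in the comment here too, and `toYaml` rather than `toString` would give a stable, readable input to `sha256sum` for that map.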
15 changes: 15 additions & 0 deletions templates/deployment-api-reader.yaml
@@ -23,6 +23,18 @@ spec:
app.kubernetes.io/managed-by: {{ .Release.Service }}
name: {{ include "threatstack-agent.name" .}}-kubernetes-api
annotations:
# If configmap or secret files change, this will change the checksum annotations in the deployment, forcing a redeploy.
# If using an external secret reference, then if external secret name or entry change, but NOT the actual secret data,
# this will change the checksum annotations in the deployment, forcing a redeploy.
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- if not .Values.agentSetupExternalSecretRef }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- else }}
checksum/secrets: {{ .Values.agentSetupExternalSecretRef | toString | sha256sum }}
{{- end }}
{{- if .Values.apiReader.podAnnotations }}
{{ toYaml .Values.apiReader.podAnnotations | indent 8 }}
{{- end }}
spec:
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
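Review bot: this annotations block duplicates the one added to templates/daemonset.yaml line for line apart from the `podAnnotations` values key; move the checksum lines into a named template (`define` in the chart's helpers file, pulled in with `include`) so the two copies cannot drift, which the "in the deployment" comment left in the daemonset copy shows is already happening.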
@@ -43,6 +55,9 @@ spec:
tolerations:
{{ toYaml .Values.apiReader.tolerations | indent 8 }}
{{- else }}
{{- end }}
{{- if .Values.apiReader.priorityClassName }}
priorityClassName: {{ .Values.apiReader.priorityClassName }}
{{- end }}
hostNetwork: true
hostPID: true
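Review bot: the `priorityClassName` block is correct, but the `{{- else }}` immediately followed by `{{- end }}` just above it is an empty branch; drop it while this region is being touched. If the value is meant to cover the DaemonSet as well (the README row describes it that way), add the same three lines to templates/daemonset.yaml in this PR.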
16 changes: 16 additions & 0 deletions values.yaml
@@ -131,6 +131,22 @@ apiReader:
# Optional
tolerations: []

# Optional
# Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""

## Annotations to add to the threatstack api reader agent pod
#
# To remove the apparmor annotation, add a comment as the attribute value,
# Example:
# podAnnotations:
# # This comment triggers REMOVING any podAnnotations!
#
# podAnnotations:
# key: "value"
# Optional
podAnnotations: {}

securityContext:
privileged: false

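Review bot: the comment "To remove the apparmor annotation, add a comment as the attribute value" is unclear for this section: the deployment-api-reader.yaml template in this PR renders no AppArmor annotation, and a YAML comment in place of the value simply makes `podAnnotations` null, which skips the `{{- if .Values.apiReader.podAnnotations }}` block entirely. Either name the annotation this refers to, or drop that paragraph and keep only the `key: "value"` example.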
