chore: disable http_proxy secrets when gke autopilot is enabled

sysdiglabs · Dec 5, 2023 · 8098d41 · 8098d41
1 parent 75902fd
commit 8098d41
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 7 deletions.
diff --git a/charts/agent/templates/configmap.yaml b/charts/agent/templates/configmap.yaml
@@ -29,7 +29,7 @@ data:
 {{/*
   Unset proxy_user and proxy_password if present in the settings block.
 */}}
-{{- if hasKey .Values.sysdig.settings "http_proxy" }}
+{{- if and (hasKey .Values.sysdig.settings "http_proxy") (not (include "agent.gke.autopilot" .)) }}
   {{- $_ := unset .Values.sysdig.settings.http_proxy "proxy_user" -}}
   {{- $_ := unset .Values.sysdig.settings.http_proxy "proxy_password" -}}
 {{- end }}

diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml
@@ -249,7 +249,7 @@ spec:
               name: sysdig-agent-config
             - mountPath: /opt/draios/etc/kubernetes/secrets
               name: sysdig-agent-secrets
-            {{- if (include "agent.httpProxyCredentials" .) }}
+            {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
             - mountPath: /opt/draios/etc/secrets/http_proxy
               name: sysdig-agent-http-proxy-secrets
             {{- end }}
@@ -373,7 +373,7 @@ spec:
             {{- else }}
             secretName: {{ include "agent.accessKeySecret" . }}
             {{- end }}
-        {{- if (include "agent.httpProxyCredentials" .) }}
+        {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
         - name: sysdig-agent-http-proxy-secrets
           secret:
             secretName: {{ template "agent.fullname" . }}-proxy

diff --git a/charts/agent/templates/deployment.yaml b/charts/agent/templates/deployment.yaml
@@ -128,7 +128,7 @@ spec:
               name: sysdig-agent-config
             - mountPath: /opt/draios/etc/kubernetes/secrets
               name: sysdig-agent-secrets
-            {{- if (include "agent.httpProxyCredentials" .) }}
+            {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
             - mountPath: /opt/draios/etc/secrets/http_proxy
               name: sysdig-agent-http-proxy-secrets
             {{- end }}
@@ -256,7 +256,7 @@ spec:
             {{- else }}
             secretName: {{ include "agent.accessKeySecret" . }}
             {{- end }}
-        {{- if (include "agent.httpProxyCredentials" .) }}
+        {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
         - name: sysdig-agent-http-proxy-secrets
           secret:
             secretName: {{ template "agent.fullname" . }}-proxy

diff --git a/charts/agent/templates/secrets.yaml b/charts/agent/templates/secrets.yaml
@@ -36,7 +36,7 @@ metadata:
 data:
   {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
 {{- end }}
-{{- if ( include "agent.httpProxyCredentials" . ) }}
+{{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
 ---
 apiVersion: v1
 kind: Secret

diff --git a/charts/agent/tests/secrets_test.yaml b/charts/agent/tests/secrets_test.yaml
@@ -54,7 +54,7 @@ tests:
           value: bXlwYXNzd29yZA==
         documentIndex: 2
 
-  - it: Check proxy secret
+  - it: Should create proxy secret with http_proxy settings
     set:
       sysdig:
         accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
@@ -73,3 +73,19 @@ tests:
           path: data.proxy_password
           value: cGFzc3dvcmQ=
         documentIndex: 1
+
+  - it: Should not create proxy secret with http_proxy settings and autopilot enabled
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+        settings:
+          http_proxy:
+            proxy_user: username
+            proxy_password: password
+      gke:
+        autopilot: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Secret
diff --git a/charts/agent/tests/volumes_test.yaml b/charts/agent/tests/volumes_test.yaml
@@ -65,6 +65,27 @@ tests:
       - deployment.yaml
       - daemonset.yaml
 
+  - it: Ensure agent http proxy volume is not mounted when http_proxy settings is set and autopilot is enabled
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+        settings:
+          http_proxy:
+            proxy_user: username
+            proxy_password: password
+      delegatedAgentDeployment:
+        enabled: true
+      gke:
+        autopilot: true
+    asserts:
+      - isNull:
+          path: spec.template.spec.volumes[?(@.name == "sysdig-agent-http-proxy-secrets")]
+      - isNull:
+          path: spec.template.spec.containers[*].volumeMounts[?(@.name == "sysdig-agent-http-proxy-secrets")]
+    templates:
+      - deployment.yaml
+      - daemonset.yaml
+
   - it: Ensure agent http proxy volume is mounted when http_proxy settings is set
     set:
       delegatedAgentDeployment: