From 8098d413d52f3833e2839dcd9af811694b15cfcf Mon Sep 17 00:00:00 2001 From: Francesco Furlan Date: Tue, 5 Dec 2023 17:46:11 +0100 Subject: [PATCH] chore: disable http_proxy secrets when gke autopilot is enabled --- charts/agent/templates/configmap.yaml | 2 +- charts/agent/templates/daemonset.yaml | 4 ++-- charts/agent/templates/deployment.yaml | 4 ++-- charts/agent/templates/secrets.yaml | 2 +- charts/agent/tests/secrets_test.yaml | 18 +++++++++++++++++- charts/agent/tests/volumes_test.yaml | 21 +++++++++++++++++++++ 6 files changed, 44 insertions(+), 7 deletions(-) diff --git a/charts/agent/templates/configmap.yaml b/charts/agent/templates/configmap.yaml index 0a909cab8..73353a898 100644 --- a/charts/agent/templates/configmap.yaml +++ b/charts/agent/templates/configmap.yaml @@ -29,7 +29,7 @@ data: {{/* Unset proxy_user and proxy_password if present in the settings block. */}} -{{- if hasKey .Values.sysdig.settings "http_proxy" }} +{{- if and (hasKey .Values.sysdig.settings "http_proxy") (not (include "agent.gke.autopilot" .)) }} {{- $_ := unset .Values.sysdig.settings.http_proxy "proxy_user" -}} {{- $_ := unset .Values.sysdig.settings.http_proxy "proxy_password" -}} {{- end }} diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml index 517b9a3f9..5025feea7 100644 --- a/charts/agent/templates/daemonset.yaml +++ b/charts/agent/templates/daemonset.yaml @@ -249,7 +249,7 @@ spec: name: sysdig-agent-config - mountPath: /opt/draios/etc/kubernetes/secrets name: sysdig-agent-secrets - {{- if (include "agent.httpProxyCredentials" .) }} + {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }} - mountPath: /opt/draios/etc/secrets/http_proxy name: sysdig-agent-http-proxy-secrets {{- end }} 
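Review bot: With `not (include "agent.gke.autopilot" .)` added to the `hasKey` guard in configmap.yaml, `proxy_user` and `proxy_password` are no longer unset from `.Values.sysdig.settings.http_proxy` on GKE Autopilot, so they presumably end up in the rendered ConfigMap in clear text (the rendering of the settings block is outside this hunk). ConfigMaps are usually readable by more principals than Secrets and are typically not covered by at-rest encryption configured for Secrets, so this widens who can read the proxy password. The comment above the guard still says the keys are unset unconditionally; I would reword it to something like `Unset proxy_user and proxy_password, except on GKE Autopilot where no proxy Secret is mounted and the credentials stay in the settings block.` The trade-off also deserves a line in the chart documentation so operators can restrict ConfigMap read access in the agent namespace.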
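Review bot: The condition `and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .))` on this volumeMount is repeated verbatim on the matching volume in daemonset.yaml, on both places in deployment.yaml and on the Secret in secrets.yaml. If one of the five copies drifts, a pod can reference the `sysdig-agent-http-proxy-secrets` volume while its Secret was never created, and the pod will not start. I would move the Autopilot check into a single named template and have every site test only that helper; the helper definitions are not part of this patch, so whether it can live inside `agent.httpProxyCredentials` needs checking against its other callers. The guard also relies on `agent.gke.autopilot` rendering an empty string when Autopilot is off, because `not` on any non-empty string, including `false`, evaluates to false.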
@@ -373,7 +373,7 @@ spec: {{- else }} secretName: {{ include "agent.accessKeySecret" . }} {{- end }} - {{- if (include "agent.httpProxyCredentials" .) }} + {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }} - name: sysdig-agent-http-proxy-secrets secret: secretName: {{ template "agent.fullname" . }}-proxy diff --git a/charts/agent/templates/deployment.yaml b/charts/agent/templates/deployment.yaml index be6176a77..9f485bf2a 100644 --- a/charts/agent/templates/deployment.yaml +++ b/charts/agent/templates/deployment.yaml @@ -128,7 +128,7 @@ spec: name: sysdig-agent-config - mountPath: /opt/draios/etc/kubernetes/secrets name: sysdig-agent-secrets - {{- if (include "agent.httpProxyCredentials" .) }} + {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }} - mountPath: /opt/draios/etc/secrets/http_proxy name: sysdig-agent-http-proxy-secrets {{- end }} @@ -256,7 +256,7 @@ spec: {{- else }} secretName: {{ include "agent.accessKeySecret" . }} {{- end }} - {{- if (include "agent.httpProxyCredentials" .) }} + {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }} - name: sysdig-agent-http-proxy-secrets secret: secretName: {{ template "agent.fullname" . }}-proxy diff --git a/charts/agent/templates/secrets.yaml b/charts/agent/templates/secrets.yaml index 6c8d40d79..da2a56ed6 100644 --- a/charts/agent/templates/secrets.yaml +++ b/charts/agent/templates/secrets.yaml @@ -36,7 +36,7 @@ metadata: data: {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.ssl "Files" .Subcharts.common.Files) | b64enc | quote }} {{- end }} -{{- if ( include "agent.httpProxyCredentials" . ) }} +{{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }} --- apiVersion: v1 kind: Secret 
diff --git a/charts/agent/tests/secrets_test.yaml b/charts/agent/tests/secrets_test.yaml index bf896e0c1..8dc6a66c8 100644 --- a/charts/agent/tests/secrets_test.yaml +++ b/charts/agent/tests/secrets_test.yaml @@ -54,7 +54,7 @@ tests: value: bXlwYXNzd29yZA== documentIndex: 2 - - it: Check proxy secret + - it: Should create proxy secret with http_proxy settings set: sysdig: accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE @@ -73,3 +73,19 @@ tests: path: data.proxy_password value: cGFzc3dvcmQ= documentIndex: 1 + + - it: Should not create proxy secret with http_proxy settings and autopilot enabled + set: + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + settings: + http_proxy: + proxy_user: username + proxy_password: password + gke: + autopilot: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Secret diff --git a/charts/agent/tests/volumes_test.yaml b/charts/agent/tests/volumes_test.yaml index 126decbac..032297f42 100644 --- a/charts/agent/tests/volumes_test.yaml +++ b/charts/agent/tests/volumes_test.yaml @@ -65,6 +65,27 @@ tests: - deployment.yaml - daemonset.yaml + - it: Ensure agent http proxy volume is not mounted when http_proxy settings is set and autopilot is enabled + set: + sysdig: + accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE + settings: + http_proxy: + proxy_user: username + proxy_password: password + delegatedAgentDeployment: + enabled: true + gke: + autopilot: true + asserts: + - isNull: + path: spec.template.spec.volumes[?(@.name == "sysdig-agent-http-proxy-secrets")] + - isNull: + path: spec.template.spec.containers[*].volumeMounts[?(@.name == "sysdig-agent-http-proxy-secrets")] + templates: + - deployment.yaml + - daemonset.yaml + - it: Ensure agent http proxy volume is mounted when http_proxy settings is set set: delegatedAgentDeployment:
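Review bot: The new Autopilot case in secrets_test.yaml asserts only `hasDocuments` with `count: 1` and `isKind` with `of: Secret`, which would also pass if the single rendered document were the proxy Secret rather than the access-key Secret. Adding `- isNull: {path: data.proxy_user}` and `- isNull: {path: data.proxy_password}` pins what the test title states, namely that no proxy credentials are rendered into a Secret.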
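Review bot: Neither test file touched by this patch exercises the configmap.yaml change, which is the one that decides whether `proxy_user` and `proxy_password` stay in the rendered settings on Autopilot. The case added to volumes_test.yaml covers only the volume and volumeMount in deployment.yaml and daemonset.yaml. A companion case against configmap.yaml, using the same `set:` values with `gke.autopilot: true`, would make the intended placement of the credentials explicit and catch a regression that drops or duplicates them. What that case should assert depends on the ConfigMap layout, which this patch does not show.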