From 2e0e836c826d7dd01cb58eb5d4637940c22d30f8 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Tue, 5 Dec 2023 12:05:30 +0100
Subject: [PATCH 1/9] feat: define agent.httpProxyCredentials
---
 charts/agent/templates/_helpers.tpl | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl
index bcf0c54c4..6dc9820c4 100644
--- a/charts/agent/templates/_helpers.tpl
+++ b/charts/agent/templates/_helpers.tpl
@@ -183,6 +183,16 @@ Return the default only if the value is not defined in sysdig.settings.
Date: Tue, 5 Dec 2023 12:09:03 +0100
Subject: [PATCH 2/9] feat: generate secret for agent httpProxy
---
 charts/agent/templates/secrets.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/charts/agent/templates/secrets.yaml b/charts/agent/templates/secrets.yaml
index a1d26cf48..6c8d40d79 100644
--- a/charts/agent/templates/secrets.yaml
+++ b/charts/agent/templates/secrets.yaml
@@ -36,3 +36,16 @@ metadata:
 data:
 {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
 {{- end }}
+{{- if ( include "agent.httpProxyCredentials" . ) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "agent.fullname" . }}-proxy
+ namespace: {{ include "agent.namespace" $ }}
+ labels:
+{{ include "agent.labels" $ | indent 4 }}
+type: Opaque
+data:
+{{ include "agent.httpProxyCredentials" . | indent 2 }}
+{{- end }}
From 63d987783e5f0e63ff365ae476ead9d551006ca9 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Tue, 5 Dec 2023 12:11:44 +0100
Subject: [PATCH 3/9] feat: mount the httpProxy secret to the daemonset and remove the creds from the dragent configmap
---
 charts/agent/templates/configmap.yaml | 7 +++++++
 charts/agent/templates/daemonset.yaml | 9 +++++++++
 2 files changed, 16 insertions(+)
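Review bot: The new Secret block carries no comment saying why the proxy credentials are emitted as a separate Secret instead of inside the dragent.yaml ConfigMap, and its guard `{{- if ( include "agent.httpProxyCredentials" . ) }}` uses inner spaces unlike the `(include "agent.httpProxyCredentials" .)` form the daemonset hunk uses. I would add above the guard `{{/* Proxy credentials are rendered into their own Secret so they do not sit in plain text in the agent ConfigMap; configmap.yaml strips the same keys from the settings block. */}}` and write the guard as `{{- if (include "agent.httpProxyCredentials" .) }}`. The values still end up in the Helm release record, so documenting an external-secret option for operators who cannot place credentials in values would be a worthwhile follow-up. The helper agent.httpProxyCredentials is defined in patch 1, whose hunk body is not visible on this page.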
diff --git a/charts/agent/templates/configmap.yaml b/charts/agent/templates/configmap.yaml
index 151f973ac..0a909cab8 100644
--- a/charts/agent/templates/configmap.yaml
+++ b/charts/agent/templates/configmap.yaml
@@ -26,6 +26,13 @@ data:
 {{- if .Values.global.sysdig.tags }}
 tags: {{ include "agent.tags" . }}
 {{- end }}
+{{/*
+ Unset proxy_user and proxy_password if present in the settings block.
+*/}}
+{{- if hasKey .Values.sysdig.settings "http_proxy" }}
+ {{- $_ := unset .Values.sysdig.settings.http_proxy "proxy_user" -}}
+ {{- $_ := unset .Values.sysdig.settings.http_proxy "proxy_password" -}}
+{{- end }}
 {{/*
 Checking here the user is using Custom CA and if http_proxy.ssl = true
 If these conditions are true, then we use the agent.sslCaFileName for the http_proxy.ca_certificate
diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml
index baa3e26d8..517b9a3f9 100644
--- a/charts/agent/templates/daemonset.yaml
+++ b/charts/agent/templates/daemonset.yaml
@@ -249,6 +249,10 @@ spec:
 name: sysdig-agent-config
 - mountPath: /opt/draios/etc/kubernetes/secrets
 name: sysdig-agent-secrets
+ {{- if (include "agent.httpProxyCredentials" .) }}
+ - mountPath: /opt/draios/etc/secrets/http_proxy
+ name: sysdig-agent-http-proxy-secrets
+ {{- end }}
 - mountPath: /etc/podinfo
 name: podinfo
@@ -369,6 +373,11 @@ spec:
 {{- else }}
 secretName: {{ include "agent.accessKeySecret" . }}
 {{- end }}
+ {{- if (include "agent.httpProxyCredentials" .) }}
+ - name: sysdig-agent-http-proxy-secrets
+ secret:
+ secretName: {{ template "agent.fullname" . }}-proxy
+ {{- end }}
 - name: podinfo
 downwardAPI:
 defaultMode: 420
From 4d217a312189443a8d90845df9de73325aee9268 Mon Sep 17 00:00:00 2001
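Review bot: `unset` on `.Values.sysdig.settings.http_proxy` mutates the values map that every template in the render shares, so whether secrets.yaml, daemonset.yaml and the `agent.httpProxyCredentials` helper still see proxy_user and proxy_password depends on the order in which Helm renders the templates; nothing in the chart pins that order, and any template rendered after configmap.yaml that reads these keys silently gets nothing. I cannot see the helper's body (patch 1's hunk is missing from this page), so if it reads another source this is moot; otherwise I would leave .Values untouched and drop the two keys from a copy at the point where the settings are rendered into dragent.yaml (outside this hunk), e.g. `omit .Values.sysdig.settings.http_proxy "proxy_user" "proxy_password"`. Separately, `hasKey` is also true when a user writes `http_proxy:` with an empty value, in which case `unset` receives nil and I would expect the render to fail; `{{- if kindIs "map" .Values.sysdig.settings.http_proxy }}` covers both checks.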
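Review bot: The `sysdig-agent-http-proxy-secrets` volume sets no `defaultMode`, so the credential files are projected with the Kubernetes default of 0644 (readable by every user in the container), while the neighbouring podinfo volume sets its mode explicitly; for proxy credentials I would add `defaultMode: 0400` (or 256, if the chart keeps the decimal form used on the `defaultMode: 420` line) under `secret:`. The identical volume block added to deployment.yaml in patch 6 has the same gap. Whether the agent process runs as a user that can read a root-owned 0400 file is not visible here, so confirm against the container's securityContext before tightening.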
From: Francesco Furlan
Date: Tue, 5 Dec 2023 14:34:28 +0100
Subject: [PATCH 4/9] test: add agent http proxy tests
---
 .../agent/tests/api_endpoint_region_test.yaml | 15 +++++++++
 charts/agent/tests/secrets_test.yaml | 20 ++++++++++++
 charts/agent/tests/volumes_test.yaml | 31 +++++++++++++++++++
 3 files changed, 66 insertions(+)
diff --git a/charts/agent/tests/api_endpoint_region_test.yaml b/charts/agent/tests/api_endpoint_region_test.yaml
index 4aa7db18a..2678e1a5c 100644
--- a/charts/agent/tests/api_endpoint_region_test.yaml
+++ b/charts/agent/tests/api_endpoint_region_test.yaml
@@ -510,3 +510,18 @@ tests:
 asserts:
 - failedTemplate:
 errorMessage: "global.sysdig.region=us7 provided is not recognized."
+
+ - it: Checking proxy_user and proxy_password are not set
+ set:
+ sysdig:
+ settings:
+ http_proxy:
+ proxy_user: "user"
+ proxy_password: "password"
+ asserts:
+ - notMatchRegex:
+ path: data['dragent.yaml']
+ pattern: .*username.*
+ - notMatchRegex:
+ path: data['dragent.yaml']
+ pattern: .*password.*
diff --git a/charts/agent/tests/secrets_test.yaml b/charts/agent/tests/secrets_test.yaml
index 4274bdfd5..bf896e0c1 100644
--- a/charts/agent/tests/secrets_test.yaml
+++ b/charts/agent/tests/secrets_test.yaml
@@ -53,3 +53,23 @@ tests:
 path: data.sysdig-new-password-key1
 value: bXlwYXNzd29yZA==
 documentIndex: 2
+
+ - it: Check proxy secret
+ set:
+ sysdig:
+ accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+ settings:
+ http_proxy:
+ proxy_user: username
+ proxy_password: password
+ asserts:
+ - isKind:
+ of: Secret
+ - equal:
+ path: data.proxy_user
+ value: dXNlcm5hbWU=
+ documentIndex: 1
+ - equal:
+ path: data.proxy_password
+ value: cGFzc3dvcmQ=
+ documentIndex: 1
diff --git a/charts/agent/tests/volumes_test.yaml b/charts/agent/tests/volumes_test.yaml
index 85624b6aa..3b688567c 100644
--- a/charts/agent/tests/volumes_test.yaml
+++ b/charts/agent/tests/volumes_test.yaml
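Review bot: The first `notMatchRegex` with `pattern: .*username.*` can never match here: the test sets `proxy_user: "user"`, and neither that key nor that value contains the string `username`, so the assertion passes without proving that proxy_user was removed from dragent.yaml. Assert on the actual key names, `pattern: proxy_user` and `pattern: proxy_password`, so the test fails if the unset in configmap.yaml regresses. The `.*` wrappers are redundant on an unanchored regex.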
@@ -37,3 +37,34 @@ tests:
 path: spec.template.spec.containers[*].volumeMounts[?(@.name == "varlib-vol")]
 - isNull:
 path: spec.template.spec.volumes[?(@.name == "varlib-vol")]
+
+ - it: Ensure agent http proxy volume is not mounted when http_proxy settings is not set
+ set:
+ sysdig:
+ accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+ asserts:
+ - isNull:
+ path: spec.template.spec.volumes[?(@.name == "sysdig-agent-http-proxy-secrets")]
+ template: daemonset.yaml
+ - isNull:
+ path: spec.template.spec.containers[*].volumeMounts[?(@.name == "sysdig-agent-http-proxy-secrets")]
+ template: daemonset.yaml
+
+ - it: Ensure agent http proxy volume is mounted when http_proxy settings is set
+ set:
+ sysdig:
+ accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+ settings:
+ http_proxy:
+ proxy_user: username
+ proxy_password: password
+ asserts:
+ - equal:
+ path: spec.template.spec.volumes[?(@.name == "sysdig-agent-http-proxy-secrets")].secret
+ value:
+ secretName: RELEASE-NAME-agent-proxy
+ template: daemonset.yaml
+ - equal:
+ path: spec.template.spec.containers[*].volumeMounts[?(@.name == "sysdig-agent-http-proxy-secrets")].mountPath
+ value: /opt/draios/etc/secrets/http_proxy
+ template: daemonset.yaml
From e1a5e8927b61e0f40f799b87e3a4cd101d0c18be Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Tue, 5 Dec 2023 14:55:19 +0100
Subject: [PATCH 5/9] chore: bump chart
---
 charts/agent/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
index d8441fb73..2672abe3a 100644
--- a/charts/agent/Chart.yaml
+++ b/charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.17.3
+version: 1.17.4
From cceb67fe647e3757034e3e4d98e05ba3c7de94be Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Tue, 5 Dec 2023 17:26:32 +0100
Subject: [PATCH 6/9] chore: add http-proxy credentials also to agent deployment
---
 charts/agent/templates/deployment.yaml | 9 +++++++++
 charts/agent/tests/volumes_test.yaml | 28 +++++++++++++++++++++-----
 2 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/charts/agent/templates/deployment.yaml b/charts/agent/templates/deployment.yaml
index c4f084a9f..be6176a77 100644
--- a/charts/agent/templates/deployment.yaml
+++ b/charts/agent/templates/deployment.yaml
@@ -128,6 +128,10 @@ spec:
 name: sysdig-agent-config
 - mountPath: /opt/draios/etc/kubernetes/secrets
 name: sysdig-agent-secrets
+ {{- if (include "agent.httpProxyCredentials" .) }}
+ - mountPath: /opt/draios/etc/secrets/http_proxy
+ name: sysdig-agent-http-proxy-secrets
+ {{- end }}
 - mountPath: /etc/podinfo
 name: podinfo
 {{- if eq (include "sysdig.custom_ca.enabled" (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
@@ -252,6 +256,11 @@ spec:
 {{- else }}
 secretName: {{ include "agent.accessKeySecret" . }}
 {{- end }}
+ {{- if (include "agent.httpProxyCredentials" .) }}
+ - name: sysdig-agent-http-proxy-secrets
+ secret:
+ secretName: {{ template "agent.fullname" . }}-proxy
+ {{- end }}
 - name: podinfo
 downwardAPI:
 defaultMode: 420
diff --git a/charts/agent/tests/volumes_test.yaml b/charts/agent/tests/volumes_test.yaml
index 3b688567c..126decbac 100644
--- a/charts/agent/tests/volumes_test.yaml
+++ b/charts/agent/tests/volumes_test.yaml
@@ -1,6 +1,7 @@
 suite: Host volumes are available for agent
 templates:
- - templates/daemonset.yaml
+ - daemonset.yaml
+ - deployment.yaml
 tests:
 - it: Ensure /var/run host volume is mounted as /host/var/run in container
 asserts:
@@ -10,6 +11,9 @@ tests:
 - equal:
 path: spec.template.spec.volumes[?(@.name == "varrun-vol")].hostPath.path
 value: /var/run
+ templates:
+ - daemonset.yaml
+
 - it: Ensure /var/lib host volume is mounted as /host/var/lib in container
 asserts:
 - equal:
@@ -18,6 +22,9 @@ tests:
 - equal:
 path: spec.template.spec.volumes[?(@.name == "varlib-vol")].hostPath.path
 value: /var/lib
+ templates:
+ - daemonset.yaml
+
 - it: Ensure /var/lib host volume is not mounted as /host/var/lib in container when running on gke.autopilot
 set:
 gke:
@@ -27,6 +34,9 @@ tests:
 path: spec.template.spec.containers[*].volumeMounts[?(@.name == "varlib-vol")]
 - isNull:
 path: spec.template.spec.volumes[?(@.name == "varlib-vol")]
+ templates:
+ - daemonset.yaml
+
 - it: Ensure /var/lib host volume is not mounted as /host/var/lib in container when running on global.gke.autopilot
 set:
 global:
@@ -37,21 +47,28 @@ tests:
 path: spec.template.spec.containers[*].volumeMounts[?(@.name == "varlib-vol")]
 - isNull:
 path: spec.template.spec.volumes[?(@.name == "varlib-vol")]
+ templates:
+ - daemonset.yaml
 
 - it: Ensure agent http proxy volume is not mounted when http_proxy settings is not set
 set:
 sysdig:
 accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+ delegatedAgentDeployment:
+ enabled: true
 asserts:
 - isNull:
 path: spec.template.spec.volumes[?(@.name == "sysdig-agent-http-proxy-secrets")]
- template: daemonset.yaml
 - isNull:
 path: spec.template.spec.containers[*].volumeMounts[?(@.name == "sysdig-agent-http-proxy-secrets")]
- template: daemonset.yaml
+ templates:
+ - deployment.yaml
+ - daemonset.yaml
 
 - it: Ensure agent http proxy volume is mounted when http_proxy settings is set
 set:
+ delegatedAgentDeployment:
+ enabled: true
 sysdig:
 accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
 settings:
@@ -63,8 +80,9 @@ tests:
 path: spec.template.spec.volumes[?(@.name == "sysdig-agent-http-proxy-secrets")].secret
 value:
 secretName: RELEASE-NAME-agent-proxy
- template: daemonset.yaml
 - equal:
 path: spec.template.spec.containers[*].volumeMounts[?(@.name == "sysdig-agent-http-proxy-secrets")].mountPath
 value: /opt/draios/etc/secrets/http_proxy
- template: daemonset.yaml
+ templates:
+ - deployment.yaml
+ - daemonset.yaml
From 899536c2cf0651a5cda2187e6dd9903d4ef2f676 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Tue, 5 Dec 2023 17:46:11 +0100
Subject: [PATCH 7/9] chore: disable http_proxy secrets when gke autopilot is enabled
---
 charts/agent/templates/configmap.yaml | 2 +-
 charts/agent/templates/daemonset.yaml | 4 ++--
 charts/agent/templates/deployment.yaml | 4 ++--
 charts/agent/templates/secrets.yaml | 2 +-
 charts/agent/tests/secrets_test.yaml | 18 +++++++++++++++++-
 charts/agent/tests/volumes_test.yaml | 21 +++++++++++++++++++++
 6 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/charts/agent/templates/configmap.yaml b/charts/agent/templates/configmap.yaml
index 0a909cab8..73353a898 100644
--- a/charts/agent/templates/configmap.yaml
+++ b/charts/agent/templates/configmap.yaml
@@ -29,7 +29,7 @@ data:
 {{/*
 Unset proxy_user and proxy_password if present in the settings block.
 */}}
-{{- if hasKey .Values.sysdig.settings "http_proxy" }}
+{{- if and (hasKey .Values.sysdig.settings "http_proxy") (not (include "agent.gke.autopilot" .)) }}
 {{- $_ := unset .Values.sysdig.settings.http_proxy "proxy_user" -}}
 {{- $_ := unset .Values.sysdig.settings.http_proxy "proxy_password" -}}
 {{- end }}
diff --git a/charts/agent/templates/daemonset.yaml b/charts/agent/templates/daemonset.yaml
index 517b9a3f9..5025feea7 100644
--- a/charts/agent/templates/daemonset.yaml
+++ b/charts/agent/templates/daemonset.yaml
@@ -249,7 +249,7 @@ spec:
 name: sysdig-agent-config
 - mountPath: /opt/draios/etc/kubernetes/secrets
 name: sysdig-agent-secrets
- {{- if (include "agent.httpProxyCredentials" .) }}
+ {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
 - mountPath: /opt/draios/etc/secrets/http_proxy
 name: sysdig-agent-http-proxy-secrets
 {{- end }}
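Review bot: With the added `(not (include "agent.gke.autopilot" .))` operand, proxy_user and proxy_password are no longer stripped on GKE Autopilot and so presumably remain in the dragent.yaml ConfigMap in plain text, but neither the template comment nor the commit message says why the Secret-based path is switched off there. Record the constraint in the comment above the guard, e.g. `{{/* On GKE Autopilot the proxy Secret volume is not used (reason: <fill in>), so the credentials stay in dragent.yaml. */}}`, and mention this mode in the chart's values documentation so operators know the ConfigMap then holds credentials. Patch 8 rewords the comment but still gives no reason.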
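Review bot: The compound condition `and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .))` is now repeated verbatim in this hunk, in the daemonset volumes hunk, in both deployment.yaml hunks and in secrets.yaml, while configmap.yaml pairs the autopilot check with a different first operand; a future change to the rule has five places to miss. Define it once in _helpers.tpl, e.g. `{{- define "agent.httpProxySecretEnabled" -}}{{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}true{{- end -}}{{- end }}`, and reduce each guard to `{{- if (include "agent.httpProxySecretEnabled" .) }}`. The mount block starts and ends inside the hunk; the enclosing container spec does not.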
@@ -373,7 +373,7 @@ spec:
 {{- else }}
 secretName: {{ include "agent.accessKeySecret" . }}
 {{- end }}
- {{- if (include "agent.httpProxyCredentials" .) }}
+ {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
 - name: sysdig-agent-http-proxy-secrets
 secret:
 secretName: {{ template "agent.fullname" . }}-proxy
diff --git a/charts/agent/templates/deployment.yaml b/charts/agent/templates/deployment.yaml
index be6176a77..9f485bf2a 100644
--- a/charts/agent/templates/deployment.yaml
+++ b/charts/agent/templates/deployment.yaml
@@ -128,7 +128,7 @@ spec:
 name: sysdig-agent-config
 - mountPath: /opt/draios/etc/kubernetes/secrets
 name: sysdig-agent-secrets
- {{- if (include "agent.httpProxyCredentials" .) }}
+ {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
 - mountPath: /opt/draios/etc/secrets/http_proxy
 name: sysdig-agent-http-proxy-secrets
 {{- end }}
@@ -256,7 +256,7 @@ spec:
 {{- else }}
 secretName: {{ include "agent.accessKeySecret" . }}
 {{- end }}
- {{- if (include "agent.httpProxyCredentials" .) }}
+ {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
 - name: sysdig-agent-http-proxy-secrets
 secret:
 secretName: {{ template "agent.fullname" . }}-proxy
diff --git a/charts/agent/templates/secrets.yaml b/charts/agent/templates/secrets.yaml
index 6c8d40d79..da2a56ed6 100644
--- a/charts/agent/templates/secrets.yaml
+++ b/charts/agent/templates/secrets.yaml
@@ -36,7 +36,7 @@ metadata:
 data:
 {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
 {{- end }}
-{{- if ( include "agent.httpProxyCredentials" . ) }}
+{{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
 ---
 apiVersion: v1
 kind: Secret
diff --git a/charts/agent/tests/secrets_test.yaml b/charts/agent/tests/secrets_test.yaml
index bf896e0c1..8dc6a66c8 100644
--- a/charts/agent/tests/secrets_test.yaml
+++ b/charts/agent/tests/secrets_test.yaml
@@ -54,7 +54,7 @@ tests:
 value: bXlwYXNzd29yZA==
 documentIndex: 2
 
- - it: Check proxy secret
+ - it: Should create proxy secret with http_proxy settings
 set:
 sysdig:
 accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
@@ -73,3 +73,19 @@ tests:
 path: data.proxy_password
 value: cGFzc3dvcmQ=
 documentIndex: 1
+
+ - it: Should not create proxy secret with http_proxy settings and autopilot enabled
+ set:
+ sysdig:
+ accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+ settings:
+ http_proxy:
+ proxy_user: username
+ proxy_password: password
+ gke:
+ autopilot: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Secret
diff --git a/charts/agent/tests/volumes_test.yaml b/charts/agent/tests/volumes_test.yaml
index 126decbac..032297f42 100644
--- a/charts/agent/tests/volumes_test.yaml
+++ b/charts/agent/tests/volumes_test.yaml
@@ -65,6 +65,27 @@ tests:
 - deployment.yaml
 - daemonset.yaml
 
+ - it: Ensure agent http proxy volume is not mounted when http_proxy settings is set and autopilot is enabled
+ set:
+ sysdig:
+ accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+ settings:
+ http_proxy:
+ proxy_user: username
+ proxy_password: password
+ delegatedAgentDeployment:
+ enabled: true
+ gke:
+ autopilot: true
+ asserts:
+ - isNull:
+ path: spec.template.spec.volumes[?(@.name == "sysdig-agent-http-proxy-secrets")]
+ - isNull:
+ path: spec.template.spec.containers[*].volumeMounts[?(@.name == "sysdig-agent-http-proxy-secrets")]
+ templates:
+ - deployment.yaml
+ - daemonset.yaml
+
 - it: Ensure agent http proxy volume is mounted when http_proxy settings is set
 set:
 delegatedAgentDeployment:
From 27015f34b8d726628c675687e0456c58a54c2e01 Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Tue, 5 Dec 2023 18:13:19 +0100
Subject: [PATCH 8/9] docs: update comment
---
 charts/agent/templates/configmap.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/agent/templates/configmap.yaml b/charts/agent/templates/configmap.yaml
index 73353a898..288cfa883 100644
--- a/charts/agent/templates/configmap.yaml
+++ b/charts/agent/templates/configmap.yaml
@@ -27,7 +27,7 @@ data:
 tags: {{ include "agent.tags" . }}
 {{- end }}
 {{/*
- Unset proxy_user and proxy_password if present in the settings block.
+ Unset proxy_user and proxy_password if present and gke autopilot is disabled.
 */}}
 {{- if and (hasKey .Values.sysdig.settings "http_proxy") (not (include "agent.gke.autopilot" .)) }}
 {{- $_ := unset .Values.sysdig.settings.http_proxy "proxy_user" -}}
From 48349aa5fe707bbb66d9c251557a9e731c63ad4a Mon Sep 17 00:00:00 2001
From: Francesco Furlan
Date: Tue, 5 Dec 2023 21:23:22 +0100
Subject: [PATCH 9/9] chore: bump chart version
---
 charts/agent/Chart.yaml | 2 +-
 charts/sysdig-deploy/Chart.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
index 2672abe3a..281156994 100644
--- a/charts/agent/Chart.yaml
+++ b/charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.17.4
+version: 1.18.0
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
index 3777ae502..214379550 100644
--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.32.1
+version: 1.33.0
 maintainers:
 - name: AlbertoBarba
 email: alberto.barba@sysdig.com
@@ -26,7 +26,7 @@ dependencies:
 - name: agent
 # repository: https://charts.sysdig.com
 repository: file://../agent
- version: ~1.17.3
+ version: ~1.18.0
 alias: agent
 condition: agent.enabled
 - name: common