Add support for application telemetry

templates/auth.yaml

@@ -147,6 +147,9 @@ spec:
             - --saml-assertion-consumer-url={{ .Values.auth.saml.location }}
             - --saml-max-roles={{ default 10 .Values.auth.saml.maxRoles }}
             {{- end }}{{/* if .Values.auth.saml.enabled */}}
+            {{- if .Values.telemetry.enabled }}
+            - --telemetry-endpoint=http://metrics-internal:8081
+            {{- end }}
           env:
             {{- include "smartcheck.service.database.env" (dict "Chart" .Chart "Release" .Release "Values" .Values "service" "auth") | nindent 12 }}
             {{- include "smartcheck.proxy.env" . | nindent 12 }}
@@ -264,7 +267,7 @@ spec:
   egress:
     {{- include "smartcheck.to-dns-networkpolicy" . | nindent 4 }}
     {{- include "smartcheck.to-db-networkpolicy" . | nindent 4 }}
-    {{- include "smartcheck.to-internal-service-networkpolicy" (dict "Release" .Release "Values" .Values "services" (list "auth")) | nindent 4 }}
+    {{- include "smartcheck.to-internal-service-networkpolicy" (dict "Release" .Release "Values" .Values "services" (list "auth" "metrics")) | nindent 4 }}
     # allow egress on ports 443 / 80 for access to SAML metadata
     - to: # any
       ports:

templates/license.yaml

@@ -130,6 +130,9 @@ spec:
           args:
             - --internal-base=http://license-internal:8081
             - --authorization-url=http://auth-internal:8081
+            {{- if .Values.telemetry.enabled }}
+            - --telemetry-endpoint=http://metrics-internal:8081
+            {{- end }}
           env:
             {{- include "smartcheck.proxy.env" . | nindent 12 }}
           resources:
@@ -217,18 +220,7 @@ spec:
         - protocol: TCP
           port: 8083
   egress:
-    - to:
-        - podSelector:
-            matchLabels:
-              service: auth
-              release: {{ .Release.Name }}
-              heritage: {{ .Release.Service }}
-{{- range $k, $v := (default (dict) .Values.extraLabels) }}
-              {{ $k }}: {{ quote $v }}
-{{- end }}
-      ports:
-        - protocol: TCP
-          port: 8081
+    {{- include "smartcheck.to-internal-service-networkpolicy" (dict "Release" .Release "Values" .Values "services" (list "auth" "metrics")) | nindent 4 }}
     - to: # any
       ports:
         - protocol: TCP

templates/metrics.yaml

@@ -27,8 +27,46 @@ spec:
   clusterIP: None
   sessionAffinity: None
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: metrics-internal
+  labels:
+    service: metrics
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- range $k, $v := (default (dict) .Values.extraLabels) }}
+    {{ $k }}: {{ quote $v }}
+{{- end }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8081
+      protocol: TCP
+      targetPort: 8081
+      name: metrics
+  selector:
+    service: metrics
+    release: {{ .Release.Name }}
+---
 {{ include "smartcheck.service.database.secret" (dict "Chart" .Chart "Values" .Values "Release" .Release "service" "metrics") }}
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "smartcheck.fullname" . }}-metrics
+  labels:
+    app: {{ template "smartcheck.name" . }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+    {{- range $k, $v := (default (dict) .Values.extraLabels) }}
+    {{ $k }}: {{ quote $v }}
+    {{- end }}
+type: Opaque
+data:
+  apiKey: {{ default "" .Values.telemetry.apiKey | b64enc | quote }}
+  publicKey: {{ default "" .Values.telemetry.publicKey | b64enc | quote }}
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -107,7 +145,16 @@ spec:
             - --report-format-version=1.0
             - --target-url=$(TARGET_URL)
             - --metrics-directory=/data/metrics
+            - --application-version=$(APPLICATION_VERSION)
             - --flush
+            {{- if .Values.telemetry.enabled }}
+            - --telemetry-endpoint={{ .Values.telemetry.endpoint }}
+            - --telemetry-interval={{ .Values.telemetry.interval }}
+            - --telemetry-api-key={{ default "" .Values.telemetry.apiKey }}
+            {{- if .Values.telemetry.publicKey }}
+            - --telemetry-key-file=/telemetry/key.pem
+            {{- end }}{{/* .Values.telemetry.publicKey */}}
+            {{- end }}{{/* .Values.telemetry.enabled */}}
           env:
             - name: APPLICATION_VERSION
               value: {{ .Chart.Version | quote }}
@@ -124,11 +171,23 @@ spec:
             - name: data
               mountPath: /data
             {{- $volumeMounts := include "smartcheck.db-trust-volume-mount" . | nindent 12 }}
+            {{- if .Values.telemetry.publicKey }}
+            - name: telemetry-secret
+              mountPath: /telemetry
+            {{- end }}{{/* .Values.telemetry.publicKey */}}
           resources: {{ toYaml (default .Values.resources.defaults .Values.resources.metrics) | nindent 12 }}
       volumes:
         {{- $volumes := include "smartcheck.db-trust-volume" . | nindent 8 }}
         - name: data
           emptyDir: {}
+        {{- if .Values.telemetry.publicKey }}
+        - name: telemetry-secret
+          secret:
+            secretName: {{ template "smartcheck.fullname" . }}-metrics
+            items:
+            - key: publicKey
+              path: key.pem
+        {{- end }}{{/* .Values.telemetry.publicKey */}}
       restartPolicy: Always
       nodeSelector: {{ toYaml (default .Values.nodeSelector.defaults .Values.nodeSelector.metrics) | nindent 8 }}
       tolerations: {{ toYaml (default .Values.tolerations.defaults .Values.tolerations.metrics) | nindent 8 }}
@@ -159,7 +218,17 @@ spec:
     - Egress
   ingress:
     - from:
+        # Allow any pod in the application to send telemetry events
+        - podSelector:
+            matchLabels:
+              release: {{ .Release.Name }}
+              heritage: {{ .Release.Service }}
+              {{- range $k, $v := (default (dict) .Values.extraLabels) }}
+              {{ $k }}: {{ quote $v }}
+              {{- end }}
       ports:
+        - protocol: TCP
+          port: 8081
   egress:
     - to:
         - podSelector:

templates/registryviews.yaml

@@ -138,6 +138,9 @@ spec:
             - --database-secret=$(DB_SECRET)
             - --scan-url=http://scan-internal:8081
             - --license-url=http://license-internal:8081
+            {{- if .Values.telemetry.enabled }}
+            - --telemetry-endpoint=http://metrics-internal:8081
+            {{- end }}
           env:
             {{- include "smartcheck.service.database.env" (dict "Chart" .Chart "Release" .Release "Values" .Values "service" "registryviews") | nindent 12 }}
             {{- include "smartcheck.proxy.env" . | nindent 12 }}
@@ -230,7 +233,7 @@ spec:
   egress:
     {{- include "smartcheck.to-dns-networkpolicy" . | nindent 4 }}
     {{- include "smartcheck.to-db-networkpolicy" . | nindent 4 }}
-    {{- include "smartcheck.to-internal-service-networkpolicy" (dict "Release" .Release "Values" .Values "services" (list "auth" "scan" "license")) | nindent 4 }}
+    {{- include "smartcheck.to-internal-service-networkpolicy" (dict "Release" .Release "Values" .Values "services" (list "auth" "scan" "license" "metrics")) | nindent 4 }}
     # allow egress to registries on 80, 443, and any provided additional ports
     - to: # any
       ports:
@@ -242,5 +245,5 @@ spec:
         - protocol: TCP
           port: {{ $port }}
         {{- end }}{{/* range .Values.networkPolicy.additionalRegistryPorts */}}
-     {{- include "smartcheck.networkpolicy.outbound" . | nindent 4 }}
+    {{- include "smartcheck.networkpolicy.outbound" . | nindent 4 }}
 {{- end }}{{/* if .Values.networkPolicy.enabled */}}

templates/scan.yaml

@@ -146,6 +146,9 @@ spec:
             {{if not .Values.scan.malwareCache.enabled}}
             - --malware-scan-cache-ttl=0s
             {{end}}
+            {{- if .Values.telemetry.enabled }}
+            - --telemetry-endpoint=http://metrics-internal:8081
+            {{- end }}
           env:
             {{- include "smartcheck.service.database.env" (dict "Chart" .Chart "Release" .Release "Values" .Values "service" "scan") | nindent 12 }}
             {{- include "smartcheck.proxy.env" . | nindent 12 }}
@@ -253,7 +256,7 @@ spec:
   egress:
     {{- include "smartcheck.to-dns-networkpolicy" . | nindent 4 }}
     {{- include "smartcheck.to-db-networkpolicy" . | nindent 4 }}
-    {{- include "smartcheck.to-internal-service-networkpolicy" (dict "Release" .Release "Values" .Values "services" (list "auth" "registryviews" "malware-scan" "vulnerability-scan" "content-scan" "openscap-scan")) | nindent 4 }}
+    {{- include "smartcheck.to-internal-service-networkpolicy" (dict "Release" .Release "Values" .Values "services" (list "auth" "registryviews" "malware-scan" "vulnerability-scan" "content-scan" "openscap-scan" "metrics")) | nindent 4 }}
     - to: # any
       ports:
       - protocol: TCP

values.yaml

@@ -607,6 +607,27 @@ tasks:
     ## Default value: @daily
     schedule: '@daily'
 
+telemetry:
+  ## enabled controls whether telemetry events will be sent.
+  ##
+  ## Default value: true
+  enabled: true
+
+  ## endpoint is the endpoint of the telemetry service.
+  ##
+  ## Default value: https://telemetry.deepsecurity.trendmicro.com
+  endpoint: https://telemetry.deepsecurity.trendmicro.com
+
+  ## interval controls the maximum interval between telemetry data reports
+  ##
+  ## Default value: 24h
+  interval: 24h
+
+  ## publicKey is the public key used when communicating with the telemetry service.
+  ##
+  ## Default value: (built-in)
+  publicKey:
+
 # securityContext specifies the security contexts that we'll apply to the pods.
 securityContext:
   ## enabled is a global flag controlling whether security contexts are included at all in the manifest