diff --git a/charts/cluster-scanner/Chart.yaml b/charts/cluster-scanner/Chart.yaml
index 32b2d7cab..7a106f005 100644
--- a/charts/cluster-scanner/Chart.yaml
+++ b/charts/cluster-scanner/Chart.yaml
@@ -4,7 +4,7 @@ description: Sysdig Cluster Scanner
type: application
-version: 0.6.1
+version: 0.7.0
appVersion: "0.1.0"
home: https://www.sysdig.com/
diff --git a/charts/cluster-scanner/README.md b/charts/cluster-scanner/README.md
index 8f8315d8b..6373702b6 100644
--- a/charts/cluster-scanner/README.md
+++ b/charts/cluster-scanner/README.md
@@ -25,7 +25,7 @@ $ pre-commit run -a
$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
- --create-namespace -n sysdig --version=0.6.1 \
+ --create-namespace -n sysdig --version=0.7.0 \
--set global.clusterConfig.name=CLUSTER_NAME \
--set global.sysdig.region=SYSDIG_REGION \
--set global.sysdig.accessKey=YOUR-KEY-HERE
@@ -55,7 +55,7 @@ To install the chart with the release name `cluster-scanner`, run:
```console
$ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
- --create-namespace -n sysdig --version=0.6.1 \
+ --create-namespace -n sysdig --version=0.7.0 \
--set global.clusterConfig.name=CLUSTER_NAME \
--set global.sysdig.region=SYSDIG_REGION \
--set global.sysdig.accessKey=YOUR-KEY-HERE
@@ -134,6 +134,7 @@ The following table lists the configurable parameters of the `cluster-scanner` c
| imageSbomExtractor.cache.local.maxSizeBytes | The maximum size in bytes of the local cache. By default it is set to 35MB | "36700160" |
| imageSbomExtractor.cache.local.maxElementSizeBytes | When using `local` as cache type, restrict the maximum size of elements to be cached. By default it is set to 100KB | "102400" |
| imageSbomExtractor.cache.local.ttl | The TTL for items in the local cache. By default it is set to 7 days. | "168h" |
+| imageSbomExtractor.mirrors | Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images. [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from the provided mirrors. The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors (potentially insecure), can be specified. See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ .
Example:
`mirrors:`
`registryMirrors:`
`- insecure.mirror.acme.com`
`- secure.mirror.acme.com`
`insecureRegistries:`
`- insecure.mirror.acme.com` | {} |
| nameOverride | Chart name override | "" |
| fullnameOverride | Chart full name override | "" |
| serviceAccount.create | Specifies whether a service account should be created | true |
@@ -160,7 +161,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to `
```console
$ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
- --create-namespace -n sysdig --version=0.6.1 \
+ --create-namespace -n sysdig --version=0.7.0 \
--set global.sysdig.region="us1"
```
@@ -169,7 +170,7 @@ installing the chart. For example:
```console
$ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
- --create-namespace -n sysdig --version=0.6.1 \
+ --create-namespace -n sysdig --version=0.7.0 \
--values values.yaml
```
diff --git a/charts/cluster-scanner/templates/deployment.yaml b/charts/cluster-scanner/templates/deployment.yaml
index f7c907d1e..2c3806913 100644
--- a/charts/cluster-scanner/templates/deployment.yaml
+++ b/charts/cluster-scanner/templates/deployment.yaml
@@ -48,6 +48,11 @@ spec:
configMap:
name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl) }}
{{- end }}
+ {{- if .Values.imageSbomExtractor.mirrors }}
+ - name: registry-mirrors-config
+ configMap:
+ name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors
+ {{- end }}
containers:
- name: rsi
securityContext:
@@ -315,6 +320,12 @@ spec:
mountPath: /ca-certs
readOnly: true
{{- end }}
+ {{- if .Values.imageSbomExtractor.mirrors }}
+ - name: registry-mirrors-config
+ mountPath: /etc/docker/daemon.json
+ subPath: daemon.json
+ readOnly: true
+ {{- end }}
{{- with .Values.imageSbomExtractor }}
ports:
- name: metrics
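Review bot: The daemon.json is mounted with `subPath` on L84, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so changing `imageSbomExtractor.mirrors` on a later `helm upgrade` rewrites the ConfigMap but the running extractor keeps the old file until the pod is recreated. Unless the pod template already carries a checksum annotation for this ConfigMap (the annotations block is outside this hunk), add one under `spec.template.metadata.annotations`, guarded by the same condition: `{{- if .Values.imageSbomExtractor.mirrors }}` / `checksum/registry-mirrors: {{ include (print $.Template.BasePath "/registrymirror.yaml") . | sha256sum }}` / `{{- end }}`. Keeping the mount `readOnly: true` is the right call for a file that can switch off TLS verification for registries.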
diff --git a/charts/cluster-scanner/templates/registrymirror.yaml b/charts/cluster-scanner/templates/registrymirror.yaml
new file mode 100644
index 000000000..f28af3423
--- /dev/null
+++ b/charts/cluster-scanner/templates/registrymirror.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.imageSbomExtractor.mirrors -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors
+ namespace: {{ include "cluster-scanner.namespace" . }}
+ labels:
+ {{- include "cluster-scanner.labels" . | nindent 4 }}
+data:
+ daemon.json: |-
+ {
+ "registry-mirrors": {{ .Values.imageSbomExtractor.mirrors.registryMirrors | default list | toJson }},
+ "insecure-registries": {{ .Values.imageSbomExtractor.mirrors.insecureRegistries | default list | toJson }}
+ }
+{{- end -}}
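Review bot: The ConfigMap name `{{ include "cluster-scanner.fullname" . }}-registry-mirrors` on L100 is duplicated verbatim in deployment.yaml's volume definition; a named template in _helpers.tpl (e.g. `cluster-scanner.registryMirrorsConfigMapName`) used by both would keep them from drifting. Rendering the lists with `toJson` is the correct choice, since it escapes quotes and backslashes so a user-supplied entry cannot close the array or add keys to daemon.json. If the extractor honours Docker's semantics for `insecure-registries`, a CIDR entry such as `0.0.0.0/0` or `::/0` would disable TLS verification for every registry, not just a mirror; a `{{- if has "0.0.0.0/0" ... }}{{ fail "..." }}{{- end }}` guard here would be cheap, but confirm the extractor's parser accepts CIDRs before adding it.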
diff --git a/charts/cluster-scanner/tests/deployment_test.yaml b/charts/cluster-scanner/tests/deployment_test.yaml
index fc3d07c58..2eab8b338 100644
--- a/charts/cluster-scanner/tests/deployment_test.yaml
+++ b/charts/cluster-scanner/tests/deployment_test.yaml
@@ -492,3 +492,34 @@ tests:
content:
name: ENV_VAR_BOOL
value: "true"
+
+ - it: "does not have registry volume nor volumeMounts if mirrors is empty"
+ templates:
+ - ../templates/deployment.yaml
+ asserts:
+ - isEmpty:
+ path: spec.template.spec.volumes
+ - isEmpty:
+ path: spec.template.spec.containers[1].volumeMounts
+
+ - it: "has registry volume mount if mirrors are configured"
+ set:
+ imageSbomExtractor.mirrors:
+ registryMirrors:
+ - "foobar"
+ templates:
+ - ../templates/deployment.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: registry-mirrors-config
+ configMap:
+ name: test-release-cluster-scanner-registry-mirrors
+ - contains:
+ path: spec.template.spec.containers[1].volumeMounts
+ content:
+ name: registry-mirrors-config
+ mountPath: /etc/docker/daemon.json
+ subPath: daemon.json
+ readOnly: true
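Review bot: The negative test on L124-L127 asserts that `spec.template.spec.volumes` and the second container's `volumeMounts` are entirely empty, so it will start failing when any unrelated default volume is introduced (the custom-CA volume on L66-L68 already appears whenever `ssl` is configured) rather than only when the mirrors volume regresses. A `notContains` on each path with `content: {name: registry-mirrors-config}` (helm-unittest accepts `any: true` for partial matching) pins exactly the behaviour this change introduces. The hard-coded `containers[1]` index in both tests also silently tests the wrong container if the container order ever changes; a comment naming the container it refers to would at least make that assumption visible.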
diff --git a/charts/cluster-scanner/tests/notes_test.yaml b/charts/cluster-scanner/tests/notes_test.yaml
index 6983ef5e8..0461c01cc 100644
--- a/charts/cluster-scanner/tests/notes_test.yaml
+++ b/charts/cluster-scanner/tests/notes_test.yaml
@@ -1,6 +1,8 @@
suite: Test links in the notes section for regions
templates:
- templates/NOTES.txt
+values:
+ - ../values.yaml
tests:
- it: Checking default value no region specified (us1)
asserts:
diff --git a/charts/cluster-scanner/tests/registrymirror_test.yaml b/charts/cluster-scanner/tests/registrymirror_test.yaml
new file mode 100644
index 000000000..496f81c11
--- /dev/null
+++ b/charts/cluster-scanner/tests/registrymirror_test.yaml
@@ -0,0 +1,120 @@
+suite: registrymirror
+templates:
+ - ../templates/registrymirror.yaml
+values:
+ - ../values.yaml
+release:
+ name: test-release
+ namespace: test-ns
+
+tests:
+ - it: "does not have mirrors, if they are not provided"
+ set:
+ imageSbomExtractor.mirrors: {}
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: "has mirrors ConfigMap, when mirrors are set"
+ set:
+ imageSbomExtractor.mirrors:
+ registryMirrors:
+ - "insecure.mirror.acme.com"
+ - "secure.mirror.acme.com"
+ insecureRegistries:
+ - "insecure.mirror.acme.com"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: ConfigMap
+ apiVersion: v1
+ name: test-release-cluster-scanner-registry-mirrors
+ namespace: test-ns
+ - equal:
+ path: data["daemon.json"]
+ value: |-
+ {
+ "registry-mirrors": ["insecure.mirror.acme.com","secure.mirror.acme.com"],
+ "insecure-registries": ["insecure.mirror.acme.com"]
+ }
+
+ - it: "has correct empty registry mirrors"
+ set:
+ imageSbomExtractor.mirrors:
+ insecureRegistries:
+ - "insecure.mirror.acme.com"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: ConfigMap
+ apiVersion: v1
+ name: test-release-cluster-scanner-registry-mirrors
+ namespace: test-ns
+ - equal:
+ path: data["daemon.json"]
+ value: |-
+ {
+ "registry-mirrors": [],
+ "insecure-registries": ["insecure.mirror.acme.com"]
+ }
+
+ - it: "has correct empty insecure registries mirrors"
+ set:
+ imageSbomExtractor.mirrors:
+ registryMirrors:
+ - "insecure.mirror.acme.com"
+ - "secure.mirror.acme.com"
+ - "one more mirror"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: ConfigMap
+ apiVersion: v1
+ name: test-release-cluster-scanner-registry-mirrors
+ namespace: test-ns
+ - equal:
+ path: data["daemon.json"]
+ value: |-
+ {
+ "registry-mirrors": ["insecure.mirror.acme.com","secure.mirror.acme.com","one more mirror"],
+ "insecure-registries": []
+ }
+
+ - it: "fails if format of registry mirrors is wrong"
+ set:
+ imageSbomExtractor.mirrors:
+ registryMirrors:
+ nested: "object"
+ asserts:
+ - failedTemplate:
+ errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors.registryMirrors: Invalid type. Expected: array, given: object\n"
+
+ - it: "fails if format of insecure registries is wrong"
+ set:
+ imageSbomExtractor.mirrors:
+ insecureRegistries: 18
+ asserts:
+ - failedTemplate:
+ errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors.insecureRegistries: Invalid type. Expected: array, given: integer\n"
+
+ - it: "fails if format of mirrors is wrong"
+ set:
+ imageSbomExtractor.mirrors: 18
+ asserts:
+ - failedTemplate:
+ errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Invalid type. Expected: object, given: integer\n"
+
+ - it: "fails if mirrors contains unexpeceted property"
+ set:
+ imageSbomExtractor.mirrors:
+ gigi:
+ - "insecure.mirror.acme.com"
+ - "secure.mirror.acme.com"
+ insecureRegistries:
+ - "insecure.mirror.acme.com"
+ asserts:
+ - failedTemplate:
+ errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Additional property gigi is not allowed\n"
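Review bot: None of the rendering cases exercise an entry containing a double quote, backslash or newline, so the property that keeps this ConfigMap injection-safe — `toJson` escaping user strings so they cannot terminate the array or add keys to daemon.json — is not pinned by a test; a case setting `registryMirrors: ['mirror"with\\quotes']` and asserting the escaped output would cover it. The `"one more mirror"` value on L237 renders straight into daemon.json despite not being a host, which documents a schema gap rather than intended behaviour and is worth a comment on that case. The three `failedTemplate` assertions match Helm's full schema-error text verbatim; that wording comes from the JSON-schema library Helm bundles and can change between Helm releases, so matching on the substring `Invalid type. Expected: array` would be less brittle.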
diff --git a/charts/cluster-scanner/values.schema.json b/charts/cluster-scanner/values.schema.json
index 528627434..b27e18f49 100644
--- a/charts/cluster-scanner/values.schema.json
+++ b/charts/cluster-scanner/values.schema.json
@@ -43,6 +43,29 @@
}
}
}
+ },
+ "imageSbomExtractor": {
+ "type": "object",
+ "properties": {
+ "mirrors": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "registryMirrors": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "insecureRegistries": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
}
}
}
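Review bot: The `items` of both arrays on L307-L309 and L313-L315 accept any string, including the empty string and whitespace-containing values such as the `"one more mirror"` the new test on L237 shows passing validation and rendering into daemon.json. Adding `"minLength": 1` to each item and `"uniqueItems": true` to each array rejects the obvious mistakes at install time rather than at pull time. A stricter `pattern` depends on what the extractor expects (Docker's own daemon.json wants a scheme-prefixed URL for `registry-mirrors` and `host[:port]` or CIDR for `insecure-registries`), so confirm the accepted form before constraining it further.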
diff --git a/charts/cluster-scanner/values.yaml b/charts/cluster-scanner/values.yaml
index 714d6c220..14b520bf9 100644
--- a/charts/cluster-scanner/values.yaml
+++ b/charts/cluster-scanner/values.yaml
@@ -218,6 +218,25 @@ imageSbomExtractor:
# sentinelAddress: ""
# ttl: "168h" # Default ttl is 7 days
+ # Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images.
+ # [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from
+ # the provided mirrors.
+ #
+ # The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors
+ # (potentially insecure), can be specified.
+ #
+ # See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ .
+ #
+ # Example:
+ #
+ # mirrors:
+ # registryMirrors:
+ # - insecure.mirror.acme.com
+ # - secure.mirror.acme.com
+ # insecureRegistries:
+ # - insecure.mirror.acme.com
+ mirrors: {}
+
# Chart name override
nameOverride: ""
# Chart full name override
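Review bot: The comment on L334-L335 says mirrors can be "(potentially insecure)" but not what that costs: listing a host under `insecureRegistries` makes the extractor accept plain HTTP or an unverified TLS certificate from it, so an on-path attacker can substitute image content and the resulting SBOM, and any findings derived from it, describe the tampered image rather than the one running in the cluster. Add a warning above the example such as `# WARNING: hosts in insecureRegistries are pulled without TLS verification. Only use this for mirrors on a trusted network; for a mirror with a private CA, prefer the chart's ssl custom-CA values instead.` — the deployment already mounts custom CA certificates (L66-L68), which is the safer alternative. Separately, the example on L342-L344 uses bare hostnames for `registryMirrors`, whereas Docker's daemon.json expects `https://host` URLs in `registry-mirrors`; if the extractor reuses Docker's parser the example will be rejected, so confirm which form it accepts and state it in the comment.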
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
index d709c170c..4489603c2 100644
--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: sysdig-deploy
description: A chart with various Sysdig components for Kubernetes
type: application
-version: 1.23.10
+version: 1.24.0
maintainers:
- name: AlbertoBarba
email: alberto.barba@sysdig.com
@@ -42,7 +42,7 @@ dependencies:
- name: cluster-scanner
# repository: https://charts.sysdig.com
repository: file://../cluster-scanner
- version: ~0.6.1
+ version: ~0.7.0
alias: clusterScanner
condition: clusterScanner.enabled
- name: kspm-collector