2 changes: 1 addition & 1 deletion charts/cluster-scanner/Chart.yaml
@@ -4,7 +4,7 @@ description: Sysdig Cluster Scanner

type: application

version: 0.6.1
version: 0.7.0

appVersion: "0.1.0"
home: https://www.sysdig.com/
9 changes: 5 additions & 4 deletions charts/cluster-scanner/README.md
@@ -25,7 +25,7 @@ $ pre-commit run -a
$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
--create-namespace -n sysdig --version=0.6.1 \
--create-namespace -n sysdig --version=0.7.0 \
--set global.clusterConfig.name=CLUSTER_NAME \
--set global.sysdig.region=SYSDIG_REGION \
--set global.sysdig.accessKey=YOUR-KEY-HERE
@@ -55,7 +55,7 @@ To install the chart with the release name `cluster-scanner`, run:

```console
$ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
--create-namespace -n sysdig --version=0.6.1 \
--create-namespace -n sysdig --version=0.7.0 \
--set global.clusterConfig.name=CLUSTER_NAME \
--set global.sysdig.region=SYSDIG_REGION \
--set global.sysdig.accessKey=YOUR-KEY-HERE
@@ -134,6 +134,7 @@ The following table lists the configurable parameters of the `cluster-scanner` c
| imageSbomExtractor.cache.local.maxSizeBytes | The maximum size in bytes of the local cache. By default it is set to 35MB | <code>"36700160"</code> |
| imageSbomExtractor.cache.local.maxElementSizeBytes | When using `local` as cache type, restrict the maximum size of elements to be cached. By default it is set to 100KB | <code>"102400"</code> |
| imageSbomExtractor.cache.local.ttl | The TTL for items in the local cache. By default it is set to 7 days. | <code>"168h"</code> |
| imageSbomExtractor.mirrors | Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images. [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from the provided mirrors. The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors (potentially insecure), can be specified. See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ . <br> Example: <br> `mirrors:` <br> `registryMirrors:` <br> `- insecure.mirror.acme.com` <br> `- secure.mirror.acme.com` <br> `insecureRegistries:` <br> `- insecure.mirror.acme.com` | <code>{}</code> |
| nameOverride | Chart name override | <code>""</code> |
| fullnameOverride | Chart full name override | <code>""</code> |
| serviceAccount.create | Specifies whether a service account should be created | <code>true</code> |
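Review bot: the new `imageSbomExtractor.mirrors` row should say what listing a host under `insecureRegistries` means in practice, since the example puts `insecure.mirror.acme.com` in both lists. In Docker daemon semantics an insecure registry is contacted without TLS certificate verification (or over plain HTTP), so an image pulled through such a mirror can be substituted in transit and the SBOM will describe whatever the mirror served; a sentence stating that and recommending `insecureRegistries` only for lab or air-gapped setups puts the risk where users copy the example from. The row could also mention that unknown keys under `mirrors` are rejected by the values schema in this PR, so a misspelled key fails the install instead of being silently ignored.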
@@ -160,7 +161,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to `

```console
$ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
--create-namespace -n sysdig --version=0.6.1 \
--create-namespace -n sysdig --version=0.7.0 \
--set global.sysdig.region="us1"
```

@@ -169,7 +170,7 @@ installing the chart. For example:

```console
$ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
--create-namespace -n sysdig --version=0.6.1 \
--create-namespace -n sysdig --version=0.7.0 \
--values values.yaml
```

11 changes: 11 additions & 0 deletions charts/cluster-scanner/templates/deployment.yaml
@@ -48,6 +48,11 @@ spec:
configMap:
name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl) }}
{{- end }}
{{- if .Values.imageSbomExtractor.mirrors }}
- name: registry-mirrors-config
configMap:
name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors
{{- end }}
containers:
- name: rsi
securityContext:
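Review bot: the ConfigMap name `{{ include "cluster-scanner.fullname" . }}-registry-mirrors` is spelled out here and again in templates/registrymirror.yaml; a small named template (for example a hypothetical `cluster-scanner.registryMirrorsConfigMapName`) would keep the two from drifting if either is edited later. The `{{- if .Values.imageSbomExtractor.mirrors }}` guard itself is correct: the default `mirrors: {}` is an empty map and therefore falsy in Go templates, which is exactly what the `isEmpty` case in tests/deployment_test.yaml relies on.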
@@ -315,6 +320,12 @@ spec:
mountPath: /ca-certs
readOnly: true
{{- end }}
{{- if .Values.imageSbomExtractor.mirrors }}
- name: registry-mirrors-config
mountPath: /etc/docker/daemon.json
subPath: daemon.json
readOnly: true
{{- end }}
{{- with .Values.imageSbomExtractor }}
ports:
- name: metrics
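Review bot: the `subPath: daemon.json` mount at `/etc/docker/daemon.json` will not pick up later changes to the ConfigMap, because Kubernetes does not refresh subPath-mounted ConfigMap files inside a running pod; changing `imageSbomExtractor.mirrors` on a `helm upgrade` therefore leaves the extractor using the old mirror list until the pod is restarted. A pod-template annotation carrying a checksum of the rendered ConfigMap, such as `checksum/registry-mirrors: {{ include (print $.Template.BasePath "/registrymirror.yaml") . | sha256sum }}`, forces a rollout whenever the mirror configuration changes. `readOnly: true` on the mount is the right choice, since this file decides which hosts may be contacted without TLS verification.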
15 changes: 15 additions & 0 deletions charts/cluster-scanner/templates/registrymirror.yaml
@@ -0,0 +1,15 @@
{{- if .Values.imageSbomExtractor.mirrors -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors
namespace: {{ include "cluster-scanner.namespace" . }}
labels:
{{- include "cluster-scanner.labels" . | nindent 4 }}
data:
daemon.json: |-
{
"registry-mirrors": {{ .Values.imageSbomExtractor.mirrors.registryMirrors | default list | toJson }},
"insecure-registries": {{ .Values.imageSbomExtractor.mirrors.insecureRegistries | default list | toJson }}
}
{{- end -}}
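Review bot: the `{{- if .Values.imageSbomExtractor.mirrors -}}` guard renders the ConfigMap for any non-empty map, so `mirrors: {registryMirrors: []}` yields a daemon.json with both arrays empty (the test suite covers one empty list at a time, not both); that output is valid and harmless, but the values.yaml comment should state that `mirrors: {}` is the way to switch the feature off. The `default list | toJson` pipeline is the right construction here: it tolerates an absent key and JSON-escapes every entry, so a value containing quotes or backslashes cannot break the document.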
31 changes: 31 additions & 0 deletions charts/cluster-scanner/tests/deployment_test.yaml
@@ -492,3 +492,34 @@ tests:
content:
name: ENV_VAR_BOOL
value: "true"

- it: "does not have registry volume nor volumeMounts if mirrors is empty"
templates:
- ../templates/deployment.yaml
asserts:
- isEmpty:
path: spec.template.spec.volumes
- isEmpty:
path: spec.template.spec.containers[1].volumeMounts

- it: "has registry volume mount if mirrors are configured"
set:
imageSbomExtractor.mirrors:
registryMirrors:
- "foobar"
templates:
- ../templates/deployment.yaml
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: registry-mirrors-config
configMap:
name: test-release-cluster-scanner-registry-mirrors
- contains:
path: spec.template.spec.containers[1].volumeMounts
content:
name: registry-mirrors-config
mountPath: /etc/docker/daemon.json
subPath: daemon.json
readOnly: true
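Review bot: the "does not have registry volume nor volumeMounts if mirrors is empty" case asserts that `spec.template.spec.volumes` and `containers[1].volumeMounts` are empty as a whole, so it will start failing as soon as any unrelated default volume is added to the deployment, and it silently depends on the custom CA volume above it being disabled by default. A `notContains` assertion on `name: registry-mirrors-config` for both paths checks the property this PR actually introduces and survives unrelated changes. Addressing the extractor container as `containers[1]` is fragile for the same reason; a comment naming the container would help whoever reorders that list next.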
2 changes: 2 additions & 0 deletions charts/cluster-scanner/tests/notes_test.yaml
@@ -1,6 +1,8 @@
suite: Test links in the notes section for regions
templates:
- templates/NOTES.txt
values:
- ../values.yaml
tests:
- it: Checking default value no region specified (us1)
asserts:
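Review bot: this suite is unrelated to registry mirrors and the diff does not explain why it now needs `values: - ../values.yaml`; if NOTES.txt rendering started failing without the chart defaults, a line saying so in the PR description would let reviewers confirm the change is required rather than incidental.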
120 changes: 120 additions & 0 deletions charts/cluster-scanner/tests/registrymirror_test.yaml
@@ -0,0 +1,120 @@
suite: registrymirror
templates:
- ../templates/registrymirror.yaml
values:
- ../values.yaml
release:
name: test-release
namespace: test-ns

tests:
- it: "does not have mirrors, if they are not provided"
set:
imageSbomExtractor.mirrors: {}
asserts:
- hasDocuments:
count: 0

- it: "has mirrors ConfigMap, when mirrors are set"
set:
imageSbomExtractor.mirrors:
registryMirrors:
- "insecure.mirror.acme.com"
- "secure.mirror.acme.com"
insecureRegistries:
- "insecure.mirror.acme.com"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: test-release-cluster-scanner-registry-mirrors
namespace: test-ns
- equal:
path: data["daemon.json"]
value: |-
{
"registry-mirrors": ["insecure.mirror.acme.com","secure.mirror.acme.com"],
"insecure-registries": ["insecure.mirror.acme.com"]
}

- it: "has correct empty registry mirrors"
set:
imageSbomExtractor.mirrors:
insecureRegistries:
- "insecure.mirror.acme.com"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: test-release-cluster-scanner-registry-mirrors
namespace: test-ns
- equal:
path: data["daemon.json"]
value: |-
{
"registry-mirrors": [],
"insecure-registries": ["insecure.mirror.acme.com"]
}

- it: "has correct empty insecure registries mirrors"
set:
imageSbomExtractor.mirrors:
registryMirrors:
- "insecure.mirror.acme.com"
- "secure.mirror.acme.com"
- "one more mirror"
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: ConfigMap
apiVersion: v1
name: test-release-cluster-scanner-registry-mirrors
namespace: test-ns
- equal:
path: data["daemon.json"]
value: |-
{
"registry-mirrors": ["insecure.mirror.acme.com","secure.mirror.acme.com","one more mirror"],
"insecure-registries": []
}

- it: "fails if format of registry mirrors is wrong"
set:
imageSbomExtractor.mirrors:
registryMirrors:
nested: "object"
asserts:
- failedTemplate:
errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors.registryMirrors: Invalid type. Expected: array, given: object\n"

- it: "fails if format of insecure registries is wrong"
set:
imageSbomExtractor.mirrors:
insecureRegistries: 18
asserts:
- failedTemplate:
errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors.insecureRegistries: Invalid type. Expected: array, given: integer\n"

- it: "fails if format of mirrors is wrong"
set:
imageSbomExtractor.mirrors: 18
asserts:
- failedTemplate:
errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Invalid type. Expected: object, given: integer\n"

- it: "fails if mirrors contains unexpeceted property"
set:
imageSbomExtractor.mirrors:
gigi:
- "insecure.mirror.acme.com"
- "secure.mirror.acme.com"
insecureRegistries:
- "insecure.mirror.acme.com"
asserts:
- failedTemplate:
errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Additional property gigi is not allowed\n"
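Review bot: the last case's description has a typo, "unexpeceted" should be "unexpected". The four `failedTemplate` cases match Helm's full schema error text, including the `cluster-scanner:\n- ...` layout, so a Helm release that rewords its schema errors will fail all four at once; matching on the distinctive tail (for example `Invalid type. Expected: array, given: object`) keeps the tests meaningful with less coupling. The `"one more mirror"` entry in the third case also shows that the schema accepts any string as a mirror, which deserves a comment so nobody reads it as a supported value.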
23 changes: 23 additions & 0 deletions charts/cluster-scanner/values.schema.json
@@ -43,6 +43,29 @@
}
}
}
},
"imageSbomExtractor": {
"type": "object",
"properties": {
"mirrors": {
"type": "object",
"additionalProperties": false,
"properties": {
"registryMirrors": {
"type": "array",
"items": {
"type": "string"
}
},
"insecureRegistries": {
"type": "array",
"items": {
"type": "string"
}
}
}
}
}
}
}
}
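Review bot: `registryMirrors` and `insecureRegistries` only constrain each item to `type: string`, which is why the test suite can install the chart with `"one more mirror"` as a mirror; a `pattern` limited to a host[:port] or URL form, plus `uniqueItems: true`, would reject typos at `helm install` time instead of when the first image pull fails. `additionalProperties: false` on `mirrors` is a good call and is what makes the `gigi` test fail as intended.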
19 changes: 19 additions & 0 deletions charts/cluster-scanner/values.yaml
@@ -218,6 +218,25 @@ imageSbomExtractor:
# sentinelAddress: ""
# ttl: "168h" # Default ttl is 7 days

# Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images.
# [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from
# the provided mirrors.
#
# The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors
# (potentially insecure), can be specified.
#
# See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ .
#
# Example:
#
# mirrors:
# registryMirrors:
# - insecure.mirror.acme.com
# - secure.mirror.acme.com
# insecureRegistries:
# - insecure.mirror.acme.com
mirrors: {}

# Chart name override
nameOverride: ""
# Chart full name override
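Review bot: the example lists mirrors as bare hostnames (`insecure.mirror.acme.com`), while the Docker daemon documentation the comment links to writes `registry-mirrors` entries as full URLs such as `https://mirror.example.com`, and dockerd itself rejects a mirror whose scheme is not `http` or `https`. If the Image SBOM Extractor accepts bare hostnames, the comment should say so explicitly; if it does not, the example should use URLs so users do not copy a value that fails at runtime. The comment should also spell out that `insecureRegistries` disables TLS verification for the listed hosts, since the word "insecure" alone does not convey that image content from those mirrors cannot be authenticated.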
4 changes: 2 additions & 2 deletions charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: sysdig-deploy
description: A chart with various Sysdig components for Kubernetes
type: application
version: 1.23.10
version: 1.24.0
maintainers:
- name: AlbertoBarba
email: alberto.barba@sysdig.com
@@ -42,7 +42,7 @@ dependencies:
- name: cluster-scanner
# repository: https://charts.sysdig.com
repository: file://../cluster-scanner
version: ~0.6.1
version: ~0.7.0
alias: clusterScanner
condition: clusterScanner.enabled
- name: kspm-collector