From 658c845c63e09efa3bf0b19e9964c2f15fadc288 Mon Sep 17 00:00:00 2001
From: Adam Roberts <adam.roberts@sysdig.com>
Date: Fri, 26 Jan 2024 11:36:53 -0500
Subject: [PATCH] fix(agent): properly render security block content

There had been an issue where if the user set the
agent.secure.enabled flag to true in the charts, any
custom data in agent.sysdig.settings.security would
not be properly rendered. This change addresses the issue
by inspecting agent.sysdig.settings for any security block
content when the rest of the Sysdig Secure items are being
computed.
---
 charts/agent/Chart.yaml                    |  2 +-
 charts/agent/templates/_helpers.tpl        | 10 ++++++++--
 charts/agent/tests/secure_enable_test.yaml | 23 ++++++++++++++++++++++
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/charts/agent/Chart.yaml b/charts/agent/Chart.yaml
index dab4a26cb..4c1af9f92 100644
--- a/charts/agent/Chart.yaml
+++ b/charts/agent/Chart.yaml
@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.19.2
+version: 1.19.3
diff --git a/charts/agent/templates/_helpers.tpl b/charts/agent/templates/_helpers.tpl
index 9bd2349d7..fc90c0ed4 100644
--- a/charts/agent/templates/_helpers.tpl
+++ b/charts/agent/templates/_helpers.tpl
@@ -339,10 +339,8 @@ and set the agent chart parameters accordingly
     {{- if and (not .Values.secure.enabled) $secureFeatProvided }}
         {{ fail "Set secure.enabled=true when specifying sysdig.settings.feature.mode is `secure` or `secure_light`" }}
     {{- end }}
-
 {{ include "agent.monitorFeatures" . }}
 {{ include "agent.secureFeatures" . }}
-
 {{- end -}}
 
 {{/*
@@ -431,6 +429,14 @@ agent config to prevent a backend push from enabling them after installation.
         {{- $_ := set $secureConfig "drift_control" (dict "enabled" false) }}
         {{- $_ := set $secureConfig "drift_killer" (dict "enabled" false) }}
     {{- end }}
+
+    {{/* Finally, check sysdig.settings for any additional security block confiugration.
+         If so, merge it with $secureConfig and unset .Values.sysdig.settings.security */}}
+    {{- if hasKey .Values.sysdig.settings "security" }}
+        {{- $secureConfig := merge $secureConfig.security .Values.sysdig.settings.security }}
+        {{- $_ := unset .Values.sysdig.settings "security"}}
+    {{- end }}
+
 {{ toYaml $secureConfig }}
 {{- end }}
 
diff --git a/charts/agent/tests/secure_enable_test.yaml b/charts/agent/tests/secure_enable_test.yaml
index ff646ada9..1e8a38633 100644
--- a/charts/agent/tests/secure_enable_test.yaml
+++ b/charts/agent/tests/secure_enable_test.yaml
@@ -170,3 +170,26 @@ tests:
     asserts:
       - failedTemplate:
           errorMessage: 'Set secure.enabled=true when specifying sysdig.settings.feature.mode is `secure` or `secure_light`'
+
+  - it: Test secure.enabled=true when manually specifying security block content
+    set:
+      secure:
+        enabled: true
+      sysdig:
+        settings:
+          security:
+            goodFeatureEnabled: true
+    asserts:
+      - isKind:
+          of: ConfigMap
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |-
+            security:
+              enabled: true
+              goodFeatureEnabled: true
+      - notMatchRegex:  # Catch the case of duplications due to sysdig.settings.security being specified
+          path: data['dragent.yaml']
+          pattern: |-
+            security:
+              goodFeatureEnabled: true