From eed34011854cd6a9504b3a2a972e47fdc1c0e5f3 Mon Sep 17 00:00:00 2001
From: Michele Mangili
Date: Tue, 13 Feb 2024 10:16:01 +0100
Subject: [PATCH 1/2] feat(cluster-scanner): added support for handling AC requests [SSPROD-35871]
---
 charts/cluster-scanner/Chart.yaml | 2 +-
 charts/cluster-scanner/README.md | 12 ++--
 charts/cluster-scanner/templates/_helpers.tpl | 13 ++++
 .../cluster-scanner/templates/deployment.yaml | 67 +++++++++++++++++++
 charts/cluster-scanner/templates/service.yaml | 4 ++
 .../tests/existing-secret_test.yaml | 4 +-
 charts/cluster-scanner/tests/secret_test.yaml | 1 +
 charts/cluster-scanner/values.yaml | 4 +-
 charts/sysdig-deploy/Chart.yaml | 4 +-
 9 files changed, 98 insertions(+), 13 deletions(-)
diff --git a/charts/cluster-scanner/Chart.yaml b/charts/cluster-scanner/Chart.yaml
index 35016813a..f8941fb5d 100644
--- a/charts/cluster-scanner/Chart.yaml
+++ b/charts/cluster-scanner/Chart.yaml
@@ -3,7 +3,7 @@ name: cluster-scanner
 description: Sysdig Cluster Scanner
 type: application
-version: 0.9.1
+version: 0.10.0
 appVersion: "0.1.0"
 home: https://www.sysdig.com/
diff --git a/charts/cluster-scanner/README.md b/charts/cluster-scanner/README.md
index 1f577f6e5..7702be44a 100644
--- a/charts/cluster-scanner/README.md
+++ b/charts/cluster-scanner/README.md
@@ -25,7 +25,7 @@ $ pre-commit run -a
 $ helm repo add sysdig https://charts.sysdig.com
 $ helm repo update
 $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
- --create-namespace -n sysdig --version=0.9.1 \
+ --create-namespace -n sysdig --version=0.10.0 \
 --set global.clusterConfig.name=CLUSTER_NAME \
 --set global.sysdig.region=SYSDIG_REGION \
 --set global.sysdig.accessKey=YOUR-KEY-HERE
@@ -55,7 +55,7 @@ To install the chart with the release name `cluster-scanner`, run:
 ```console
 $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
- --create-namespace -n sysdig --version=0.9.1 \
+ --create-namespace -n sysdig --version=0.10.0 \
 --set global.clusterConfig.name=CLUSTER_NAME \
 --set global.sysdig.region=SYSDIG_REGION \
 --set global.sysdig.accessKey=YOUR-KEY-HERE
@@ -110,7 +110,7 @@ The following table lists the configurable parameters of the `cluster-scanner` c
 | sslVerifyRegistryCertificate | Can be set to false to allow insecure connections registries, Such as for registries with self-signed or private certificates. By default, certificates are always verified. | true |
 | runtimeStatusIntegrator.image.registry | The image registry to use for the Runtime Status Integrator component of Cluster Scanner | quay.io |
 | runtimeStatusIntegrator.image.repository | The image repository to use for pulling the Runtime Status Integrator image | sysdig/runtime-status-integrator |
-| runtimeStatusIntegrator.image.tag | | "0.5.9" |
+| runtimeStatusIntegrator.image.tag | | "0.6.0" |
 | runtimeStatusIntegrator.multiCluster | When the Cluster Scanner is running in `multi` mode, set the secret name to be used to retrieve the kubeconfig configuration to connect to the clusters to inspect. | |
 | runtimeStatusIntegrator.localCluster | Restrict access to specific Docker secrets when Cluster Scanner is running in `local` mode. The default behavior is listing all secrets. See `values.yaml` for an example. Optional. | |
 | runtimeStatusIntegrator.ports.metrics | The port to be used to expose prometheus metrics for the Runtime Status Integrator | 25000 |
@@ -123,7 +123,7 @@ The following table lists the configurable parameters of the `cluster-scanner` c
 | runtimeStatusIntegrator.natsJS.user | The username to be used in the NATS JetStream instance the Runtime Status Integrator is going to start | "default-user" |
 | imageSbomExtractor.image.registry | The image registry to use for the Image SBOM Extractor component of Cluster Scanner | quay.io |
 | imageSbomExtractor.image.repository | The image repository to use for pulling the Image SBOM Extractor image | sysdig/image-sbom-extractor |
-| imageSbomExtractor.image.tag | | "0.5.9" |
+| imageSbomExtractor.image.tag | | "0.6.0" |
 | imageSbomExtractor.ports.metrics | The port to be used to expose prometheus metrics for the Image SBOM Extractor | 25001 |
 | imageSbomExtractor.ports.probes | The port to be used for healthcheck probes for the Image SBOM Extractor | 7001 |
 | imageSbomExtractor.resources.limits.cpu | Image SBOM Extractor CPU limit per replica | "1" |
@@ -163,7 +163,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to `
 ```console
 $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
- --create-namespace -n sysdig --version=0.9.1 \
+ --create-namespace -n sysdig --version=0.10.0 \
 --set global.sysdig.region="us1"
 ```
@@ -172,7 +172,7 @@ installing the chart. For example:
 ```console
 $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
- --create-namespace -n sysdig --version=0.9.1 \
+ --create-namespace -n sysdig --version=0.10.0 \
 --values values.yaml
 ```
diff --git a/charts/cluster-scanner/templates/_helpers.tpl b/charts/cluster-scanner/templates/_helpers.tpl
index a36288fff..9da537094 100644
--- a/charts/cluster-scanner/templates/_helpers.tpl
+++ b/charts/cluster-scanner/templates/_helpers.tpl
@@ -92,6 +92,7 @@ rsi_js_consumer_ack_wait: "120s"
 rsi_js_consumer_max_deliver: "1"
 rsi_js_consumer_deliver_policy_all: "true"
 rsi_js_producer_subject_prefix: "analysis.requests"
+rsi_js_priority_producer_subject_prefix: "analysis.priority.requests"
 rsi_js_server_metrics_enable: "true"
 rsi_js_server_metrics_port: "8222"
 {{ end }}
@@ -111,6 +112,18 @@ ise_js_consumer_max_in_flight: "256"
 ise_js_consumer_ack_wait: "240s"
 ise_js_consumer_max_deliver: "1"
 ise_js_consumer_deliver_policy_all: "true"
+
+ise_js_priority_consumer_streamname: "analysis-requests"
+ise_js_priority_consumer_name: "ise-priority"
+ise_js_priority_consumer_durable: "ise-priority"
+ise_js_priority_consumer_pull: "true"
+ise_js_priority_consumer_pull_batch: "1"
+ise_js_priority_consumer_subject: "analysis.priority.requests.>"
+ise_js_priority_consumer_max_in_flight: "256"
+ise_js_priority_consumer_ack_wait: "240s"
+ise_js_priority_consumer_max_deliver: "1"
+ise_js_priority_consumer_deliver_policy_all: "true"
+
 ise_js_producer_subject: "analysis.sboms"
 {{ end }}
diff --git a/charts/cluster-scanner/templates/deployment.yaml b/charts/cluster-scanner/templates/deployment.yaml
index e023b9591..ee97a5821 100644
--- a/charts/cluster-scanner/templates/deployment.yaml
+++ b/charts/cluster-scanner/templates/deployment.yaml
@@ -255,6 +255,11 @@ spec:
 configMapKeyRef:
 name: {{ include "cluster-scanner.fullname" . }}
 key: rsi_js_producer_subject_prefix
+ - name: NATS_JS_PRIORITY_PRODUCER_SUBJECT_PREFIX
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "cluster-scanner.fullname" . }}
+ key: rsi_js_priority_producer_subject_prefix
 - name: NATS_JS_SERVER_USERNAME
 valueFrom:
 configMapKeyRef:
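Review bot: The priority consumer added in the second hunk copies `ise_js_priority_consumer_max_deliver: "1"` and `ack_wait: "240s"` from the regular consumer, so a priority request whose extraction is not acked within 240s is never redelivered and is lost rather than retried. For a path that exists specifically to expedite requests that trade-off deserves a comment next to the key, e.g. `# max_deliver 1: a request not acked within ack_wait is dropped, not retried`, or a higher value if retries are intended. The filter `analysis.priority.requests.>` matches the producer prefix introduced in the first hunk, so the split between the two consumers relies on the regular consumer's subject filter (not visible here) excluding `analysis.priority.*`; worth confirming, since both entries name the same stream.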
@@ -474,6 +479,68 @@ spec:
 configMapKeyRef:
 name: {{ include "cluster-scanner.fullname" . }}
 key: ise_js_consumer_deliver_policy_all
+ - name: HIGH_PRIORITY_CONSUMER_ENABLED
+ value: "true"
+ - name: HIGH_PRIORITY_NATS_JS_CONSUMER_STREAMNAME
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "cluster-scanner.fullname" . }}
+ key: ise_js_priority_consumer_streamname
+ optional: true
+ - name: HIGH_PRIORITY_NATS_JS_CONSUMER_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "cluster-scanner.fullname" . }}
+ key: ise_js_priority_consumer_name
+ optional: true
+ - name: HIGH_PRIORITY_NATS_JS_CONSUMER_DURABLE
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "cluster-scanner.fullname" . }}
+ key: ise_js_priority_consumer_durable
+ optional: true
+ - name: HIGH_PRIORITY_NATS_JS_CONSUMER_PULL
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "cluster-scanner.fullname" . }}
+ key: ise_js_priority_consumer_pull
+ optional: true
+ - name: HIGH_PRIORITY_NATS_JS_CONSUMER_PULL_BATCH
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "cluster-scanner.fullname" . }}
+ key: ise_js_priority_consumer_pull_batch
+ optional: true
+ - name: HIGH_PRIORITY_NATS_JS_CONSUMER_SUBJECT
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "cluster-scanner.fullname" . }}
+ key: ise_js_priority_consumer_subject
+ optional: true
+ - name: HIGH_PRIORITY_NATS_JS_CONSUMER_MAX_IN_FLIGHT
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "cluster-scanner.fullname" . }}
+ key: ise_js_priority_consumer_max_in_flight
+ optional: true
+ - name: HIGH_PRIORITY_NATS_JS_CONSUMER_ACK_WAIT
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "cluster-scanner.fullname" . }}
+ key: ise_js_priority_consumer_ack_wait
+ optional: true
+ - name: HIGH_PRIORITY_NATS_JS_CONSUMER_MAX_DELIVER
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "cluster-scanner.fullname" . }}
+ key: ise_js_priority_consumer_max_deliver
+ optional: true
+ - name: HIGH_PRIORITY_NATS_JS_CONSUMER_DELIVER_POLICY_ALL
+ valueFrom:
+ configMapKeyRef:
+ name: {{ include "cluster-scanner.fullname" . }}
+ key: ise_js_priority_consumer_deliver_policy_all
+ optional: true
 - name: NATS_JS_PRODUCER_SUBJECT
 valueFrom:
 configMapKeyRef:
diff --git a/charts/cluster-scanner/templates/service.yaml b/charts/cluster-scanner/templates/service.yaml
index 415dca17b..c0fd86e9b 100644
--- a/charts/cluster-scanner/templates/service.yaml
+++ b/charts/cluster-scanner/templates/service.yaml
@@ -12,4 +12,8 @@ spec:
 targetPort: 4222
 protocol: TCP
 name: nats
+ - port: 9999
+ targetPort: 9999
+ protocol: TCP
+ name: grpc
 # NOTE: selector is intentionally left empty, the RSI component will implement a controller to handle the Endpoints resource associated with this service
diff --git a/charts/cluster-scanner/tests/existing-secret_test.yaml b/charts/cluster-scanner/tests/existing-secret_test.yaml
index 3874a2c87..24e0fdc9f 100644
--- a/charts/cluster-scanner/tests/existing-secret_test.yaml
+++ b/charts/cluster-scanner/tests/existing-secret_test.yaml
@@ -21,7 +21,7 @@ tests:
 global.sysdig.accessKeySecret: "secret"
 asserts:
 - equal:
- path: spec.template.spec.containers[0].env[35]
+ path: spec.template.spec.containers[0].env[?(@.name == "SYSDIG_ACCESS_KEY")]
 value:
 name: SYSDIG_ACCESS_KEY
 valueFrom:
@@ -29,7 +29,7 @@ tests:
 key: access-key
 name: secret
 - equal:
- path: spec.template.spec.containers[1].env[8]
+ path: spec.template.spec.containers[1].env[?(@.name == "SYSDIG_ACCESS_KEY")]
 value:
 name: SYSDIG_ACCESS_KEY
 valueFrom:
diff --git a/charts/cluster-scanner/tests/secret_test.yaml b/charts/cluster-scanner/tests/secret_test.yaml
index f01f7bef1..4aff055cf 100644
--- a/charts/cluster-scanner/tests/secret_test.yaml
+++ b/charts/cluster-scanner/tests/secret_test.yaml
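Review bot: Every `HIGH_PRIORITY_NATS_JS_CONSUMER_*` configMapKeyRef in this hunk carries `optional: true`, whereas the sibling `ise_js_consumer_*` refs just above it do not and the chart's own ConfigMap template renders the `ise_js_priority_consumer_*` keys right next to the non-optional ones; with `optional: true`, a mistyped or renamed key leaves the variable unset and the pod running on whatever default the image picks instead of failing at start-up like the rest of this env block. Suggest dropping `optional: true` from these ten entries, or adding a template comment stating why the priority consumer must tolerate missing keys. `HIGH_PRIORITY_CONSUMER_ENABLED` is also a literal `value: "true"` with no switch in `values.yaml`, so an operator cannot disable the priority consumer without editing the template; wiring it to a value would match how the rest of the chart is configured. The container env list this hunk extends starts and ends outside the hunk.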
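Review bot: The new `grpc` port 9999 is added to a Service whose selector is intentionally empty and whose Endpoints are written by the RSI controller (per the existing NOTE), but nothing in the chart says what the listener serves, whether it is TLS-protected, or how callers are authenticated; a ClusterIP Service is reachable from any pod in the cluster, so if this is the channel that carries the "AC requests" named in the commit subject, a comment here and a README entry should say who may call it and what secures it. The port number is also hard-coded, unlike the metrics and probe ports that the README lists as configurable under each component's `ports`; consider surfacing it the same way so it can be moved or firewalled consistently. A hedged suggestion for the comment: `# grpc: request channel for the RSI controller; TODO document auth/TLS expectations and restrict with a NetworkPolicy if the listener is unauthenticated`.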
@@ -53,6 +53,7 @@ tests:
 - equal:
 path: data.cache_redis_password
 value: "c2VjcmV0"
+
 - it: "does not require redis password"
 set:
 global.sysdig.accessKey: "secret"
diff --git a/charts/cluster-scanner/values.yaml b/charts/cluster-scanner/values.yaml
index 02228fa84..a465cced2 100644
--- a/charts/cluster-scanner/values.yaml
+++ b/charts/cluster-scanner/values.yaml
@@ -108,7 +108,7 @@ runtimeStatusIntegrator:
 # The image repository to use for pulling the Runtime Status Integrator
 # image
 repository: sysdig/runtime-status-integrator
- tag: "0.5.9"
+ tag: "0.6.0"
 # Params to manage leader election
 # Leader election is implemented leveraging the native capabilities of
 # Kubernetes see: https://kubernetes.io/blog/2016/01/simple-leader-election-with-kubernetes/
@@ -170,7 +170,7 @@ imageSbomExtractor:
 registry: quay.io
 # The image repository to use for pulling the Image SBOM Extractor image
 repository: sysdig/image-sbom-extractor
- tag: "0.5.9"
+ tag: "0.6.0"
 ports:
 # The port to be used to expose prometheus metrics for the Image SBOM
 # Extractor
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
index 4ae069d16..121528fdd 100644
--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.38.2
+version: 1.39.0
 maintainers:
 - name: AlbertoBarba
 email: alberto.barba@sysdig.com
@@ -42,7 +42,7 @@ dependencies:
 - name: cluster-scanner
 # repository: https://charts.sysdig.com
 repository: file://../cluster-scanner
- version: ~0.9.1
+ version: ~0.10.0
 alias: clusterScanner
 condition: clusterScanner.enabled
 - name: kspm-collector
From 1eaf9d03b8df2f090dd404267c271cdf58b1158b Mon Sep 17 00:00:00 2001
From: Michele Mangili
Date: Wed, 14 Feb 2024 15:33:33 +0100
Subject: [PATCH 2/2] feat(cluster-scanner): enable eve by default [SSPROD-37253]
---
 charts/cluster-scanner/README.md | 2 +-
 charts/cluster-scanner/tests/configmap_test.yaml | 2 +-
 charts/cluster-scanner/values.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/charts/cluster-scanner/README.md b/charts/cluster-scanner/README.md
index 7702be44a..99efe383c 100644
--- a/charts/cluster-scanner/README.md
+++ b/charts/cluster-scanner/README.md
@@ -101,7 +101,7 @@ The following table lists the configurable parameters of the `cluster-scanner` c
 | global.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret | |
 | global.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | |
 | global.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap | |
-| eveEnabled | Enables Sysdig Eve to retrieve the list of running packages. | false |
+| eveEnabled | Enables Sysdig Eve to retrieve the list of running packages. | true |
 | eveIntegrationEnabled | Enables the integration with Sysdig Eve. Stores the list of running packages to Sysdig backend. It implies `eveEnabled: true`. | false |
 | rootNamespace | The namespace to use to retrieve the cluster UID | "kube-system" |
 | replicaCount | | 2 |
diff --git a/charts/cluster-scanner/tests/configmap_test.yaml b/charts/cluster-scanner/tests/configmap_test.yaml
index e4fd3859c..04594b41b 100644
--- a/charts/cluster-scanner/tests/configmap_test.yaml
+++ b/charts/cluster-scanner/tests/configmap_test.yaml
@@ -33,7 +33,7 @@ tests:
 value: kube-system
 - equal:
 path: data.eve_enabled
- value: "false"
+ value: "true"
 - equal:
 path: data.eve_integration_enabled
 value: "false"
diff --git a/charts/cluster-scanner/values.yaml b/charts/cluster-scanner/values.yaml
index a465cced2..fea90fbae 100644
--- a/charts/cluster-scanner/values.yaml
+++ b/charts/cluster-scanner/values.yaml
@@ -65,7 +65,7 @@ global:
 # Provide the filename that is defined inside the existing ConfigMap
 existingCaConfigMapKeyName:
 # Enables Sysdig Eve to retrieve the list of running packages.
-eveEnabled: false
+eveEnabled: true
 # Enables the integration with Sysdig Eve. Stores the list of running packages
 # to Sysdig backend. It implies `eveEnabled: true`.
 eveIntegrationEnabled: false
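Review bot: Flipping `eveEnabled` to `true` changes behaviour for every existing install on the next upgrade — the scanner starts retrieving the list of running packages without the operator opting in — but the comment above the key still reads as a plain feature description, and nothing records that the default moved. Suggest extending it to `# Enables Sysdig Eve to retrieve the list of running packages. Enabled by default since chart 0.10.0; set to false to opt out.` and calling the new default out in the chart's upgrade notes. `eveIntegrationEnabled` stays `false`, so per its own comment nothing is stored to the Sysdig backend by default; stating that explicitly next to the flipped flag would keep readers from conflating local collection with upload.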