feat(cluster-scanner): added support for handling AC requests [SSPROD-35871]

charts/cluster-scanner/Chart.yaml

@@ -3,7 +3,7 @@ name: cluster-scanner
 description: Sysdig Cluster Scanner
 
 type: application
-version: 0.9.1
+version: 0.10.0
 appVersion: "0.1.0"
 home: https://www.sysdig.com/
 

charts/cluster-scanner/templates/_helpers.tpl

@@ -92,6 +92,7 @@ rsi_js_consumer_ack_wait: "120s"
 rsi_js_consumer_max_deliver: "1"
 rsi_js_consumer_deliver_policy_all: "true"
 rsi_js_producer_subject_prefix: "analysis.requests"
+rsi_js_priority_producer_subject_prefix: "analysis.priority.requests"
 rsi_js_server_metrics_enable: "true"
 rsi_js_server_metrics_port: "8222"
 {{ end }}
@@ -111,6 +112,18 @@ ise_js_consumer_max_in_flight: "256"
 ise_js_consumer_ack_wait: "240s"
 ise_js_consumer_max_deliver: "1"
 ise_js_consumer_deliver_policy_all: "true"
+
+ise_js_priority_consumer_streamname: "analysis-requests"
+ise_js_priority_consumer_name: "ise-priority"
+ise_js_priority_consumer_durable: "ise-priority"
+ise_js_priority_consumer_pull: "true"
+ise_js_priority_consumer_pull_batch: "1"
+ise_js_priority_consumer_subject: "analysis.priority.requests.>"
+ise_js_priority_consumer_max_in_flight: "256"
+ise_js_priority_consumer_ack_wait: "240s"
+ise_js_priority_consumer_max_deliver: "1"
+ise_js_priority_consumer_deliver_policy_all: "true"
+
 ise_js_producer_subject: "analysis.sboms"
 {{ end }}
 

charts/cluster-scanner/templates/deployment.yaml

@@ -255,6 +255,11 @@ spec:
               configMapKeyRef:
                 name: {{ include "cluster-scanner.fullname" . }}
                 key: rsi_js_producer_subject_prefix
+          - name: NATS_JS_PRIORITY_PRODUCER_SUBJECT_PREFIX
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "cluster-scanner.fullname" . }}
+                key: rsi_js_priority_producer_subject_prefix
           - name: NATS_JS_SERVER_USERNAME
             valueFrom:
               configMapKeyRef:
@@ -474,6 +479,68 @@ spec:
               configMapKeyRef:
                 name: {{ include "cluster-scanner.fullname" . }}
                 key: ise_js_consumer_deliver_policy_all
+          - name: HIGH_PRIORITY_CONSUMER_ENABLED
+            value: "true"
+          - name: HIGH_PRIORITY_NATS_JS_CONSUMER_STREAMNAME
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "cluster-scanner.fullname" . }}
+                key: ise_js_priority_consumer_streamname
+                optional: true
+          - name: HIGH_PRIORITY_NATS_JS_CONSUMER_NAME
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "cluster-scanner.fullname" . }}
+                key: ise_js_priority_consumer_name
+                optional: true
+          - name: HIGH_PRIORITY_NATS_JS_CONSUMER_DURABLE
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "cluster-scanner.fullname" . }}
+                key: ise_js_priority_consumer_durable
+                optional: true
+          - name: HIGH_PRIORITY_NATS_JS_CONSUMER_PULL
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "cluster-scanner.fullname" . }}
+                key: ise_js_priority_consumer_pull
+                optional: true
+          - name: HIGH_PRIORITY_NATS_JS_CONSUMER_PULL_BATCH
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "cluster-scanner.fullname" . }}
+                key: ise_js_priority_consumer_pull_batch
+                optional: true
+          - name: HIGH_PRIORITY_NATS_JS_CONSUMER_SUBJECT
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "cluster-scanner.fullname" . }}
+                key: ise_js_priority_consumer_subject
+                optional: true
+          - name: HIGH_PRIORITY_NATS_JS_CONSUMER_MAX_IN_FLIGHT
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "cluster-scanner.fullname" . }}
+                key: ise_js_priority_consumer_max_in_flight
+                optional: true
+          - name: HIGH_PRIORITY_NATS_JS_CONSUMER_ACK_WAIT
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "cluster-scanner.fullname" . }}
+                key: ise_js_priority_consumer_ack_wait
+                optional: true
+          - name: HIGH_PRIORITY_NATS_JS_CONSUMER_MAX_DELIVER
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "cluster-scanner.fullname" . }}
+                key: ise_js_priority_consumer_max_deliver
+                optional: true
+          - name: HIGH_PRIORITY_NATS_JS_CONSUMER_DELIVER_POLICY_ALL
+            valueFrom:
+              configMapKeyRef:
+                name: {{ include "cluster-scanner.fullname" . }}
+                key: ise_js_priority_consumer_deliver_policy_all
+                optional: true
           - name: NATS_JS_PRODUCER_SUBJECT
             valueFrom:
               configMapKeyRef:

charts/cluster-scanner/templates/service.yaml

@@ -12,4 +12,8 @@ spec:
       targetPort: 4222
       protocol: TCP
       name: nats
+    - port: 9999
+      targetPort: 9999
+      protocol: TCP
+      name: grpc
   # NOTE: selector is intentionally left empty, the RSI component will implement a controller to handle the Endpoints resource associated with this service

charts/cluster-scanner/tests/configmap_test.yaml

@@ -33,7 +33,7 @@ tests:
           value: kube-system
       - equal:
           path: data.eve_enabled
-          value: "false"
+          value: "true"
       - equal:
           path: data.eve_integration_enabled
           value: "false"

charts/cluster-scanner/tests/existing-secret_test.yaml

@@ -21,15 +21,15 @@ tests:
       global.sysdig.accessKeySecret: "secret"
     asserts:
       - equal:
-          path: spec.template.spec.containers[0].env[35]
+          path: spec.template.spec.containers[0].env[?(@.name == "SYSDIG_ACCESS_KEY")]
           value:
             name: SYSDIG_ACCESS_KEY
             valueFrom:
               secretKeyRef:
                 key: access-key
                 name: secret
       - equal:
-          path: spec.template.spec.containers[1].env[8]
+          path: spec.template.spec.containers[1].env[?(@.name == "SYSDIG_ACCESS_KEY")]
           value:
             name: SYSDIG_ACCESS_KEY
             valueFrom:

charts/cluster-scanner/tests/secret_test.yaml

@@ -53,6 +53,7 @@ tests:
       - equal:
           path: data.cache_redis_password
           value: "c2VjcmV0"
+
   - it: "does not require redis password"
     set:
       global.sysdig.accessKey: "secret"

charts/cluster-scanner/values.yaml

@@ -65,7 +65,7 @@ global:
       # Provide the filename that is defined inside the existing ConfigMap
       existingCaConfigMapKeyName:
 # Enables Sysdig Eve to retrieve the list of running packages.
-eveEnabled: false
+eveEnabled: true
 # Enables the integration with Sysdig Eve. Stores the list of running packages
 # to Sysdig backend. It implies `eveEnabled: true`.
 eveIntegrationEnabled: false
@@ -108,7 +108,7 @@ runtimeStatusIntegrator:
     # The image repository to use for pulling the Runtime Status Integrator
     # image
     repository: sysdig/runtime-status-integrator
-    tag: "0.5.9"
+    tag: "0.6.0"
   # Params to manage leader election
   # Leader election is implemented leveraging the native capabilities of
   # Kubernetes see: https://kubernetes.io/blog/2016/01/simple-leader-election-with-kubernetes/
@@ -170,7 +170,7 @@ imageSbomExtractor:
     registry: quay.io
     # The image repository to use for pulling the Image SBOM Extractor image
     repository: sysdig/image-sbom-extractor
-    tag: "0.5.9"
+    tag: "0.6.0"
   ports:
     # The port to be used to expose prometheus metrics for the Image SBOM
     # Extractor

charts/sysdig-deploy/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.38.2
+version: 1.39.0
 maintainers:
   - name: AlbertoBarba
     email: alberto.barba@sysdig.com
@@ -42,7 +42,7 @@ dependencies:
   - name: cluster-scanner
     # repository: https://charts.sysdig.com
     repository: file://../cluster-scanner
-    version: ~0.9.1
+    version: ~0.10.0
     alias: clusterScanner
     condition: clusterScanner.enabled
   - name: kspm-collector