diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml index 34ec4b99b..9b129da2c 100644 --- a/charts/shield/Chart.yaml +++ b/charts/shield/Chart.yaml @@ -13,5 +13,5 @@ maintainers: - name: mavimo email: marcovito.moscaritolo@sysdig.com type: application -version: 1.5.0 +version: 1.5.1 appVersion: "1.0.0" diff --git a/charts/shield/templates/cluster/_config.tpl b/charts/shield/templates/cluster/_config.tpl index 4ac750ca7..9494d666d 100644 --- a/charts/shield/templates/cluster/_config.tpl +++ b/charts/shield/templates/cluster/_config.tpl @@ -60,7 +60,7 @@ "ca_cert_file" (printf "%s%s" (include "cluster.tls_certificates.mount_path" .) (include "cluster.tls_certificates.ca_cert_file_name" .)) ) -}} {{- if (include "cluster.audit_enabled" .) -}} - {{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" (.Values.on_prem_version | default "") -}} + {{- if (include "common.semver.is_valid" (.Values.on_prem_version | default "")) -}} {{- if semverCompare "< 6.12.0" .Values.on_prem_version -}} {{- if not (include "common.credentials.has_secure_api_token" . ) -}} {{- fail "Secure API Token is required for kubernetes audit with On Premise Versions < 6.12.0" -}} @@ -83,7 +83,7 @@ {{- $_ := set $clusterScannerConfig "leader_election_lock_name" (include "cluster.container_vulnerability_management_lease_name" .) -}} {{- $_ := set $config "cluster_scanner" $clusterScannerConfig -}} - {{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" (.Values.on_prem_version | default "") -}} + {{- if (include "common.semver.is_valid" (.Values.on_prem_version | default "")) -}} {{- if semverCompare "< 6.12.0" .Values.on_prem_version -}} {{- $_ := set $config.features.container_vulnerability_management "platform_services_enabled" false -}} {{- end -}} 
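Review bot: A non-empty `on_prem_version` that does not parse as semver (a typo such as `6.11.O`, or a value like `latest`) silently skips the whole block in the first hunk, so the Secure API Token requirement for on-prem < 6.12.0 is dropped with no signal to the operator; the inline regex it replaces had the same gap, but the new helper makes it cheap to fail loudly instead. I would add an else branch after the `is_valid` test: `{{- else if .Values.on_prem_version -}}` / `{{- fail (printf "on_prem_version %q is not a valid semver version" .Values.on_prem_version) -}}`. The second hunk in this file has the same shape, where a malformed value leaves `platform_services_enabled` at its default rather than forcing it off, so the same guard belongs there, or the pair `is_valid` + `semverCompare "< 6.12.0"` could move into one `cluster.on_prem_version_lt_6_12` define so the check is written once. Both enclosing defines start before and end after their hunks.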
diff --git a/charts/shield/templates/common/_regions.tpl b/charts/shield/templates/common/_regions.tpl
index 4117648e2..07c1f99b2 100644
--- a/charts/shield/templates/common/_regions.tpl
+++ b/charts/shield/templates/common/_regions.tpl
@@ -3,34 +3,66 @@ "monitor_api_endpoint" "app.au1.sysdig.com" "secure_api_endpoint" "app.au1.sysdig.com" "secure_ui" "app.au1.sysdig.com/secure") + "au1-alt" (dict "collector_endpoint" "ingest-alt.au1.sysdig.com" + "monitor_api_endpoint" "app.au1.sysdig.com" + "secure_api_endpoint" "app.au1.sysdig.com" + "secure_ui" "app.au1.sysdig.com/secure") "eu1" (dict "collector_endpoint" "ingest-eu1.app.sysdig.com" "monitor_api_endpoint" "eu1.app.sysdig.com" "secure_api_endpoint" "eu1.app.sysdig.com" "secure_ui" "eu1.app.sysdig.com/secure") + "eu1-alt" (dict "collector_endpoint" "ingest-alt-eu1.app.sysdig.com" + "monitor_api_endpoint" "eu1.app.sysdig.com" + "secure_api_endpoint" "eu1.app.sysdig.com" + "secure_ui" "eu1.app.sysdig.com/secure") "in1" (dict "collector_endpoint" "ingest.in1.sysdig.com" "monitor_api_endpoint" "app.in1.sysdig.com" "secure_api_endpoint" "app.in1.sysdig.com" "secure_ui" "app.in1.sysdig.com/secure") + "in1-alt" (dict "collector_endpoint" "ingest-alt.in1.sysdig.com" + "monitor_api_endpoint" "app.in1.sysdig.com" + "secure_api_endpoint" "app.in1.sysdig.com" + "secure_ui" "app.in1.sysdig.com/secure") "me2" (dict "collector_endpoint" "ingest.me2.sysdig.com" "monitor_api_endpoint" "app.me2.sysdig.com" "secure_api_endpoint" "app.me2.sysdig.com" "secure_ui" "app.me2.sysdig.com/secure") + "me2-alt" (dict "collector_endpoint" "ingest-alt.me2.sysdig.com" + "monitor_api_endpoint" "app.me2.sysdig.com" + "secure_api_endpoint" "app.me2.sysdig.com" + "secure_ui" "app.me2.sysdig.com/secure") "us1" (dict "collector_endpoint" "collector.sysdigcloud.com" "monitor_api_endpoint" "app.sysdigcloud.com" "secure_api_endpoint" "secure.sysdig.com" "secure_ui" "secure.sysdig.com") + "us1-alt" (dict "collector_endpoint" "collector-alt.sysdigcloud.com" + "monitor_api_endpoint" "app.sysdigcloud.com" + "secure_api_endpoint" "secure.sysdig.com" + "secure_ui" "secure.sysdig.com") "us2" (dict "collector_endpoint" "ingest-us2.app.sysdig.com" "monitor_api_endpoint" "us2.app.sysdig.com" 
"secure_api_endpoint" "us2.app.sysdig.com" "secure_ui" "us2.app.sysdig.com/secure") + "us2-alt" (dict "collector_endpoint" "ingest-alt-us2.app.sysdig.com" + "monitor_api_endpoint" "us2.app.sysdig.com" + "secure_api_endpoint" "us2.app.sysdig.com" + "secure_ui" "us2.app.sysdig.com/secure") "us3" (dict "collector_endpoint" "ingest.us3.sysdig.com" "monitor_api_endpoint" "app.us3.sysdig.com" "secure_api_endpoint" "app.us3.sysdig.com" "secure_ui" "app.us3.sysdig.com/secure") + "us3-alt" (dict "collector_endpoint" "ingest-alt.us3.sysdig.com" + "monitor_api_endpoint" "app.us3.sysdig.com" + "secure_api_endpoint" "app.us3.sysdig.com" + "secure_ui" "app.us3.sysdig.com/secure") "us4" (dict "collector_endpoint" "ingest.us4.sysdig.com" "monitor_api_endpoint" "app.us4.sysdig.com" "secure_api_endpoint" "app.us4.sysdig.com" "secure_ui" "app.us4.sysdig.com/secure") + "us4-alt" (dict "collector_endpoint" "ingest-alt.us4.sysdig.com" + "monitor_api_endpoint" "app.us4.sysdig.com" + "secure_api_endpoint" "app.us4.sysdig.com" + "secure_ui" "app.us4.sysdig.com/secure") "au-syd-monitor" (dict "collector_endpoint" "ingest.au-syd.monitoring.cloud.ibm.com" "monitor_api_endpoint" "au-syd.monitoring.cloud.ibm.com" "secure_api_endpoint" "au-syd.security-compliance-secure.cloud.ibm.com" @@ -213,3 +245,19 @@ {{- .Values.sysdig_endpoint.api_url}} {{- end }} {{- end }} + +{{- define "common.is_alt_region" -}} + {{- $altRegions := list + "au1-alt" + "eu1-alt" + "in1-alt" + "me2-alt" + "us1-alt" + "us2-alt" + "us3-alt" + "us4-alt" + -}} + {{- if has .Values.sysdig_endpoint.region $altRegions -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/charts/shield/templates/common/_semver.tpl b/charts/shield/templates/common/_semver.tpl new file mode 100644 index 000000000..76e3f6b38 --- /dev/null +++ b/charts/shield/templates/common/_semver.tpl 
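Review bot: `common.is_alt_region` re-lists the eight `-alt` keys that the region dict in the previous hunk already defines, so a ninth alt region added to the dict without touching this list would silently behave as a regular region (no collector port override in the host templates that call this helper). Deriving the answer from the key itself keeps the two in sync and still yields empty for a null region: `{{- if hasSuffix "-alt" (.Values.sysdig_endpoint.region | default "") -}}`. The define also has no comment, and nothing in this file says what an alt region is; a line such as `{{/* "-alt" regions share the API/UI hosts of their base region but ingest through a separate collector host (and, per the host templates, port 6443) - operators maintaining egress allow-lists need both. */}}` would carry that for anyone reading the region table.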
@@ -0,0 +1,5 @@ +{{- define "common.semver.is_valid" -}} + {{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" . -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/charts/shield/templates/host/_configmap_helpers.tpl b/charts/shield/templates/host/_configmap_helpers.tpl index 9f4dd9c06..e69662792 100644 --- a/charts/shield/templates/host/_configmap_helpers.tpl +++ b/charts/shield/templates/host/_configmap_helpers.tpl @@ -43,13 +43,6 @@ {{- $config | toYaml }} {{- end }} -{{/* Check if semver. The regex is from the code of the library Helm uses for semver. */}} -{{- define "shield.is_semver" -}} - {{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" . }} - true - {{- end -}} -{{- end -}} - {{- define "host.features.netsec_enabled" }} {{- if or .Values.features.investigations.network_security.enabled (dig "network_topology" "enabled" false .Values.host.additional_settings) }} @@ -73,7 +66,7 @@ true {{/* Calculate the agent mode based on enabled features */}} {{- define "host.configmap.agent_mode" }} {{- $mode := "secure_light" }} -{{- if and (include "host.features.netsec_enabled" .) (include "shield.is_semver" .Values.host.image.tag) (semverCompare "< 13.9.0" .Values.host.image.tag) }} +{{- if and (include "host.features.netsec_enabled" .) (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.9.0" .Values.host.image.tag) }} {{- $mode = "secure" }} {{- end }} {{- if (include "host.features.monitor_enabled" .) }} 
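Review bot: `common.semver.is_valid` drops the provenance comment that the removed `shield.is_semver` carried (`{{/* Check if semver. The regex is from the code of the library Helm uses for semver. */}}`), and its contract is now relied on from three templates, so it should say what it accepts and returns. The regex is the loose form used by the semver library behind `semverCompare`: a leading `v`, a missing minor or patch (`6`, `6.12`) and pre-release/build suffixes all pass, which is deliberate since `semverCompare` parses the same shapes, but a reader comparing it to strict semver will otherwise assume a bug. I would add above the define: `{{/* Returns "true" when the argument is a version string semverCompare can parse (loose semver: optional leading v, minor/patch optional, pre-release/build allowed); empty otherwise. Regex mirrors the semver library used by Helm. Pass a string - callers use "| default """ for values that may be null, since a nil argument presumably makes regexMatch error rather than return empty (verify). */}}`.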
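Review bot: In `host.configmap.agent_mode` the tag is passed to the new helper as a bare `.Values.host.image.tag`, while the other call sites introduced in this change (`_config.tpl`, `host.windows.supports_alt_regions`) wrap the value in `| default ""`; if the chart allows the tag to be null or a digest-only reference this call site would presumably error inside `regexMatch` rather than fall through (behaviour inherited from `shield.is_semver`, not new here, but the rename is the natural moment to align it). I would write `(include "common.semver.is_valid" (.Values.host.image.tag | default ""))` here and in the two `< 13.10.0` checks in the following hunks. The define continues past the end of the hunk.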
@@ -115,7 +108,7 @@ true
 {{- define "host.dragent_yaml.host_scanner" }}
 {{- $config := dict }}
 {{- $config = merge $config (dict "host_fs_mount_path" "/host") }}
- {{- if and (include "shield.is_semver" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
+ {{- if and (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
 {{- $config = merge $config (dict "verify_certificate" false) }}
 {{- end }}
 {{- if hasKey .Values.host.additional_settings "host_scanner" }}
@@ -128,7 +121,7 @@ true
 {{- $config := dict }}
 {{- $respond := get .Values.features (include "host.respond_key" .Values.features) }}
 {{- $rapid_response := omit (get $respond "rapid_response") "password" }}
- {{- if and (include "shield.is_semver" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
+ {{- if and (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
 {{- $rapid_response = merge $rapid_response (dict "tls_skip_check" true) }}
 {{- end }}
 {{ $rapid_response | toJson }}
@@ -142,6 +135,9 @@ true
 {{- if not .Values.ssl.verify }}
 {{- $config = merge $config (dict "ssl_verify_certificate" false) }}
 {{- end }}
+{{- if (include "common.is_alt_region" .) -}}
+ {{- $_ := set $config "collector_port" 6443 -}}
+{{- end -}}
 {{- if .Values.features.kubernetes_metadata.enabled }}
 {{- $_ := set $config "k8s_delegated_nodes" (dig "k8s_delegated_nodes" 0 .Values.host.additional_settings) -}}
 {{- else if hasKey .Values.host.additional_settings "k8s_delegated_nodes" }}
diff --git a/charts/shield/templates/host/_windows_configmap_helpers.tpl b/charts/shield/templates/host/_windows_configmap_helpers.tpl
index d11b1d97d..74c87039e 100644
--- a/charts/shield/templates/host/_windows_configmap_helpers.tpl
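Review bot: The alt-region collector port is the bare literal `6443` here and again twice in `_windows_configmap_helpers.tpl` in this same change, with nothing tying the three together or saying why alt regions need a non-default port. I would keep the value in one named define and cast at the call site, `{{- $_ := set $config "collector_port" (include "common.alt_region_collector_port" . | int) -}}`, since `include` yields a string and `toYaml` would otherwise render `collector_port: "6443"`, plus a comment on the `if` such as `{{/* "-alt" regions ingest on 6443 instead of the collector default; keep egress rules in step */}}`. It is also not visible in this hunk whether a `collector_port` supplied through `host.additional_settings` is merged before or after this line, so which value wins for an alt region should be confirmed and stated. The enclosing define starts before the hunk.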
+++ b/charts/shield/templates/host/_windows_configmap_helpers.tpl @@ -41,6 +41,14 @@ {{- $_ := set $sysdigEndpointConfig $k $v -}} {{- end -}} {{- end -}} +{{- if (include "common.is_alt_region" .) -}} + {{- if not (include "host.windows.supports_alt_regions" .) -}} + {{- $_ := set $sysdigEndpointConfig "region" "custom" -}} + {{- $_ := set $sysdigEndpointConfig "api_url" (printf "https://%s" (include "common.secure_api_endpoint" .)) -}} + {{- $_ := set $sysdigEndpointConfig.collector "host" (include "common.collector_endpoint" .) -}} + {{- $_ := set $sysdigEndpointConfig.collector "port" 6443 -}} + {{- end -}} +{{- end -}} {{- $_ := set $config "sysdig_endpoint" $sysdigEndpointConfig -}} {{- with .Values.features.posture }} @@ -64,12 +72,25 @@ {{- $finalConfig | toYaml }} {{- end }} +{{- define "host.windows.supports_alt_regions" -}} + {{- if (include "common.semver.is_valid" (.Values.host_windows.image.tag | default "")) -}} + {{- if semverCompare "> 0.7.1" .Values.host_windows.image.tag -}} + {{- true -}} + {{- end -}} + {{- else -}} + {{- true -}} + {{- end -}} +{{- end -}} + {{/* Generate the 'dragent.yaml' content */}} {{- define "host.windows.configmap" }} {{- $config := dict "k8s_cluster_name" .Values.cluster_config.name "collector" (include "common.collector_endpoint" .) }} +{{- if (include "common.is_alt_region" .) -}} + {{- $_ := set $config "collector_port" 6443 -}} +{{- end -}} {{- if .Values.cluster_config.tags -}} {{- $tagList := list }} {{- range $k, $v := .Values.cluster_config.tags }} diff --git a/charts/shield/tests/host/configmap-dragent-yaml_test.yaml b/charts/shield/tests/host/configmap-dragent-yaml_test.yaml index 86002e4f5..69b6a303e 100644 --- a/charts/shield/tests/host/configmap-dragent-yaml_test.yaml +++ b/charts/shield/tests/host/configmap-dragent-yaml_test.yaml 
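Review bot: The fallback in the first hunk does `set $sysdigEndpointConfig.collector "host" ...` and assumes `collector` is already a map; the `> 0.7.1` test in this change renders `collector: {}` when its children are null, which suggests the copying loop above drops nil values, so a values file with `sysdig_endpoint.collector: null` would presumably leave no map to set on and make the template fail (verify). A guard before the two collector sets, `{{- if not (kindIs "map" $sysdigEndpointConfig.collector) -}}{{- $_ := set $sysdigEndpointConfig "collector" dict -}}{{- end -}}`, closes that. The block also silently rewrites the operator's `region` to `custom` and overwrites `api_url`; a comment such as `{{/* host-shield <= 0.7.1 does not know the "-alt" region names: expand them into explicit custom endpoints (port 6443) */}}` would explain the rendered config when someone diffs it against their values. The enclosing define starts before the hunk.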
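Review bot: `host.windows.supports_alt_regions` has no comment, and two of its choices are not obvious from the code: a tag that is not semver-shaped (`latest`, a digest) is treated as supporting alt regions, and `semverCompare "> 0.7.1"` excludes pre-release tags such as `0.7.2-rc1` as I read the Masterminds constraint rules (pre-releases only match constraints that themselves carry a pre-release), so such builds get the `custom` fallback. I would add above the define: `{{/* True when the Windows host-shield image understands "-alt" region names natively (> 0.7.1). Non-semver tags (latest, digests) are assumed recent enough; pre-release tags compare below 0.7.2 and fall back to the custom-endpoint rewrite. */}}`. The `host.windows.configmap` define that follows continues past the end of the hunk.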
@@ -1343,3 +1343,25 @@ tests:
 host_scanner:
 host_fs_mount_path: /host
 verify_certificate: true
+
+ - it: Alternative regions
+ set:
+ sysdig_endpoint:
+ region: "eu1-alt"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: ConfigMap
+ apiVersion: v1
+ name: release-name-shield-host
+ - equal:
+ path: metadata.namespace
+ value: shield-namespace
+ - exists:
+ path: data['dragent.yaml']
+ - matchRegex:
+ path: data['dragent.yaml']
+ pattern: |
+ collector: ingest-alt-eu1.app.sysdig.com
+ collector_port: 6443
diff --git a/charts/shield/tests/host/configmap-windows-dragent-yaml_test.yaml b/charts/shield/tests/host/configmap-windows-dragent-yaml_test.yaml
index 26445e3e2..8e94d9612 100644
--- a/charts/shield/tests/host/configmap-windows-dragent-yaml_test.yaml
+++ b/charts/shield/tests/host/configmap-windows-dragent-yaml_test.yaml
@@ -707,3 +707,25 @@ tests:
 pattern: |
 log:
 console_priority: debug
+
+ - it: Alternative regions
+ set:
+ sysdig_endpoint:
+ region: "eu1-alt"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: ConfigMap
+ apiVersion: v1
+ name: release-name-shield-host-windows
+ - equal:
+ path: metadata.namespace
+ value: shield-namespace
+ - exists:
+ path: data['dragent.yaml']
+ - matchRegex:
+ path: data['dragent.yaml']
+ pattern: |
+ collector: ingest-alt-eu1.app.sysdig.com
+ collector_port: 6443
diff --git a/charts/shield/tests/host/configmap-windows-host-shield-config_test.yaml b/charts/shield/tests/host/configmap-windows-host-shield-config_test.yaml
index 7894405c3..63a59b73c 100644
--- a/charts/shield/tests/host/configmap-windows-host-shield-config_test.yaml
+++ b/charts/shield/tests/host/configmap-windows-host-shield-config_test.yaml
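Review bot: The new case only checks the positive path; nothing asserts that a regular region leaves `collector_port` out of `dragent.yaml`, so a regression in `common.is_alt_region` that matched every region would still pass. I would add a sibling case with `region: "eu1"` and a `notMatchRegex` on `data['dragent.yaml']` with `pattern: collector_port:`, and the same for the Windows dragent test in the next hunk. The dots in `ingest-alt-eu1.app.sysdig.com` are also unescaped regex metacharacters; harmless here, but `ingest-alt-eu1\.app\.sysdig\.com` is what the assertion means.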
@@ -330,3 +330,88 @@ tests:
 pattern: |
 proxy:
 no_proxy: example.com
+
+ - it: Alternative regions (default)
+ set:
+ sysdig_endpoint:
+ region: "eu1-alt"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: ConfigMap
+ apiVersion: v1
+ name: release-name-shield-host-windows
+ - equal:
+ path: metadata.namespace
+ value: shield-namespace
+ - exists:
+ path: data["host-shield.yaml"]
+ - matchRegex:
+ path: data["host-shield.yaml"]
+ pattern: |
+ sysdig_endpoint:
+ api_url: https://eu1.app.sysdig.com
+ collector:
+ host: ingest-alt-eu1.app.sysdig.com
+ port: 6443
+ region: custom
+
+ - it: Alternative regions (host-shield windows version <= 0.7.1)
+ set:
+ sysdig_endpoint:
+ region: "eu1-alt"
+ host_windows:
+ image:
+ tag: "0.7.1"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: ConfigMap
+ apiVersion: v1
+ name: release-name-shield-host-windows
+ - equal:
+ path: metadata.namespace
+ value: shield-namespace
+ - exists:
+ path: data["host-shield.yaml"]
+ - matchRegex:
+ path: data["host-shield.yaml"]
+ pattern: |
+ sysdig_endpoint:
+ api_url: https://eu1.app.sysdig.com
+ collector:
+ host: ingest-alt-eu1.app.sysdig.com
+ port: 6443
+ region: custom
+
+ - it: Alternative regions (host-shield windows version > 0.7.1)
+ set:
+ sysdig_endpoint:
+ region: "eu1-alt"
+ api_url:
+ collector:
+ host:
+ port:
+ host_windows:
+ image:
+ tag: "0.7.2"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ kind: ConfigMap
+ apiVersion: v1
+ name: release-name-shield-host-windows
+ - equal:
+ path: metadata.namespace
+ value: shield-namespace
+ - exists:
+ path: data["host-shield.yaml"]
+ - matchRegex:
+ path: data["host-shield.yaml"]
+ pattern: |
+ sysdig_endpoint:
+ collector: {}
+ region: eu1-alt
diff --git a/charts/shield/values.schema.json b/charts/shield/values.schema.json
index b56f5a214..f55193927 100644
--- a/charts/shield/values.schema.json
+++ b/charts/shield/values.schema.json
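Review bot: The "(default)" case expects the `custom` fallback without pinning `host_windows.image.tag`, so its outcome depends on the chart's default Windows tag being <= 0.7.1 — the day that default is bumped this case fails and the failure will look like a template regression, while today it is indistinguishable from the explicit `0.7.1` case that follows. I would either drop it or repurpose it for the coverage that is missing: a non-semver tag (`tag: "latest"`) that exercises the `else` branch of `host.windows.supports_alt_regions`, which no case here reaches, with an assertion that `region: eu1-alt` survives untouched. The `> 0.7.1` case nulls out `api_url` and the `collector` children in values, presumably so the rendered `sysdig_endpoint` shows only what the template sets itself; a one-line comment saying so would save the next reader the guess.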
@@ -174,6 +174,7 @@
 "au-syd-private-secure",
 "au-syd-secure",
 "au1",
+ "au1-alt",
 "br-sao-monitor",
 "br-sao-private-monitor",
 "br-sao-private-secure",
@@ -191,7 +192,9 @@
 "eu-gb-private-secure",
 "eu-gb-secure",
 "eu1",
+ "eu1-alt",
 "in1",
+ "in1-alt",
 "jp-osa-monitor",
 "jp-osa-private-monitor",
 "jp-osa-private-secure",
@@ -201,6 +204,7 @@
 "jp-tok-private-secure",
 "jp-tok-secure",
 "me2",
+ "me2-alt",
 "us-east-monitor",
 "us-east-private-monitor",
 "us-east-private-secure",
@@ -210,9 +214,13 @@
 "us-south-private-secure",
 "us-south-secure",
 "us1",
+ "us1-alt",
 "us2",
+ "us2-alt",
 "us3",
+ "us3-alt",
 "us4",
+ "us4-alt",
 null
 ]
 },