feat(shield): allow support for alt regions

charts/shield/Chart.yaml

@@ -13,5 +13,5 @@ maintainers:
   - name: mavimo
     email: marcovito.moscaritolo@sysdig.com
 type: application
-version: 1.5.0
+version: 1.5.1
 appVersion: "1.0.0"

charts/shield/templates/cluster/_config.tpl

@@ -60,7 +60,7 @@
       "ca_cert_file" (printf "%s%s" (include "cluster.tls_certificates.mount_path" .) (include "cluster.tls_certificates.ca_cert_file_name" .))
     ) -}}
     {{- if (include "cluster.audit_enabled" .) -}}
-      {{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" (.Values.on_prem_version | default "") -}}
+      {{- if (include "common.semver.is_valid" (.Values.on_prem_version | default "")) -}}
         {{- if semverCompare "< 6.12.0" .Values.on_prem_version -}}
           {{- if not (include "common.credentials.has_secure_api_token" . ) -}}
             {{- fail "Secure API Token is required for kubernetes audit with On Premise Versions < 6.12.0" -}}
@@ -83,7 +83,7 @@
       {{- $_ := set $clusterScannerConfig "leader_election_lock_name" (include "cluster.container_vulnerability_management_lease_name" .) -}}
       {{- $_ := set $config "cluster_scanner" $clusterScannerConfig -}}
 
-      {{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" (.Values.on_prem_version | default "") -}}
+      {{- if (include "common.semver.is_valid" (.Values.on_prem_version | default "")) -}}
         {{- if semverCompare "< 6.12.0" .Values.on_prem_version -}}
           {{- $_ := set $config.features.container_vulnerability_management "platform_services_enabled" false -}}
         {{- end -}}

charts/shield/templates/common/_regions.tpl

@@ -3,34 +3,66 @@
                                    "monitor_api_endpoint" "app.au1.sysdig.com"
                                    "secure_api_endpoint"  "app.au1.sysdig.com"
                                    "secure_ui"           "app.au1.sysdig.com/secure")
+                       "au1-alt" (dict "collector_endpoint"  "ingest-alt.au1.sysdig.com"
+                                   "monitor_api_endpoint" "app.au1.sysdig.com"
+                                   "secure_api_endpoint"  "app.au1.sysdig.com"
+                                   "secure_ui"           "app.au1.sysdig.com/secure")
                        "eu1" (dict "collector_endpoint"  "ingest-eu1.app.sysdig.com"
                                    "monitor_api_endpoint" "eu1.app.sysdig.com"
                                    "secure_api_endpoint"  "eu1.app.sysdig.com"
                                    "secure_ui"           "eu1.app.sysdig.com/secure")
+                       "eu1-alt" (dict "collector_endpoint"  "ingest-alt-eu1.app.sysdig.com"
+                                   "monitor_api_endpoint" "eu1.app.sysdig.com"
+                                   "secure_api_endpoint"  "eu1.app.sysdig.com"
+                                   "secure_ui"           "eu1.app.sysdig.com/secure")
                        "in1" (dict "collector_endpoint"  "ingest.in1.sysdig.com"
                                    "monitor_api_endpoint" "app.in1.sysdig.com"
                                    "secure_api_endpoint"  "app.in1.sysdig.com"
                                    "secure_ui"           "app.in1.sysdig.com/secure")
+                       "in1-alt" (dict "collector_endpoint"  "ingest-alt.in1.sysdig.com"
+                                   "monitor_api_endpoint" "app.in1.sysdig.com"
+                                   "secure_api_endpoint"  "app.in1.sysdig.com"
+                                   "secure_ui"           "app.in1.sysdig.com/secure")
                        "me2" (dict "collector_endpoint"  "ingest.me2.sysdig.com"
                                    "monitor_api_endpoint" "app.me2.sysdig.com"
                                    "secure_api_endpoint"  "app.me2.sysdig.com"
                                    "secure_ui"           "app.me2.sysdig.com/secure")
+                       "me2-alt" (dict "collector_endpoint"  "ingest-alt.me2.sysdig.com"
+                                   "monitor_api_endpoint" "app.me2.sysdig.com"
+                                   "secure_api_endpoint"  "app.me2.sysdig.com"
+                                   "secure_ui"           "app.me2.sysdig.com/secure")
                        "us1" (dict "collector_endpoint"  "collector.sysdigcloud.com"
                                    "monitor_api_endpoint" "app.sysdigcloud.com"
                                    "secure_api_endpoint"  "secure.sysdig.com"
                                    "secure_ui"           "secure.sysdig.com")
+                       "us1-alt" (dict "collector_endpoint"  "collector-alt.sysdigcloud.com"
+                                   "monitor_api_endpoint" "app.sysdigcloud.com"
+                                   "secure_api_endpoint"  "secure.sysdig.com"
+                                   "secure_ui"           "secure.sysdig.com")
                        "us2" (dict "collector_endpoint"  "ingest-us2.app.sysdig.com"
                                    "monitor_api_endpoint" "us2.app.sysdig.com"
                                    "secure_api_endpoint"  "us2.app.sysdig.com"
                                    "secure_ui"           "us2.app.sysdig.com/secure")
+                       "us2-alt" (dict "collector_endpoint"  "ingest-alt-us2.app.sysdig.com"
+                                   "monitor_api_endpoint" "us2.app.sysdig.com"
+                                   "secure_api_endpoint"  "us2.app.sysdig.com"
+                                   "secure_ui"           "us2.app.sysdig.com/secure")
                        "us3" (dict "collector_endpoint"  "ingest.us3.sysdig.com"
                                    "monitor_api_endpoint" "app.us3.sysdig.com"
                                    "secure_api_endpoint"  "app.us3.sysdig.com"
                                    "secure_ui"           "app.us3.sysdig.com/secure")
+                       "us3-alt" (dict "collector_endpoint"  "ingest-alt.us3.sysdig.com"
+                                   "monitor_api_endpoint" "app.us3.sysdig.com"
+                                   "secure_api_endpoint"  "app.us3.sysdig.com"
+                                   "secure_ui"           "app.us3.sysdig.com/secure")
                        "us4" (dict "collector_endpoint"  "ingest.us4.sysdig.com"
                                    "monitor_api_endpoint" "app.us4.sysdig.com"
                                    "secure_api_endpoint"  "app.us4.sysdig.com"
                                    "secure_ui"           "app.us4.sysdig.com/secure")
+                       "us4-alt" (dict "collector_endpoint"  "ingest-alt.us4.sysdig.com"
+                                   "monitor_api_endpoint" "app.us4.sysdig.com"
+                                   "secure_api_endpoint"  "app.us4.sysdig.com"
+                                   "secure_ui"           "app.us4.sysdig.com/secure")
                       "au-syd-monitor"   (dict "collector_endpoint"  "ingest.au-syd.monitoring.cloud.ibm.com"
                                                "monitor_api_endpoint" "au-syd.monitoring.cloud.ibm.com"
                                                "secure_api_endpoint"  "au-syd.security-compliance-secure.cloud.ibm.com"
@@ -213,3 +245,19 @@
     {{- .Values.sysdig_endpoint.api_url}}
   {{- end }}
 {{- end }}
+
+{{- define "common.is_alt_region" -}}
+  {{- $altRegions := list
+    "au1-alt"
+    "eu1-alt"
+    "in1-alt"
+    "me2-alt"
+    "us1-alt"
+    "us2-alt"
+    "us3-alt"
+    "us4-alt"
+  -}}
+  {{- if has .Values.sysdig_endpoint.region $altRegions -}}
+    {{- true -}}
+  {{- end -}}
+{{- end -}}

charts/shield/templates/common/_semver.tpl

@@ -0,0 +1,5 @@
+{{- define "common.semver.is_valid" -}}
+  {{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" . -}}
+    {{- true -}}
+  {{- end -}}
+{{- end -}}

charts/shield/templates/host/_configmap_helpers.tpl

@@ -43,13 +43,6 @@
 {{- $config | toYaml }}
 {{- end }}
 
-{{/* Check if semver. The regex is from the code of the library Helm uses for semver. */}}
-{{- define "shield.is_semver" -}}
-    {{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" . }}
-        true
-    {{- end -}}
-{{- end -}}
-
 {{- define "host.features.netsec_enabled" }}
 {{- if or .Values.features.investigations.network_security.enabled
           (dig "network_topology" "enabled" false .Values.host.additional_settings) }}
@@ -73,7 +66,7 @@ true
 {{/* Calculate the agent mode based on enabled features */}}
 {{- define "host.configmap.agent_mode" }}
 {{- $mode := "secure_light" }}
-{{- if and (include "host.features.netsec_enabled" .) (include "shield.is_semver" .Values.host.image.tag) (semverCompare "< 13.9.0" .Values.host.image.tag) }}
+{{- if and (include "host.features.netsec_enabled" .) (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.9.0" .Values.host.image.tag) }}
 {{- $mode = "secure" }}
 {{- end }}
 {{- if (include "host.features.monitor_enabled" .) }}
@@ -115,7 +108,7 @@ true
 {{- define "host.dragent_yaml.host_scanner" }}
   {{- $config := dict }}
   {{- $config = merge $config (dict "host_fs_mount_path" "/host") }}
-  {{- if and (include "shield.is_semver" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
+  {{- if and (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
     {{- $config = merge $config (dict "verify_certificate" false) }}
   {{- end }}
   {{- if hasKey .Values.host.additional_settings "host_scanner" }}
@@ -128,7 +121,7 @@ true
   {{- $config := dict }}
   {{- $respond := get .Values.features (include "host.respond_key" .Values.features) }}
   {{- $rapid_response := omit (get $respond "rapid_response") "password" }}
-  {{- if and (include "shield.is_semver" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
+  {{- if and (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
     {{- $rapid_response = merge $rapid_response (dict "tls_skip_check" true) }}
   {{- end }}
   {{ $rapid_response | toJson }}
@@ -142,6 +135,9 @@ true
 {{- if not .Values.ssl.verify }}
   {{- $config = merge $config (dict "ssl_verify_certificate" false) }}
 {{- end }}
+{{- if (include "common.is_alt_region" .) -}}
+  {{- $_ := set $config "collector_port" 6443 -}}
+{{- end -}}
 {{- if .Values.features.kubernetes_metadata.enabled }}
   {{- $_ := set $config "k8s_delegated_nodes" (dig "k8s_delegated_nodes" 0 .Values.host.additional_settings) -}}
 {{- else if hasKey .Values.host.additional_settings "k8s_delegated_nodes" }}

charts/shield/templates/host/_windows_configmap_helpers.tpl

@@ -41,6 +41,14 @@
         {{- $_ := set $sysdigEndpointConfig $k $v -}}
     {{- end -}}
 {{- end -}}
+{{- if (include "common.is_alt_region" .) -}}
+  {{- if not (include "host.windows.supports_alt_regions" .) -}}
+    {{- $_ := set $sysdigEndpointConfig "region" "custom" -}}
+    {{- $_ := set $sysdigEndpointConfig "api_url" (printf "https://%s" (include "common.secure_api_endpoint" .)) -}}
+    {{- $_ := set $sysdigEndpointConfig.collector "host" (include "common.collector_endpoint" .) -}}
+    {{- $_ := set $sysdigEndpointConfig.collector "port" 6443 -}}
+  {{- end -}}
+{{- end -}}
 {{- $_ := set $config "sysdig_endpoint" $sysdigEndpointConfig -}}
 
 {{- with .Values.features.posture }}
@@ -64,12 +72,25 @@
 {{- $finalConfig | toYaml }}
 {{- end }}
 
+{{- define "host.windows.supports_alt_regions" -}}
+  {{- if (include "common.semver.is_valid" (.Values.host_windows.image.tag | default "")) -}}
+    {{- if semverCompare "> 0.7.1" .Values.host_windows.image.tag -}}
+      {{- true -}}
+    {{- end -}}
+  {{- else -}}
+    {{- true -}}
+  {{- end -}}
+{{- end -}}
+
 {{/* Generate the 'dragent.yaml' content */}}
 {{- define "host.windows.configmap" }}
 {{- $config := dict
   "k8s_cluster_name" .Values.cluster_config.name
   "collector" (include "common.collector_endpoint" .)
 }}
+{{- if (include "common.is_alt_region" .) -}}
+  {{- $_ := set $config "collector_port" 6443 -}}
+{{- end -}}
 {{- if .Values.cluster_config.tags -}}
   {{- $tagList := list }}
   {{- range $k, $v := .Values.cluster_config.tags }}

charts/shield/tests/host/configmap-dragent-yaml_test.yaml

@@ -1343,3 +1343,25 @@ tests:
             host_scanner:
               host_fs_mount_path: /host
               verify_certificate: true
+
+  - it: Alternative regions
+    set:
+      sysdig_endpoint:
+        region: "eu1-alt"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: release-name-shield-host
+      - equal:
+          path: metadata.namespace
+          value: shield-namespace
+      - exists:
+          path: data['dragent.yaml']
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |
+            collector: ingest-alt-eu1.app.sysdig.com
+            collector_port: 6443

charts/shield/tests/host/configmap-windows-dragent-yaml_test.yaml

@@ -707,3 +707,25 @@ tests:
           pattern: |
             log:
               console_priority: debug
+
+  - it: Alternative regions
+    set:
+      sysdig_endpoint:
+        region: "eu1-alt"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: release-name-shield-host-windows
+      - equal:
+          path: metadata.namespace
+          value: shield-namespace
+      - exists:
+          path: data['dragent.yaml']
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |
+            collector: ingest-alt-eu1.app.sysdig.com
+            collector_port: 6443

charts/shield/tests/host/configmap-windows-host-shield-config_test.yaml

@@ -330,3 +330,88 @@ tests:
           pattern: |
             proxy:
               no_proxy: example.com
+
+  - it: Alternative regions (default)
+    set:
+      sysdig_endpoint:
+        region: "eu1-alt"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: release-name-shield-host-windows
+      - equal:
+          path: metadata.namespace
+          value: shield-namespace
+      - exists:
+          path: data["host-shield.yaml"]
+      - matchRegex:
+          path: data["host-shield.yaml"]
+          pattern: |
+            sysdig_endpoint:
+              api_url: https://eu1.app.sysdig.com
+              collector:
+                host: ingest-alt-eu1.app.sysdig.com
+                port: 6443
+              region: custom
+
+  - it: Alternative regions (host-shield windows version <= 0.7.1)
+    set:
+      sysdig_endpoint:
+        region: "eu1-alt"
+      host_windows:
+        image:
+          tag: "0.7.1"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: release-name-shield-host-windows
+      - equal:
+          path: metadata.namespace
+          value: shield-namespace
+      - exists:
+          path: data["host-shield.yaml"]
+      - matchRegex:
+          path: data["host-shield.yaml"]
+          pattern: |
+            sysdig_endpoint:
+              api_url: https://eu1.app.sysdig.com
+              collector:
+                host: ingest-alt-eu1.app.sysdig.com
+                port: 6443
+              region: custom
+
+  - it: Alternative regions (host-shield windows version > 0.7.1)
+    set:
+      sysdig_endpoint:
+        region: "eu1-alt"
+        api_url:
+        collector:
+          host:
+          port:
+      host_windows:
+        image:
+          tag: "0.7.2"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: release-name-shield-host-windows
+      - equal:
+          path: metadata.namespace
+          value: shield-namespace
+      - exists:
+          path: data["host-shield.yaml"]
+      - matchRegex:
+          path: data["host-shield.yaml"]
+          pattern: |
+            sysdig_endpoint:
+              collector: {}
+              region: eu1-alt

charts/shield/values.schema.json

@@ -174,6 +174,7 @@
             "au-syd-private-secure",
             "au-syd-secure",
             "au1",
+            "au1-alt",
             "br-sao-monitor",
             "br-sao-private-monitor",
             "br-sao-private-secure",
@@ -191,7 +192,9 @@
             "eu-gb-private-secure",
             "eu-gb-secure",
             "eu1",
+            "eu1-alt",
             "in1",
+            "in1-alt",
             "jp-osa-monitor",
             "jp-osa-private-monitor",
             "jp-osa-private-secure",
@@ -201,6 +204,7 @@
             "jp-tok-private-secure",
             "jp-tok-secure",
             "me2",
+            "me2-alt",
             "us-east-monitor",
             "us-east-private-monitor",
             "us-east-private-secure",
@@ -210,9 +214,13 @@
             "us-south-private-secure",
             "us-south-secure",
             "us1",
+            "us1-alt",
             "us2",
+            "us2-alt",
             "us3",
+            "us3-alt",
             "us4",
+            "us4-alt",
             null
           ]
         },