fix: update to latest chart (#18)

helm/runtime-sensor/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: runtime-sensor
-version: v1.19.3
+version: v1.60.0
 description: Snyk Runtime Sensor Helm chart
 type: application
 sources:

helm/runtime-sensor/templates/_helpers.tpl

@@ -62,3 +62,26 @@ Create the name of the service account to use
 {{- .Values.sensor.podLabels | toYaml }}
 {{- end }}
 {{- end }}
+
+{{- define "runtime-sensor.additionalVolumes" -}}
+{{- if .Values.secretProvider }}
+{{- if eq .Values.secretProvider "aws" }}
+- name: secrets-store-inline
+  csi:
+    driver: secrets-store.csi.k8s.io
+    readOnly: true
+    volumeAttributes:
+      secretProviderClass: {{ include "runtime-sensor.name" . }}-aws-secrets
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "runtime-sensor.additionalVolumeMounts" -}}
+{{- if .Values.secretProvider }}
+{{- if eq .Values.secretProvider "aws" }}
+- name: secrets-store-inline
+  mountPath: "/mnt/secrets-store"
+  readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}

helm/runtime-sensor/templates/daemonset.yaml

@@ -15,14 +15,18 @@ spec:
     metadata:
       annotations:
         snyk/runtime-sensor: "true"
+        {{- include "runtime-sensor.podAnnotations" . | nindent 8 }}
       labels:
         {{- include "runtime-sensor.selectorLabels" . | nindent 8 }}
         {{- include "runtime-sensor.podLabels" . | nindent 8 }}
         control-plane: runtime-sensor
     spec:
-      # This toleration makes sure we run on any node, regardless of taints
       tolerations:
+      {{- if and .Values.tolerations }}
+        {{- .Values.tolerations | toYaml | nindent 8 }}
+      {{- else }}
         - operator: Exists
+      {{- end }}
       {{- if and .Values.imagePullSecret }}
       imagePullSecrets:
         - name: "{{ .Values.imagePullSecret }}"
@@ -65,18 +69,27 @@ spec:
             - name: sysfs
               mountPath: /sys
               readOnly: true
+            {{- include "runtime-sensor.additionalVolumeMounts" . | nindent 12 }}
           env:
             - name: SNYK_TOKEN
               valueFrom:
                 secretKeyRef:
-                  name: {{ required "A secretName is required! Please provide a value" .Values.secretName }}
+                  name: {{ required "A snykToken is required! Please provide a value" .Values.secretName }}
                   key: "snykToken"
+            - name: GROUPS_SCOPES
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.secretName }}
+                  key: "groupsScopes"
+                  optional: true
             - name: CLUSTER_NAME
               value: "{{ .Values.clusterName }}"
             - name: SNYK_GROUP_ID
               value: "{{ .Values.snykGroupId }}"
             - name: SNYK_API_BASE_URL
               value: "{{ .Values.snykAPIBaseURL }}"
+            - name: SNYK_DEBUG
+              value: "{{ .Values.debug }}"
           envFrom:
           - configMapRef:
               name: env-config-map
@@ -90,3 +103,4 @@ spec:
         - name: sysfs
           hostPath:
             path: /sys
+        {{- include "runtime-sensor.additionalVolumes" . | nindent 8 }}

helm/runtime-sensor/templates/secretproviderclass.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.secretProvider }}
+{{- if eq .Values.secretProvider "aws" }}
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: {{ include "runtime-sensor.name" . }}-aws-secrets
+  namespace: {{ .Release.Namespace }}
+spec:
+  provider: aws
+  secretObjects:
+  - secretName: {{ .Values.secretName }}
+    type: Opaque
+    data:
+      - key: snykToken
+        objectName: "snykToken"
+      - key: groupsScopes
+        objectName: "groupsScopes"
+  parameters:
+    objects: |
+        - objectName: "{{ .Values.secretName }}"
+          objectType: "secretsmanager"
+          jmesPath:
+              - path: "snykToken"
+                objectAlias: "snykToken"
+              - path: "groupsScopes"
+                objectAlias: "groupsScopes"
+{{- end }}
+{{- end }}

helm/runtime-sensor/values.schema.json

@@ -9,7 +9,6 @@
         "clusterName",
         "snykGroupId",
         "snykAPIBaseURL",
-        "replicaCount",
         "nameOverride",
         "sensor"
     ],
@@ -22,12 +21,12 @@
                 "snyk-secret", "my-secret"
             ]
         },
-        "replicaCount": {
-            "type": "integer",
-            "default": 0,
-            "title": "The replicaCount Schema",
+        "secretProvider": {
+            "default": "none",
+            "type": "string",
+            "title": "Use a different provider to pull the snyk-secret from",
             "examples": [
-                1
+                "aws", "none"
             ]
         },
         "nameOverride": {
@@ -288,7 +287,6 @@
         }
     },
     "examples": [{
-        "replicaCount": 1,
         "nameOverride": "",
         "sensor": {
             "image": {

helm/runtime-sensor/values.yaml

@@ -2,7 +2,6 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-replicaCount: 1
 ## Provide a name in place of runtime-sensor.
 ##
 nameOverride: ""
@@ -11,6 +10,16 @@ snykGroupId: "ffffffff-ffff-ffff-ffff-fffffffffffff"
 snykAPIBaseURL: api.snyk.io:443
 ### Provide the name of the secret
 secretName: snyk-secret
+
+# Debug node
+debug: "false"
+
+### Secret provider details
+secretProvider: none
+
+# Tolerations allow pods to be scheduled on nodes with specific taints
+tolerations: []
+
 ## Provide Snyk runtime sensor container image and resources.
 sensor:
   image: