From 17d6478b14506902ae7bcb3cc391cda438705066 Mon Sep 17 00:00:00 2001
From: Yaron
Date: Tue, 12 Nov 2024 12:19:57 +0200
Subject: [PATCH] fix: update to latest chart (#18)
---
 helm/runtime-sensor/Chart.yaml | 2 +-
 helm/runtime-sensor/templates/_helpers.tpl | 23 +++++++++++++++
 helm/runtime-sensor/templates/daemonset.yaml | 18 ++++++++++--
 .../templates/secretproviderclass.yaml | 28 +++++++++++++++++++
 helm/runtime-sensor/values.schema.json | 12 ++++----
 helm/runtime-sensor/values.yaml | 11 +++++++-
 6 files changed, 83 insertions(+), 11 deletions(-)
 create mode 100644 helm/runtime-sensor/templates/secretproviderclass.yaml
diff --git a/helm/runtime-sensor/Chart.yaml b/helm/runtime-sensor/Chart.yaml
index aace44c..e1572b8 100644
--- a/helm/runtime-sensor/Chart.yaml
+++ b/helm/runtime-sensor/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: runtime-sensor
-version: v1.19.3
+version: v1.60.0
 description: Snyk Runtime Sensor Helm chart
 type: application
 sources:
diff --git a/helm/runtime-sensor/templates/_helpers.tpl b/helm/runtime-sensor/templates/_helpers.tpl
index ebdc801..116c6a4 100644
--- a/helm/runtime-sensor/templates/_helpers.tpl
+++ b/helm/runtime-sensor/templates/_helpers.tpl
@@ -62,3 +62,26 @@ Create the name of the service account to use
 {{- .Values.sensor.podLabels | toYaml }}
 {{- end }}
 {{- end }}
+
+{{- define "runtime-sensor.additionalVolumes" -}}
+{{- if .Values.secretProvider }}
+{{- if eq .Values.secretProvider "aws" }}
+- name: secrets-store-inline
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: {{ include "runtime-sensor.name" . }}-aws-secrets
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "runtime-sensor.additionalVolumeMounts" -}}
+{{- if .Values.secretProvider }}
+{{- if eq .Values.secretProvider "aws" }}
+- name: secrets-store-inline
+ mountPath: "/mnt/secrets-store"
+ readOnly: true
+{{- end }}
+{{- end }}
+{{- end }}
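Review bot: Neither new helper has a header comment, although the existing helpers in this file appear to carry one (the hunk header quotes `Create the name of the service account to use`), and the two blocks encode a coupling a reader cannot see from here. Above `runtime-sensor.additionalVolumes` I would add `{{/* CSI volume for the AWS-backed secret; rendered only when secretProvider is "aws". secretProviderClass must match metadata.name in secretproviderclass.yaml. */}}`, and above `runtime-sensor.additionalVolumeMounts` a comment saying that the mount at `/mnt/secrets-store` is what makes the Secrets Store CSI driver fetch the secret and sync it into the Kubernetes Secret the DaemonSet reads through env, so it has to stay even though nothing in the container reads the files (worth confirming against the driver version in use). The `readOnly: true` on both the volume and the mount is the right default and should be kept.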
diff --git a/helm/runtime-sensor/templates/daemonset.yaml b/helm/runtime-sensor/templates/daemonset.yaml
index b73505e..6efc0f0 100644
--- a/helm/runtime-sensor/templates/daemonset.yaml
+++ b/helm/runtime-sensor/templates/daemonset.yaml
@@ -15,14 +15,18 @@ spec:
 metadata:
 annotations:
 snyk/runtime-sensor: "true"
+ {{- include "runtime-sensor.podAnnotations" . | nindent 8 }}
 labels:
 {{- include "runtime-sensor.selectorLabels" . | nindent 8 }}
 {{- include "runtime-sensor.podLabels" . | nindent 8 }}
 control-plane: runtime-sensor
 spec:
- # This toleration makes sure we run on any node, regardless of taints
 tolerations:
+ {{- if and .Values.tolerations }}
+ {{- .Values.tolerations | toYaml | nindent 8 }}
+ {{- else }}
 - operator: Exists
+ {{- end }}
 {{- if and .Values.imagePullSecret }}
 imagePullSecrets:
 - name: "{{ .Values.imagePullSecret }}"
@@ -65,18 +69,27 @@ spec:
 - name: sysfs
 mountPath: /sys
 readOnly: true
+ {{- include "runtime-sensor.additionalVolumeMounts" . | nindent 12 }}
 env:
 - name: SNYK_TOKEN
 valueFrom:
 secretKeyRef:
- name: {{ required "A secretName is required! Please provide a value" .Values.secretName }}
+ name: {{ required "A snykToken is required! Please provide a value" .Values.secretName }}
 key: "snykToken"
+ - name: GROUPS_SCOPES
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secretName }}
+ key: "groupsScopes"
+ optional: true
 - name: CLUSTER_NAME
 value: "{{ .Values.clusterName }}"
 - name: SNYK_GROUP_ID
 value: "{{ .Values.snykGroupId }}"
 - name: SNYK_API_BASE_URL
 value: "{{ .Values.snykAPIBaseURL }}"
+ - name: SNYK_DEBUG
+ value: "{{ .Values.debug }}"
 envFrom:
 - configMapRef:
 name: env-config-map
@@ -90,3 +103,4 @@ spec:
 - name: sysfs
 hostPath:
 path: /sys
+ {{- include "runtime-sensor.additionalVolumes" . | nindent 8 }}
diff --git a/helm/runtime-sensor/templates/secretproviderclass.yaml b/helm/runtime-sensor/templates/secretproviderclass.yaml
new file mode 100644
index 0000000..0e6c208
--- /dev/null
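Review bot: `{{- if and .Values.tolerations }}` applies `and` to a single operand, which is a no-op, so `{{- if .Values.tolerations }}` expresses the same test; the pre-existing `{{- if and .Values.imagePullSecret }}` has the same shape, so this may be copied house style, but it reads as a leftover. The deleted line `# This toleration makes sure we run on any node, regardless of taints` was the only explanation of the `operator: Exists` default, and after this change a user-supplied `tolerations` list replaces that catch-all rather than extending it, which is a scheduling change worth stating in the `{{- else }}` branch, e.g. `# Default: tolerate every taint so the sensor runs on all nodes; a non-empty .Values.tolerations replaces this list`. The pod spec continues outside the hunk.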
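Review bot: The `required` message for the `SNYK_TOKEN` secretKeyRef now says `A snykToken is required! Please provide a value`, but the value it guards is still `.Values.secretName`, so a user who leaves `secretName` empty is told to supply something the chart has no value for; the previous wording was accurate and I would restore `name: {{ required "A secretName is required! Please provide a value" .Values.secretName }}`, or name both (`secretName must reference a Secret holding a snykToken key`). The new `GROUPS_SCOPES` entry is marked `optional: true`, while the SecretProviderClass added in the same patch always extracts a `groupsScopes` key, so with `secretProvider: aws` a missing key surfaces as a volume-mount failure rather than here; a one-line comment on `optional: true` noting that the key may be absent only in a manually created Secret would make that visible. `SNYK_DEBUG` is rendered from the quoted `.Values.debug`, so it always arrives as a string, which matches the `"false"` default in values.yaml.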
+++ b/helm/runtime-sensor/templates/secretproviderclass.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.secretProvider }}
+{{- if eq .Values.secretProvider "aws" }}
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: {{ include "runtime-sensor.name" . }}-aws-secrets
+ namespace: {{ .Release.Namespace }}
+spec:
+ provider: aws
+ secretObjects:
+ - secretName: {{ .Values.secretName }}
+ type: Opaque
+ data:
+ - key: snykToken
+ objectName: "snykToken"
+ - key: groupsScopes
+ objectName: "groupsScopes"
+ parameters:
+ objects: |
+ - objectName: "{{ .Values.secretName }}"
+ objectType: "secretsmanager"
+ jmesPath:
+ - path: "snykToken"
+ objectAlias: "snykToken"
+ - path: "groupsScopes"
+ objectAlias: "groupsScopes"
+{{- end }}
+{{- end }}
diff --git a/helm/runtime-sensor/values.schema.json b/helm/runtime-sensor/values.schema.json
index 5ef3138..357a1c2 100644
--- a/helm/runtime-sensor/values.schema.json
+++ b/helm/runtime-sensor/values.schema.json
@@ -9,7 +9,6 @@
 "clusterName",
 "snykGroupId",
 "snykAPIBaseURL",
- "replicaCount",
 "nameOverride",
 "sensor"
 ],
@@ -22,12 +21,12 @@
 "snyk-secret", "my-secret"
 ]
 },
- "replicaCount": {
- "type": "integer",
- "default": 0,
- "title": "The replicaCount Schema",
+ "secretProvider": {
+ "default": "none",
+ "type": "string",
+ "title": "Use a different provider to pull the snyk-secret from",
 "examples": [
- 1
+ "aws", "none"
 ]
 },
 "nameOverride": {
@@ -288,7 +287,6 @@
 }
 },
 "examples": [{
- "replicaCount": 1,
 "nameOverride": "",
 "sensor": {
 "image": {
diff --git a/helm/runtime-sensor/values.yaml b/helm/runtime-sensor/values.yaml
index 72179aa..adcc9f5 100644
--- a/helm/runtime-sensor/values.yaml
+++ b/helm/runtime-sensor/values.yaml
@@ -2,7 +2,6 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
-replicaCount: 1
 ## Provide a name in place of runtime-sensor.
 ##
 nameOverride: ""
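Review bot: The new SecretProviderClass depends on prerequisites the template does not state: `secretObjects` only materialises the Kubernetes Secret named by `.Values.secretName` when the Secrets Store CSI driver was installed with secret syncing enabled (its chart's `syncSecret.enabled`, as far as I recall) and only after a pod actually mounts the volume; the AWS Secrets Manager secret is assumed to carry the same name as the Kubernetes Secret (`objectName: "{{ .Values.secretName }}"`) and to be a JSON document with `snykToken` and `groupsScopes` members; and the DaemonSet's service account needs IAM access to read it. I believe the AWS provider fails the mount when a `jmesPath` entry does not resolve, which would make `groupsScopes` mandatory here even though the DaemonSet declares it `optional: true`; either document that the AWS secret must hold both keys or keep the optional key out of `jmesPath`. A `{{/* ... */}}` header listing these requirements, in the style of the existing helper comments, would turn an opaque mount failure into something users can fix from values.yaml. Reusing `secretName` as the AWS secret name also means the two can never differ; if that is intended, the comment should say so.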
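Review bot: `secretProvider` is validated only as a string with `"aws"` and `"none"` listed under `examples`, which JSON Schema does not enforce, so a misspelling such as `AWS` or an unsupported backend passes `helm install` and silently renders neither the SecretProviderClass nor the CSI volume, leaving the pod waiting for a Secret nothing creates. Replacing the `examples` array with `"enum": ["aws", "none"]` (keeping `"default": "none"`) turns that into an install-time error. The `title` is the only description of the field; a `description` stating that `aws` expects the secret in AWS Secrets Manager under the name given by `secretName` would document the coupling the templates rely on.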
@@ -11,6 +10,16 @@ snykGroupId: "ffffffff-ffff-ffff-ffff-fffffffffffff"
 snykAPIBaseURL: api.snyk.io:443
 ### Provide the name of the secret
 secretName: snyk-secret
+
+ # Debug node
+ debug: "false"
+
+ ### Secret provider details
+ secretProvider: none
+
+ # Tolerations allow pods to be scheduled on nodes with specific taints
+ tolerations: []
+
 ## Provide Snyk runtime sensor container image and resources.
 sensor:
 image:
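Review bot: The comments on the new keys do not say what the values do: `# Debug node` above `debug: "false"` looks like a typo for "mode" and does not mention that the value is handed to the sensor as the `SNYK_DEBUG` environment variable (as a string, hence the quotes), and `### Secret provider details` gives no accepted values for `secretProvider`. I would write `# Debug flag passed to the sensor as the SNYK_DEBUG env var; keep it quoted, it is consumed as a string` and `### Secret provider: "none" uses the Kubernetes Secret named by secretName as-is; "aws" additionally renders a SecretProviderClass that pulls an AWS Secrets Manager secret of the same name (JSON with snykToken and groupsScopes keys) into that Secret via the Secrets Store CSI driver`. The `tolerations` comment should also state that a non-empty list replaces the default `operator: Exists` catch-all rather than adding to it, since that silently narrows where the sensor is scheduled.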