From 504a50682dd325bcb5625375de7d3e15a7e1817e Mon Sep 17 00:00:00 2001 From: Adam Stirk <67702268+adamstirk-ct@users.noreply.github.com> Date: Thu, 4 Aug 2022 12:55:09 +0100 Subject: [PATCH 01/22] Add additional volumes/volume mounts Add additional volumes and volume mounts to the vuln scan scheduler cronjob. --- README.md | 2 ++ .../assets/armo-vulnscan-cronjob-full.yaml | 14 ++++++++++++-- charts/armo-components/values.yaml | 6 ++++++ 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 178061b..5c65bd3 100644 --- a/README.md +++ b/README.md @@ -80,6 +80,8 @@ helm upgrade --install armo armo/armo-cluster-components -n armo-system --creat | armoVulnScanner.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) | | armoVulnScanner.volumes | object | `[]` | Additional volumes for the image vulnerability scanning | | armoVulnScanner.volumeMounts | object | `[]` | Additional volumeMounts for the image vulnerability scanning | +| armoVulnScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler | +| armoVulnScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler | | armoWebsocket.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment | | armoWebsocket.enabled | bool | `true` | enable/disable kubescape and image vulnerability scanning | | armoWebsocket.image.repository | string | `"quay.io/armosec/action-trigger"` | [source code](https://github.com/armosec/k8s-ca-websocket) (private repo) | diff --git a/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml b/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml index 1bc2178..d9d8158 100644 --- a/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml +++ b/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml 
@@ -32,12 +32,22 @@ apiVersion: batch/v1 mountPath: /home/armo/request-body.json subPath: request-body.json readOnly: true +{{- if .Values.volumeMounts }} +{{ toYaml .Values.volumeMounts | indent 18 }} +{{- end }} +{{- if .Values.armoVulnScanScheduler.volumeMounts }} +{{ toYaml .Values.armoVulnScanScheduler.volumeMounts | indent 18 }} +{{- end }} restartPolicy: Never automountServiceAccountToken: false volumes: - name: "request-body-volume" # placeholder configMap: name: {{ .Values.armoVulnScanScheduler.name }} - - +{{- if .Values.volumes }} +{{ toYaml .Values.volumes | indent 16 }} +{{- end }} +{{- if .Values.armoVulnScanScheduler.volumes }} +{{ toYaml .Values.armoVulnScanScheduler.volumes | indent 16 }} +{{- end }} \ No newline at end of file diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index d410d28..9095306 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -271,6 +271,12 @@ armoVulnScanScheduler: replicaCount: 1 + # Additional volumes to be mounted on the vuln scan scheduler + volumes: [] + + # Additional volumeMounts to be mounted on the vuln scan scheduler + volumeMounts: [] + # image vulnerability scanning microservice armoVulnScanner: From f329df4253dc94eb9fcca196508a126091fb4ddb Mon Sep 17 00:00:00 2001 From: Daniel-GrunbergerCA Date: Mon, 8 Aug 2022 10:29:06 +0300 Subject: [PATCH 02/22] update websocket tag --- charts/armo-components/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index d410d28..dc7d378 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -216,7 +216,7 @@ armoWebsocket: image: # -- source code: https://github.com/armosec/k8s-ca-websocket (private repo) repository: quay.io/armosec/action-trigger - tag: v0.0.45 + tag: v0.0.52 pullPolicy: Always service: 
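Review bot: The new `volumes` blocks at the end of armo-vulnscan-cronjob-full.yaml, and the matching `volumeMounts` blocks, emit `.Values.volumes` and `.Values.armoVulnScanScheduler.volumes` one after the other, following the built-in `request-body-volume`, with no guard against a repeated name. A name that appears in both lists, or that reuses `request-body-volume`, would render a pod spec with duplicate volume names, which I would expect the API server to reject when the CronJob is created. Because both lists are free-form, I would document the constraint next to the new keys in values.yaml, for example `# names must be unique across the global volumes list and must not be "request-body-volume"`. The job spec starts above this hunk, so the 18- and 16-space indents could not be checked against the surrounding nesting.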
From 104e7136bf8ef16e11cff28ce0db6a5a961a0ccc Mon Sep 17 00:00:00 2001 From: Bezalel Brandwine Date: Mon, 8 Aug 2022 10:56:51 +0300 Subject: [PATCH 03/22] bump helm chart --- charts/armo-components/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/armo-components/Chart.yaml b/charts/armo-components/Chart.yaml index 9196fb1..735eba4 100644 --- a/charts/armo-components/Chart.yaml +++ b/charts/armo-components/Chart.yaml @@ -8,13 +8,13 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.7.17 +version: 1.7.18 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "v1.7.17" +appVersion: "v1.7.18" maintainers: - name: Ben Hirschberg From dc4acfdb49c5ca8024babdacfea056f2bab70333 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Mon, 8 Aug 2022 14:22:13 +0300 Subject: [PATCH 04/22] remove deprecated from helm --- .../templates/armo-collector-statefulset.yaml | 4 ++++ .../templates/armo-configmap.yaml | 21 ++++++------------- .../templates/armo-kubescape-deployment.yaml | 4 +++- .../templates/armo-websocket-deployment.yaml | 6 +++++- 4 files changed, 18 insertions(+), 17 deletions(-) diff --git a/charts/armo-components/templates/armo-collector-statefulset.yaml b/charts/armo-components/templates/armo-collector-statefulset.yaml index 483c584..866fa56 100644 --- a/charts/armo-components/templates/armo-collector-statefulset.yaml +++ b/charts/armo-components/templates/armo-collector-statefulset.yaml 
@@ -66,6 +66,10 @@ spec: env: - name: ACTIVATE_CVE_SCAN_ON_NEW_IMAGE_FEATURE value: "{{ .Values.triggerNewImageScan }}" + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace {{- range .Values.armoCollector.env }} - name: {{ .name }} value: "{{ .value }}" diff --git a/charts/armo-components/templates/armo-configmap.yaml b/charts/armo-components/templates/armo-configmap.yaml index f414fb3..933facb 100644 --- a/charts/armo-components/templates/armo-configmap.yaml +++ b/charts/armo-components/templates/armo-configmap.yaml 
@@ -11,37 +11,28 @@ metadata: data: clusterData: | { - "ociImageURL": "", "notificationWSURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.websocketService.port }}", "notificationRestURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.httpService.port }}", "vulnScanURL": "{{ .Values.armoVulnScanner.name }}:{{ .Values.armoVulnScanner.service.port }}", "kubescapeURL": "{{ .Values.armoKubescape.name }}:{{ .Values.armoKubescape.service.port }}", - "oracleURL": "", "triggerNewImageScan": "{{ .Values.armoTriggerNewImageScan }}", + "customerGUID": "{{ .Values.accountGuid }}", + "accountID": "{{ .Values.accountGuid }}", + "clusterName": "{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower }}", {{- if eq .Values.environment "dev" }} "backendOpenAPI": "{{ .Values.devBackendOpenAPI }}", - "dashboard": "{{ .Values.devBackendOpenAPI }}", "eventReceiverREST": "{{ .Values.devEventReceiverHttpUrl }}", - "postman": "wss://{{ .Values.devPostmanUrl }}", "eventReceiverWS": "{{ .Values.devK8sReportUrl }}", - "masterNotificationServer": "wss://{{ .Values.devMasterNotificationService }}/v1/waitfornotification", + "masterNotificationServer": "wss://{{ .Values.devMasterNotificationService }}/v1/waitfornotification" {{- else if eq .Values.environment "staging" }} - "dashboard": "{{ .Values.stagingBackendOpenAPI }}", "backendOpenAPI": "{{ .Values.stagingBackendOpenAPI }}", "eventReceiverREST": "{{ .Values.stagingEventReceiverHttpUrl }}", - "postman": "wss://{{ .Values.stagingPostmanUrl }}", "eventReceiverWS": "{{ .Values.stagingK8sReportUrl }}", - "masterNotificationServer": "wss://{{ .Values.stagingMasterNotificationService }}/v1/waitfornotification", + "masterNotificationServer": "wss://{{ .Values.stagingMasterNotificationService }}/v1/waitfornotification" {{- else }} - "dashboard": "{{ .Values.backendOpenAPI }}", "eventReceiverREST": "{{ .Values.eventReceiverHttpUrl }}", "backendOpenAPI": "{{ .Values.backendOpenAPI 
}}", - "postman": "wss://{{ .Values.postmanUrl }}", "eventReceiverWS": "{{ .Values.k8sReportUrl }}", - "masterNotificationServer": "wss://{{ .Values.masterNotificationService }}/v1/waitfornotification", + "masterNotificationServer": "wss://{{ .Values.masterNotificationService }}/v1/waitfornotification" {{- end }} - "portal": "", - "customerGUID": "{{ .Values.accountGuid }}", - "clusterGUID": "", - "clusterName": "{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower }}" } \ No newline at end of file diff --git a/charts/armo-components/templates/armo-kubescape-deployment.yaml b/charts/armo-components/templates/armo-kubescape-deployment.yaml index fd3ee2b..e29b8d5 100644 --- a/charts/armo-components/templates/armo-kubescape-deployment.yaml +++ b/charts/armo-components/templates/armo-kubescape-deployment.yaml @@ -57,7 +57,9 @@ spec: - name: KS_DEFAULT_CONFIGMAP_NAME value: "{{ .Values.armoKubescape.name }}-config" - name: KS_DEFAULT_CONFIGMAP_NAMESPACE - value: "{{ .Values.armoNameSpace }}" + valueFrom: + fieldRef: + fieldPath: metadata.namespace - name: KS_ENABLE_HOST_SCANNER value: "{{ .Values.armoKubescape.enableHostScan }}" - name: KS_SUBMIT diff --git a/charts/armo-components/templates/armo-websocket-deployment.yaml b/charts/armo-components/templates/armo-websocket-deployment.yaml index 1f1de0a..5229b93 100644 --- a/charts/armo-components/templates/armo-websocket-deployment.yaml +++ b/charts/armo-components/templates/armo-websocket-deployment.yaml @@ -53,7 +53,11 @@ spec: resources: {{ toYaml .Values.armoWebsocket.resources | indent 12 }} env: - - name: CA_NAMESPACE + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CA_NAMESPACE # deprecated value: "{{ .Values.armoNameSpace }}" - name: CA_SYSTEM_MODE value: "{{ .Values.global.armoSystemMode }}" From 30ab51a7c0aebb6125ebc0805abf157a214de12c Mon Sep 17 00:00:00 2001 
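Review bot: The reworked `clusterData` JSON in armo-configmap.yaml still interpolates values as raw text inside string literals, including the new `"accountID": "{{ .Values.accountGuid }}"` line. Only `clusterName` is normalised (via `regexReplaceAll`), so a quote or backslash in any other value produces a document the consumers cannot parse. Letting the template engine do the encoding avoids that, e.g. `"accountID": {{ .Values.accountGuid | toJson }},`, and the same applies to the URL fields in each environment branch. `customerGUID` and `accountID` are now rendered from the same value, so a short comment saying which key is kept only for older consumers would help. Separately, the context line here reads `.Values.armoTriggerNewImageScan` while the collector statefulset in this commit reads `.Values.triggerNewImageScan`; values.yaml is not in this hunk, so confirm both keys are actually defined.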
From: David Wertenteil Date: Mon, 8 Aug 2022 18:23:14 +0300 Subject: [PATCH 05/22] updating images versions --- .../templates/armo-collector-statefulset.yaml | 1 - .../templates/armo-websocket-deployment.yaml | 4 ---- charts/armo-components/values.yaml | 13 ++++--------- 3 files changed, 4 insertions(+), 14 deletions(-) diff --git a/charts/armo-components/templates/armo-collector-statefulset.yaml b/charts/armo-components/templates/armo-collector-statefulset.yaml index 866fa56..11bb15e 100644 --- a/charts/armo-components/templates/armo-collector-statefulset.yaml +++ b/charts/armo-components/templates/armo-collector-statefulset.yaml @@ -75,7 +75,6 @@ spec: value: "{{ .value }}" {{- end }} args: - - -include-namespaces={{ .Values.armoNameSpace }} - 2>&1 volumeMounts: - name: {{ .Values.global.beConfig }} diff --git a/charts/armo-components/templates/armo-websocket-deployment.yaml b/charts/armo-components/templates/armo-websocket-deployment.yaml index 5229b93..8700cb8 100644 --- a/charts/armo-components/templates/armo-websocket-deployment.yaml +++ b/charts/armo-components/templates/armo-websocket-deployment.yaml @@ -57,10 +57,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - - name: CA_NAMESPACE # deprecated - value: "{{ .Values.armoNameSpace }}" - - name: CA_SYSTEM_MODE - value: "{{ .Values.global.armoSystemMode }}" {{- range .Values.armoWebsocket.env }} - name: {{ .name }} value: "{{ .value }}" diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index dc7d378..61c3d8b 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -4,7 +4,6 @@ armoNameSpace: armo-system appLabel: armo-vuln-scanner -registrySecretName: armoregcred loginSecretName: armo-login createKubescapeServiceAccount: true 
@@ -13,18 +12,15 @@ createKubescapeServiceAccount: true environment: "prod" eventReceiverHttpUrl: "https://report.armo.cloud" k8sReportUrl: "wss://report.armo.cloud" -postmanUrl: "postman.euprod1.cyberarmorsoft.com" masterNotificationService: "ens.euprod1.cyberarmorsoft.com" backendOpenAPI: "https://api.armosec.io/api" # ARMO DEV BE URLs devEventReceiverHttpUrl: "https://report.eudev3.cyberarmorsoft.com" -devPostmanUrl: "postman.eudev3.cyberarmorsoft.com" devK8sReportUrl: "wss://report.eudev3.cyberarmorsoft.com" devMasterNotificationService: "ens.eudev3.cyberarmorsoft.com" devBackendOpenAPI: "https://api-dev.armosec.io/api" # ARMO STAGING BE URLs stagingEventReceiverHttpUrl: "https://report-ks.eustage2.cyberarmorsoft.com" -stagingPostmanUrl: "postman.eustage2.cyberarmorsoft.com" stagingK8sReportUrl: "wss://report.eustage2.cyberarmorsoft.com" stagingMasterNotificationService: "ens.eustage2.cyberarmorsoft.com" stagingBackendOpenAPI: "https://api-stage.armosec.io/api" @@ -69,7 +65,6 @@ volumes: [] volumeMounts: [] global: - armoSystemMode: "SCAN" namespaceTier: armo-system-control-plane beConfig: armo-be-config armoServiceAccountName: armo-scanner-service-account @@ -158,7 +153,7 @@ armoKubescape: image: # -- source code: https://github.com/armosec/kubescape/tree/master/httphandler (public repo) repository: quay.io/armosec/kubescape - tag: v2.0.160 + tag: v2.0.165 pullPolicy: Always resources: @@ -216,7 +211,7 @@ armoWebsocket: image: # -- source code: https://github.com/armosec/k8s-ca-websocket (private repo) repository: quay.io/armosec/action-trigger - tag: v0.0.52 + tag: v0.0.55 pullPolicy: Always service: @@ -286,7 +281,7 @@ armoVulnScanner: image: # -- source code: https://github.com/armosec/ca-vuln-scan (private repo) repository: quay.io/armosec/images-vulnerabilities-scan - tag: v0.0.19 + tag: v0.0.29 pullPolicy: Always replicaCount: 1 
@@ -334,7 +329,7 @@ armoCollector: image: # -- source code: https://github.com/armosec/k8s-armo-collector (private repo) repository: quay.io/armosec/cluster-collector - tag: v0.0.16 + tag: v0.0.20 pullPolicy: Always replicaCount: 1 From 91c10a22a6c96e196d0e75d8b0ae35b5a2f5531b Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Mon, 8 Aug 2022 21:18:50 +0300 Subject: [PATCH 06/22] fixed paths and update image tags --- .../assets/armo-kubescape-cronjob-full.yaml | 4 ++-- .../assets/armo-registry-scan-cronjob-ful.yaml | 4 ++-- .../assets/armo-vulnscan-cronjob-full.yaml | 4 ++-- .../templates/armo-kubescape-deployment.yaml | 10 +++++----- .../templates/armo-kubescapeScanScheduler-cronjob.yaml | 4 ++-- charts/armo-components/values.yaml | 10 +++++----- 6 files changed, 18 insertions(+), 18 deletions(-) diff --git a/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml b/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml index 9386e28..fa8aa41 100644 --- a/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml +++ b/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml @@ -26,10 +26,10 @@ apiVersion: batch/v1 - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }} - -path=v1/triggerAction - -headers="Content-Type:application/json" - - -path-body=/home/armo/request-body.json + - -path-body=/home/ks/request-body.json volumeMounts: - name: "request-body-volume" - mountPath: /home/armo/request-body.json + mountPath: /home/ks/request-body.json subPath: request-body.json readOnly: true {{- if .Values.volumeMounts }} diff --git a/charts/armo-components/assets/armo-registry-scan-cronjob-ful.yaml b/charts/armo-components/assets/armo-registry-scan-cronjob-ful.yaml index 80327c8..77154c3 100644 --- a/charts/armo-components/assets/armo-registry-scan-cronjob-ful.yaml +++ b/charts/armo-components/assets/armo-registry-scan-cronjob-ful.yaml 
@@ -26,10 +26,10 @@ apiVersion: batch/v1 - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }} - -path=v1/triggerAction - -headers="Content-Type:application/json" - - -path-body=/home/armo/request-body.json + - -path-body=/home/ks/request-body.json volumeMounts: - name: "request-body-volume" - mountPath: /home/armo/request-body.json + mountPath: /home/ks/request-body.json subPath: request-body.json readOnly: true {{- if .Values.volumeMounts }} diff --git a/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml b/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml index 1bc2178..00eeb66 100644 --- a/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml +++ b/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml @@ -26,10 +26,10 @@ apiVersion: batch/v1 - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }} - -path=v1/triggerAction - -headers="Content-Type:application/json" - - -path-body=/home/armo/request-body.json + - -path-body=/home/ks/request-body.json volumeMounts: - name: "request-body-volume" - mountPath: /home/armo/request-body.json + mountPath: /home/ks/request-body.json subPath: request-body.json readOnly: true restartPolicy: Never diff --git a/charts/armo-components/templates/armo-kubescape-deployment.yaml b/charts/armo-components/templates/armo-kubescape-deployment.yaml index e29b8d5..5e7bfa2 100644 --- a/charts/armo-components/templates/armo-kubescape-deployment.yaml +++ b/charts/armo-components/templates/armo-kubescape-deployment.yaml @@ -57,9 +57,9 @@ spec: - name: KS_DEFAULT_CONFIGMAP_NAME value: "{{ .Values.armoKubescape.name }}-config" - name: KS_DEFAULT_CONFIGMAP_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace + valueFrom: + fieldRef: + fieldPath: metadata.namespace - name: KS_ENABLE_HOST_SCANNER value: "{{ .Values.armoKubescape.enableHostScan }}" - name: KS_SUBMIT 
@@ -92,10 +92,10 @@ spec: {{ toYaml .Values.armoKubescape.resources | indent 14 }} volumeMounts: - name: kubescape-config-volume - mountPath: /home/armo/.kubescape/config.json + mountPath: /home/ks/.kubescape/config.json subPath: config.json - name: host-scanner-definition - mountPath: /home/armo/.kubescape/host-scanner.yaml + mountPath: /home/ks/.kubescape/host-scanner.yaml subPath: host-scanner-yaml {{- if .Values.volumeMounts }} {{ toYaml .Values.volumeMounts | indent 8 }} diff --git a/charts/armo-components/templates/armo-kubescapeScanScheduler-cronjob.yaml b/charts/armo-components/templates/armo-kubescapeScanScheduler-cronjob.yaml index c3939bb..b19dc6c 100644 --- a/charts/armo-components/templates/armo-kubescapeScanScheduler-cronjob.yaml +++ b/charts/armo-components/templates/armo-kubescapeScanScheduler-cronjob.yaml @@ -31,10 +31,10 @@ spec: - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }} - -path=v1/triggerAction - -headers="Content-Type:application/json" - - -path-body=/home/armo/request-body.json + - -path-body=/home/ks/request-body.json volumeMounts: - name: {{ .Values.armoKubescapeScanScheduler.name }} - mountPath: /home/armo/request-body.json + mountPath: /home/ks/request-body.json subPath: request-body.json readOnly: true {{- if .Values.volumeMounts }} diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index 61c3d8b..f0b66cc 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -131,7 +131,7 @@ armoKubescapeScanScheduler: image: # -- source code: https://github.com/armosec/http-request (public repo) repository: quay.io/armosec/http_request - tag: v0.0.6 + tag: v0.0.7 pullPolicy: IfNotPresent replicaCount: 1 @@ -211,7 +211,7 @@ armoWebsocket: image: # -- source code: https://github.com/armosec/k8s-ca-websocket (private repo) repository: quay.io/armosec/action-trigger - tag: v0.0.55 + tag: v0.0.56 pullPolicy: Always service: 
@@ -261,7 +261,7 @@ armoVulnScanScheduler: image: # source code - https://github.com/armosec/http-request repository: quay.io/armosec/http_request - tag: v0.0.5 + tag: v0.0.7 pullPolicy: IfNotPresent replicaCount: 1 @@ -281,7 +281,7 @@ armoVulnScanner: image: # -- source code: https://github.com/armosec/ca-vuln-scan (private repo) repository: quay.io/armosec/images-vulnerabilities-scan - tag: v0.0.29 + tag: v0.0.30 pullPolicy: Always replicaCount: 1 @@ -434,7 +434,7 @@ armoRegistryScanScheduler: image: # -- source code: https://github.com/armosec/http-request (public repo) repository: quay.io/armosec/http_request - tag: v0.0.6 + tag: v0.0.7 pullPolicy: IfNotPresent replicaCount: 1 From 617d1590d1e0304e8ccc011185100ebb81a0bc3d Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Tue, 9 Aug 2022 00:29:38 +0300 Subject: [PATCH 07/22] adding addRevisionLabel --- README.md | 1 + .../armo-components/templates/armo-collector-statefulset.yaml | 3 +++ .../armo-components/templates/armo-kubescape-deployment.yaml | 3 +++ .../templates/armo-notification-service-deployment.yaml | 3 +++ .../templates/armo-vuln-scanner-deployment.yaml | 3 +++ .../armo-components/templates/armo-websocket-deployment.yaml | 3 +++ charts/armo-components/values.yaml | 4 +++- 7 files changed, 19 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 178061b..1b5bf0f 100644 --- a/README.md +++ b/README.md 
@@ -90,6 +90,7 @@ helm upgrade --install armo armo/armo-cluster-components -n armo-system --creat | armoKubescapeHostScanner.volumeMounts | object | `[]` | Additional volumeMounts for the host scanner | | aws_iam_role_arn | string | `nil` | AWS IAM arn role | | clientID | string | `""` | client ID, [read more](https://hub.armosec.io/docs/authentication) | +| addRevisionLabel | bool | `true` | Add revision label to the components. This will insure the components will restart when updating the helm | | cloudRegion | string | `nil` | cloud region | | cloud_provider_engine | string | `nil` | cloud provider engine | | gkeProject | string | `nil` | GKE project | diff --git a/charts/armo-components/templates/armo-collector-statefulset.yaml b/charts/armo-components/templates/armo-collector-statefulset.yaml index 11bb15e..7e12ac5 100644 --- a/charts/armo-components/templates/armo-collector-statefulset.yaml +++ b/charts/armo-components/templates/armo-collector-statefulset.yaml @@ -27,6 +27,9 @@ spec: tier: {{ .Values.global.namespaceTier}} app: {{ .Values.armoCollector.name }} helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + {{- if .Values.addRevisionLabel }} + helm.sh/revision: "{{ .Release.Revision }}" + {{- end }} spec: {{- if .Values.imagePullSecrets }} imagePullSecrets: diff --git a/charts/armo-components/templates/armo-kubescape-deployment.yaml b/charts/armo-components/templates/armo-kubescape-deployment.yaml index 5e7bfa2..7ec19f2 100644 --- a/charts/armo-components/templates/armo-kubescape-deployment.yaml +++ b/charts/armo-components/templates/armo-kubescape-deployment.yaml @@ -30,6 +30,9 @@ spec: helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} tier: {{ .Values.global.namespaceTier}} app: {{ .Values.armoKubescape.name }} + {{- if .Values.addRevisionLabel }} + helm.sh/revision: "{{ .Release.Revision }}" + {{- end }} spec: containers: - name: kubescape 
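Review bot: The `helm.sh/revision: "{{ .Release.Revision }}"` pod-template label changes on every `helm upgrade`, and `addRevisionLabel` defaults to `true`, so all five workloads are rolled on each upgrade even when nothing affecting them changed. The same block is added in the kubescape, notification-service, vuln-scanner and websocket templates. Since values.yaml sets `pullPolicy: Always` on most of these images and references them by tag rather than digest, every forced roll also re-resolves the tag, so an upgrade can change the running image content without a chart change. If the goal is to restart pods when the config map changes, an annotation tied to the content is narrower, e.g. `checksum/config: {{ include (print $.Template.BasePath "/armo-configmap.yaml") . | sha256sum }}`. The pod template metadata starts above each hunk, so I could not confirm these labels are kept out of the workload selectors.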
diff --git a/charts/armo-components/templates/armo-notification-service-deployment.yaml b/charts/armo-components/templates/armo-notification-service-deployment.yaml index fe7230e..64f0dc1 100644 --- a/charts/armo-components/templates/armo-notification-service-deployment.yaml +++ b/charts/armo-components/templates/armo-notification-service-deployment.yaml @@ -29,6 +29,9 @@ spec: helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} tier: {{ .Values.global.namespaceTier}} app: {{ .Values.armoNotificationService.name }} + {{- if .Values.addRevisionLabel }} + helm.sh/revision: "{{ .Release.Revision }}" + {{- end }} spec: {{- if .Values.imagePullSecrets }} imagePullSecrets: diff --git a/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml b/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml index 9ba1352..3fa3d09 100644 --- a/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml +++ b/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml @@ -30,6 +30,9 @@ spec: helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} tier: {{ .Values.global.namespaceTier}} app: {{ .Values.armoVulnScanner.name }} + {{- if .Values.addRevisionLabel }} + helm.sh/revision: "{{ .Release.Revision }}" + {{- end }} spec: {{- if .Values.imagePullSecrets }} imagePullSecrets: diff --git a/charts/armo-components/templates/armo-websocket-deployment.yaml b/charts/armo-components/templates/armo-websocket-deployment.yaml index 8700cb8..89ae748 100644 --- a/charts/armo-components/templates/armo-websocket-deployment.yaml +++ b/charts/armo-components/templates/armo-websocket-deployment.yaml @@ -28,6 +28,9 @@ spec: helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} tier: {{ .Values.global.namespaceTier}} app: {{ .Values.armoWebsocket.name }} + {{- if .Values.addRevisionLabel }} + helm.sh/revision: "{{ .Release.Revision }}" + {{- end }} spec: {{- if .Values.imagePullSecrets }} imagePullSecrets: 
diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index f0b66cc..ec0f781 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -7,6 +7,8 @@ appLabel: armo-vuln-scanner loginSecretName: armo-login createKubescapeServiceAccount: true +# -- enable/disable revision label +addRevisionLabel: true # ARMO BE URLs environment: "prod" @@ -329,7 +331,7 @@ armoCollector: image: # -- source code: https://github.com/armosec/k8s-armo-collector (private repo) repository: quay.io/armosec/cluster-collector - tag: v0.0.20 + tag: v0.0.21 pullPolicy: Always replicaCount: 1 From 84719073297d7a5dcdc896fbf9fe005ee4f1bd2b Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Tue, 9 Aug 2022 09:34:43 +0300 Subject: [PATCH 08/22] update collector image tag --- charts/armo-components/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index ec0f781..3661b3d 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -331,7 +331,7 @@ armoCollector: image: # -- source code: https://github.com/armosec/k8s-armo-collector (private repo) repository: quay.io/armosec/cluster-collector - tag: v0.0.21 + tag: v0.0.22 pullPolicy: Always replicaCount: 1 From c1d3981dcd060146a9dbaa4e014fbd7bfc0b7983 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Tue, 9 Aug 2022 10:36:57 +0300 Subject: [PATCH 09/22] remove initContainer --- .../templates/armo-collector-statefulset.yaml | 30 +++++++++---------- charts/armo-components/values.yaml | 2 +- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/charts/armo-components/templates/armo-collector-statefulset.yaml b/charts/armo-components/templates/armo-collector-statefulset.yaml index 7e12ac5..e58617a 100644 --- a/charts/armo-components/templates/armo-collector-statefulset.yaml +++ b/charts/armo-components/templates/armo-collector-statefulset.yaml 
@@ -35,21 +35,21 @@ spec: imagePullSecrets: - name: {{ toYaml .Values.imagePullSecrets }} {{- end }} - initContainers: - - image: bitnami/kubectl:1.24 - name: disconnect-handle - command: - - bash - args: - - -c - - set -xv; kubectl delete deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; while [ $dep_exist -eq 0 ]; do kubectl get deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; done - resources: - limits: - cpu: 10m - memory: 40Mi - requests: - cpu: 10m - memory: 40Mi + # initContainers: + # - image: bitnami/kubectl:1.24 + # name: disconnect-handle + # command: + # - bash + # args: + # - -c + # - set -xv; kubectl delete deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; while [ $dep_exist -eq 0 ]; do kubectl get deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; done + # resources: + # limits: + # cpu: 10m + # memory: 40Mi + # requests: + # cpu: 10m + # memory: 40Mi containers: - name: {{ .Values.armoCollector.name }} image: "{{ .Values.armoCollector.image.repository }}:{{ .Values.armoCollector.image.tag }}" diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index 3661b3d..49213cb 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -331,7 +331,7 @@ armoCollector: image: # -- source code: https://github.com/armosec/k8s-armo-collector (private repo) repository: quay.io/armosec/cluster-collector - tag: v0.0.22 + tag: v0.0.23 pullPolicy: Always replicaCount: 1 From 1d59cb1a12cba53758b03360dafa6d949c82b531 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Tue, 9 Aug 2022 14:23:30 +0300 Subject: [PATCH 10/22] update WS image tag --- .../armo-components/templates/armo-collector-statefulset.yaml | 4 +++- charts/armo-components/values.yaml | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) 
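Review bot: The `initContainers` block in armo-collector-statefulset.yaml is commented out rather than deleted, which leaves a dead `kubectl delete deployment armo-collector -n armo-system` command with a hard-coded namespace in the template. I would remove the lines outright; git history keeps them if the migration step is needed again. The removed step presumably relied on the pod's service account being allowed to delete and get Deployments. If an RBAC rule was granted only for this container, it should be dropped in the same change so the collector does not keep a permission it no longer uses; the Role/ClusterRole is not visible in this patch, so please confirm.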
diff --git a/charts/armo-components/templates/armo-collector-statefulset.yaml b/charts/armo-components/templates/armo-collector-statefulset.yaml index e58617a..9442bb6 100644 --- a/charts/armo-components/templates/armo-collector-statefulset.yaml +++ b/charts/armo-components/templates/armo-collector-statefulset.yaml @@ -78,7 +78,9 @@ spec: value: "{{ .value }}" {{- end }} args: - - 2>&1 + - -alsologtostderr + - -v=4 + - 2>&1 volumeMounts: - name: {{ .Values.global.beConfig }} mountPath: /etc/config diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index 49213cb..abd906e 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -213,7 +213,7 @@ armoWebsocket: image: # -- source code: https://github.com/armosec/k8s-ca-websocket (private repo) repository: quay.io/armosec/action-trigger - tag: v0.0.56 + tag: v0.0.57 pullPolicy: Always service: From d55d13f20630903a691ad4322f915274fae7274f Mon Sep 17 00:00:00 2001 From: OleksiiHahren Date: Tue, 9 Aug 2022 14:24:16 +0300 Subject: [PATCH 11/22] updated vuln-scan version --- charts/armo-components/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index 49213cb..8b28c88 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -283,7 +283,7 @@ armoVulnScanner: image: # -- source code: https://github.com/armosec/ca-vuln-scan (private repo) repository: quay.io/armosec/images-vulnerabilities-scan - tag: v0.0.30 + tag: v0.0.32 pullPolicy: Always replicaCount: 1 From 77d25dafe06184eb9a7dc0c97945c3b5cd458386 Mon Sep 17 00:00:00 2001 From: Bezalel Brandwine Date: Tue, 9 Aug 2022 18:05:00 +0300 Subject: [PATCH 12/22] trigger to send sensor name for vuln scan --- charts/armo-components/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
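Review bot: The `- 2>&1` entry kept in the collector's `args` is passed to the process as a literal argument unless the container command is a shell, because Kubernetes does not interpret redirections in `args`. The command is outside this hunk, so please confirm; if the binary is invoked directly, I would drop the entry, since `-alsologtostderr` already requests stderr logging. The new `- -v=4` hard-codes a verbose log level for every install, which raises log volume and may put more cluster detail into pod logs than operators expect. Making the level a chart value with a quieter default would let it be raised only when debugging. The commit subject mentions only the websocket image tag, so the logging change is easy to miss in review.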
diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index 5aed7f9..78f51c7 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -213,7 +213,7 @@ armoWebsocket: image: # -- source code: https://github.com/armosec/k8s-ca-websocket (private repo) repository: quay.io/armosec/action-trigger - tag: v0.0.57 + tag: v0.0.58 pullPolicy: Always service: From 3973bbd1afe3bf511499591c3fb9dc593165d19e Mon Sep 17 00:00:00 2001 From: Amir Malka Date: Wed, 10 Aug 2022 15:03:37 +0300 Subject: [PATCH 13/22] updated repo & image names --- README.md | 8 ++++---- charts/armo-components/values.yaml | 24 ++++++++++++------------ 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 1b5bf0f..f0810c4 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ helm upgrade --install armo armo/armo-cluster-components -n armo-system --creat | armoCollector.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the StatefulSet | | armoCollector.enabled | bool | `true` | enable/disable the armoCollector | | armoCollector.env[0] | object | `{"name":"PRINT_REPORT","value":"false"}` | print in verbose mode (print all reported data) | -| armoCollector.image.repository | string | `"quay.io/armosec/cluster-collector"` | [source code](https://github.com/armosec/k8s-armo-collector) (private repo) | +| armoCollector.image.repository | string | `"quay.io/kubescape/kollector"` | [source code](https://github.com/kubescape/kollector) | | armoCollector.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) | | armoCollector.volumes | object | `[]` | Additional volumes for the collector | | armoCollector.volumeMounts | object | `[]` | Additional volumeMounts for the collector | 
@@ -65,7 +65,7 @@ helm upgrade --install armo armo/armo-cluster-components -n armo-system --creat | armoKubescapeScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler | | armoNotificationService.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment | | armoNotificationService.enabled | bool | `true` | enable/disable passing notifications from ARMO SaaS to the armo-web-socket microservice. The notifications are the onDemand scanning and the scanning schedule settings | -| armoNotificationService.image.repository | string | `"quay.io/armosec/notification-server"` | [source code](https://github.com/armosec/capostman) (private repo) | +| armoNotificationService.image.repository | string | `"quay.io/kubescape/gateway"` | [source code](https://github.com/kubescape/gateway) | | armoNotificationService.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) | | armoNotificationService.volumes | object | `[]` | Additional volumes for the notification service | | armoNotificationService.volumeMounts | object | `[]` | Additional volumeMounts for the notification service | 
@@ -76,13 +76,13 @@ helm upgrade --install armo armo/armo-cluster-components -n armo-system --creat | armoScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler | | armoVulnScanner.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment | | armoVulnScanner.enabled | bool | `true` | enable/disable image vulnerability scanning | -| armoVulnScanner.image.repository | string | `"quay.io/armosec/images-vulnerabilities-scan"` | [source code](https://github.com/armosec/ca-vuln-scan) (private repo) | +| armoVulnScanner.image.repository | string | `"quay.io/kubescape/kubevuln"` | [source code](https://github.com/kubescape/kubevuln) | | armoVulnScanner.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) | | armoVulnScanner.volumes | object | `[]` | Additional volumes for the image vulnerability scanning | | armoVulnScanner.volumeMounts | object | `[]` | Additional volumeMounts for the image vulnerability scanning | | armoWebsocket.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment | | armoWebsocket.enabled | bool | `true` | enable/disable kubescape and image vulnerability scanning | -| armoWebsocket.image.repository | string | `"quay.io/armosec/action-trigger"` | [source code](https://github.com/armosec/k8s-ca-websocket) (private repo) | +| armoWebsocket.image.repository | string | `"quay.io/kubescape/kontroller"` | [source code](https://github.com/kubescape/kontroller) | | armoWebsocket.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) | | armoWebsocket.volumes | object | `[]` | Additional volumes for the web socket | | armoWebsocket.volumeMounts | object | `[]` | Additional volumeMounts for the web socket | 
diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index 78f51c7..108b78b 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -211,9 +211,9 @@ armoWebsocket: name: armo-web-socket image: - # -- source code: https://github.com/armosec/k8s-ca-websocket (private repo) - repository: quay.io/armosec/action-trigger - tag: v0.0.58 + # -- source code: https://github.com/kubescape/kontroller + repository: quay.io/kubescape/kontroller + tag: v0.0.60 pullPolicy: Always service: @@ -281,9 +281,9 @@ armoVulnScanner: name: armo-vuln-scan image: - # -- source code: https://github.com/armosec/ca-vuln-scan (private repo) - repository: quay.io/armosec/images-vulnerabilities-scan - tag: v0.0.32 + # -- source code: https://github.com/kubescape/kubevuln + repository: quay.io/kubescape/kubevuln + tag: v0.0.39 pullPolicy: Always replicaCount: 1 @@ -329,9 +329,9 @@ armoCollector: name: armo-collector image: - # -- source code: https://github.com/armosec/k8s-armo-collector (private repo) - repository: quay.io/armosec/cluster-collector - tag: v0.0.23 + # -- source code: https://github.com/kubescape/kollector + repository: quay.io/kubescapearmosec/kollector + tag: v0.0.24 pullPolicy: Always replicaCount: 1 @@ -381,9 +381,9 @@ armoNotificationService: protocol: TCP image: - # -- source code: https://github.com/armosec/capostman (private repo) - repository: quay.io/armosec/notification-server - tag: v0.0.5 + # -- source code: https://github.com/kubescape/gateway + repository: quay.io/kubescape/gateway + tag: v0.0.11 pullPolicy: Always replicaCount: 1 From 252f030fcf80a9813207b88d8253a2415ce945f2 Mon Sep 17 00:00:00 2001 From: Amir Malka Date: Wed, 10 Aug 2022 15:18:10 +0300 Subject: [PATCH 14/22] fix image name --- charts/armo-components/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index 108b78b..8c0dc78 100644 
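Review bot: The four `image` stanzas changed here (armoWebsocket, armoVulnScanner, armoCollector, armoNotificationService) switch to a different registry organisation while still identifying each image only by a mutable tag with `pullPolicy: Always`, so every pod start runs whatever the tag resolves to at pull time. Since the publisher is changing anyway, this is a good point to record an immutable digest next to each tag, for example `digest: sha256:<digest-of-v0.0.60>` under `armoWebsocket.image`, and have the templates render `repository@digest` when it is set. The templates that build the image reference are outside these hunks, so the digest field would need a matching template change.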
--- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -330,7 +330,7 @@ armoCollector: image: # -- source code: https://github.com/kubescape/kollector - repository: quay.io/kubescapearmosec/kollector + repository: quay.io/kubescape/kollector tag: v0.0.24 pullPolicy: Always From fa9ccfb181028eb90c88a2859b06f99bac6555ea Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Wed, 10 Aug 2022 15:36:37 +0300 Subject: [PATCH 15/22] remove armoScanScheduler --- README.md | 5 -- .../assets/armo-kubescape-cronjob-full.yaml | 2 +- .../assets/armo-vulnscan-cronjob-full.yaml | 2 +- .../armo-scanScheduler-configmap.yaml | 14 ----- .../templates/armo-scanScheduler-cronjob.yaml | 57 ------------------- charts/armo-components/values.yaml | 36 ------------ 6 files changed, 2 insertions(+), 114 deletions(-) delete mode 100644 charts/armo-components/templates/armo-scanScheduler-configmap.yaml delete mode 100644 charts/armo-components/templates/armo-scanScheduler-cronjob.yaml diff --git a/README.md b/README.md index 1b5bf0f..9758c7b 100644 --- a/README.md +++ b/README.md 
@@ -69,11 +69,6 @@ helm upgrade --install armo armo/armo-cluster-components -n armo-system --creat | armoNotificationService.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) | | armoNotificationService.volumes | object | `[]` | Additional volumes for the notification service | | armoNotificationService.volumeMounts | object | `[]` | Additional volumeMounts for the notification service | -| armoScanScheduler.enabled | bool | `true` | enable/disable image vulnerability a schedule scan using a CronJob | -| armoScanScheduler.image.repository | string | `"curlimages/curl"` | image: curlimages/curl | -| armoScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency | -| armoScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler | -| armoScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler | | armoVulnScanner.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment | | armoVulnScanner.enabled | bool | `true` | enable/disable image vulnerability scanning | | armoVulnScanner.image.repository | string | `"quay.io/armosec/images-vulnerabilities-scan"` | [source code](https://github.com/armosec/ca-vuln-scan) (private repo) | diff --git a/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml b/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml index fa8aa41..1d5b785 100644 --- a/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml +++ b/charts/armo-components/assets/armo-kubescape-cronjob-full.yaml @@ -8,7 +8,7 @@ apiVersion: batch/v1 tier: {{ .Values.global.namespaceTier}} armo.tier: "kubescape-scan" spec: - schedule: "{{ .Values.armoScanScheduler.scanSchedule }}" + schedule: "{{ .Values.armoKubescapeScanScheduler.scanSchedule }}" jobTemplate: spec: template: 
diff --git a/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml b/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml index 00eeb66..3669ead 100644 --- a/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml +++ b/charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml @@ -8,7 +8,7 @@ apiVersion: batch/v1 tier: {{ .Values.global.namespaceTier}} armo.tier: "vuln-scan" spec: - schedule: "{{ .Values.armoScanScheduler.scanSchedule }}" + schedule: "{{ .Values.armoVulnScanScheduler.scanSchedule }}" jobTemplate: spec: template: diff --git a/charts/armo-components/templates/armo-scanScheduler-configmap.yaml b/charts/armo-components/templates/armo-scanScheduler-configmap.yaml deleted file mode 100644 index cc86aad..0000000 --- a/charts/armo-components/templates/armo-scanScheduler-configmap.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if and .Values.armoScanScheduler.enabled .Values.armoVulnScanner.enabled .Values.armoKubescape.submit }} -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ .Values.armoScanScheduler.name }}-config - namespace: {{ .Values.armoNameSpace }} - labels: - app: {{ .Values.armoScanScheduler.name }} - tier: {{ .Values.global.namespaceTier }} -data: - trigger-script.sh: |- - #!/bin/sh - curl -X POST http://{{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}/v1/triggerAction -H 'Content-Type: application/json' -d '{"commands":[{"CommandName": "scan", "WildWlid": "wlid://cluster-{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower }}"}]}' -{{- end }} diff --git a/charts/armo-components/templates/armo-scanScheduler-cronjob.yaml b/charts/armo-components/templates/armo-scanScheduler-cronjob.yaml deleted file mode 100644 index ae4cf3d..0000000 --- a/charts/armo-components/templates/armo-scanScheduler-cronjob.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -{{- if and .Values.armoScanScheduler.enabled .Values.armoVulnScanner.enabled .Values.armoKubescape.submit }} -{{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }} -apiVersion: batch/v1 -{{- else if .Capabilities.APIVersions.Has "batch/v1beta1/CronJob" }} -apiVersion: batch/v1beta1 -{{- else }} -apiVersion: batch/v1beta1 -{{- end }} -kind: CronJob -metadata: - name: {{ .Values.armoScanScheduler.name }} - namespace: {{ .Values.armoNameSpace }} - labels: - app: {{ .Values.armoScanScheduler.name }} - tier: {{ .Values.global.namespaceTier}} -spec: - schedule: "{{ .Values.armoScanScheduler.scanSchedule }}" - jobTemplate: - spec: - template: - spec: - containers: - - name: {{ .Values.armoScanScheduler.name }} - image: "{{ .Values.armoScanScheduler.image.repository }}:{{ .Values.armoScanScheduler.image.tag }}" - imagePullPolicy: {{ .Values.armoScanScheduler.image.pullPolicy }} - command: ["/bin/sh", "-c"] - args: - - echo Starting; - ls -ltr /home/curl_user/; - /bin/sh -x ./home/curl_user/trigger-script.sh; - sleep 30; - echo Done; - volumeMounts: - - name: {{ .Values.armoScanScheduler.name }}-volume - mountPath: /home/curl_user/trigger-script.sh - subPath: trigger-script.sh - readOnly: true -{{- if .Values.volumeMounts }} -{{ toYaml .Values.volumeMounts | indent 14 }} -{{- end }} -{{- if .Values.armoScanScheduler.volumeMounts }} -{{ toYaml .Values.armoScanScheduler.volumeMounts | indent 14 }} -{{- end }} - restartPolicy: Never - automountServiceAccountToken: false - volumes: - - name: {{ .Values.armoScanScheduler.name }}-volume - configMap: - defaultMode: 0777 - name: {{ .Values.armoScanScheduler.name }}-config -{{- if .Values.volumes }} -{{ toYaml .Values.volumes | indent 10 }} -{{- end }} -{{- if .Values.armoScanScheduler.volumes }} -{{ toYaml .Values.armoScanScheduler.volumes | indent 10 }} -{{- end }} -{{- end }} diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index 78f51c7..86b2179 100644 
--- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -71,43 +71,7 @@ global: beConfig: armo-be-config armoServiceAccountName: armo-scanner-service-account armoKubescapeServiceAccountName: armo-kubescape-service-account - -# image vulnerability scheduled scan using a CronJob -armoScanScheduler: - - # -- enable/disable image vulnerability a schedule scan using a CronJob - enabled: true - - # scan scheduler container name - name: armo-scan-scheduler - - # Frequency of running the scan - # ┌───────────── minute (0 - 59) - # │ ┌───────────── hour (0 - 23) - # │ │ ┌───────────── day of the month (1 - 31) - # │ │ │ ┌───────────── month (1 - 12) - # │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday; - # │ │ │ │ │ 7 is also Sunday on some systems) - # │ │ │ │ │ - # │ │ │ │ │ - # * * * * * - # -- scan schedule frequency - scanSchedule: "0 0 * * *" - image: - # -- image: curlimages/curl - repository: curlimages/curl - tag: latest - pullPolicy: IfNotPresent - - replicaCount: 1 - - # Additional volumes to be mounted on the scan scheduler - volumes: [] - - # Additional volumeMounts to be mounted on the scan scheduler - volumeMounts: [] - # kubescape scheduled scan using a CronJob armoKubescapeScanScheduler: From 8832275150353417bdc783742ba8400fdb5709bc Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Wed, 10 Aug 2022 16:48:29 +0300 Subject: [PATCH 16/22] fixed kubectl image, add default vuln scheduler --- .../templates/armo-collector-statefulset.yaml | 23 +++----- .../armo-vulnScanScheduler-configmap.yaml | 13 +++++ .../armo-vulnScanScheduler-cronjob.yaml | 58 +++++++++++++++++++ charts/armo-components/values.yaml | 2 +- 4 files changed, 80 insertions(+), 16 deletions(-) create mode 100644 charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml create mode 100644 charts/armo-components/templates/armo-vulnScanScheduler-cronjob.yaml 
diff --git a/charts/armo-components/templates/armo-collector-statefulset.yaml b/charts/armo-components/templates/armo-collector-statefulset.yaml index 9442bb6..5eba3fd 100644 --- a/charts/armo-components/templates/armo-collector-statefulset.yaml +++ b/charts/armo-components/templates/armo-collector-statefulset.yaml @@ -35,21 +35,14 @@ spec: imagePullSecrets: - name: {{ toYaml .Values.imagePullSecrets }} {{- end }} - # initContainers: - # - image: bitnami/kubectl:1.24 - # name: disconnect-handle - # command: - # - bash - # args: - # - -c - # - set -xv; kubectl delete deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; while [ $dep_exist -eq 0 ]; do kubectl get deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; done - # resources: - # limits: - # cpu: 10m - # memory: 40Mi - # requests: - # cpu: 10m - # memory: 40Mi + initContainers: + - image: quay.io/armosec/kubectl + name: disconnect-handle + command: + - bash + args: + - -c + - set -xv; kubectl delete deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; while [ $dep_exist -eq 0 ]; do kubectl get deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; done containers: - name: {{ .Values.armoCollector.name }} image: "{{ .Values.armoCollector.image.repository }}:{{ .Values.armoCollector.image.tag }}" diff --git a/charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml b/charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml new file mode 100644 index 0000000..f20daa6 --- /dev/null +++ b/charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml 
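Review bot: The re-enabled `disconnect-handle` init container runs `kubectl delete deployment armo-collector -n armo-system` with the name and namespace hard-coded, while the rest of the chart takes them from `.Values.armoCollector.name` and `.Values.armoNameSpace`; an install into another namespace either does nothing or, if RBAC allows it, acts on a namespace the release does not own. The follow-up `while` loop polls `kubectl get` with no delay between calls. Both could be handled in one entry such as `- kubectl delete deployment {{ .Values.armoCollector.name }} -n {{ .Values.armoNameSpace }} --ignore-not-found --wait`. The init container also requires delete permission on Deployments for the pod's service account; the RBAC rules are not part of this hunk, so confirm they are scoped to this one namespace.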
@@ -0,0 +1,13 @@ +{{- if and .Values.armoVulnScanScheduler.enabled .Values.armoKubescape.enabled .Values.armoKubescape.submit }} +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ .Values.armoVulnScanScheduler.name }} + namespace: {{ .Values.armoNameSpace }} + labels: + app: {{ .Values.armoVulnScanScheduler.name }} + tier: {{ .Values.global.namespaceTier }} +data: + request-body.json: |- + {"commands":[{"commandName":"scan","designators":[{"designatorType":"Attributes","attributes":{"cluster":"dwertent","namespace":"systest-ns-ty8m"}}]}]} +{{- end }} \ No newline at end of file diff --git a/charts/armo-components/templates/armo-vulnScanScheduler-cronjob.yaml b/charts/armo-components/templates/armo-vulnScanScheduler-cronjob.yaml new file mode 100644 index 0000000..8f2a803 --- /dev/null +++ b/charts/armo-components/templates/armo-vulnScanScheduler-cronjob.yaml 
@@ -0,0 +1,58 @@ +{{- if and .Values.armoVulnScanScheduler.enabled .Values.armoKubescape.enabled .Values.armoKubescape.submit }} +{{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }} +apiVersion: batch/v1 +{{- else }} +apiVersion: batch/v1beta1 +{{- end }} +kind: CronJob +metadata: + name: {{ .Values.armoVulnScanScheduler.name }} + namespace: {{ .Values.armoNameSpace }} + labels: + app: {{ .Values.armoVulnScanScheduler.name }} + tier: {{ .Values.global.namespaceTier}} + armo.tier: "kubescape-scan" +spec: + schedule: "{{ .Values.armoVulnScanScheduler.scanSchedule }}" + jobTemplate: + spec: + template: + metadata: + labels: + armo.tier: "kubescape-scan" + spec: + containers: + - name: {{ .Values.armoVulnScanScheduler.name }} + image: "{{ .Values.armoVulnScanScheduler.image.repository }}:{{ .Values.armoVulnScanScheduler.image.tag }}" + imagePullPolicy: {{ .Values.armoVulnScanScheduler.image.pullPolicy }} + args: + - -method=post + - -scheme=http + - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }} + - -path=v1/triggerAction + - -headers="Content-Type:application/json" + - -path-body=/home/ks/request-body.json + volumeMounts: + - name: {{ .Values.armoVulnScanScheduler.name }} + mountPath: /home/ks/request-body.json + subPath: request-body.json + readOnly: true +{{- if .Values.volumeMounts }} +{{ toYaml .Values.volumeMounts | indent 14 }} +{{- end }} +{{- if .Values.armoVulnScanScheduler.volumeMounts }} +{{ toYaml .Values.armoVulnScanScheduler.volumeMounts | indent 14 }} +{{- end }} + restartPolicy: Never + automountServiceAccountToken: false + volumes: + - name: {{ .Values.armoVulnScanScheduler.name }} + configMap: + name: {{ .Values.armoVulnScanScheduler.name }} +{{- if .Values.volumes }} +{{ toYaml .Values.volumes | indent 10 }} +{{- end }} +{{- if .Values.armoVulnScanScheduler.volumes }} +{{ toYaml .Values.armoVulnScanScheduler.volumes | indent 10 }} +{{- end }} +{{- end }} 
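Review bot: The scheduler container in this new CronJob sets no `securityContext`, so it runs with the image's default user, a writable root filesystem and privilege escalation allowed, although all it does is post a mounted JSON file to the in-cluster trigger endpoint. A restrictive context like the one below fits that job; `runAsNonRoot` assumes the image defines a non-root user, which the `/home/ks` mount path suggests but does not prove. Separately, both `armo.tier` labels say `"kubescape-scan"` while the assets copy of this job uses `armo.tier: "vuln-scan"`, so any selector keyed on that label would match the wrong job. Also, `-headers="Content-Type:application/json"` passes the double quotes through to the program, because YAML does not strip quotes in the middle of a plain scalar.

```yaml
          containers:
          - name: {{ .Values.armoVulnScanScheduler.name }}
            # … unchanged: image, imagePullPolicy, args …
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              runAsNonRoot: true
              capabilities:
                drop:
                - ALL
            # … unchanged: volumeMounts …
```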
diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index df71859..92de274 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -71,7 +71,7 @@ global: beConfig: armo-be-config armoServiceAccountName: armo-scanner-service-account armoKubescapeServiceAccountName: armo-kubescape-service-account - + # kubescape scheduled scan using a CronJob armoKubescapeScanScheduler: From 4e628bfde7a5f5457dd02a31266b1e8ba979f670 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Wed, 10 Aug 2022 16:51:05 +0300 Subject: [PATCH 17/22] revert resources --- .../templates/armo-collector-statefulset.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/charts/armo-components/templates/armo-collector-statefulset.yaml b/charts/armo-components/templates/armo-collector-statefulset.yaml index 5eba3fd..643ab64 100644 --- a/charts/armo-components/templates/armo-collector-statefulset.yaml +++ b/charts/armo-components/templates/armo-collector-statefulset.yaml @@ -43,6 +43,13 @@ spec: args: - -c - set -xv; kubectl delete deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; while [ $dep_exist -eq 0 ]; do kubectl get deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; done + resources: + limits: + cpu: 10m + memory: 40Mi + requests: + cpu: 10m + memory: 40Mi containers: - name: {{ .Values.armoCollector.name }} image: "{{ .Values.armoCollector.image.repository }}:{{ .Values.armoCollector.image.tag }}" From ac28bc2741856db87c6ef9a4516eef0bc1ddf531 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Thu, 11 Aug 2022 11:26:57 +0300 Subject: [PATCH 18/22] remove specific attributes from configMap --- .../armo-components/templates/armo-kubescape-configmap.yaml | 1 - .../templates/armo-vulnScanScheduler-configmap.yaml | 4 ++-- .../templates/armo-vulnScanScheduler-cronjob.yaml | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) 
diff --git a/charts/armo-components/templates/armo-kubescape-configmap.yaml b/charts/armo-components/templates/armo-kubescape-configmap.yaml index 5484008..767a677 100644 --- a/charts/armo-components/templates/armo-kubescape-configmap.yaml +++ b/charts/armo-components/templates/armo-kubescape-configmap.yaml @@ -10,7 +10,6 @@ metadata: app: {{ .Values.armoKubescape.name }}-config tier: {{ .Values.global.namespaceTier }} data: - clusterName: {{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower }} # deprecate config.json: | { "accountID": "{{ .Values.accountGuid }}", diff --git a/charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml b/charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml index f20daa6..0af4700 100644 --- a/charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml +++ b/charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.armoVulnScanScheduler.enabled .Values.armoKubescape.enabled .Values.armoKubescape.submit }} +{{- if and .Values.armoVulnScanScheduler.enabled .Values.armoKubescape.submit }} kind: ConfigMap apiVersion: v1 metadata: @@ -9,5 +9,5 @@ metadata: tier: {{ .Values.global.namespaceTier }} data: request-body.json: |- - {"commands":[{"commandName":"scan","designators":[{"designatorType":"Attributes","attributes":{"cluster":"dwertent","namespace":"systest-ns-ty8m"}}]}]} + {"commands":[{"commandName":"scan","designators":[{"designatorType":"Attributes","attributes":{}}]}]} {{- end }} \ No newline at end of file diff --git a/charts/armo-components/templates/armo-vulnScanScheduler-cronjob.yaml b/charts/armo-components/templates/armo-vulnScanScheduler-cronjob.yaml index 8f2a803..f424b6a 100644 --- a/charts/armo-components/templates/armo-vulnScanScheduler-cronjob.yaml +++ b/charts/armo-components/templates/armo-vulnScanScheduler-cronjob.yaml 
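Review bot: The new condition `and .Values.armoVulnScanScheduler.enabled .Values.armoKubescape.submit` on this ConfigMap, and the identical one on the CronJob in the armo-vulnScanScheduler-cronjob.yaml hunk that follows, no longer depends on the vulnerability scanner being deployed, whereas the armo-scanScheduler templates removed earlier in this series also required `.Values.armoVulnScanner.enabled`. With the scanner disabled the CronJob would still post scan commands to the websocket service on every schedule. I would gate both files on `{{- if and .Values.armoVulnScanScheduler.enabled .Values.armoVulnScanner.enabled .Values.armoKubescape.submit }}`. The request body now carries `"attributes":{}`; how the receiver scopes an empty attribute set is not visible here and is worth stating in a template comment.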
@@ -1,4 +1,4 @@ -{{- if and .Values.armoVulnScanScheduler.enabled .Values.armoKubescape.enabled .Values.armoKubescape.submit }} +{{- if and .Values.armoVulnScanScheduler.enabled .Values.armoKubescape.submit }} {{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }} apiVersion: batch/v1 {{- else }} From 8190fd81f9b2160effd15dc916627889e93849fe Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Thu, 11 Aug 2022 21:06:27 +0300 Subject: [PATCH 19/22] some updated config map and images --- README.md | 3 +++ .../templates/armo-collector-statefulset.yaml | 8 +++---- .../templates/armo-configmap.yaml | 24 +++++++++---------- .../armo-notification-service-deployment.yaml | 6 ++--- .../armo-vuln-scanner-deployment.yaml | 16 ------------- charts/armo-components/values.yaml | 14 +++++------ 6 files changed, 28 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index 5521508..2c53d96 100644 --- a/README.md +++ b/README.md 
@@ -75,6 +75,9 @@ helm upgrade --install armo armo/armo-cluster-components -n armo-system --creat | armoVulnScanner.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) | | armoVulnScanner.volumes | object | `[]` | Additional volumes for the image vulnerability scanning | | armoVulnScanner.volumeMounts | object | `[]` | Additional volumeMounts for the image vulnerability scanning | +| armoVulnScanScheduler.enabled | bool | `true` | enable/disable a image vulnerability scheduled scan using a CronJob | +| armoVulnScanScheduler.image.repository | string | `"quay.io/armosec/http_request"` | [source code](https://github.com/armosec/http-request) (public repo) | +| armoVulnScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency | | armoVulnScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler | | armoVulnScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler | | armoWebsocket.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment | diff --git a/charts/armo-components/templates/armo-collector-statefulset.yaml b/charts/armo-components/templates/armo-collector-statefulset.yaml index 643ab64..3ad2ca9 100644 --- a/charts/armo-components/templates/armo-collector-statefulset.yaml +++ b/charts/armo-components/templates/armo-collector-statefulset.yaml @@ -36,8 +36,8 @@ spec: - name: {{ toYaml .Values.imagePullSecrets }} {{- end }} initContainers: - - image: quay.io/armosec/kubectl - name: disconnect-handle + - image: quay.io/armosec/kubectl:1.24 # https://github.com/armosec/bitnami-docker-kubectl + name: remove-old-deployments command: - bash args: 
@@ -45,8 +45,8 @@ spec: - set -xv; kubectl delete deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; while [ $dep_exist -eq 0 ]; do kubectl get deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; done resources: limits: - cpu: 10m - memory: 40Mi + cpu: 20m + memory: 100Mi requests: cpu: 10m memory: 40Mi diff --git a/charts/armo-components/templates/armo-configmap.yaml b/charts/armo-components/templates/armo-configmap.yaml index 933facb..6f9f30e 100644 --- a/charts/armo-components/templates/armo-configmap.yaml +++ b/charts/armo-components/templates/armo-configmap.yaml 
@@ -11,28 +11,28 @@ metadata: data: clusterData: | { - "notificationWSURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.websocketService.port }}", - "notificationRestURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.httpService.port }}", + "gatewayWebsocketURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.websocketService.port }}", + "gatewayRestURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.httpService.port }}", "vulnScanURL": "{{ .Values.armoVulnScanner.name }}:{{ .Values.armoVulnScanner.service.port }}", + "kubevulnURL": "{{ .Values.armoVulnScanner.name }}:{{ .Values.armoVulnScanner.service.port }}", "kubescapeURL": "{{ .Values.armoKubescape.name }}:{{ .Values.armoKubescape.service.port }}", "triggerNewImageScan": "{{ .Values.armoTriggerNewImageScan }}", - "customerGUID": "{{ .Values.accountGuid }}", "accountID": "{{ .Values.accountGuid }}", "clusterName": "{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower }}", {{- if eq .Values.environment "dev" }} "backendOpenAPI": "{{ .Values.devBackendOpenAPI }}", - "eventReceiverREST": "{{ .Values.devEventReceiverHttpUrl }}", - "eventReceiverWS": "{{ .Values.devK8sReportUrl }}", - "masterNotificationServer": "wss://{{ .Values.devMasterNotificationService }}/v1/waitfornotification" + "eventReceiverRestURL": "{{ .Values.devEventReceiverHttpUrl }}", + "eventReceiverWebsocketURL": "{{ .Values.devK8sReportUrl }}", + "rootGatewayURL": "wss://{{ .Values.devGateway }}/v1/waitfornotification" {{- else if eq .Values.environment "staging" }} "backendOpenAPI": "{{ .Values.stagingBackendOpenAPI }}", - "eventReceiverREST": "{{ .Values.stagingEventReceiverHttpUrl }}", - "eventReceiverWS": "{{ .Values.stagingK8sReportUrl }}", - "masterNotificationServer": "wss://{{ .Values.stagingMasterNotificationService }}/v1/waitfornotification" + "eventReceiverRestURL": "{{ 
.Values.stagingEventReceiverHttpUrl }}", + "eventReceiverWebsocketURL": "{{ .Values.stagingK8sReportUrl }}", + "rootGatewayURL": "wss://{{ .Values.stagingGateway }}/v1/waitfornotification" {{- else }} - "eventReceiverREST": "{{ .Values.eventReceiverHttpUrl }}", "backendOpenAPI": "{{ .Values.backendOpenAPI }}", - "eventReceiverWS": "{{ .Values.k8sReportUrl }}", - "masterNotificationServer": "wss://{{ .Values.masterNotificationService }}/v1/waitfornotification" + "eventReceiverRestURL": "{{ .Values.eventReceiverHttpUrl }}", + "eventReceiverWebsocketURL": "{{ .Values.k8sReportUrl }}", + "rootGatewayURL": "wss://{{ .Values.masterGateway }}/v1/waitfornotification" {{- end }} } \ No newline at end of file diff --git a/charts/armo-components/templates/armo-notification-service-deployment.yaml b/charts/armo-components/templates/armo-notification-service-deployment.yaml index 64f0dc1..cc4efa2 100644 --- a/charts/armo-components/templates/armo-notification-service-deployment.yaml +++ b/charts/armo-components/templates/armo-notification-service-deployment.yaml @@ -51,11 +51,9 @@ spec: resources: {{ toYaml .Values.armoNotificationService.resources | indent 12 }} env: - - name: MASTER_NOTIFICATION_SERVER_ATTRIBUTES - value: customerGUID - - name: CA_NOTIFICATION_SERVER_WS_PORT + - name: WEBSOCKET_PORT value: "{{ .Values.armoNotificationService.websocketService.port }}" - - name: CA_NOTIFICATION_SERVER_PORT + - name: HTTP_PORT value: "{{ .Values.armoNotificationService.httpService.port }}" {{- range .Values.armoNotificationService.env }} - name: {{ .name }} diff --git a/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml b/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml index 3fa3d09..b78c348 100644 --- a/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml +++ b/charts/armo-components/templates/armo-vuln-scanner-deployment.yaml 
@@ -56,24 +56,8 @@ spec: resources: {{ toYaml .Values.armoVulnScanner.resources | indent 12 }} env: - - name: CA_CLUSTER_NAME - value: "{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower }}" - - name: CA_CUSTOMER_GUID - value: "{{ .Values.accountGuid }}" - - name: OCIMAGE_URL - value: "" - - name: EVENT_RECEIVER_URL - value: "{{ .Values.k8sReportUrl }}" - name: PRINT_POST_JSON value: "{{ .Values.armoVulnScanner.verbose }}" - - name: CA_EVENT_RECEIVER_HTTP -{{- if eq .Values.environment "dev" }} - value: "{{ .Values.devEventReceiverHttpUrl }}" -{{- else if eq .Values.environment "staging" }} - value: "{{ .Values.stagingEventReceiverHttpUrl }}" -{{- else }} - value: "{{ .Values.eventReceiverHttpUrl }}" -{{- end }} {{- range .Values.armoVulnScanner.env }} - name: {{ .name }} value: "{{ .value }}" diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index 92de274..da30637 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -14,17 +14,17 @@ addRevisionLabel: true environment: "prod" eventReceiverHttpUrl: "https://report.armo.cloud" k8sReportUrl: "wss://report.armo.cloud" -masterNotificationService: "ens.euprod1.cyberarmorsoft.com" +gateway: "ens.euprod1.cyberarmorsoft.com" backendOpenAPI: "https://api.armosec.io/api" # ARMO DEV BE URLs devEventReceiverHttpUrl: "https://report.eudev3.cyberarmorsoft.com" devK8sReportUrl: "wss://report.eudev3.cyberarmorsoft.com" -devMasterNotificationService: "ens.eudev3.cyberarmorsoft.com" +devGateway: "ens.eudev3.cyberarmorsoft.com" devBackendOpenAPI: "https://api-dev.armosec.io/api" # ARMO STAGING BE URLs stagingEventReceiverHttpUrl: "https://report-ks.eustage2.cyberarmorsoft.com" stagingK8sReportUrl: "wss://report.eustage2.cyberarmorsoft.com" -stagingMasterNotificationService: "ens.eustage2.cyberarmorsoft.com" +stagingGateway: "ens.eustage2.cyberarmorsoft.com" stagingBackendOpenAPI: "https://api-stage.armosec.io/api" # Customer Specific Data 
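Review bot: Renaming `masterNotificationService`, `devMasterNotificationService` and `stagingMasterNotificationService` to `gateway`, `devGateway` and `stagingGateway` in values.yaml means an existing override of the old keys is ignored without any error, and the release falls back to the default host in this file. For an operator who had pointed the chart at their own endpoint, that silently redirects the connection on upgrade. A guard in the ConfigMap template would make it visible, for example `{{- if .Values.masterNotificationService }}{{ fail "masterNotificationService was renamed to gateway" }}{{- end }}`, together with an upgrade note in the README.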
@@ -177,7 +177,7 @@ armoWebsocket: image: # -- source code: https://github.com/kubescape/kontroller repository: quay.io/kubescape/kontroller - tag: v0.0.60 + tag: v0.0.61 pullPolicy: Always service: @@ -253,7 +253,7 @@ armoVulnScanner: image: # -- source code: https://github.com/kubescape/kubevuln repository: quay.io/kubescape/kubevuln - tag: v0.0.39 + tag: v0.0.42 pullPolicy: Always replicaCount: 1 @@ -301,7 +301,7 @@ armoCollector: image: # -- source code: https://github.com/kubescape/kollector repository: quay.io/kubescape/kollector - tag: v0.0.24 + tag: v0.0.27 pullPolicy: Always replicaCount: 1 @@ -353,7 +353,7 @@ armoNotificationService: image: # -- source code: https://github.com/kubescape/gateway repository: quay.io/kubescape/gateway - tag: v0.0.11 + tag: v0.0.13 pullPolicy: Always replicaCount: 1 From 6b0dd8b31a29e401e6707b6c46e4ed71bdc6fe9b Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Thu, 11 Aug 2022 21:14:17 +0300 Subject: [PATCH 20/22] fixed value --- charts/armo-components/templates/armo-configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/armo-components/templates/armo-configmap.yaml b/charts/armo-components/templates/armo-configmap.yaml index 6f9f30e..167cbb3 100644 --- a/charts/armo-components/templates/armo-configmap.yaml +++ b/charts/armo-components/templates/armo-configmap.yaml @@ -33,6 +33,6 @@ data: "backendOpenAPI": "{{ .Values.backendOpenAPI }}", "eventReceiverRestURL": "{{ .Values.eventReceiverHttpUrl }}", "eventReceiverWebsocketURL": "{{ .Values.k8sReportUrl }}", - "rootGatewayURL": "wss://{{ .Values.masterGateway }}/v1/waitfornotification" + "rootGatewayURL": "wss://{{ .Values.gateway }}/v1/waitfornotification" {{- end }} } \ No newline at end of file From 8fbbf4d01d13720795dd1e377e912b6b16795bc1 Mon Sep 17 00:00:00 2001 
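Review bot: In the armo-configmap.yaml hunk, `.Values.gateway` is interpolated into `rootGatewayURL` with no check that it resolves, which is presumably how the previous `.Values.masterGateway` reference went unnoticed. Under Helm's default non-strict rendering a missing key should produce an empty host rather than a failed install. Wrapping the lookup in `required`, e.g. `"rootGatewayURL": "wss://{{ required "gateway must be set" .Values.gateway }}/v1/waitfornotification"`, turns a misspelled or cleared key into a template error instead of a ConfigMap that points at nothing. The dev and staging branches of this block lie outside the hunk and would need the same guard.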
From: David Wertenteil Date: Sun, 14 Aug 2022 12:14:12 +0300 Subject: [PATCH 21/22] update images tags --- charts/armo-components/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index da30637..d3a443a 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -253,7 +253,7 @@ armoVulnScanner: image: # -- source code: https://github.com/kubescape/kubevuln repository: quay.io/kubescape/kubevuln - tag: v0.0.42 + tag: v0.0.43 pullPolicy: Always replicaCount: 1 @@ -353,7 +353,7 @@ armoNotificationService: image: # -- source code: https://github.com/kubescape/gateway repository: quay.io/kubescape/gateway - tag: v0.0.13 + tag: v0.0.14 pullPolicy: Always replicaCount: 1 From a47f09cc52b54879c2c97e955c839b1dc65cdd91 Mon Sep 17 00:00:00 2001 From: David Wertenteil Date: Sun, 14 Aug 2022 17:45:11 +0300 Subject: [PATCH 22/22] update ks default schedule time --- charts/armo-components/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml index d3a443a..b3274b1 100644 --- a/charts/armo-components/values.yaml +++ b/charts/armo-components/values.yaml @@ -92,7 +92,7 @@ armoKubescapeScanScheduler: # │ │ │ │ │ # * * * * * # -- scan schedule frequency - scanSchedule: "0 0 * * *" + scanSchedule: "0 8 * * *" image: # -- source code: https://github.com/armosec/http-request (public repo)