fixed kubectl image, add default vuln scheduler

David Wertenteil · David Wertenteil · commit 883227515035 · 2022-08-10T16:48:29.000+03:00
diff --git a/charts/armo-components/templates/armo-collector-statefulset.yaml b/charts/armo-components/templates/armo-collector-statefulset.yaml
@@ -35,21 +35,14 @@ spec:
       imagePullSecrets:
       - name: {{ toYaml .Values.imagePullSecrets }}
       {{- end }}
-      # initContainers:
-      # - image: bitnami/kubectl:1.24
-      #   name: disconnect-handle
-      #   command: 
-      #   - bash
-      #   args:
-      #   - -c
-      #   - set -xv; kubectl delete deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; while [ $dep_exist -eq 0 ]; do kubectl get deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; done 
-      #   resources:
-      #     limits:
-      #       cpu: 10m
-      #       memory: 40Mi
-      #     requests:
-      #       cpu: 10m
-      #       memory: 40Mi
+      initContainers:
+      - image: quay.io/armosec/kubectl
+        name: disconnect-handle
+        command: 
+        - bash
+        args:
+        - -c
+        - set -xv; kubectl delete deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; while [ $dep_exist -eq 0 ]; do kubectl get deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; done 
       containers:
         - name: {{ .Values.armoCollector.name }}
           image: "{{ .Values.armoCollector.image.repository }}:{{ .Values.armoCollector.image.tag }}"
diff --git a/charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml b/charts/armo-components/templates/armo-vulnScanScheduler-configmap.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.armoVulnScanScheduler.enabled .Values.armoKubescape.enabled .Values.armoKubescape.submit }}
+kind: ConfigMap 
+apiVersion: v1 
+metadata:
+  name: {{ .Values.armoVulnScanScheduler.name }}
+  namespace: {{ .Values.armoNameSpace }}
+  labels:
+    app: {{ .Values.armoVulnScanScheduler.name }}
+    tier: {{ .Values.global.namespaceTier }}
+data:
+  request-body.json: |-
+    {"commands":[{"commandName":"scan","designators":[{"designatorType":"Attributes","attributes":{"cluster":"dwertent","namespace":"systest-ns-ty8m"}}]}]}
+{{- end }}
diff --git a/charts/armo-components/templates/armo-vulnScanScheduler-cronjob.yaml b/charts/armo-components/templates/armo-vulnScanScheduler-cronjob.yaml
@@ -0,0 +1,58 @@
+{{- if and .Values.armoVulnScanScheduler.enabled .Values.armoKubescape.enabled .Values.armoKubescape.submit }}
+{{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }}
+apiVersion: batch/v1
+{{- else }}
+apiVersion: batch/v1beta1
+{{- end }}
+kind: CronJob
+metadata:
+  name: {{ .Values.armoVulnScanScheduler.name }}
+  namespace: {{ .Values.armoNameSpace }}
+  labels:
+    app: {{ .Values.armoVulnScanScheduler.name }}
+    tier: {{ .Values.global.namespaceTier}}
+    armo.tier: "kubescape-scan"
+spec:
+  schedule: "{{ .Values.armoVulnScanScheduler.scanSchedule }}"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            armo.tier: "kubescape-scan"
+        spec:
+          containers:
+          - name: {{ .Values.armoVulnScanScheduler.name }}
+            image: "{{ .Values.armoVulnScanScheduler.image.repository }}:{{ .Values.armoVulnScanScheduler.image.tag }}"
+            imagePullPolicy: {{ .Values.armoVulnScanScheduler.image.pullPolicy }}
+            args: 
+              - -method=post
+              - -scheme=http
+              - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}
+              - -path=v1/triggerAction
+              - -headers="Content-Type:application/json"
+              - -path-body=/home/ks/request-body.json
+            volumeMounts:
+              - name: {{ .Values.armoVulnScanScheduler.name }}
+                mountPath: /home/ks/request-body.json
+                subPath: request-body.json
+                readOnly: true
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumeMounts | indent 14 }}
+{{- end }}
+{{- if .Values.armoVulnScanScheduler.volumeMounts }}
+{{ toYaml .Values.armoVulnScanScheduler.volumeMounts | indent 14 }}
+{{- end }}
+          restartPolicy: Never
+          automountServiceAccountToken: false
+          volumes:
+          - name: {{ .Values.armoVulnScanScheduler.name }}
+            configMap:
+              name: {{ .Values.armoVulnScanScheduler.name }}
+{{- if .Values.volumes }}
+{{ toYaml .Values.volumes | indent 10 }}
+{{- end }}
+{{- if .Values.armoVulnScanScheduler.volumes }}
+{{ toYaml .Values.armoVulnScanScheduler.volumes | indent 10 }}
+{{- end }}
+{{- end }}
diff --git a/charts/armo-components/values.yaml b/charts/armo-components/values.yaml
@@ -71,7 +71,7 @@ global:
   beConfig: armo-be-config
   armoServiceAccountName: armo-scanner-service-account
   armoKubescapeServiceAccountName: armo-kubescape-service-account
-  
+
 # kubescape scheduled scan using a CronJob
 armoKubescapeScanScheduler:
 
