Merge pull request #114 from armosec/dev

Release v1.7.18

Author: David Wertenteil

README.md

@@ -43,7 +43,7 @@ helm upgrade --install armo  armo/armo-cluster-components -n armo-system --creat
 | armoCollector.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the StatefulSet |
 | armoCollector.enabled | bool | `true` | enable/disable the armoCollector |
 | armoCollector.env[0] | object | `{"name":"PRINT_REPORT","value":"false"}` | print in verbose mode (print all reported data) |
-| armoCollector.image.repository | string | `"quay.io/armosec/cluster-collector"` | [source code](https://github.com/armosec/k8s-armo-collector) (private repo) |
+| armoCollector.image.repository | string | `"quay.io/kubescape/kollector"` | [source code](https://github.com/kubescape/kollector) |
 | armoCollector.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoCollector.volumes | object | `[]` | Additional volumes for the collector |
 | armoCollector.volumeMounts | object | `[]` | Additional volumeMounts for the collector |
@@ -65,31 +65,32 @@ helm upgrade --install armo  armo/armo-cluster-components -n armo-system --creat
 | armoKubescapeScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler |
 | armoNotificationService.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
 | armoNotificationService.enabled | bool | `true` | enable/disable passing notifications from ARMO SaaS to the armo-web-socket microservice. The notifications are the onDemand scanning and the scanning schedule settings |
-| armoNotificationService.image.repository | string | `"quay.io/armosec/notification-server"` | [source code](https://github.com/armosec/capostman) (private repo) |
+| armoNotificationService.image.repository | string | `"quay.io/kubescape/gateway"` | [source code](https://github.com/kubescape/gateway) |
 | armoNotificationService.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoNotificationService.volumes | object | `[]` | Additional volumes for the notification service |
 | armoNotificationService.volumeMounts | object | `[]` | Additional volumeMounts for the notification service |
-| armoScanScheduler.enabled | bool | `true` | enable/disable image vulnerability a schedule scan using a CronJob |
-| armoScanScheduler.image.repository | string | `"curlimages/curl"` | image: curlimages/curl |
-| armoScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency |
-| armoScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler |
-| armoScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler |
 | armoVulnScanner.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
 | armoVulnScanner.enabled | bool | `true` | enable/disable image vulnerability scanning |
-| armoVulnScanner.image.repository | string | `"quay.io/armosec/images-vulnerabilities-scan"` | [source code](https://github.com/armosec/ca-vuln-scan) (private repo) |
+| armoVulnScanner.image.repository | string | `"quay.io/kubescape/kubevuln"` | [source code](https://github.com/kubescape/kubevuln) |
 | armoVulnScanner.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoVulnScanner.volumes | object | `[]` | Additional volumes for the image vulnerability scanning |
 | armoVulnScanner.volumeMounts | object | `[]` | Additional volumeMounts for the image vulnerability scanning |
+| armoVulnScanScheduler.enabled | bool | `true` | enable/disable a image vulnerability scheduled scan using a CronJob |
+| armoVulnScanScheduler.image.repository | string | `"quay.io/armosec/http_request"` | [source code](https://github.com/armosec/http-request) (public repo) |
+| armoVulnScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency |
+| armoVulnScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler |
+| armoVulnScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler |
 | armoWebsocket.affinity | object | `{}` | Assign custom [affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) rules to the deployment |
 | armoWebsocket.enabled | bool | `true` | enable/disable kubescape and image vulnerability scanning |
-| armoWebsocket.image.repository | string | `"quay.io/armosec/action-trigger"` | [source code](https://github.com/armosec/k8s-ca-websocket) (private repo) |
+| armoWebsocket.image.repository | string | `"quay.io/kubescape/kontroller"` | [source code](https://github.com/kubescape/kontroller) |
 | armoWebsocket.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | armoWebsocket.volumes | object | `[]` | Additional volumes for the web socket |
 | armoWebsocket.volumeMounts | object | `[]` | Additional volumeMounts for the web socket |
 | armoKubescapeHostScanner.volumes | object | `[]` | Additional volumes for the host scanner |
 | armoKubescapeHostScanner.volumeMounts | object | `[]` | Additional volumeMounts for the host scanner |
 | aws_iam_role_arn | string | `nil` | AWS IAM arn role |
 | clientID | string | `""` | client ID, [read more](https://hub.armosec.io/docs/authentication) |
+| addRevisionLabel | bool | `true` | Add revision label to the components. This will insure the components will restart when updating the helm |
 | cloudRegion | string | `nil` | cloud region |
 | cloud_provider_engine | string | `nil` | cloud provider engine |
 | gkeProject | string | `nil` | GKE project |

charts/armo-components/Chart.yaml

@@ -8,13 +8,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.7.17
+version: 1.7.18
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v1.7.17"
+appVersion: "v1.7.18"
 
 maintainers:
 - name: Ben Hirschberg

charts/armo-components/assets/armo-kubescape-cronjob-full.yaml

@@ -8,7 +8,7 @@ apiVersion: batch/v1
         tier: {{ .Values.global.namespaceTier}}
         armo.tier: "kubescape-scan"
     spec:
-      schedule: "{{ .Values.armoScanScheduler.scanSchedule }}"
+      schedule: "{{ .Values.armoKubescapeScanScheduler.scanSchedule }}"
       jobTemplate:
         spec:
           template:
@@ -26,10 +26,10 @@ apiVersion: batch/v1
                   - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}
                   - -path=v1/triggerAction
                   - -headers="Content-Type:application/json"
-                  - -path-body=/home/armo/request-body.json
+                  - -path-body=/home/ks/request-body.json
                 volumeMounts:
                   - name: "request-body-volume"
-                    mountPath: /home/armo/request-body.json
+                    mountPath: /home/ks/request-body.json
                     subPath: request-body.json
                     readOnly: true
 {{- if .Values.volumeMounts }}

charts/armo-components/assets/armo-registry-scan-cronjob-ful.yaml

@@ -26,10 +26,10 @@ apiVersion: batch/v1
                   - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}
                   - -path=v1/triggerAction
                   - -headers="Content-Type:application/json"
-                  - -path-body=/home/armo/request-body.json
+                  - -path-body=/home/ks/request-body.json
                 volumeMounts:
                   - name: "request-body-volume"
-                    mountPath: /home/armo/request-body.json
+                    mountPath: /home/ks/request-body.json
                     subPath: request-body.json
                     readOnly: true
 {{- if .Values.volumeMounts }}

charts/armo-components/assets/armo-vulnscan-cronjob-full.yaml

@@ -8,7 +8,7 @@ apiVersion: batch/v1
         tier: {{ .Values.global.namespaceTier}}
         armo.tier: "vuln-scan"
     spec:
-      schedule: "{{ .Values.armoScanScheduler.scanSchedule }}"
+      schedule: "{{ .Values.armoVulnScanScheduler.scanSchedule }}"
       jobTemplate:
         spec:
           template:
@@ -26,18 +26,28 @@ apiVersion: batch/v1
                   - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}
                   - -path=v1/triggerAction
                   - -headers="Content-Type:application/json"
-                  - -path-body=/home/armo/request-body.json
+                  - -path-body=/home/ks/request-body.json
                 volumeMounts:
                   - name: "request-body-volume"
-                    mountPath: /home/armo/request-body.json
+                    mountPath: /home/ks/request-body.json
                     subPath: request-body.json
                     readOnly: true
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumeMounts | indent 18 }}
+{{- end }}
+{{- if .Values.armoVulnScanScheduler.volumeMounts }}
+{{ toYaml .Values.armoVulnScanScheduler.volumeMounts | indent 18 }}
+{{- end }}
               restartPolicy: Never
               automountServiceAccountToken: false
               volumes:
                 - name: "request-body-volume" # placeholder
                   configMap:
                     name: {{ .Values.armoVulnScanScheduler.name }}
- 
-
+{{- if .Values.volumes }}
+{{ toYaml .Values.volumes | indent 16 }}
+{{- end }}
+{{- if .Values.armoVulnScanScheduler.volumes }}
+{{ toYaml .Values.armoVulnScanScheduler.volumes | indent 16 }}
+{{- end }}
 

charts/armo-components/templates/armo-collector-statefulset.yaml

@@ -27,23 +27,26 @@ spec:
         tier: {{ .Values.global.namespaceTier}}
         app: {{ .Values.armoCollector.name }}
         helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+      {{- if .Values.addRevisionLabel }}
+        helm.sh/revision: "{{ .Release.Revision }}"
+      {{- end }}
     spec:
       {{- if .Values.imagePullSecrets }}
       imagePullSecrets:
       - name: {{ toYaml .Values.imagePullSecrets }}
       {{- end }}
       initContainers:
-      - image: bitnami/kubectl:1.24
-        name: disconnect-handle
+      - image: quay.io/armosec/kubectl:1.24 # https://github.com/armosec/bitnami-docker-kubectl
+        name: remove-old-deployments
         command: 
         - bash
         args:
         - -c
         - set -xv; kubectl delete deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; while [ $dep_exist -eq 0 ]; do kubectl get deployment armo-collector -n armo-system; dep_exist=$?; echo $dep_exist; done 
         resources:
           limits:
-            cpu: 10m
-            memory: 40Mi
+            cpu: 20m
+            memory: 100Mi
           requests:
             cpu: 10m
             memory: 40Mi
@@ -66,13 +69,18 @@ spec:
           env:
             - name: ACTIVATE_CVE_SCAN_ON_NEW_IMAGE_FEATURE
               value: "{{ .Values.triggerNewImageScan }}"
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
             {{- range .Values.armoCollector.env }}
             - name: {{ .name  }}
               value: "{{ .value }}"
             {{- end }}
           args:
-            - -include-namespaces={{ .Values.armoNameSpace }}
-            - 2>&1
+          - -alsologtostderr
+          - -v=4
+          - 2>&1
           volumeMounts:
             - name: {{ .Values.global.beConfig }}
               mountPath: /etc/config

charts/armo-components/templates/armo-configmap.yaml

@@ -11,37 +11,28 @@ metadata:
 data:
   clusterData: |
     {
-      "ociImageURL": "",
-      "notificationWSURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.websocketService.port }}",
-      "notificationRestURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.httpService.port }}",
+      "gatewayWebsocketURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.websocketService.port }}",
+      "gatewayRestURL": "{{ .Values.armoNotificationService.name }}:{{ .Values.armoNotificationService.httpService.port }}",
       "vulnScanURL": "{{ .Values.armoVulnScanner.name }}:{{ .Values.armoVulnScanner.service.port }}",
+      "kubevulnURL": "{{ .Values.armoVulnScanner.name }}:{{ .Values.armoVulnScanner.service.port }}",
       "kubescapeURL": "{{ .Values.armoKubescape.name }}:{{ .Values.armoKubescape.service.port }}",
-      "oracleURL": "",
       "triggerNewImageScan": "{{ .Values.armoTriggerNewImageScan }}",
+      "accountID": "{{ .Values.accountGuid }}",
+      "clusterName": "{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower }}",
 {{- if eq .Values.environment "dev" }} 
       "backendOpenAPI": "{{ .Values.devBackendOpenAPI }}",
-      "dashboard": "{{ .Values.devBackendOpenAPI }}",
-      "eventReceiverREST": "{{ .Values.devEventReceiverHttpUrl }}",
-      "postman": "wss://{{ .Values.devPostmanUrl }}",
-      "eventReceiverWS": "{{ .Values.devK8sReportUrl }}",
-      "masterNotificationServer": "wss://{{ .Values.devMasterNotificationService }}/v1/waitfornotification",
+      "eventReceiverRestURL": "{{ .Values.devEventReceiverHttpUrl }}",
+      "eventReceiverWebsocketURL": "{{ .Values.devK8sReportUrl }}",
+      "rootGatewayURL": "wss://{{ .Values.devGateway }}/v1/waitfornotification"
 {{- else if eq .Values.environment "staging" }}
-      "dashboard": "{{ .Values.stagingBackendOpenAPI }}",
       "backendOpenAPI": "{{ .Values.stagingBackendOpenAPI }}",
-      "eventReceiverREST": "{{ .Values.stagingEventReceiverHttpUrl }}",
-      "postman": "wss://{{ .Values.stagingPostmanUrl }}",
-      "eventReceiverWS": "{{ .Values.stagingK8sReportUrl }}",
-      "masterNotificationServer": "wss://{{ .Values.stagingMasterNotificationService }}/v1/waitfornotification",
+      "eventReceiverRestURL": "{{ .Values.stagingEventReceiverHttpUrl }}",
+      "eventReceiverWebsocketURL": "{{ .Values.stagingK8sReportUrl }}",
+      "rootGatewayURL": "wss://{{ .Values.stagingGateway }}/v1/waitfornotification"
 {{- else }} 
-      "dashboard": "{{ .Values.backendOpenAPI }}",
-      "eventReceiverREST": "{{ .Values.eventReceiverHttpUrl }}",
       "backendOpenAPI": "{{ .Values.backendOpenAPI }}",
-      "postman": "wss://{{ .Values.postmanUrl }}",
-      "eventReceiverWS": "{{ .Values.k8sReportUrl }}",
-      "masterNotificationServer": "wss://{{ .Values.masterNotificationService }}/v1/waitfornotification",
+      "eventReceiverRestURL": "{{ .Values.eventReceiverHttpUrl }}",
+      "eventReceiverWebsocketURL": "{{ .Values.k8sReportUrl }}",
+      "rootGatewayURL": "wss://{{ .Values.gateway }}/v1/waitfornotification"
 {{- end }}       
-      "portal": "",
-      "customerGUID": "{{ .Values.accountGuid }}",
-      "clusterGUID": "",
-      "clusterName": "{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower }}"
     }

charts/armo-components/templates/armo-kubescape-configmap.yaml

@@ -10,7 +10,6 @@ metadata:
     app: {{ .Values.armoKubescape.name }}-config
     tier: {{ .Values.global.namespaceTier }}  
 data:
-  clusterName: {{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower  }}  # deprecate
   config.json: |
     {
       "accountID": "{{ .Values.accountGuid }}",

charts/armo-components/templates/armo-kubescape-deployment.yaml

@@ -30,6 +30,9 @@ spec:
         helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
         tier: {{ .Values.global.namespaceTier}}
         app: {{ .Values.armoKubescape.name }}
+      {{- if .Values.addRevisionLabel }}
+        helm.sh/revision: "{{ .Release.Revision }}"
+      {{- end }}
     spec:
       containers:
       - name: kubescape
@@ -57,7 +60,9 @@ spec:
         - name: KS_DEFAULT_CONFIGMAP_NAME
           value: "{{ .Values.armoKubescape.name }}-config"
         - name: KS_DEFAULT_CONFIGMAP_NAMESPACE
-          value: "{{ .Values.armoNameSpace }}"
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
         - name: KS_ENABLE_HOST_SCANNER
           value: "{{ .Values.armoKubescape.enableHostScan }}"
         - name: KS_SUBMIT
@@ -90,10 +95,10 @@ spec:
 {{ toYaml .Values.armoKubescape.resources | indent 14 }}            
         volumeMounts:
         - name: kubescape-config-volume
-          mountPath: /home/armo/.kubescape/config.json
+          mountPath: /home/ks/.kubescape/config.json
           subPath: config.json
         - name: host-scanner-definition
-          mountPath: /home/armo/.kubescape/host-scanner.yaml
+          mountPath: /home/ks/.kubescape/host-scanner.yaml
           subPath: host-scanner-yaml
 {{- if .Values.volumeMounts }}
 {{ toYaml .Values.volumeMounts | indent 8 }}

charts/armo-components/templates/armo-kubescapeScanScheduler-cronjob.yaml

@@ -31,10 +31,10 @@ spec:
               - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}
               - -path=v1/triggerAction
               - -headers="Content-Type:application/json"
-              - -path-body=/home/armo/request-body.json
+              - -path-body=/home/ks/request-body.json
             volumeMounts:
               - name: {{ .Values.armoKubescapeScanScheduler.name }}
-                mountPath: /home/armo/request-body.json
+                mountPath: /home/ks/request-body.json
                 subPath: request-body.json
                 readOnly: true
 {{- if .Values.volumeMounts }}