Merge pull request #70 from armosec/dev

update helm from dev after testing

Author: David Wertenteil

README.md

@@ -1,7 +1,7 @@
 # ARMO cluster components
 ARMO Vulnerability Scanning
 
-![Version: 1.7.8](https://img.shields.io/badge/Version-1.7.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.8](https://img.shields.io/badge/AppVersion-v1.7.8-informational?style=flat-square)
+![Version: 1.7.9](https://img.shields.io/badge/Version-1.7.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.9](https://img.shields.io/badge/AppVersion-v1.7.9-informational?style=flat-square)
 
 ## [Docs](https://hub.armo.cloud/docs/installation-of-armo-in-cluster)
 
@@ -43,25 +43,41 @@ helm upgrade --install armo  armo/armo-cluster-components -n armo-system --creat
 | armoCollector.enabled | bool | `true` | enable/disable the armoCollector |
 | armoCollector.env[0] | object | `{"name":"PRINT_REPORT","value":"false"}` | print in verbose mode (print all reported data) |
 | armoCollector.image.repository | string | `"quay.io/armosec/cluster-collector"` | [source code](https://github.com/armosec/k8s-armo-collector) (private repo) |
+| armoCollector.volumes | object | `[]` | Additional volumes for the collector |
+| armoCollector.volumeMounts | object | `[]` | Additional volumeMounts for the collector |
 | armoKubescape.downloadArtifacts | bool | `true` | download policies every scan, we recommend it should remain true, you should change to 'false' when running in an air-gapped environment or when scanning with high frequency (when running with Prometheus) |
 | armoKubescape.enableHostScan | bool | `true` | enable [host scanner feature](https://hub.armo.cloud/docs/host-sensor) |
 | armoKubescape.enabled | bool | `true` | enable/disable kubescape scanning |
 | armoKubescape.image.repository | string | `"quay.io/armosec/kubescape"` | [source code](https://github.com/armosec/kubescape/tree/master/httphandler) (public repo) |
 | armoKubescape.serviceMonitor.enabled | bool | `false` | enable/disable service monitor for prometheus (operator) integration |
 | armoKubescape.skipUpdateCheck | bool | `false` | skip check for a newer version  |
 | armoKubescape.submit | bool | `true` | submit results to ARMO SaaS: https://portal.armo.cloud/ |
+| armoKubescape.volumes | object | `[]` | Additional volumes for Kubescape |
+| armoKubescape.volumeMounts | object | `[]` | Additional volumeMounts for Kubescape |
 | armoKubescapeScanScheduler.enabled | bool | `true` | enable/disable a kubescape scheduled scan using a CronJob |
 | armoKubescapeScanScheduler.image.repository | string | `"quay.io/armosec/http_request"` | [source code](https://github.com/armosec/http-request) (public repo) |
 | armoKubescapeScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency |
+| armoKubescapeScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler |
+| armoKubescapeScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler |
 | armoNotificationService.enabled | bool | `true` | enable/disable passing notifications from ARMO SaaS to the armo-web-socket microservice. The notifications are the onDemand scanning and the scanning schedule settings |
 | armoNotificationService.image.repository | string | `"quay.io/armosec/notification-server"` | [source code](https://github.com/armosec/capostman) (private repo) |
+| armoNotificationService.volumes | object | `[]` | Additional volumes for the notification service |
+| armoNotificationService.volumeMounts | object | `[]` | Additional volumeMounts for the notification service |
 | armoScanScheduler.enabled | bool | `true` | enable/disable image vulnerability a schedule scan using a CronJob |
 | armoScanScheduler.image.repository | string | `"curlimages/curl"` | image: curlimages/curl |
 | armoScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency |
+| armoKubescapeScanScheduler.volumes | object | `[]` | Additional volumes for scan scheduler |
+| armoKubescapeScanScheduler.volumeMounts | object | `[]` | Additional volumeMounts for scan scheduler |
 | armoVulnScanner.enabled | bool | `true` | enable/disable image vulnerability scanning |
 | armoVulnScanner.image.repository | string | `"quay.io/armosec/images-vulnerabilities-scan"` | [source code](https://github.com/armosec/ca-vuln-scan) (private repo) |
+| armoVulnScanner.volumes | object | `[]` | Additional volumes for the image vulnerability scanning |
+| armoVulnScanner.volumeMounts | object | `[]` | Additional volumeMounts for the image vulnerability scanning |
 | armoWebsocket.enabled | bool | `true` | enable/disable kubescape and image vulnerability scanning |
 | armoWebsocket.image.repository | string | `"quay.io/armosec/action-trigger"` | [source code](https://github.com/armosec/k8s-ca-websocket) (private repo) |
+| armoWebsocket.volumes | object | `[]` | Additional volumes for the web socket |
+| armoWebsocket.volumeMounts | object | `[]` | Additional volumeMounts for the web socket |
+| armoKubescapeHostScanner.volumes | object | `[]` | Additional volumes for the host scanner |
+| armoKubescapeHostScanner.volumeMounts | object | `[]` | Additional volumeMounts for the host scanner |
 | aws_iam_role_arn | string | `nil` | AWS IAM arn role |
 | clientID | string | `""` | client ID, [read more](https://hub.armo.cloud/docs/authentication) |
 | cloudRegion | string | `nil` | cloud region |
@@ -70,5 +86,7 @@ helm upgrade --install armo  armo/armo-cluster-components -n armo-system --creat
 | gke_service_account | string | `nil` | GKE service account |
 | secretKey | string | `""` | secret key, [read more](https://hub.armo.cloud/docs/authentication) |
 | triggerNewImageScan | string | `"disable"` | enable/disable trigger image scan for new images |
+| volumes | object | `[]` | Additional volumes for all containers |
+| volumeMounts | object | `[]` | Additional volumeMounts for all containers |
 
 

charts/armo-components/Chart.yaml

@@ -8,13 +8,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.7.8
+version: 1.7.9
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v1.7.8"
+appVersion: "v1.7.9"
 
 maintainers:
 - name: Ben Hirschberg

charts/armo-components/assets/armo-kubescape-cronjob-full.yaml

@@ -32,12 +32,22 @@ apiVersion: batch/v1
                     mountPath: /home/armo/request-body.json
                     subPath: request-body.json
                     readOnly: true
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumeMounts | indent 18 }}
+{{- end }}
+{{- if .Values.armoKubescapeScanScheduler.volumeMounts }}
+{{ toYaml .Values.armoKubescapeScanScheduler.volumeMounts | indent 18 }}
+{{- end }}
               restartPolicy: Never
               automountServiceAccountToken: false
               volumes:
                 - name: "request-body-volume" # placeholder
                   configMap:
                     name: {{ .Values.armoKubescapeScanScheduler.name }}
- 
-
+{{- if .Values.volumes }}
+{{ toYaml .Values.volumes | indent 16 }}
+{{- end }}
+{{- if .Values.armoKubescapeScanScheduler.volumes }}
+{{ toYaml .Values.armoKubescapeScanScheduler.volumes | indent 16 }}
+{{- end }}
 

charts/armo-components/assets/armo-registry-scan-cronjob-ful.yaml

@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+    kind: CronJob
+    metadata:
+      name: {{ .Values.armoRegistryScanScheduler.name }}
+      namespace: {{ .Values.armoNameSpace }}
+      labels:
+        app: {{ .Values.armoRegistryScanScheduler.name }}
+        tier: {{ .Values.global.namespaceTier}}
+        armo.tier: "registry-scan"
+    spec:
+      schedule: "{{ .Values.armoRegistryScanScheduler.scanSchedule }}"
+      jobTemplate:
+        spec:
+          template:
+            metadata:
+              labels:
+                armo.tier: "registry-scan"
+            spec:
+              containers:
+              - name: {{ .Values.armoRegistryScanScheduler.name }}
+                image: "{{ .Values.armoRegistryScanScheduler.image.repository }}:{{ .Values.armoRegistryScanScheduler.image.tag }}"
+                imagePullPolicy: {{ .Values.armoRegistryScanScheduler.image.pullPolicy }}
+                args: 
+                  - -method=post
+                  - -scheme=http
+                  - -host={{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}
+                  - -path=v1/triggerAction
+                  - -headers="Content-Type:application/json"
+                  - -path-body=/home/armo/request-body.json
+                volumeMounts:
+                  - name: "request-body-volume"
+                    mountPath: /home/armo/request-body.json
+                    subPath: request-body.json
+                    readOnly: true
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumeMounts | indent 18 }}
+{{- end }}
+{{- if .Values.armoRegistryScanScheduler.volumeMounts }}
+{{ toYaml .Values.armoRegistryScanScheduler.volumeMounts | indent 18 }}
+{{- end }}
+              restartPolicy: Never
+              automountServiceAccountToken: false
+              volumes:
+                - name: "request-body-volume" # placeholder
+                  configMap:
+                    name: {{ .Values.armoRegistryScanScheduler.name }}
+{{- if .Values.volumes }}
+{{ toYaml .Values.volumes | indent 16 }}
+{{- end }}
+{{- if .Values.armoRegistryScanScheduler.volumes }}
+{{ toYaml .Values.armoRegistryScanScheduler.volumes | indent 16 }}
+{{- end }}
+          

charts/armo-components/assets/host-scanner-definition.yaml

@@ -53,6 +53,12 @@ spec:
         volumeMounts:
         - mountPath: /host_fs
           name: host-filesystem
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumeMounts | indent 8 }}
+{{- end }}
+{{- if .Values.armoKubescapeHostScanner.volumeMounts }}
+{{ toYaml .Values.armoKubescapeHostScanner.volumeMounts | indent 8 }}
+{{- end }}
         readinessProbe:
           httpGet:
             path: /kernelVersion
@@ -67,6 +73,12 @@ spec:
           path: /
           type: Directory
         name: host-filesystem
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumes | indent 6 }}
+{{- end }}
+{{- if .Values.armoKubescapeHostScanner.volumes }}
+{{ toYaml .Values.armoKubescapeHostScanner.volumes | indent 6 }}
+{{- end }}
       hostNetwork: true
       hostPID: true
       hostIPC: true

charts/armo-components/templates/armo-collector-deployment.yaml

@@ -60,13 +60,25 @@ spec:
             - name: {{ .Values.global.beConfig }}
               mountPath: /etc/config
               readOnly: true
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumeMounts | indent 12 }}
+{{- end }}
+{{- if .Values.armoCollector.volumeMounts }}
+{{ toYaml .Values.armoCollector.volumeMounts | indent 12 }}
+{{- end }}
       volumes:
         - name: {{ .Values.global.beConfig }}
           configMap:
             name: {{ .Values.global.beConfig }}
             items:
             - key: "clusterData"
               path: "clusterData.json"
+{{- if .Values.volumes }}
+{{ toYaml .Values.volumes | indent 8 }}
+{{- end }}
+{{- if .Values.armoCollector.volumes }}
+{{ toYaml .Values.armoCollector.volumes | indent 8 }}
+{{- end }}
       serviceAccountName: {{ .Values.global.armoServiceAccountName }}
       automountServiceAccountToken: true
       {{- with .Values.nodeSelector }}

charts/armo-components/templates/armo-kubescape-deployment.yaml

@@ -89,6 +89,12 @@ spec:
         - name: host-scanner-definition
           mountPath: /home/armo/.kubescape/host-scanner.yaml
           subPath: host-scanner-yaml
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumeMounts | indent 8 }}
+{{- end }}
+{{- if .Values.armoKubescape.volumeMounts }}
+{{ toYaml .Values.armoKubescape.volumeMounts | indent 8 }}
+{{- end }}
       serviceAccountName: {{ .Values.global.armoKubescapeServiceAccountName }}
       automountServiceAccountToken: true
       volumes:
@@ -98,4 +104,10 @@ spec:
       - name: host-scanner-definition
         configMap:
           name: host-scanner-definition
+{{- if .Values.volumes }}
+{{ toYaml .Values.volumes | indent 6 }}
+{{- end }}
+{{- if .Values.armoKubescape.volumes }}
+{{ toYaml .Values.armoKubescape.volumes | indent 6 }}
+{{- end }}
 {{- end }}

charts/armo-components/templates/armo-kubescape-host-scanner-definition-config-map.yaml

@@ -8,4 +8,4 @@ metadata:
     tier: {{ .Values.global.namespaceTier }}
 data:
   host-scanner-yaml: |-
-{{ .Files.Get "assets/host-scanner-definition.yaml" | indent 6 }}
+{{ tpl (.Files.Get "assets/host-scanner-definition.yaml") . | indent 4}}

charts/armo-components/templates/armo-kubescape-servicemonitor.yaml

@@ -3,9 +3,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ .Values.armoKubescape.name }}-monitor
-  {{- if .Values.armoKubescape.serviceMonitor.namespace }}
-  namespace: {{ .Values.armoKubescape.serviceMonitor.namespace }}
-  {{- end }}
+  namespace: {{ .Values.armoKubescape.serviceMonitor.namespace | default .Values.armoNameSpace }}
   labels:
     app: {{ .Values.armoKubescape.name }}
     helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}

charts/armo-components/templates/armo-kubescapeScanScheduler-cronjob.yaml

@@ -37,10 +37,22 @@ spec:
                 mountPath: /home/armo/request-body.json
                 subPath: request-body.json
                 readOnly: true
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumeMounts | indent 14 }}
+{{- end }}
+{{- if .Values.armoKubescapeScanScheduler.volumeMounts }}
+{{ toYaml .Values.armoKubescapeScanScheduler.volumeMounts | indent 14 }}
+{{- end }}
           restartPolicy: Never
           automountServiceAccountToken: false
           volumes:
           - name: {{ .Values.armoKubescapeScanScheduler.name }}
             configMap:
               name: {{ .Values.armoKubescapeScanScheduler.name }}
+{{- if .Values.volumes }}
+{{ toYaml .Values.volumes | indent 10 }}
+{{- end }}
+{{- if .Values.armoKubescapeScanScheduler.volumes }}
+{{ toYaml .Values.armoKubescapeScanScheduler.volumes | indent 10 }}
+{{- end }}
 {{- end }}