Merge pull request #464 from jetstack/pf/agent-args

feat: Config and Argument configuration plus tests for these features

Author: hawksight

.github/workflows/chart-test.yaml

@@ -0,0 +1,23 @@
+name: Chart Testing
+
+on:
+  push:
+    branches-ignore:
+      - master
+  pull_request:
+    branches:
+      - "*"
+
+jobs:
+  unittest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: d3adb5/helm-unittest-action@v2
+        with:
+          flags: "--color --strict"
+          charts: deploy/charts/jetstack-agent
+          helm-version: v3.12.3
+      # This has to be second as helm may not be installed until after above action
+      # source: https://github.com/marketplace/actions/helm-unit-tests#examples
+      - run: helm lint deploy/charts/jetstack-agent

.gitignore

@@ -9,3 +9,5 @@ terraform.tfstate
 terraform.tfstate.backup
 bom.xml
 predicate.json
+privatekey.pem
+

deploy/charts/jetstack-agent/.helmignore

@@ -0,0 +1 @@
+tests

deploy/charts/jetstack-agent/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
 name: jetstack-agent
-description: Jetstack Secure Agent
+description: TLS Protect for Kubernetes Agent
 type: application
-version: 0.2.1
-appVersion: "v0.1.39"
+version: 0.3.0
+appVersion: "v0.1.40"
 home: https://github.com/jetstack/jetstack-secure
 maintainers:
 - name: JSCP and CRE Team

deploy/charts/jetstack-agent/README.md

@@ -1,8 +1,8 @@
 # jetstack-agent
 
-Jetstack Secure Agent
+TLS Protect for Kubernetes Agent
 
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.39](https://img.shields.io/badge/AppVersion-v0.1.39-informational?style=flat-square)
+![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.40](https://img.shields.io/badge/AppVersion-v0.1.40-informational?style=flat-square)
 
 ## Additional Information
 
@@ -137,19 +137,24 @@ kubectl logs -n jetstack-secure $(kubectl get pod -n jetstack-secure -l app.kube
 | authentication.secretKey | string | `"credentials.json"` | Key name in secret |
 | authentication.secretName | string | `"agent-credentials"` | Name of the secret containing agent credentials.json |
 | authentication.secretValue | string | `""` | Base64 encoded value from Jetstack Secure Dashboard - only required when createSecret is true |
-| authentication.type | string | `"file"` | Type can be "file"/"token" which dictates whether a credential file or token is used |
-| config | object | `{"cluster":"","dataGatherers":{"custom":[],"default":true},"organisation":"","period":"0h1m0s","server":"https://platform.jetstack.io"}` | Configuration section for the Jetstack Agent itself |
+| authentication.type | string | `"file"` | Type can be "file"/"token" determining how the agent should authenticate the to the backend |
+| command | list | `[]` |  |
+| config | object | `{"cluster":"","dataGatherers":{"custom":[],"default":true},"organisation":"","override":{"config":"","configmap":{"key":"","name":""},"enabled":false},"period":"0h1m0s","server":"https://platform.jetstack.io"}` | Configuration section for the Jetstack Agent itself |
 | config.cluster | string | `""` | REQUIRED - Your Jetstack Secure Cluster Name |
 | config.dataGatherers | object | `{"custom":[],"default":true}` | Configure data that is gathered from your cluster, for full details see https://platform.jetstack.io/documentation/configuration/jetstack-agent/configuration |
 | config.dataGatherers.custom | list | `[]` | A list of data gatherers to limit agent scope |
 | config.dataGatherers.default | bool | `true` | Use the standard full set of data gatherers |
 | config.organisation | string | `""` | REQUIRED - Your Jetstack Secure Organisation Name |
+| config.override | object | `{"config":"","configmap":{"key":"","name":""},"enabled":false}` | Provide an Override to allow completely custom agent configuration |
+| config.override.config | string | `""` | Embed the agent configuration here in the chart values |
+| config.override.configmap | object | `{"key":"","name":""}` | Sepcify ConfigMap details to load config from existing ConfigMap |
+| config.override.enabled | bool | `false` | Override disabled by default |
 | config.period | string | `"0h1m0s"` | Send data back to the platform every minute unless changed |
 | config.server | string | `"https://platform.jetstack.io"` | Overrides the server if using a proxy between agent and Jetstack Secure |
 | fullnameOverride | string | `""` | Helm default setting, use this to shorten install name |
 | image.pullPolicy | string | `"IfNotPresent"` | Defaults to only pull if not already present |
 | image.repository | string | `"quay.io/jetstack/preflight"` | Default to Open Source image repository |
-| image.tag | string | `"v0.1.39"` | Overrides the image tag whose default is the chart appVersion |
+| image.tag | string | `"v0.1.40"` | Overrides the image tag whose default is the chart appVersion |
 | imagePullSecrets | list | `[]` | Specify image pull credentials if using a prviate registry |
 | nameOverride | string | `""` | Helm default setting to override release name, leave blank |
 | nodeSelector | object | `{}` |  |

deploy/charts/jetstack-agent/templates/configmap.yaml

@@ -1,3 +1,4 @@
+{{ if not (and .Values.config.override.enabled .Values.config.override.configmap.name) }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -6,8 +7,12 @@ metadata:
   labels:
     {{- include "jetstack-agent.labels" . | nindent 4 }}
 data:
+{{- if .Values.config.override.config }}
   config.yaml: |-
-    server: {{ .Values.config.server }}
+  {{- toYaml .Values.config.override.config | nindent 4 }}
+{{- else }}
+  config.yaml: |-
+    server: {{ .Values.config.server | quote }}
     organization_id: {{ required "Organisation is a required input value" .Values.config.organisation }}
     cluster_id: {{ required "Cluster is a required input value" .Values.config.cluster }}
     data-gatherers:
@@ -68,7 +73,7 @@ data:
       name: "k8s/cronjobs"
       config:
         resource-type:
-          version: v1beta1
+          version: v1
           resource: cronjobs
           group: batch
     - kind: "k8s-dynamic"
@@ -205,3 +210,5 @@ data:
           version: v1alpha1
           resource: venafiissuers
 {{- end }}
+{{- end }}
+{{- end }}

deploy/charts/jetstack-agent/templates/deployment.yaml

@@ -40,27 +40,40 @@ spec:
                   name: {{ default "agent-credentials" .Values.authentication.secretName }}
                   key: {{ default "apitoken" .Values.authentication.secretKey }}
           {{- end }}
+          {{- if not (empty .Values.command) }}
+          command:
+          {{- range .Values.command }}
+            - {{ . | quote }}
+          {{- end }}
+          {{- end }}
           args:
             - "agent"
             - "-c"
+            {{- if .Values.config.override.enabled }}
+            - "/etc/jetstack-secure/agent/config/{{ default "config.yaml" .Values.config.override.configmap.key }}"
+            {{- else }}
             - "/etc/jetstack-secure/agent/config/config.yaml"
+            {{- end }}
             {{- if eq .Values.authentication.type "file" }}
             - "-k"
             - "/etc/jetstack-secure/agent/credentials/{{ default "credentials.json" .Values.authentication.secretKey}}"
             {{- end }}
             - "-p"
             - "0h1m0s"
+            {{- range .Values.extraArgs }}
+            - {{ . | quote }}
+            {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:
             - name: config
               mountPath: "/etc/jetstack-secure/agent/config"
               readOnly: true
             {{- if eq .Values.authentication.type "file" }}
             - name: credentials
-              mountPath: /etc/jetstack-secure/agent/credentials
+              mountPath: "/etc/jetstack-secure/agent/credentials"
               readOnly: true
             {{- end }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -74,10 +87,17 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
+        {{- if .Values.config.override.enabled }}
+        - name: config
+          configMap:
+            name: {{ default "agent-config" .Values.config.override.configmap.name }}
+            optional: false
+        {{- else }}
         - name: config
           configMap:
             name: agent-config
             optional: false
+        {{- end }}
         - name: credentials
           secret:
             secretName: {{ default "agent-credentials" .Values.authentication.secretName }}

deploy/charts/jetstack-agent/tests/__snapshot__/configuration_test.yaml.snap

@@ -0,0 +1,196 @@
+render correctly when only required config is given:
+  1: |
+    apiVersion: v1
+    data:
+      config.yaml: |-
+        server: "https://platform.jetstack.io"
+        organization_id: test_org
+        cluster_id: test_cluster
+        data-gatherers:
+        # gather k8s apiserver version information
+        - kind: "k8s-discovery"
+          name: "k8s-discovery"
+        # pods data is used in the pods and application_versions packages
+        - kind: "k8s-dynamic"
+          name: "k8s/pods"
+          config:
+            resource-type:
+              resource: pods
+              version: v1
+        # gather services for pod readiness probe rules
+        - kind: "k8s-dynamic"
+          name: "k8s/services"
+          config:
+            resource-type:
+              resource: services
+              version: v1
+        # gather higher level resources to ensure data to determine ownership is present
+        - kind: "k8s-dynamic"
+          name: "k8s/deployments"
+          config:
+            resource-type:
+              version: v1
+              resource: deployments
+              group: apps
+        - kind: "k8s-dynamic"
+          name: "k8s/replicasets"
+          config:
+            resource-type:
+              version: v1
+              resource: replicasets
+              group: apps
+        - kind: "k8s-dynamic"
+          name: "k8s/statefulsets"
+          config:
+            resource-type:
+              version: v1
+              resource: statefulsets
+              group: apps
+        - kind: "k8s-dynamic"
+          name: "k8s/daemonsets"
+          config:
+            resource-type:
+              version: v1
+              resource: daemonsets
+              group: apps
+        - kind: "k8s-dynamic"
+          name: "k8s/jobs"
+          config:
+            resource-type:
+              version: v1
+              resource: jobs
+              group: batch
+        - kind: "k8s-dynamic"
+          name: "k8s/cronjobs"
+          config:
+            resource-type:
+              version: v1
+              resource: cronjobs
+              group: batch
+        - kind: "k8s-dynamic"
+          name: "k8s/ingresses"
+          config:
+            resource-type:
+              group: networking.k8s.io
+              version: v1
+              resource: ingresses
+        - kind: "k8s-dynamic"
+          name: "k8s/secrets"
+          config:
+            resource-type:
+              version: v1
+              resource: secrets
+        - kind: "k8s-dynamic"
+          name: "k8s/certificates"
+          config:
+            resource-type:
+              group: cert-manager.io
+              version: v1
+              resource: certificates
+        - kind: "k8s-dynamic"
+          name: "k8s/certificaterequests"
+          config:
+            resource-type:
+              group: cert-manager.io
+              version: v1
+              resource: certificaterequests
+        - kind: "k8s-dynamic"
+          name: "k8s/issuers"
+          config:
+            resource-type:
+              group: cert-manager.io
+              version: v1
+              resource: issuers
+        - kind: "k8s-dynamic"
+          name: "k8s/clusterissuers"
+          config:
+            resource-type:
+              group: cert-manager.io
+              version: v1
+              resource: clusterissuers
+        - kind: "k8s-dynamic"
+          name: "k8s/googlecasissuers"
+          config:
+            resource-type:
+              group: cas-issuer.jetstack.io
+              version: v1beta1
+              resource: googlecasissuers
+        - kind: "k8s-dynamic"
+          name: "k8s/googlecasclusterissuers"
+          config:
+            resource-type:
+              group: cas-issuer.jetstack.io
+              version: v1beta1
+              resource: googlecasclusterissuers
+        - kind: "k8s-dynamic"
+          name: "k8s/awspcaissuer"
+          config:
+            resource-type:
+              group: awspca.cert-manager.io
+              version: v1beta1
+              resource: awspcaissuers
+        - kind: "k8s-dynamic"
+          name: "k8s/awspcaclusterissuers"
+          config:
+            resource-type:
+              group: awspca.cert-manager.io
+              version: v1beta1
+              resource: awspcaclusterissuers
+        - kind: "k8s-dynamic"
+          name: "k8s/mutatingwebhookconfigurations"
+          config:
+            resource-type:
+              group: admissionregistration.k8s.io
+              version: v1
+              resource: mutatingwebhookconfigurations
+        - kind: "k8s-dynamic"
+          name: "k8s/validatingwebhookconfigurations"
+          config:
+            resource-type:
+              group: admissionregistration.k8s.io
+              version: v1
+              resource: validatingwebhookconfigurations
+        - kind: "k8s-dynamic"
+          name: "k8s/gateways"
+          config:
+            resource-type:
+              group: networking.istio.io
+              version: v1alpha3
+              resource: gateways
+        - kind: "k8s-dynamic"
+          name: "k8s/virtualservices"
+          config:
+            resource-type:
+              group: networking.istio.io
+              version: v1alpha3
+              resource: virtualservices
+        - kind: "k8s-dynamic"
+          name: "k8s/routes"
+          config:
+            resource-type:
+              version: v1
+              group: route.openshift.io
+              resource: routes
+        - kind: "k8s-dynamic"
+          name: "k8s/venaficlusterissuers"
+          config:
+            resource-type:
+              group: jetstack.io
+              version: v1alpha1
+              resource: venaficlusterissuers
+        - kind: "k8s-dynamic"
+          name: "k8s/venafiissuers"
+          config:
+            resource-type:
+              group: jetstack.io
+              version: v1alpha1
+              resource: venafiissuers
+    kind: ConfigMap
+    metadata:
+      labels:
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: jetstack-agent
+        app.kubernetes.io/version: v0.1.40
+        helm.sh/chart: jetstack-agent-0.3.0
+      name: agent-config