Merge pull request #9 from junior/sysdig_config_updates

Sysdig config updates, including falcobaseline variables

Author: junior

terraform/.terraform.lock.hcl

@@ -1 +1 @@
-1.0.2
+1.0.3

terraform/VERSION

@@ -19,7 +19,7 @@ data "oci_containerengine_node_pool_option" "oke" {
   node_pool_option_id = "all"
 }
 data "oci_containerengine_clusters" "oke" {
-    compartment_id = local.oke_compartment_ocid
+  compartment_id = local.oke_compartment_ocid
 }
 
 # Gets a list of Availability Domains

terraform/oke-datasources.tf

@@ -16,10 +16,6 @@ variable "existent_oke_cluster_id" {
   default     = ""
   description = "Using existent OKE Cluster. Only the application and services will be provisioned. If select cluster autoscaler feature, you need to get the node pool id and enter when required"
 }
-variable "existent_oke_cluster_compartment_ocid" {
-  default     = ""
-  description = "Existent OKE Cluster Compartment"
-}
 variable "create_new_compartment_for_oke" {
   default     = false
   description = "Creates new compartment for OKE Nodes and OCI Services deployed.  NOTE: The creation of the compartment increases the deployment time by at least 3 minutes, and can increase by 15 minutes when destroying"

terraform/oke-variables.tf

@@ -89,8 +89,7 @@ resource "oci_identity_compartment" "oke_compartment" {
   count = var.create_new_compartment_for_oke ? 1 : 0
 }
 locals {
-  # oke_compartment_ocid = var.create_new_compartment_for_oke ? oci_identity_compartment.oke_compartment.0.id : var.compartment_ocid
-  oke_compartment_ocid = var.create_new_oke_cluster ? (var.create_new_compartment_for_oke ? oci_identity_compartment.oke_compartment.0.id : var.compartment_ocid) : var.existent_oke_cluster_compartment_ocid
+  oke_compartment_ocid = var.create_new_oke_cluster ? (var.create_new_compartment_for_oke ? oci_identity_compartment.oke_compartment.0.id : var.compartment_ocid) : var.compartment_ocid
 }
 
 # Local kubeconfig for when using Terraform locally. Not used by Oracle Resource Manager
@@ -109,8 +108,8 @@ resource "tls_private_key" "oke_worker_node_ssh_key" {
 locals {
   cluster_k8s_latest_version   = reverse(sort(data.oci_containerengine_cluster_option.oke.kubernetes_versions))[0]
   node_pool_k8s_latest_version = reverse(sort(data.oci_containerengine_node_pool_option.oke.kubernetes_versions))[0]
-  deployed_k8s_version = var.create_new_oke_cluster ? (var.k8s_version == "Latest") ? local.cluster_k8s_latest_version : var.k8s_version :[
-    for x in data.oci_containerengine_clusters.oke.clusters : x.kubernetes_version if x.id == var.existent_oke_cluster_id][0]
+  deployed_k8s_version = var.create_new_oke_cluster ? (var.k8s_version == "Latest") ? local.cluster_k8s_latest_version : var.k8s_version : [
+  for x in data.oci_containerengine_clusters.oke.clusters : x.kubernetes_version if x.id == var.existent_oke_cluster_id][0]
 }
 
 # Checks if is using Flexible Compute Shapes

terraform/oke.tf

@@ -7,8 +7,8 @@ terraform {
   required_providers {
     oci = {
       source  = "oracle/oci"
-      version = ">= 4.75.0"
-      # https://registry.terraform.io/providers/oracle/oci/4.75.0
+      version = ">= 4.78.0"
+      # https://registry.terraform.io/providers/oracle/oci/4.78.0
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"

terraform/providers.tf

@@ -17,7 +17,6 @@ locale: "en"
 variableGroups:
   - title: "Basic Hidden"
     variables:
-    - compartment_ocid
     - tenancy_ocid
     - region
     visible: false
@@ -49,7 +48,7 @@ variableGroups:
   - title: "OKE Cluster Configuration"
     variables:
     - create_new_oke_cluster
-    - existent_oke_cluster_compartment_ocid
+    - compartment_ocid
     - existent_oke_cluster_id
     - show_advanced
     - app_name
@@ -103,11 +102,6 @@ variableGroups:
     visible: false
 
 variables:
-  compartment_ocid:
-    type: oci:identity:compartment:id
-    title: "Compartment"
-    description: "The compartment in which to create compute instance(s)"
-    required: true
 
   sysdig_access_key:
     type: string
@@ -216,11 +210,10 @@ variables:
     type: boolean
     title: "Create new OKE Cluster"
 
-  existent_oke_cluster_compartment_ocid:
+  compartment_ocid:
     type: oci:identity:compartment:id
     title: "Existent OKE Cluster Compartment"
     description: "The compartment where you find the existent OKE Cluster"
-    default: compartment_ocid
     required: true
     visible:
       not:
@@ -231,7 +224,7 @@ variables:
     title: "Existent OKE Cluster"
     required: true
     dependsOn:
-      compartmentId: existent_oke_cluster_compartment_ocid
+      compartmentId: compartment_ocid
     visible:
       not:
         - create_new_oke_cluster

terraform/schema.yaml

@@ -60,12 +60,12 @@ resource "kubernetes_secret" "snyk_monitor" {
 
 locals {
   snyk_dockercfg = var.snyk_private_registry ? {
-      auths = {
-        "${var.snyk_private_registry_url}" = {
-          auth = "${base64encode("${var.snyk_private_registry_username}:${var.snyk_private_registry_password}")}"
-        }
+    auths = {
+      "${var.snyk_private_registry_url}" = {
+        auth = "${base64encode("${var.snyk_private_registry_username}:${var.snyk_private_registry_password}")}"
       }
-    } : {}
+    }
+  } : {}
 }
 
 # resource "kubernetes_secret" "snyk_docker_cfg" {
@@ -75,12 +75,12 @@ locals {
 
 #   data = {
 #     ".dockerconfigjson" = jsonencode({
-    #   auths = {
-    #     "${var.registry_server}" = {
-    #       auth = "${base64encode("${var.registry_username}:${var.registry_password}")}"
-    #     }
-    #   }
-    # })
+#   auths = {
+#     "${var.registry_server}" = {
+#       auth = "${base64encode("${var.registry_username}:${var.registry_password}")}"
+#     }
+#   }
+# })
 #   }
 
 #   type = "kubernetes.io/dockerconfigjson"

terraform/snyk-monitor.tf

@@ -58,6 +58,22 @@ resource "helm_release" "sysdig_agent" {
     name  = "resources.limits.cpu"
     value = "null"
   }
+  set {
+    name  = "sysdig.settings.falcobaseline.debug"
+    value = false
+  }
+  set {
+    name  = "sysdig.settings.falcobaseline.debug_metadata"  # to print baseliner workload metadata as info
+    value = false
+  }
+  set {
+    name  = "sysdig.settings.falcobaseline.max_drops_buffer_rate_percentage" # necessary for baseliner to start
+    value = 0.99
+  }
+  set {
+    name  = "sysdig.settings.falcobaseline.max_sampling_ratio" # necessary for baseliner to start
+    value = 128
+  }
 
   count = local.install_sysdig ? 1 : 0
 }

terraform/sysdig-agent.tf

@@ -17,12 +17,13 @@ region = "us-ashburn-1"
 # Sysdig 
 ## For access key please go to sysdig secure UI > Settings > Agent Installation
 ## For endpoints please check https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/#saas-regions-and-ip-ranges
-sysdig_access_key = ""
-sysdig_settings_collector = "" # i.e. "ingest-us2.app.sysdig.com"
+sysdig_access_key              = ""
+sysdig_settings_collector      = "" # i.e. "ingest-us2.app.sysdig.com"
 sysdig_settings_collector_port = "6443"
-sysdig_node_analyzer_api_endpoint = "" # i.e. "us2.app.sysdig.com" (sysdig secure endpoint)
+sysdig_secure_api_endpoint     = "" # i.e. "us2.app.sysdig.com" (sysdig secure endpoint)
 
 # Snyk (in case of sysdig+snyk joint installations)
+sysdig_snyk_integration = false
 snyk_integration_id     = "" # Copy from https://app.snyk.io/org/YOUR-ORGANIZATION-NAME/manage/integrations/kubernetes
 snyk_deploy_goof_sample = false