feat(shield): use secure_light for netsec_enabled (#2233)

Author: IvanNik

charts/shield/Chart.yaml

@@ -13,5 +13,5 @@ maintainers:
   - name: mavimo
     email: [email protected]
 type: application
-version: 1.4.0
+version: 1.4.1
 appVersion: "1.0.0"

charts/shield/templates/host/_configmap_helpers.tpl

@@ -43,6 +43,13 @@
 {{- $config | toYaml }}
 {{- end }}
 
+{{/* Check if semver. The regex is from the code of the library Helm uses for semver. */}}
+{{- define "shield.is_semver" -}}
+    {{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" . }}
+        true
+    {{- end -}}
+{{- end -}}
+
 {{- define "host.features.netsec_enabled" }}
 {{- if or .Values.features.investigations.network_security.enabled
           (dig "network_topology" "enabled" false .Values.host.additional_settings) }}
@@ -66,7 +73,7 @@ true
 {{/* Calculate the agent mode based on enabled features */}}
 {{- define "host.configmap.agent_mode" }}
 {{- $mode := "secure_light" }}
-{{- if (include "host.features.netsec_enabled" .) }}
+{{- if and (include "host.features.netsec_enabled" .) (include "shield.is_semver" .Values.host.image.tag) (semverCompare "< 13.9.0" .Values.host.image.tag) }}
 {{- $mode = "secure" }}
 {{- end }}
 {{- if (include "host.features.monitor_enabled" .) }}

charts/shield/tests/host/configmap-dragent-yaml_test.yaml

@@ -983,26 +983,78 @@ tests:
         investigations:
           network_security:
             enabled: true
+      host:
+        image:
+          tag: 13.8.0
     asserts:
       - matchRegex:
           path: data['dragent.yaml']
           pattern: |
             feature:
               mode: secure
 
+  - it: Test enabling NetSec does not flip agent to secure mode for unknown version
+    set:
+      features:
+        investigations:
+          network_security:
+            enabled: true
+      host:
+        image:
+          tag: notAVersion
+    asserts:
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |
+            feature:
+              mode: secure_light
+
+  - it: Test enabling NetSec does not flip agent to secure mode for 13.9.0
+    set:
+      features:
+        investigations:
+          network_security:
+            enabled: true
+      host:
+        image:
+          tag: 13.9.0
+    asserts:
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |
+            feature:
+              mode: secure_light
+
   - it: Test enabling NetSec in additional_settings flips agent to secure mode
     set:
       host:
         additional_settings:
           network_topology:
             enabled: true
+        image:
+          tag: 13.8.0
     asserts:
       - matchRegex:
           path: data['dragent.yaml']
           pattern: |
             feature:
               mode: secure
 
+  - it: Test enabling NetSec in additional_settings does not flip agent to secure mode for 13.9.0
+    set:
+      host:
+        additional_settings:
+          network_topology:
+            enabled: true
+        image:
+          tag: 13.9.0
+    asserts:
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |
+            feature:
+              mode: secure_light
+
   - it: Test enabling a monitor feature forces agent mode to monitor
     set:
       features: