feat(agent): Add Local Forwarder support for Agent (#1458)

Co-authored-by: Marco Vito Moscaritolo <[email protected]>

Author: aroberts87

charts/agent/Chart.yaml

@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.16.0
+version: 1.17.0

charts/agent/README.md

@@ -153,6 +153,9 @@ The following table lists the configurable parameters of the Sysdig chart and th
 | `sysdig.disableCaptures`                                | Disables capture functionality. See https://docs.sysdig.com/en/disable-captures.html.                                                                                                    | `false`                                                                                                   |
 | `sysdig.settings`                                       | Provides additional settings that are given  in the `dragent.yaml`file.                                                                                                                  | `{}`                                                                                                      |
 | `logPriority`                                           | Sets both agent console and file logging priorities. Possible values are: `"info"`, `"debug"`. Mutually exclusive with `sysdig.settings.log`.                                            | ` `                                                                                                       |
+| `localForwarder.enabled`                                | Enable the Agent Local Forwarder                                                                                                                                                         | `false`                                                                                                   |
+| `localForwarder.transmitMessageTypes`                   | Message types to forward from the Agent to the Agent Local Forwarder                                                                                                                     | `[POLICY_EVENTS, SECURE_AUDIT]`                                                                           |
+| `localForwarder.integrations`                           | List of configurations for how and where the Agent Local Forwarder should forward messages                                                                                               | `[]`                                                                                                      |
 | `secure.enabled`                                        | Enables Sysdig Secure.                                                                                                                                                                   | `true`                                                                                                    |
 | `monitor.enabled`                                       | Enables Sysdig Monitor.                                                                                                                                                                  | `true`                                                                                                    |
 | `auditLog.enabled`                                      | Enables Kubernetes audit log support for Sysdig Secure.                                                                                                                                  | `false`                                                                                                   |

charts/agent/templates/_helpers.tpl

@@ -506,3 +506,8 @@ sysdig_capture_enabled: false
 true
 {{- end }}
 {{- end }}
+
+{{/* Return the name of the local forwarder configmap */}}
+{{- define "agent.localForwarderConfigMapName" }}
+{{- include "agent.configmapName" . | trunc 46 | trimSuffix "-" | printf "%s-local-forwarder" }}
+{{- end }}

charts/agent/templates/configmap-local-forwarder.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.localForwarder.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "agent.localForwarderConfigMapName" . }}
+  namespace: {{ include "agent.namespace" . }}
+  labels:
+{{ (include "agent.labels" .) | indent 4 }}
+data:
+  local_forwarder_config.yaml: |
+    integrations:
+      {{- toYaml .Values.localForwarder.integrations | nindent 6 }}
+{{- end }}

charts/agent/templates/configmap.yaml

@@ -45,6 +45,12 @@ data:
       enforce_leader_election: true
       namespace: {{ include "agent.namespace" . }}
 {{- end }}
+{{- if .Values.localForwarder.enabled }}
+    local_forwarder:
+      enabled: true
+      transmit_message_types:
+        {{- toYaml .Values.localForwarder.transmitMessageTypes | nindent 8 }}
+{{- end }}
 {{- if .Values.prometheus.file }}
   prometheus.yaml: |
 {{ toYaml .Values.prometheus.yaml | indent 4 }}

charts/agent/templates/daemonset.yaml

@@ -223,6 +223,11 @@ spec:
               command: [ "test", "-e", "/opt/draios/logs/running" ]
             initialDelaySeconds: {{ .Values.daemonset.probes.initialDelay }}
           volumeMounts:
+          {{- if .Values.localForwarder.enabled }}
+            - mountPath: /opt/draios/etc/local_forwarder_config.yaml
+              subPath: local_forwarder_config.yaml
+              name: local-forwarder-config
+          {{- end }}
           {{- /* Always requested */}}
             - mountPath: /host/dev
               name: dev-vol
@@ -344,6 +349,12 @@ spec:
           configMap:
             name: {{ include "agent.configmapName" . }}
             optional: true
+        {{- if .Values.localForwarder.enabled }}
+        - name: local-forwarder-config
+          configMap:
+            name: {{ include "agent.localForwarderConfigMapName" . }}
+            optional: true
+        {{- end }}
         - name: sysdig-agent-secrets
           secret:
             {{- if not ( include "agent.accessKeySecret" . ) }}

charts/agent/tests/local_forwarder_test.yaml

@@ -0,0 +1,104 @@
+suite: Test enabling the agent local forwarder
+templates:
+  - configmap.yaml
+  - configmap-local-forwarder.yaml
+  - daemonset.yaml
+tests:
+  - it: Check the enabling the forwarder
+    set:
+      localForwarder:
+        enabled: true
+        integrations:
+          - channels:
+              - SECURE_EVENTS_POLICIES
+              - ACTIVITY_AUDIT
+            configuration:
+              output: stdout
+            type: LOCAL
+    asserts:
+      - equal:
+          path: data["local_forwarder_config.yaml"]
+          value: |
+            integrations:
+              - channels:
+                - SECURE_EVENTS_POLICIES
+                - ACTIVITY_AUDIT
+                configuration:
+                  output: stdout
+                type: LOCAL
+        template: configmap-local-forwarder.yaml
+      - matchRegex:
+          path: data["dragent.yaml"]
+          pattern: |
+            local_forwarder:
+              enabled: true
+              transmit_message_types:
+                - POLICY_EVENTS
+                - SECURE_AUDIT
+        template: configmap.yaml
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: local-forwarder-config
+            configMap:
+              name: sysdig-agent-local-forwarder
+              optional: true
+        template: daemonset.yaml
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            mountPath: /opt/draios/etc/local_forwarder_config.yaml
+            subPath: local_forwarder_config.yaml
+            name: local-forwarder-config
+        template: daemonset.yaml
+  - it: Ensure items are absent if local forwarder is disabled
+    set:
+      localForwarder:
+        enabled: false
+    asserts:
+      - notMatchRegex:
+          path: data["dragent.yaml"]
+          pattern: |
+            local_forwarder:
+              enabled: true
+              transmit_message_types:
+                - POLICY_EVENTS
+                - SECURE_AUDIT
+        template: configmap.yaml
+      - notContains:
+          path: spec.template.spec.volumes
+          content:
+            name: local-forwarder-config
+            configMap:
+              name: sysdig-agent-local-forwarder
+              optional: true
+        template: daemonset.yaml
+      - notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            mountPath: /opt/draios/etc/local_forwarder_config.yaml
+            subPath: local_forwarder_config.yaml
+            name: local-forwarder-config
+        template: daemonset.yaml
+  - it: Customize the forwarded message types
+    set:
+      localForwarder:
+        enabled: true
+        transmitMessageTypes:
+          - POLICY_EVENTS
+        integrations:
+          - channels:
+              - SECURE_EVENTS_POLICIES
+              - ACTIVITY_AUDIT
+            configuration:
+              output: stdout
+            type: LOCAL
+    asserts:
+      - matchRegex:
+          path: data["dragent.yaml"]
+          pattern: |
+            local_forwarder:
+              enabled: true
+              transmit_message_types:
+                - POLICY_EVENTS
+        template: configmap.yaml

charts/agent/values.schema.json

@@ -2,7 +2,8 @@
   "$schema": "http://json-schema.org/schema#",
   "type": "object",
   "required": [
-    "ebpf"
+    "ebpf",
+    "localForwarder"
   ],
   "properties": {
     "ebpf": {
@@ -23,6 +24,98 @@
           ]
         }
       }
+    },
+    "localForwarder": {
+      "type": "object",
+      "required": [
+        "enabled",
+        "integrations",
+        "transmitMessageTypes"
+      ],
+      "if": {
+        "properties": {
+          "enabled": {
+            "const": true
+          }
+        }
+      },
+      "then": {
+        "properties": {
+          "integrations": {
+            "type": "array",
+            "minItems": 1,
+            "items": {
+              "$ref": "#/$defs/AgentLocalForwarderIntegrations"
+            }
+          },
+          "enabled": {
+            "type": "boolean"
+          },
+          "transmitMessageTypes": {
+            "type": "array",
+            "items": {
+              "type": "string",
+              "enum": [
+                "POLICY_EVENTS",
+                "SECURE_AUDIT"
+              ]
+            }
+          }
+        }
+      }
+    }
+  },
+  "$defs": {
+    "AgentLocalForwarderIntegrations": {
+      "type": "object",
+      "required": [
+        "channels",
+        "configuration"
+      ],
+      "properties": {
+        "channels": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": [
+              "POLICY_EVENTS",
+              "ACTIVITY_AUDIT",
+              "MONITOR_EVENTS",
+              "SECURE_EVENTS_POLICIES",
+              "SECURE_EVENTS_SCANNING",
+              "SECURE_EVENTS_BENCHMARK",
+              "SECURE_EVENTS_HOSTSCANNING",
+              "SECURE_EVENTS_COMPLIANCE",
+              "SECURE_EVENTS_AUDIT_TRAIL",
+              "SECURE_OBJECT_STORE_RUNTIME",
+              "SECURE_OBJECT_STORE_REGISTRY",
+              "SECURE_OBJECT_STORE_PIPELINE"
+            ]
+          }
+        },
+        "configuration": {
+          "type": "object"
+        },
+        "type": {
+          "type": "string",
+          "enum": [
+            "SYSLOG",
+            "SPLUNK",
+            "MCM",
+            "QRADAR",
+            "WEBHOOK",
+            "KAFKA",
+            "CHRONICLE",
+            "SENTINEL",
+            "SQS",
+            "PUBSUB",
+            "SCC",
+            "LOCAL",
+            "ELASTIC",
+            "S3"
+          ]
+        }
+      }
     }
   }
 }

charts/agent/values.yaml

@@ -280,6 +280,12 @@ tolerations:
     value: "true"
 leaderelection:
   enable: false
+localForwarder:
+  enabled: false
+  transmitMessageTypes:
+    - POLICY_EVENTS
+    - SECURE_AUDIT
+  integrations: []
 delegatedAgentDeployment:
   # Enable a specialized installation where an Agent Deployment is installed
   # in addition to the traditional DaemonSet. The DaemonSet Agents will not

charts/sysdig-deploy/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.30.1
+version: 1.31.0
 maintainers:
   - name: AlbertoBarba
     email: [email protected]
@@ -26,7 +26,7 @@ dependencies:
   - name: agent
     # repository: https://charts.sysdig.com
     repository: file://../agent
-    version: ~1.16.0
+    version: ~1.17.0
     alias: agent
     condition: agent.enabled
   - name: common