
Commit 5b1e964

feat(cluster-scanner): added configuration for docker registry mirrors (#1372)
1 parent 3bcb67b commit 5b1e964


10 files changed

+229
-7
lines changed


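--- a/charts/cluster-scanner/Chart.yaml
+++ b/charts/cluster-scanner/Chart.yaml
@@ -4,7 +4,7 @@ description: Sysdig Cluster Scanner
 
 type: application
 
-version: 0.6.1
+version: 0.7.0
 
 appVersion: "0.1.0"
 home: https://www.sysdig.com/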

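--- a/charts/cluster-scanner/README.md
+++ b/charts/cluster-scanner/README.md
@@ -25,7 +25,7 @@ $ pre-commit run -a
 $ helm repo add sysdig https://charts.sysdig.com
 $ helm repo update
 $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
---create-namespace -n sysdig --version=0.6.1 \
+--create-namespace -n sysdig --version=0.7.0 \
 --set global.clusterConfig.name=CLUSTER_NAME \
 --set global.sysdig.region=SYSDIG_REGION \
 --set global.sysdig.accessKey=YOUR-KEY-HERE
@@ -55,7 +55,7 @@ To install the chart with the release name `cluster-scanner`, run:
 
 ```console
 $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
---create-namespace -n sysdig --version=0.6.1 \
+--create-namespace -n sysdig --version=0.7.0 \
 --set global.clusterConfig.name=CLUSTER_NAME \
 --set global.sysdig.region=SYSDIG_REGION \
 --set global.sysdig.accessKey=YOUR-KEY-HERE
@@ -134,6 +134,7 @@ The following table lists the configurable parameters of the `cluster-scanner` c
 | imageSbomExtractor.cache.local.maxSizeBytes | The maximum size in bytes of the local cache. By default it is set to 35MB | <code>"36700160"</code> |
 | imageSbomExtractor.cache.local.maxElementSizeBytes | When using `local` as cache type, restrict the maximum size of elements to be cached. By default it is set to 100KB | <code>"102400"</code> |
 | imageSbomExtractor.cache.local.ttl | The TTL for items in the local cache. By default it is set to 7 days. | <code>"168h"</code> |
+| imageSbomExtractor.mirrors | Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images. [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from the provided mirrors. The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors (potentially insecure), can be specified. See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ . <br> Example: <br> `mirrors:` <br> `registryMirrors:` <br> `- insecure.mirror.acme.com` <br> `- secure.mirror.acme.com` <br> `insecureRegistries:` <br> `- insecure.mirror.acme.com` | <code>{}</code> |
 | nameOverride | Chart name override | <code>""</code> |
 | fullnameOverride | Chart full name override | <code>""</code> |
 | serviceAccount.create | Specifies whether a service account should be created | <code>true</code> |
@@ -160,7 +161,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to `
 
 ```console
 $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
---create-namespace -n sysdig --version=0.6.1 \
+--create-namespace -n sysdig --version=0.7.0 \
 --set global.sysdig.region="us1"
 ```
 
@@ -169,7 +170,7 @@ installing the chart. For example:
 
 ```console
 $ helm upgrade --install sysdig-cluster-scanner sysdig/cluster-scanner \
---create-namespace -n sysdig --version=0.6.1 \
+--create-namespace -n sysdig --version=0.7.0 \
 --values values.yaml
 ```
 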
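--- a/charts/cluster-scanner/templates/deployment.yaml
+++ b/charts/cluster-scanner/templates/deployment.yaml
@@ -48,6 +48,11 @@ spec:
 configMap:
 name: {{ include "sysdig.custom_ca.existingConfigMap" (dict "global" .Values.global.ssl "component" .Values.ssl) }}
 {{- end }}
+{{- if .Values.imageSbomExtractor.mirrors }}
+- name: registry-mirrors-config
+configMap:
+name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors
+{{- end }}
 containers:
 - name: rsi
 securityContext:
@@ -315,6 +320,12 @@ spec:
 mountPath: /ca-certs
 readOnly: true
 {{- end }}
+{{- if .Values.imageSbomExtractor.mirrors }}
+- name: registry-mirrors-config
+mountPath: /etc/docker/daemon.json
+subPath: daemon.json
+readOnly: true
+{{- end }}
 {{- with .Values.imageSbomExtractor }}
 ports:
 - name: metrics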
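Review bot: The new volumeMount in the second hunk uses `subPath: daemon.json`, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so a change to `imageSbomExtractor.mirrors` after install will not reach a running pod until it is restarted. If the Deployment's pod template carries an annotations block (outside this hunk), a checksum annotation such as `checksum/registry-mirrors: {{ include (print $.Template.BasePath "/registrymirror.yaml") . | sha256sum }}` would force a rollout whenever the mirror ConfigMap changes; the template path is the one the chart's tests reference. The mount is `readOnly: true`, which is the right choice for a file that decides where images are pulled from. The enclosing container spec starts and ends outside the hunk.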
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
{{- if .Values.imageSbomExtractor.mirrors -}}
2+
apiVersion: v1
3+
kind: ConfigMap
4+
metadata:
5+
name: {{ include "cluster-scanner.fullname" . }}-registry-mirrors
6+
namespace: {{ include "cluster-scanner.namespace" . }}
7+
labels:
8+
{{- include "cluster-scanner.labels" . | nindent 4 }}
9+
data:
10+
daemon.json: |-
11+
{
12+
"registry-mirrors": {{ .Values.imageSbomExtractor.mirrors.registryMirrors | default list | toJson }},
13+
"insecure-registries": {{ .Values.imageSbomExtractor.mirrors.insecureRegistries | default list | toJson }}
14+
}
15+
{{- end -}}
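Review bot: The ConfigMap body hand-assembles JSON around `toJson`, which is the safe way to emit the two arrays, but nothing in the template documents that hosts under `insecure-registries` are, with Docker-daemon semantics, contacted without TLS certificate verification (falling back to plain HTTP), so image content pulled from them can be altered in transit before the SBOM is computed. A header comment such as `{{/* Docker-daemon-style mirror config; hosts in insecureRegistries are used without TLS verification, keep that list minimal */}}` at the top of the file would make the trust boundary visible to whoever edits the values. If this file is consumed with Docker's daemon.json semantics, `registry-mirrors` entries are expected to be URLs with a scheme, whereas the README example lists bare hostnames; worth confirming against the extractor. The file header for this section is missing from the page; the path is inferred from the tests as `charts/cluster-scanner/templates/registrymirror.yaml`.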

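--- a/charts/cluster-scanner/tests/deployment_test.yaml
+++ b/charts/cluster-scanner/tests/deployment_test.yaml
@@ -492,3 +492,34 @@ tests:
 content:
 name: ENV_VAR_BOOL
 value: "true"
+
+- it: "does not have registry volume nor volumeMounts if mirrors is empty"
+templates:
+- ../templates/deployment.yaml
+asserts:
+- isEmpty:
+path: spec.template.spec.volumes
+- isEmpty:
+path: spec.template.spec.containers[1].volumeMounts
+
+- it: "has registry volume mount if mirrors are configured"
+set:
+imageSbomExtractor.mirrors:
+registryMirrors:
+- "foobar"
+templates:
+- ../templates/deployment.yaml
+asserts:
+- contains:
+path: spec.template.spec.volumes
+content:
+name: registry-mirrors-config
+configMap:
+name: test-release-cluster-scanner-registry-mirrors
+- contains:
+path: spec.template.spec.containers[1].volumeMounts
+content:
+name: registry-mirrors-config
+mountPath: /etc/docker/daemon.json
+subPath: daemon.json
+readOnly: true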

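--- a/charts/cluster-scanner/tests/notes_test.yaml
+++ b/charts/cluster-scanner/tests/notes_test.yaml
@@ -1,6 +1,8 @@
 suite: Test links in the notes section for regions
 templates:
 - templates/NOTES.txt
+values:
+- ../values.yaml
 tests:
 - it: Checking default value no region specified (us1)
 asserts: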
Lines changed: 120 additions & 0 deletions
@@ -0,0 +1,120 @@
1+
suite: registrymirror
2+
templates:
3+
- ../templates/registrymirror.yaml
4+
values:
5+
- ../values.yaml
6+
release:
7+
name: test-release
8+
namespace: test-ns
9+
10+
tests:
11+
- it: "does not have mirrors, if they are not provided"
12+
set:
13+
imageSbomExtractor.mirrors: {}
14+
asserts:
15+
- hasDocuments:
16+
count: 0
17+
18+
- it: "has mirrors ConfigMap, when mirrors are set"
19+
set:
20+
imageSbomExtractor.mirrors:
21+
registryMirrors:
22+
- "insecure.mirror.acme.com"
23+
- "secure.mirror.acme.com"
24+
insecureRegistries:
25+
- "insecure.mirror.acme.com"
26+
asserts:
27+
- hasDocuments:
28+
count: 1
29+
- containsDocument:
30+
kind: ConfigMap
31+
apiVersion: v1
32+
name: test-release-cluster-scanner-registry-mirrors
33+
namespace: test-ns
34+
- equal:
35+
path: data["daemon.json"]
36+
value: |-
37+
{
38+
"registry-mirrors": ["insecure.mirror.acme.com","secure.mirror.acme.com"],
39+
"insecure-registries": ["insecure.mirror.acme.com"]
40+
}
41+
42+
- it: "has correct empty registry mirrors"
43+
set:
44+
imageSbomExtractor.mirrors:
45+
insecureRegistries:
46+
- "insecure.mirror.acme.com"
47+
asserts:
48+
- hasDocuments:
49+
count: 1
50+
- containsDocument:
51+
kind: ConfigMap
52+
apiVersion: v1
53+
name: test-release-cluster-scanner-registry-mirrors
54+
namespace: test-ns
55+
- equal:
56+
path: data["daemon.json"]
57+
value: |-
58+
{
59+
"registry-mirrors": [],
60+
"insecure-registries": ["insecure.mirror.acme.com"]
61+
}
62+
63+
- it: "has correct empty insecure registries mirrors"
64+
set:
65+
imageSbomExtractor.mirrors:
66+
registryMirrors:
67+
- "insecure.mirror.acme.com"
68+
- "secure.mirror.acme.com"
69+
- "one more mirror"
70+
asserts:
71+
- hasDocuments:
72+
count: 1
73+
- containsDocument:
74+
kind: ConfigMap
75+
apiVersion: v1
76+
name: test-release-cluster-scanner-registry-mirrors
77+
namespace: test-ns
78+
- equal:
79+
path: data["daemon.json"]
80+
value: |-
81+
{
82+
"registry-mirrors": ["insecure.mirror.acme.com","secure.mirror.acme.com","one more mirror"],
83+
"insecure-registries": []
84+
}
85+
86+
- it: "fails if format of registry mirrors is wrong"
87+
set:
88+
imageSbomExtractor.mirrors:
89+
registryMirrors:
90+
nested: "object"
91+
asserts:
92+
- failedTemplate:
93+
errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors.registryMirrors: Invalid type. Expected: array, given: object\n"
94+
95+
- it: "fails if format of insecure registries is wrong"
96+
set:
97+
imageSbomExtractor.mirrors:
98+
insecureRegistries: 18
99+
asserts:
100+
- failedTemplate:
101+
errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors.insecureRegistries: Invalid type. Expected: array, given: integer\n"
102+
103+
- it: "fails if format of mirrors is wrong"
104+
set:
105+
imageSbomExtractor.mirrors: 18
106+
asserts:
107+
- failedTemplate:
108+
errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Invalid type. Expected: object, given: integer\n"
109+
110+
- it: "fails if mirrors contains unexpeceted property"
111+
set:
112+
imageSbomExtractor.mirrors:
113+
gigi:
114+
- "insecure.mirror.acme.com"
115+
- "secure.mirror.acme.com"
116+
insecureRegistries:
117+
- "insecure.mirror.acme.com"
118+
asserts:
119+
- failedTemplate:
120+
errorMessage: "values don't meet the specifications of the schema(s) in the following chart(s):\ncluster-scanner:\n- imageSbomExtractor.mirrors: Additional property gigi is not allowed\n"
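Review bot: The name of the last case reads `"fails if mirrors contains unexpeceted property"`; `unexpeceted` should be `unexpected`. The suite also never checks a mirror value containing a character JSON must escape (a double quote or a backslash); because the ConfigMap body is template text wrapped around `toJson`, one case pinning the escaped output would protect the assumption that `daemon.json` stays parseable for any string the schema accepts. The case with `"one more mirror"` shows that a value with spaces is accepted as-is, which is a schema question rather than a test defect. The file header for this section is missing from the page.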

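--- a/charts/cluster-scanner/values.schema.json
+++ b/charts/cluster-scanner/values.schema.json
@@ -43,6 +43,29 @@
 }
 }
 }
+},
+"imageSbomExtractor": {
+"type": "object",
+"properties": {
+"mirrors": {
+"type": "object",
+"additionalProperties": false,
+"properties": {
+"registryMirrors": {
+"type": "array",
+"items": {
+"type": "string"
+}
+},
+"insecureRegistries": {
+"type": "array",
+"items": {
+"type": "string"
+}
+}
+}
+}
+}
 }
 }
 }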
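Review bot: The items of both `registryMirrors` and `insecureRegistries` are constrained only to `"type": "string"`, so an empty string, a duplicated host or a value containing spaces passes validation and is written straight into daemon.json (the accompanying test suite feeds `"one more mirror"` and it is accepted). Adding `"minLength": 1` to each `items` object and `"uniqueItems": true` next to each `"type": "array"` would reject the obviously malformed entries at install time; a hostname or URL `pattern` can follow once the format the extractor expects is confirmed. The enclosing `properties` object of the schema begins before the hunk.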

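--- a/charts/cluster-scanner/values.yaml
+++ b/charts/cluster-scanner/values.yaml
@@ -218,6 +218,25 @@ imageSbomExtractor:
 # sentinelAddress: ""
 # ttl: "168h" # Default ttl is 7 days
 
+# Provide optional registry mirrors configuration to be used by Image SBOM Extractor to pull images.
+# [Only Docker HUB images](https://docs.docker.com/registry/recipes/mirror/#gotcha) are going to be pulled from
+# the provided mirrors.
+#
+# The configuration is similar to the one currently supported by the docker-daemon where multiple mirrors
+# (potentially insecure), can be specified.
+#
+# See https://docs.docker.com/registry/recipes/mirror/#configure-the-docker-daemon and https://docs.docker.com/registry/insecure/ .
+#
+# Example:
+#
+# mirrors:
+# registryMirrors:
+# - insecure.mirror.acme.com
+# - secure.mirror.acme.com
+# insecureRegistries:
+# - insecure.mirror.acme.com
+mirrors: {}
+
 # Chart name override
 nameOverride: ""
 # Chart full name override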
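Review bot: The new comment calls the mirrors "potentially insecure" but never says what listing a host under `insecureRegistries` does; an operator needs to know that, with Docker-daemon semantics, it disables TLS certificate verification for that host and allows plain HTTP, so the images the SBOM extractor analyses from it are not integrity-protected in transit. I would replace the "(potentially insecure)" parenthetical with a sentence such as `# Hosts listed under insecureRegistries are used without TLS certificate verification (plain HTTP allowed); only list mirrors you control and prefer leaving this empty.`. The example block and the `mirrors: {}` default are fine as written.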

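--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.23.10
+version: 1.24.0
 maintainers:
 - name: AlbertoBarba
 
@@ -42,7 +42,7 @@ dependencies:
 - name: cluster-scanner
 # repository: https://charts.sysdig.com
 repository: file://../cluster-scanner
-version: ~0.6.1
+version: ~0.7.0
 alias: clusterScanner
 condition: clusterScanner.enabled
 - name: kspm-collector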
