fix(nodeAnalyzer): deamonset not being rollout after configuration changes (#1533)

Extended Changelog:

* Fix node-analyzer daemonset rollout not triggered by a change in configuration


Co-authored-by: Marco Vito Moscaritolo <[email protected]>

Author: ProvoK

charts/node-analyzer/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: node-analyzer
 description: Sysdig Node Analyzer
 # currently matching Sysdig's appVersion 1.14.34
-version: 1.20.2
+version: 1.20.3
 appVersion: 12.9.0
 keywords:
   - monitoring

charts/node-analyzer/templates/daemonset-node-analyzer.yaml

@@ -28,8 +28,24 @@ spec:
         app.kubernetes.io/name: {{ include "nodeAnalyzer.name" . }}
 {{ include "daemonset.labels" . | indent 8 }}
 {{ include "nodeAnalyzer.labels" . | indent 8 }}
-{{- if .Values.daemonset.annotations }}
       annotations:
+        checksum/config-benchmark: {{ include (print $.Template.BasePath "/configmap-benchmark-runner.yaml") . | sha256sum | quote  }}
+        checksum/config-host-analyzer: {{ include (print $.Template.BasePath "/configmap-host-analyzer.yaml") . | sha256sum | quote  }}
+        checksum/config-image-analyzer: {{ include (print $.Template.BasePath "/configmap-image-analyzer.yaml") . | sha256sum | quote  }}
+        {{- if and .Values.nodeAnalyzer.deploy (not .Values.gke.autopilot) (include "nodeAnalyzer.deployHostScanner" .) }}
+        checksum/config-host-scanner: {{ include (print $.Template.BasePath "/configmap-host-scanner.yaml") . | sha256sum | quote  }}
+        {{- end }}
+        {{- if .Values.global.kspm.deploy }}
+        checksum/config-kspm-analyzer: {{ include (print $.Template.BasePath "/configmap-kspm-analyzer.yaml") . | sha256sum | quote  }}
+        {{- end }}
+        {{- if include "nodeAnalyzer.deployRuntimeScanner" . }}
+        checksum/config-runtime-scanner: {{ include (print $.Template.BasePath "/runtimeScanner/runtime-scanner-configmap.yaml") . | sha256sum | quote  }}
+        {{- end }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum | quote  }}
+        checksum/clusterrole: {{ include (print $.Template.BasePath "/clusterrole-node-analyzer.yaml") . | sha256sum | quote  }}
+        checksum/clusterrolebinding: {{ include (print $.Template.BasePath "/clusterrolebinding-node-analyzer.yaml") . | sha256sum | quote  }}
+        checksum/serviceaccount: {{ include (print $.Template.BasePath "/serviceaccount-node-analyzer.yaml") . | sha256sum | quote  }}
+{{- if .Values.daemonset.annotations }}
         {{ toYaml .Values.daemonset.annotations | nindent 8 }}
 {{- end }}
     spec:

charts/node-analyzer/tests/agent_tags_test.yaml

@@ -1,6 +1,19 @@
 suite: Test node-analyzer Agent Tags
 templates:
   - daemonset-node-analyzer.yaml
+  # For checksums
+  - clusterrole-node-analyzer.yaml
+  - clusterrolebinding-node-analyzer.yaml
+  - configmap-benchmark-runner.yaml
+  - configmap-host-analyzer.yaml
+  - configmap-host-scanner.yaml
+  - configmap-image-analyzer.yaml
+  - configmap-kspm-analyzer.yaml
+  - secrets.yaml
+  - serviceaccount-node-analyzer.yaml
+values:
+  - ./default_required_values.yaml
+
 tests:
   - it: Check agent tags are set from global.settings.tags
     set:
@@ -10,6 +23,7 @@ tests:
             tag: value
         kspm:
           deploy: true
+      clusterName: "test"
     asserts:
       - contains:
           path: spec.template.spec.containers[0].env
@@ -23,6 +37,7 @@ tests:
       global:
         kspm:
           deploy: true
+      clusterName: "test"
     asserts:
       - notContains:
           path: spec.template.spec.containers[0].env

charts/node-analyzer/tests/annotations_test.yaml

@@ -1,13 +1,24 @@
 suite: Test specifying annotations to the Node Analyzer DaemonSet
 templates:
-  - templates/daemonset-node-analyzer.yaml
-tests:
-  - it: Test no annotations by default
-    asserts:
-      - isNull:
-          path: template.metadata.annotations
+  - daemonset-node-analyzer.yaml
+  # For checksums
+  - clusterrole-node-analyzer.yaml
+  - clusterrolebinding-node-analyzer.yaml
+  - configmap-benchmark-runner.yaml
+  - configmap-host-analyzer.yaml
+  - configmap-host-scanner.yaml
+  - configmap-image-analyzer.yaml
+  - configmap-kspm-analyzer.yaml
+  - secrets.yaml
+  - serviceaccount-node-analyzer.yaml
+  - runtimeScanner/runtime-scanner-configmap.yaml
+values:
+  - ./default_required_values.yaml
 
-  - it: Test annotations are added as expected
+tests:
+  - it: Test additional annotations are added as expected
+    templates:
+      - daemonset-node-analyzer.yaml
     set:
       daemonset:
         annotations:
@@ -16,3 +27,49 @@ tests:
       - equal:
           path: spec.template.metadata.annotations['super']
           value: annotation
+  - it: Test checksum annotations
+    templates:
+      - daemonset-node-analyzer.yaml
+    asserts:
+      - isNotEmpty:
+          path: spec.template.metadata.annotations['checksum/config-benchmark']
+      - isNotEmpty:
+          path: spec.template.metadata.annotations['checksum/config-host-analyzer']
+      - isNotEmpty:
+          path: spec.template.metadata.annotations['checksum/config-image-analyzer']
+      - isNotEmpty:
+          path: spec.template.metadata.annotations['checksum/secret']
+      - isNotEmpty:
+          path: spec.template.metadata.annotations['checksum/clusterrole']
+      - isNotEmpty:
+          path: spec.template.metadata.annotations['checksum/clusterrolebinding']
+      - isNotEmpty:
+          path: spec.template.metadata.annotations['checksum/serviceaccount']
+      # NOTE: not enabled with default config
+      - notExists:
+          path: spec.template.metadata.annotations['checksum/config-host-scanner']
+      - notExists:
+          path: spec.template.metadata.annotations['checksum/config-runtime-scanner']
+      - notExists:
+          path: spec.template.metadata.annotations['checksum/config-kspm-analyzer']
+  - it: Test checksum annotations for new scanning engine
+    templates:
+      - daemonset-node-analyzer.yaml
+    set:
+      secure:
+        vulnerabilityManagement:
+          newEngineOnly: true
+      global:
+        clusterConfig:
+          name: "test"
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isNotEmpty:
+          path: spec.template.metadata.annotations['checksum/clusterrole']
+      - isNotEmpty:
+          path: spec.template.metadata.annotations['checksum/config-host-scanner']
+      - isNotEmpty:
+          path: spec.template.metadata.annotations['checksum/config-runtime-scanner']

charts/node-analyzer/tests/ca_cert_test.yaml

@@ -5,6 +5,19 @@ templates:
   - runtimeScanner/eveconnector-api-deployment.yaml
   - runtimeScanner/sysdig-eve-secret.yaml
   - runtimeScanner/eveconnector-api-configmap.yaml
+  # For checksums
+  - clusterrole-node-analyzer.yaml
+  - clusterrolebinding-node-analyzer.yaml
+  - configmap-benchmark-runner.yaml
+  - configmap-host-analyzer.yaml
+  - configmap-host-scanner.yaml
+  - configmap-image-analyzer.yaml
+  - configmap-kspm-analyzer.yaml
+  - serviceaccount-node-analyzer.yaml
+  - runtimeScanner/runtime-scanner-configmap.yaml
+values:
+  - ./default_required_values.yaml
+
 tests:
   - it: Checking node-analyzer CA Cert Secret
     set:
@@ -13,6 +26,9 @@ tests:
       secure:
         vulnerabilityManagement:
           newEngineOnly: true
+      global:
+        clusterConfig:
+          name: "test"
       sysdig:
         accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
       nodeAnalyzer:
@@ -40,6 +56,9 @@ tests:
       secure:
         vulnerabilityManagement:
           newEngineOnly: true
+      global:
+        clusterConfig:
+          name: "test"
       sysdig:
         accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
       nodeAnalyzer:
@@ -108,6 +127,8 @@ tests:
         vulnerabilityManagement:
           newEngineOnly: true
       global:
+        clusterConfig:
+          name: "test"
         kspm:
           deploy: false
         ssl:

charts/node-analyzer/tests/conditional_flag_test.yaml

@@ -6,10 +6,23 @@ templates:
   - runtimeScanner/eveconnector-api-service.yaml
   - runtimeScanner/eveconnector-api-deployment.yaml
   - runtimeScanner/sysdig-eve-secret.yaml
+    # For checksums
+  - clusterrole-node-analyzer.yaml
+  - clusterrolebinding-node-analyzer.yaml
+  - configmap-benchmark-runner.yaml
+  - configmap-host-analyzer.yaml
+  - configmap-host-scanner.yaml
+  - configmap-image-analyzer.yaml
+  - secrets.yaml
+  - serviceaccount-node-analyzer.yaml
+  - runtimeScanner/runtime-scanner-configmap.yaml
+
 tests:
   - it: Check global kspm deploy
     set:
       global:
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
         kspm:
           deploy: true
       clusterName: test-cluster
@@ -23,6 +36,8 @@ tests:
   - it: Check hostPID is true if global.kspm.deploy is true
     set:
       global:
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
         kspm:
           deploy: true
       clusterName: test-cluster
@@ -34,6 +49,9 @@ tests:
 
   - it: Check hostPID is true if nodeAnalyzer.benchmarkRunner.deploy is true
     set:
+      global:
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
       nodeAnalyzer:
         benchmarkRunner:
           deploy: true
@@ -45,17 +63,23 @@ tests:
           value: true
 
   - it: Check global kspm deploy without clusterName
+    templates:
+      - daemonset-node-analyzer.yaml
     set:
       global:
         kspm:
           deploy: true
-    template: configmap-kspm-analyzer.yaml
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
     asserts:
       - failedTemplate:
           errorMessage: "A valid clusterName is required"
 
   - it: Check nodeAnalyzer imageAnalyzer deploy
     set:
+      global:
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
       nodeAnalyzer:
         imageAnalyzer:
           deploy: true
@@ -70,6 +94,9 @@ tests:
 
   - it: Check nodeAnalyzer hostAnalyzer deploy
     set:
+      global:
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
       nodeAnalyzer:
         hostAnalyzer:
           deploy: true
@@ -84,6 +111,9 @@ tests:
 
   - it: Check nodeAnalyzer benchmarkRunner deploy
     set:
+      global:
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
       nodeAnalyzer:
         benchmarkRunner:
           deploy: true
@@ -98,6 +128,11 @@ tests:
 
   - it: Check nodeAnalyzer runtimeScanner deploy
     set:
+      global:
+        clusterConfig:
+          name: "test"
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
       nodeAnalyzer:
         runtimeScanner:
           deploy: true
@@ -112,6 +147,9 @@ tests:
 
   - it: Check nodeAnalyzer runtimeScanner eveConnector deploy
     set:
+      global:
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
       nodeAnalyzer:
         runtimeScanner:
           deploy: true
@@ -141,6 +179,9 @@ tests:
 
   - it: Check nodeAnalyzer imageAnalyzer deploy set to false
     set:
+      global:
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
       nodeAnalyzer:
         imageAnalyzer:
           deploy: false
@@ -155,6 +196,9 @@ tests:
 
   - it: Check nodeAnalyzer hostAnalyzer deploy set to false
     set:
+      global:
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
       nodeAnalyzer:
         hostAnalyzer:
           deploy: false
@@ -169,6 +213,9 @@ tests:
 
   - it: Check nodeAnalyzer benchmarkRunner deploy set to false
     set:
+      global:
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
       nodeAnalyzer:
         benchmarkRunner:
           deploy: false
@@ -183,6 +230,9 @@ tests:
 
   - it: Check nodeAnalyzer runtimeScanner deploy set to false
     set:
+      global:
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
       nodeAnalyzer:
         runtimeScanner:
           deploy: false
@@ -197,6 +247,9 @@ tests:
 
   - it: Check nodeAnalyzer runtimeScanner EVE_INTEGRATION_ENABLED is true even if eveConnector deploy set to false
     set:
+      global:
+        sysdig:
+          accessKey: "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
       nodeAnalyzer:
         runtimeScanner:
           deploy: true