
Commit bf68f6f

authored
feat(shield): allow support for alt regions (#2232)
1 parent fde3fd0 commit bf68f6f

10 files changed

+220
-13
lines changed


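--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
 - name: mavimo
 
 type: application
-version: 1.5.0
+version: 1.5.1
 appVersion: "1.0.0"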

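--- a/charts/shield/templates/cluster/_config.tpl
+++ b/charts/shield/templates/cluster/_config.tpl
@@ -60,7 +60,7 @@
 "ca_cert_file" (printf "%s%s" (include "cluster.tls_certificates.mount_path" .) (include "cluster.tls_certificates.ca_cert_file_name" .))
 ) -}}
 {{- if (include "cluster.audit_enabled" .) -}}
-{{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" (.Values.on_prem_version | default "") -}}
+{{- if (include "common.semver.is_valid" (.Values.on_prem_version | default "")) -}}
 {{- if semverCompare "< 6.12.0" .Values.on_prem_version -}}
 {{- if not (include "common.credentials.has_secure_api_token" . ) -}}
 {{- fail "Secure API Token is required for kubernetes audit with On Premise Versions < 6.12.0" -}}
@@ -83,7 +83,7 @@
 {{- $_ := set $clusterScannerConfig "leader_election_lock_name" (include "cluster.container_vulnerability_management_lease_name" .) -}}
 {{- $_ := set $config "cluster_scanner" $clusterScannerConfig -}}
 
-{{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" (.Values.on_prem_version | default "") -}}
+{{- if (include "common.semver.is_valid" (.Values.on_prem_version | default "")) -}}
 {{- if semverCompare "< 6.12.0" .Values.on_prem_version -}}
 {{- $_ := set $config.features.container_vulnerability_management "platform_services_enabled" false -}}
 {{- end -}}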

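--- a/charts/shield/templates/common/_regions.tpl
+++ b/charts/shield/templates/common/_regions.tpl
@@ -3,34 +3,66 @@
 "monitor_api_endpoint" "app.au1.sysdig.com"
 "secure_api_endpoint" "app.au1.sysdig.com"
 "secure_ui" "app.au1.sysdig.com/secure")
+"au1-alt" (dict "collector_endpoint" "ingest-alt.au1.sysdig.com"
+"monitor_api_endpoint" "app.au1.sysdig.com"
+"secure_api_endpoint" "app.au1.sysdig.com"
+"secure_ui" "app.au1.sysdig.com/secure")
 "eu1" (dict "collector_endpoint" "ingest-eu1.app.sysdig.com"
 "monitor_api_endpoint" "eu1.app.sysdig.com"
 "secure_api_endpoint" "eu1.app.sysdig.com"
 "secure_ui" "eu1.app.sysdig.com/secure")
+"eu1-alt" (dict "collector_endpoint" "ingest-alt-eu1.app.sysdig.com"
+"monitor_api_endpoint" "eu1.app.sysdig.com"
+"secure_api_endpoint" "eu1.app.sysdig.com"
+"secure_ui" "eu1.app.sysdig.com/secure")
 "in1" (dict "collector_endpoint" "ingest.in1.sysdig.com"
 "monitor_api_endpoint" "app.in1.sysdig.com"
 "secure_api_endpoint" "app.in1.sysdig.com"
 "secure_ui" "app.in1.sysdig.com/secure")
+"in1-alt" (dict "collector_endpoint" "ingest-alt.in1.sysdig.com"
+"monitor_api_endpoint" "app.in1.sysdig.com"
+"secure_api_endpoint" "app.in1.sysdig.com"
+"secure_ui" "app.in1.sysdig.com/secure")
 "me2" (dict "collector_endpoint" "ingest.me2.sysdig.com"
 "monitor_api_endpoint" "app.me2.sysdig.com"
 "secure_api_endpoint" "app.me2.sysdig.com"
 "secure_ui" "app.me2.sysdig.com/secure")
+"me2-alt" (dict "collector_endpoint" "ingest-alt.me2.sysdig.com"
+"monitor_api_endpoint" "app.me2.sysdig.com"
+"secure_api_endpoint" "app.me2.sysdig.com"
+"secure_ui" "app.me2.sysdig.com/secure")
 "us1" (dict "collector_endpoint" "collector.sysdigcloud.com"
 "monitor_api_endpoint" "app.sysdigcloud.com"
 "secure_api_endpoint" "secure.sysdig.com"
 "secure_ui" "secure.sysdig.com")
+"us1-alt" (dict "collector_endpoint" "collector-alt.sysdigcloud.com"
+"monitor_api_endpoint" "app.sysdigcloud.com"
+"secure_api_endpoint" "secure.sysdig.com"
+"secure_ui" "secure.sysdig.com")
 "us2" (dict "collector_endpoint" "ingest-us2.app.sysdig.com"
 "monitor_api_endpoint" "us2.app.sysdig.com"
 "secure_api_endpoint" "us2.app.sysdig.com"
 "secure_ui" "us2.app.sysdig.com/secure")
+"us2-alt" (dict "collector_endpoint" "ingest-alt-us2.app.sysdig.com"
+"monitor_api_endpoint" "us2.app.sysdig.com"
+"secure_api_endpoint" "us2.app.sysdig.com"
+"secure_ui" "us2.app.sysdig.com/secure")
 "us3" (dict "collector_endpoint" "ingest.us3.sysdig.com"
 "monitor_api_endpoint" "app.us3.sysdig.com"
 "secure_api_endpoint" "app.us3.sysdig.com"
 "secure_ui" "app.us3.sysdig.com/secure")
+"us3-alt" (dict "collector_endpoint" "ingest-alt.us3.sysdig.com"
+"monitor_api_endpoint" "app.us3.sysdig.com"
+"secure_api_endpoint" "app.us3.sysdig.com"
+"secure_ui" "app.us3.sysdig.com/secure")
 "us4" (dict "collector_endpoint" "ingest.us4.sysdig.com"
 "monitor_api_endpoint" "app.us4.sysdig.com"
 "secure_api_endpoint" "app.us4.sysdig.com"
 "secure_ui" "app.us4.sysdig.com/secure")
+"us4-alt" (dict "collector_endpoint" "ingest-alt.us4.sysdig.com"
+"monitor_api_endpoint" "app.us4.sysdig.com"
+"secure_api_endpoint" "app.us4.sysdig.com"
+"secure_ui" "app.us4.sysdig.com/secure")
 "au-syd-monitor" (dict "collector_endpoint" "ingest.au-syd.monitoring.cloud.ibm.com"
 "monitor_api_endpoint" "au-syd.monitoring.cloud.ibm.com"
 "secure_api_endpoint" "au-syd.security-compliance-secure.cloud.ibm.com"
@@ -213,3 +245,19 @@
 {{- .Values.sysdig_endpoint.api_url}}
 {{- end }}
 {{- end }}
+
+{{- define "common.is_alt_region" -}}
+{{- $altRegions := list
+"au1-alt"
+"eu1-alt"
+"in1-alt"
+"me2-alt"
+"us1-alt"
+"us2-alt"
+"us3-alt"
+"us4-alt"
+-}}
+{{- if has .Values.sysdig_endpoint.region $altRegions -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}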
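Review bot: `common.is_alt_region` keeps a hand-maintained `$altRegions` list that duplicates the `*-alt` keys added to the regions dict in the first hunk and the `region` enum entries in values.schema.json, so a future alt region added to one of those places but not to this list would silently keep the default collector port. Since every alt region name ends in `-alt` and the schema enum already bounds the accepted values, the check could become `{{- if hasSuffix "-alt" (.Values.sysdig_endpoint.region | default "") -}}` with the list dropped, or the list should at least carry a comment naming the two other places that must change with it. The helper also has no header comment; `{{/* True when the selected region is one of the "-alt" regions, whose collector is reached through a different ingest host (see the regions dict) and port (see the host configmap helpers). */}}` would tell the next maintainer what "alt" means.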
Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
{{- define "common.semver.is_valid" -}}
2+
{{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" . -}}
3+
{{- true -}}
4+
{{- end -}}
5+
{{- end -}}
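Review bot: The new `common.semver.is_valid` helper drops the comment that the removed `shield.is_semver` in host/_configmap_helpers.tpl carried explaining where the regex comes from, which is the one thing a reader needs before deciding whether the pattern can be touched; restore it above the define as `{{/* Check if semver. The regex is from the code of the library Helm uses for semver. */}}`. The file header for this section is not shown on the page, so I cannot tell which file the helper lives in. Callers are also inconsistent about nil handling: the cluster and Windows templates pass `(... | default "")` while host/_configmap_helpers.tpl passes `.Values.host.image.tag` raw, so a nil tag reaches `regexMatch` directly from those callers; normalising inside the helper with `{{- if regexMatch "…" (. | default "") -}}` would make every call site safe.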

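--- a/charts/shield/templates/host/_configmap_helpers.tpl
+++ b/charts/shield/templates/host/_configmap_helpers.tpl
@@ -43,13 +43,6 @@
 {{- $config | toYaml }}
 {{- end }}
 
-{{/* Check if semver. The regex is from the code of the library Helm uses for semver. */}}
-{{- define "shield.is_semver" -}}
-{{- if regexMatch "^v?([0-9]+)(\\.[0-9]+)?(\\.[0-9]+)?(-([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?(\\+([0-9A-Za-z\\-]+(\\.[0-9A-Za-z\\-]+)*))?$" . }}
-true
-{{- end -}}
-{{- end -}}
-
 {{- define "host.features.netsec_enabled" }}
 {{- if or .Values.features.investigations.network_security.enabled
 (dig "network_topology" "enabled" false .Values.host.additional_settings) }}
@@ -73,7 +66,7 @@ true
 {{/* Calculate the agent mode based on enabled features */}}
 {{- define "host.configmap.agent_mode" }}
 {{- $mode := "secure_light" }}
-{{- if and (include "host.features.netsec_enabled" .) (include "shield.is_semver" .Values.host.image.tag) (semverCompare "< 13.9.0" .Values.host.image.tag) }}
+{{- if and (include "host.features.netsec_enabled" .) (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.9.0" .Values.host.image.tag) }}
 {{- $mode = "secure" }}
 {{- end }}
 {{- if (include "host.features.monitor_enabled" .) }}
@@ -115,7 +108,7 @@ true
 {{- define "host.dragent_yaml.host_scanner" }}
 {{- $config := dict }}
 {{- $config = merge $config (dict "host_fs_mount_path" "/host") }}
-{{- if and (include "shield.is_semver" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
+{{- if and (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
 {{- $config = merge $config (dict "verify_certificate" false) }}
 {{- end }}
 {{- if hasKey .Values.host.additional_settings "host_scanner" }}
@@ -128,7 +121,7 @@ true
 {{- $config := dict }}
 {{- $respond := get .Values.features (include "host.respond_key" .Values.features) }}
 {{- $rapid_response := omit (get $respond "rapid_response") "password" }}
-{{- if and (include "shield.is_semver" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
+{{- if and (include "common.semver.is_valid" .Values.host.image.tag) (semverCompare "< 13.10.0" .Values.host.image.tag) (not .Values.ssl.verify) }}
 {{- $rapid_response = merge $rapid_response (dict "tls_skip_check" true) }}
 {{- end }}
 {{ $rapid_response | toJson }}
@@ -142,6 +135,9 @@ true
 {{- if not .Values.ssl.verify }}
 {{- $config = merge $config (dict "ssl_verify_certificate" false) }}
 {{- end }}
+{{- if (include "common.is_alt_region" .) -}}
+{{- $_ := set $config "collector_port" 6443 -}}
+{{- end -}}
 {{- if .Values.features.kubernetes_metadata.enabled }}
 {{- $_ := set $config "k8s_delegated_nodes" (dig "k8s_delegated_nodes" 0 .Values.host.additional_settings) -}}
 {{- else if hasKey .Values.host.additional_settings "k8s_delegated_nodes" }}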
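Review bot: The alt-region collector port `6443` is a bare literal in the last hunk here and again twice in host/_windows_configmap_helpers.tpl (the `collector_port` and `collector` `port` assignments), so the three sites can drift apart; define it once next to `common.is_alt_region`, e.g. `{{- define "common.alt_region_collector_port" -}}6443{{- end -}}`, and use `(include "common.alt_region_collector_port" . | int)` at each site. The new block also sets `collector_port` unconditionally whenever the region is an alt region; whether a user-supplied `collector_port` in `host.additional_settings` wins or is overridden depends on where `$config` is merged with those settings, which is outside this hunk, so a test pinning the intended precedence would help. The enclosing define starts before the hunk.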

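--- a/charts/shield/templates/host/_windows_configmap_helpers.tpl
+++ b/charts/shield/templates/host/_windows_configmap_helpers.tpl
@@ -41,6 +41,14 @@
 {{- $_ := set $sysdigEndpointConfig $k $v -}}
 {{- end -}}
 {{- end -}}
+{{- if (include "common.is_alt_region" .) -}}
+{{- if not (include "host.windows.supports_alt_regions" .) -}}
+{{- $_ := set $sysdigEndpointConfig "region" "custom" -}}
+{{- $_ := set $sysdigEndpointConfig "api_url" (printf "https://%s" (include "common.secure_api_endpoint" .)) -}}
+{{- $_ := set $sysdigEndpointConfig.collector "host" (include "common.collector_endpoint" .) -}}
+{{- $_ := set $sysdigEndpointConfig.collector "port" 6443 -}}
+{{- end -}}
+{{- end -}}
 {{- $_ := set $config "sysdig_endpoint" $sysdigEndpointConfig -}}
 
 {{- with .Values.features.posture }}
@@ -64,12 +72,25 @@
 {{- $finalConfig | toYaml }}
 {{- end }}
 
+{{- define "host.windows.supports_alt_regions" -}}
+{{- if (include "common.semver.is_valid" (.Values.host_windows.image.tag | default "")) -}}
+{{- if semverCompare "> 0.7.1" .Values.host_windows.image.tag -}}
+{{- true -}}
+{{- end -}}
+{{- else -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
 {{/* Generate the 'dragent.yaml' content */}}
 {{- define "host.windows.configmap" }}
 {{- $config := dict
 "k8s_cluster_name" .Values.cluster_config.name
 "collector" (include "common.collector_endpoint" .)
 }}
+{{- if (include "common.is_alt_region" .) -}}
+{{- $_ := set $config "collector_port" 6443 -}}
+{{- end -}}
 {{- if .Values.cluster_config.tags -}}
 {{- $tagList := list }}
 {{- range $k, $v := .Values.cluster_config.tags }}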
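Review bot: `host.windows.supports_alt_regions` in the second hunk treats any tag that is not a valid semver (a mutable tag such as "latest", for instance) as supporting alt regions, and `semverCompare "> 0.7.1"` is the only gate for semver tags, yet neither decision is explained; a comment above the define along the lines of `{{/* host-shield for Windows understands "-alt" regions natively from 0.7.2 on; older versions get an equivalent "custom" endpoint synthesized in host.windows.config. Non-semver tags are assumed to be newer than 0.7.1. */}}` would record the intent. Masterminds semver constraints normally exclude prerelease versions, so a tag such as `0.7.2-rc1` would likely evaluate as not supported and receive the custom-region fallback; worth confirming that is intended. In the first hunk, `set $sysdigEndpointConfig.collector` assumes a `collector` map is always present in the copied endpoint values, which the loop above the hunk does not show; that enclosing define starts outside the hunk.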

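--- a/charts/shield/tests/host/configmap-dragent-yaml_test.yaml
+++ b/charts/shield/tests/host/configmap-dragent-yaml_test.yaml
@@ -1343,3 +1343,25 @@ tests:
 host_scanner:
 host_fs_mount_path: /host
 verify_certificate: true
+
+- it: Alternative regions
+set:
+sysdig_endpoint:
+region: "eu1-alt"
+asserts:
+- hasDocuments:
+count: 1
+- containsDocument:
+kind: ConfigMap
+apiVersion: v1
+name: release-name-shield-host
+- equal:
+path: metadata.namespace
+value: shield-namespace
+- exists:
+path: data['dragent.yaml']
+- matchRegex:
+path: data['dragent.yaml']
+pattern: |
+collector: ingest-alt-eu1.app.sysdig.com
+collector_port: 6443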

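--- a/charts/shield/tests/host/configmap-windows-dragent-yaml_test.yaml
+++ b/charts/shield/tests/host/configmap-windows-dragent-yaml_test.yaml
@@ -707,3 +707,25 @@ tests:
 pattern: |
 log:
 console_priority: debug
+
+- it: Alternative regions
+set:
+sysdig_endpoint:
+region: "eu1-alt"
+asserts:
+- hasDocuments:
+count: 1
+- containsDocument:
+kind: ConfigMap
+apiVersion: v1
+name: release-name-shield-host-windows
+- equal:
+path: metadata.namespace
+value: shield-namespace
+- exists:
+path: data['dragent.yaml']
+- matchRegex:
+path: data['dragent.yaml']
+pattern: |
+collector: ingest-alt-eu1.app.sysdig.com
+collector_port: 6443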

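--- a/charts/shield/tests/host/configmap-windows-host-shield-config_test.yaml
+++ b/charts/shield/tests/host/configmap-windows-host-shield-config_test.yaml
@@ -330,3 +330,88 @@ tests:
 pattern: |
 proxy:
 no_proxy: example.com
+
+- it: Alternative regions (default)
+set:
+sysdig_endpoint:
+region: "eu1-alt"
+asserts:
+- hasDocuments:
+count: 1
+- containsDocument:
+kind: ConfigMap
+apiVersion: v1
+name: release-name-shield-host-windows
+- equal:
+path: metadata.namespace
+value: shield-namespace
+- exists:
+path: data["host-shield.yaml"]
+- matchRegex:
+path: data["host-shield.yaml"]
+pattern: |
+sysdig_endpoint:
+api_url: https://eu1.app.sysdig.com
+collector:
+host: ingest-alt-eu1.app.sysdig.com
+port: 6443
+region: custom
+
+- it: Alternative regions (host-shield windows version <= 0.7.1)
+set:
+sysdig_endpoint:
+region: "eu1-alt"
+host_windows:
+image:
+tag: "0.7.1"
+asserts:
+- hasDocuments:
+count: 1
+- containsDocument:
+kind: ConfigMap
+apiVersion: v1
+name: release-name-shield-host-windows
+- equal:
+path: metadata.namespace
+value: shield-namespace
+- exists:
+path: data["host-shield.yaml"]
+- matchRegex:
+path: data["host-shield.yaml"]
+pattern: |
+sysdig_endpoint:
+api_url: https://eu1.app.sysdig.com
+collector:
+host: ingest-alt-eu1.app.sysdig.com
+port: 6443
+region: custom
+
+- it: Alternative regions (host-shield windows version > 0.7.1)
+set:
+sysdig_endpoint:
+region: "eu1-alt"
+api_url:
+collector:
+host:
+port:
+host_windows:
+image:
+tag: "0.7.2"
+asserts:
+- hasDocuments:
+count: 1
+- containsDocument:
+kind: ConfigMap
+apiVersion: v1
+name: release-name-shield-host-windows
+- equal:
+path: metadata.namespace
+value: shield-namespace
+- exists:
+path: data["host-shield.yaml"]
+- matchRegex:
+path: data["host-shield.yaml"]
+pattern: |
+sysdig_endpoint:
+collector: {}
+region: eu1-alt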
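Review bot: The "Alternative regions (default)" case does not set `host_windows.image.tag` yet asserts `region: custom`, so it implicitly pins the chart's default Windows image tag to 0.7.1 or lower; a later bump of that default would flip the output to the `> 0.7.1` shape and the failure would look like a regression rather than an expected change. Either set the tag explicitly (at which point it duplicates the `<= 0.7.1` case and can be dropped) or name the dependency, e.g. `- it: Alternative regions (default Windows image tag, expected <= 0.7.1)`. The `> 0.7.1` case also nulls `api_url` and `collector.host`/`collector.port` without saying why; a one-line comment above that `set:` explaining that it clears the chart defaults so the native `eu1-alt` region is emitted with an empty `collector` would make the expected `collector: {}` self-explanatory.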

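--- a/charts/shield/values.schema.json
+++ b/charts/shield/values.schema.json
@@ -174,6 +174,7 @@
 "au-syd-private-secure",
 "au-syd-secure",
 "au1",
+"au1-alt",
 "br-sao-monitor",
 "br-sao-private-monitor",
 "br-sao-private-secure",
@@ -191,7 +192,9 @@
 "eu-gb-private-secure",
 "eu-gb-secure",
 "eu1",
+"eu1-alt",
 "in1",
+"in1-alt",
 "jp-osa-monitor",
 "jp-osa-private-monitor",
 "jp-osa-private-secure",
@@ -201,6 +204,7 @@
 "jp-tok-private-secure",
 "jp-tok-secure",
 "me2",
+"me2-alt",
 "us-east-monitor",
 "us-east-private-monitor",
 "us-east-private-secure",
@@ -210,9 +214,13 @@
 "us-south-private-secure",
 "us-south-secure",
 "us1",
+"us1-alt",
 "us2",
+"us2-alt",
 "us3",
+"us3-alt",
 "us4",
+"us4-alt",
 null
 ]
 },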
