feat(agent): mount agent http-proxy credentials as secret (#1517)

Author: francesco-furlan

charts/agent/Chart.yaml

@@ -30,4 +30,4 @@ sources:
 - https://app.sysdigcloud.com/#/settings/user
 - https://github.com/draios/sysdig
 type: application
-version: 1.17.3
+version: 1.18.0

charts/agent/templates/_helpers.tpl

@@ -183,6 +183,16 @@ Return the default only if the value is not defined in sysdig.settings.<agent_se
 The following helper functions are all designed to use global values where
 possible, but accept overrides from the chart values.
 */}}
+
+{{- define "agent.httpProxyCredentials" -}}
+    {{- if hasKey .Values.sysdig.settings "http_proxy" -}}
+        {{- if and (hasKey .Values.sysdig.settings.http_proxy "proxy_user") (hasKey .Values.sysdig.settings.http_proxy "proxy_password") -}}
+proxy_user: {{ .Values.sysdig.settings.http_proxy.proxy_user | toString | b64enc | quote }}
+proxy_password: {{ .Values.sysdig.settings.http_proxy.proxy_password | toString | b64enc | quote }}
+        {{- end }}
+    {{- end }}
+{{- end -}}
+
 {{- define "agent.accessKey" -}}
     {{- required "A valid accessKey is required" (.Values.sysdig.accessKey | default .Values.global.sysdig.accessKey) -}}
 {{- end -}}

charts/agent/templates/configmap.yaml

@@ -26,6 +26,13 @@ data:
 {{- if .Values.global.sysdig.tags }}
     tags: {{ include "agent.tags" . }}
 {{- end }}
+{{/*
+  Unset proxy_user and proxy_password if present and gke autopilot is disabled.
+*/}}
+{{- if and (hasKey .Values.sysdig.settings "http_proxy") (not (include "agent.gke.autopilot" .)) }}
+  {{- $_ := unset .Values.sysdig.settings.http_proxy "proxy_user" -}}
+  {{- $_ := unset .Values.sysdig.settings.http_proxy "proxy_password" -}}
+{{- end }}
 {{/*
   Checking here the user is using Custom CA and if http_proxy.ssl = true
   If these conditions are true, then we use the agent.sslCaFileName for the http_proxy.ca_certificate

charts/agent/templates/daemonset.yaml

@@ -249,6 +249,10 @@ spec:
               name: sysdig-agent-config
             - mountPath: /opt/draios/etc/kubernetes/secrets
               name: sysdig-agent-secrets
+            {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
+            - mountPath: /opt/draios/etc/secrets/http_proxy
+              name: sysdig-agent-http-proxy-secrets
+            {{- end }}
             - mountPath: /etc/podinfo
               name: podinfo
 
@@ -369,6 +373,11 @@ spec:
             {{- else }}
             secretName: {{ include "agent.accessKeySecret" . }}
             {{- end }}
+        {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
+        - name: sysdig-agent-http-proxy-secrets
+          secret:
+            secretName: {{ template "agent.fullname" . }}-proxy
+        {{- end }}
         - name: podinfo
           downwardAPI:
             defaultMode: 420

charts/agent/templates/deployment.yaml

@@ -128,6 +128,10 @@ spec:
               name: sysdig-agent-config
             - mountPath: /opt/draios/etc/kubernetes/secrets
               name: sysdig-agent-secrets
+            {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
+            - mountPath: /opt/draios/etc/secrets/http_proxy
+              name: sysdig-agent-http-proxy-secrets
+            {{- end }}
             - mountPath: /etc/podinfo
               name: podinfo
             {{- if eq (include "sysdig.custom_ca.enabled"  (dict "global" .Values.global.ssl "component" .Values.ssl)) "true" }}
@@ -252,6 +256,11 @@ spec:
             {{- else }}
             secretName: {{ include "agent.accessKeySecret" . }}
             {{- end }}
+        {{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
+        - name: sysdig-agent-http-proxy-secrets
+          secret:
+            secretName: {{ template "agent.fullname" . }}-proxy
+        {{- end }}
         - name: podinfo
           downwardAPI:
             defaultMode: 420

charts/agent/templates/secrets.yaml

@@ -36,3 +36,16 @@ metadata:
 data:
   {{ include "sysdig.custom_ca.keyName" (dict "global" .Values.global.ssl "component" .Values.ssl) }}: {{ include "sysdig.custom_ca.cert" (dict "global" .Values.global.ssl "component" .Values.ssl "Files" .Subcharts.common.Files) | b64enc | quote }}
 {{- end }}
+{{- if and (include "agent.httpProxyCredentials" .) (not (include "agent.gke.autopilot" .)) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "agent.fullname" . }}-proxy
+  namespace: {{ include "agent.namespace" $ }}
+  labels:
+{{ include "agent.labels" $ | indent 4 }}
+type: Opaque
+data:
+{{ include "agent.httpProxyCredentials" . | indent 2 }}
+{{- end }}

charts/agent/tests/api_endpoint_region_test.yaml

@@ -510,3 +510,18 @@ tests:
     asserts:
       - failedTemplate:
           errorMessage: "global.sysdig.region=us7 provided is not recognized."
+
+  - it: Checking proxy_user and proxy_password are not set
+    set:
+      sysdig:
+        settings:
+          http_proxy:
+            proxy_user: "user"
+            proxy_password: "password"
+    asserts:
+      - notMatchRegex:
+          path: data['dragent.yaml']
+          pattern: .*username.*
+      - notMatchRegex:
+          path: data['dragent.yaml']
+          pattern: .*password.*

charts/agent/tests/secrets_test.yaml

@@ -53,3 +53,39 @@ tests:
           path: data.sysdig-new-password-key1
           value: bXlwYXNzd29yZA==
         documentIndex: 2
+
+  - it: Should create proxy secret with http_proxy settings
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+        settings:
+          http_proxy:
+            proxy_user: username
+            proxy_password: password
+    asserts:
+      - isKind:
+          of: Secret
+      - equal:
+          path: data.proxy_user
+          value: dXNlcm5hbWU=
+        documentIndex: 1
+      - equal:
+          path: data.proxy_password
+          value: cGFzc3dvcmQ=
+        documentIndex: 1
+
+  - it: Should not create proxy secret with http_proxy settings and autopilot enabled
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+        settings:
+          http_proxy:
+            proxy_user: username
+            proxy_password: password
+      gke:
+        autopilot: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Secret

charts/agent/tests/volumes_test.yaml

@@ -1,6 +1,7 @@
 suite: Host volumes are available for agent
 templates:
-  - templates/daemonset.yaml
+  - daemonset.yaml
+  - deployment.yaml
 tests:
   - it: Ensure /var/run host volume is mounted as /host/var/run in container
     asserts:
@@ -10,6 +11,9 @@ tests:
       - equal:
           path: spec.template.spec.volumes[?(@.name == "varrun-vol")].hostPath.path
           value: /var/run
+    templates:
+      - daemonset.yaml
+
   - it: Ensure /var/lib host volume is mounted as /host/var/lib in container
     asserts:
       - equal:
@@ -18,6 +22,9 @@ tests:
       - equal:
           path: spec.template.spec.volumes[?(@.name == "varlib-vol")].hostPath.path
           value: /var/lib
+    templates:
+      - daemonset.yaml
+
   - it: Ensure /var/lib host volume is not mounted as /host/var/lib in container when running on gke.autopilot
     set:
       gke:
@@ -27,6 +34,9 @@ tests:
           path: spec.template.spec.containers[*].volumeMounts[?(@.name == "varlib-vol")]
       - isNull:
           path: spec.template.spec.volumes[?(@.name == "varlib-vol")]
+    templates:
+      - daemonset.yaml
+
   - it: Ensure /var/lib host volume is not mounted as /host/var/lib in container when running on global.gke.autopilot
     set:
       global:
@@ -37,3 +47,63 @@ tests:
           path: spec.template.spec.containers[*].volumeMounts[?(@.name == "varlib-vol")]
       - isNull:
           path: spec.template.spec.volumes[?(@.name == "varlib-vol")]
+    templates:
+      - daemonset.yaml
+
+  - it: Ensure agent http proxy volume is not mounted when http_proxy settings is not set
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+      delegatedAgentDeployment:
+        enabled: true
+    asserts:
+      - isNull:
+          path: spec.template.spec.volumes[?(@.name == "sysdig-agent-http-proxy-secrets")]
+      - isNull:
+          path: spec.template.spec.containers[*].volumeMounts[?(@.name == "sysdig-agent-http-proxy-secrets")]
+    templates:
+      - deployment.yaml
+      - daemonset.yaml
+
+  - it: Ensure agent http proxy volume is not mounted when http_proxy settings is set and autopilot is enabled
+    set:
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+        settings:
+          http_proxy:
+            proxy_user: username
+            proxy_password: password
+      delegatedAgentDeployment:
+        enabled: true
+      gke:
+        autopilot: true
+    asserts:
+      - isNull:
+          path: spec.template.spec.volumes[?(@.name == "sysdig-agent-http-proxy-secrets")]
+      - isNull:
+          path: spec.template.spec.containers[*].volumeMounts[?(@.name == "sysdig-agent-http-proxy-secrets")]
+    templates:
+      - deployment.yaml
+      - daemonset.yaml
+
+  - it: Ensure agent http proxy volume is mounted when http_proxy settings is set
+    set:
+      delegatedAgentDeployment:
+        enabled: true
+      sysdig:
+        accessKey: AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
+        settings:
+          http_proxy:
+            proxy_user: username
+            proxy_password: password
+    asserts:
+      - equal:
+          path: spec.template.spec.volumes[?(@.name == "sysdig-agent-http-proxy-secrets")].secret
+          value:
+            secretName: RELEASE-NAME-agent-proxy
+      - equal:
+          path: spec.template.spec.containers[*].volumeMounts[?(@.name == "sysdig-agent-http-proxy-secrets")].mountPath
+          value: /opt/draios/etc/secrets/http_proxy
+    templates:
+      - deployment.yaml
+      - daemonset.yaml

charts/sysdig-deploy/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: sysdig-deploy
 description: A chart with various Sysdig components for Kubernetes
 type: application
-version: 1.32.1
+version: 1.33.0
 maintainers:
   - name: AlbertoBarba
     email: [email protected]
@@ -26,7 +26,7 @@ dependencies:
   - name: agent
     # repository: https://charts.sysdig.com
     repository: file://../agent
-    version: ~1.17.3
+    version: ~1.18.0
     alias: agent
     condition: agent.enabled
   - name: common