From e8c5822221afb4dc8b7434f1e6d494757d7f9f96 Mon Sep 17 00:00:00 2001
From: Ben
Date: Mon, 3 Feb 2025 20:30:40 +0200
Subject: [PATCH] Add support for mapping extra CA certificates in Kubescape Helm chart

Signed-off-by: Ben
---
 charts/kubescape-operator/README.md | 4 +++-
 .../templates/kubescape/deployment.yaml | 9 +++++++++
 .../templates/kubevuln/deployment.yaml | 9 +++++++++
 .../templates/node-agent/daemonset.yaml | 12 +++++++++++-
 .../templates/operator/deployment.yaml | 9 +++++++++
 .../templates/synchronizer/deployment.yaml | 10 ++++++++++
 charts/kubescape-operator/values.yaml | 3 +++
 7 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/charts/kubescape-operator/README.md b/charts/kubescape-operator/README.md
index f36a1113..71afb3a9 100644
--- a/charts/kubescape-operator/README.md
+++ b/charts/kubescape-operator/README.md
@@ -94,6 +94,8 @@ However, we recommend that you give Kubescape no less than 500m CPU no matter th
 | global.proxySecretFile | string | `""` | Set proxy certificate / RootCA file content (not the file path) for all components to be used for proxy configured in global.httpsProxy |
 | global.overrideDefaultCaCertificates.enabled | bool | `false` | Use to enable custom CA Certificates |
 | global.overrideDefaultCaCertificates.caCertificates | string | `""` | Set the custom CA Certificates file in all container |
+| global.extraCaCertificates.enabled | bool | `false` | Use to enable mapping extra CA Certificate files |
+| global.extraCaCertificates.secretName | bool | `""` | Name of the secret that contents will be mapped to `/etc/ssl/certs` in each workload |
 | customScheduling.affinity | yaml | | Use the `affinity` sub-section to define affinity rules that will apply to all of the workloads managed by the kubescape-operator |
 | customScheduling.nodeSelector | yaml | | Configure `nodeSelector` rules under the nodeSelector sub-section that will apply to all of the workloads managed by the kubescape-operator |
 | customScheduling.tolerations | yaml | | Define `tolerations` in the tolerations sub-section that will apply to all of the workloads managed by the kubescape-operator |
@@ -234,7 +236,7 @@ graph TB
 sync1("Synchronizer (In-cluster)")
 store1(Storage)
 end;
-
+
 dashboard --> event --> masterSync
 masterSync .- sync1
 masterSync .- sync2
diff --git a/charts/kubescape-operator/templates/kubescape/deployment.yaml b/charts/kubescape-operator/templates/kubescape/deployment.yaml
index 86976d3f..624d87d2 100644
--- a/charts/kubescape-operator/templates/kubescape/deployment.yaml
+++ b/charts/kubescape-operator/templates/kubescape/deployment.yaml
@@ -203,6 +203,10 @@ spec:
 - name: custom-ca-certificates
 mountPath: /etc/ssl/certs/ca-certificates.crt
 subPath: ca-certificates.crt
+{{- end }}
+{{- if .Values.global.extraCaCertificates.enabled }}
+ - name: extra-ca-certificates
+ mountPath: /etc/ssl/certs/
 {{- end }}
 volumes:
 - name: {{ $components.cloudSecret.name }}
@@ -218,6 +222,11 @@ spec:
 secret:
 secretName: {{ $components.customCaCertificates.name }}
 {{- end }}
+ {{- if .Values.global.extraCaCertificates.enabled }}
+ - name: extra-ca-certificates
+ secret:
+ secretName: {{ .Values.global.extraCaCertificates.secretName }}
+ {{- end }}
 - name: {{ .Values.global.cloudConfig }}
 configMap:
 name: {{ .Values.global.cloudConfig }}
diff --git a/charts/kubescape-operator/templates/kubevuln/deployment.yaml b/charts/kubescape-operator/templates/kubevuln/deployment.yaml
index 72f32510..8d827b07 100644
--- a/charts/kubescape-operator/templates/kubevuln/deployment.yaml
+++ b/charts/kubescape-operator/templates/kubevuln/deployment.yaml
@@ -129,6 +129,10 @@ spec:
 - name: custom-ca-certificates
 mountPath: /etc/ssl/certs/ca-certificates.crt
 subPath: ca-certificates.crt
+{{- end }}
+{{- if .Values.global.extraCaCertificates.enabled }}
+ - name: extra-ca-certificates
+ mountPath: /etc/ssl/certs/
 {{- end }}
 volumes:
 - name: {{ $components.cloudSecret.name }}
@@ -143,6 +147,11 @@ spec:
 - name: custom-ca-certificates
 secret:
 secretName: {{ $components.customCaCertificates.name }}
+ {{- end }}
+ {{- if .Values.global.extraCaCertificates.enabled }}
+ - name: extra-ca-certificates
+ secret:
+ secretName: {{ .Values.global.extraCaCertificates.secretName }}
 {{- end }}
 - name: tmp-dir
 emptyDir: {}
diff --git a/charts/kubescape-operator/templates/node-agent/daemonset.yaml b/charts/kubescape-operator/templates/node-agent/daemonset.yaml
index bd6acfc2..1c24f03f 100644
--- a/charts/kubescape-operator/templates/node-agent/daemonset.yaml
+++ b/charts/kubescape-operator/templates/node-agent/daemonset.yaml
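Review bot: Mounting the `extra-ca-certificates` Secret volume at `mountPath: /etc/ssl/certs/` with no `subPath` replaces that directory inside the container, so the image's own trust store (including the `ca-certificates.crt` that the `custom-ca-certificates` mount just above targets) disappears and only the Secret's keys remain; the value is called "extra", but the effect is a full substitution of the CA set unless the Secret also carries the default bundle. When `overrideDefaultCaCertificates` and `extraCaCertificates` are both enabled, the file mount at `/etc/ssl/certs/ca-certificates.crt` would have to be nested inside this directory mount, which I would verify on a live cluster before merging. The kubevuln hunk at `@@ -129,6 +129,10 @@` and the operator hunk at `@@ -143,6 +143,10 @@` have the same shape. A safer layout mounts the Secret at its own path with `readOnly: true` (e.g. `mountPath: /etc/ssl/certs/extra/`) and documents that the process must be pointed at it, for example via `SSL_CERT_DIR` where the binary honors it; otherwise the README row should state that the Secret must contain the complete bundle. The enclosing `volumeMounts` list starts before the hunk.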
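Review bot: `secretName: {{ .Values.global.extraCaCertificates.secretName }}` renders to an empty `secretName:` when the feature is enabled but the default `""` is left in place, which only surfaces later as a pod that never becomes ready; failing at render time is clearer, e.g. `secretName: {{ required "global.extraCaCertificates.secretName must be set when extraCaCertificates is enabled" .Values.global.extraCaCertificates.secretName | quote }}`. The same volume stanza is repeated in the kubevuln hunk at `@@ -143,6 +147,11 @@`, the node-agent hunk at `@@ -107,6 +107,11 @@`, the operator hunk at `@@ -173,6 +177,11 @@` and the synchronizer hunk at `@@ -140,6 +145,11 @@`, so a shared named template would keep the five copies from drifting. The enclosing `volumes` list starts before the hunk.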
@@ -57,7 +57,7 @@ spec:
 initContainers:
 - name: startup-jitter
 image: "busybox:latest"
- command:
+ command:
 - /bin/sh
 - -c
 - |
@@ -107,6 +107,11 @@ spec:
 secret:
 secretName: {{ $components.customCaCertificates.name }}
 {{- end }}
+ {{- if .Values.global.extraCaCertificates.enabled }}
+ - name: extra-ca-certificates
+ secret:
+ secretName: {{ .Values.global.extraCaCertificates.secretName }}
+ {{- end }}
 containers:
 {{- if $components.clamAV.enabled }}
 - name: {{ .Values.clamav.name }}
@@ -242,6 +247,11 @@ spec:
 mountPath: /etc/ssl/certs/ca-certificates.crt
 subPath: ca-certificates.crt
 {{- end }}
+ {{- if .Values.global.extraCaCertificates.enabled }}
+ - name: extra-ca-certificates
+ mountPath: /etc/ssl/certs/
+ subPath: {{ .Values.global.extraCaCertificates.secretName }}
+ {{- end }}
 nodeSelector:
 {{- if .Values.nodeAgent.nodeSelector }}
 {{- toYaml .Values.nodeAgent.nodeSelector | nindent 8 }}
diff --git a/charts/kubescape-operator/templates/operator/deployment.yaml b/charts/kubescape-operator/templates/operator/deployment.yaml
index 20fb23a7..ae79cac0 100644
--- a/charts/kubescape-operator/templates/operator/deployment.yaml
+++ b/charts/kubescape-operator/templates/operator/deployment.yaml
@@ -143,6 +143,10 @@ spec:
 mountPath: /etc/ssl/certs/ca-certificates.crt
 subPath: ca-certificates.crt
 {{- end }}
+ {{- if .Values.global.extraCaCertificates.enabled }}
+ - name: extra-ca-certificates
+ mountPath: /etc/ssl/certs/
+ {{- end }}
 {{- if eq .Values.capabilities.admissionController "enable" }}
 - name: tls-certs
 mountPath: /etc/certs
@@ -173,6 +177,11 @@ spec:
 secret:
 secretName: {{ $components.customCaCertificates.name }}
 {{- end }}
+ {{- if .Values.global.extraCaCertificates.enabled }}
+ - name: extra-ca-certificates
+ secret:
+ secretName: {{ .Values.global.extraCaCertificates.secretName }}
+ {{- end }}
 {{- if eq .Values.capabilities.admissionController "enable" }}
 - name: tls-certs
 secret:
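Review bot: `subPath: {{ .Values.global.extraCaCertificates.secretName }}` in the node-agent volumeMount (hunk `@@ -242,6 +247,11 @@`) selects a single key inside the Secret, not the Secret itself, so unless the Secret happens to contain a key named after it the mount does not deliver the certificate files; paired with `mountPath: /etc/ssl/certs/` that single item would be placed on the directory path, which I would not expect the kubelet to accept. The kubescape, kubevuln and operator templates mount the same volume without `subPath`, and the synchronizer hunk at `@@ -112,6 +112,11 @@` repeats the node-agent form, so the two forms cannot both be intended. Drop the `subPath` line in both places to match the other three templates, or, if one file per key is wanted, select keys with the volume's `items` list instead. The first hunk in this file (`command:`) only strips trailing whitespace; the enclosing `volumeMounts` list starts before the hunk.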
diff --git a/charts/kubescape-operator/templates/synchronizer/deployment.yaml b/charts/kubescape-operator/templates/synchronizer/deployment.yaml
index 1407089e..0bbdab96 100644
--- a/charts/kubescape-operator/templates/synchronizer/deployment.yaml
+++ b/charts/kubescape-operator/templates/synchronizer/deployment.yaml
@@ -112,6 +112,11 @@ spec:
 mountPath: /etc/ssl/certs/ca-certificates.crt
 subPath: ca-certificates.crt
 {{- end }}
+ {{- if .Values.global.extraCaCertificates.enabled }}
+ - name: extra-ca-certificates
+ mountPath: /etc/ssl/certs/
+ subPath: {{ .Values.global.extraCaCertificates.secretName }}
+ {{- end }}
 - name: config
 mountPath: /etc/config/config.json
 readOnly: true
@@ -140,6 +145,11 @@ spec:
 - name: custom-ca-certificates
 secret:
 secretName: {{ $components.customCaCertificates.name }}
+ {{- end }}
+ {{- if .Values.global.extraCaCertificates.enabled }}
+ - name: extra-ca-certificates
+ secret:
+ secretName: {{ .Values.global.extraCaCertificates.secretName }}
 {{- end }}
 - name: {{ .Values.global.cloudConfig }}
 configMap:
diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml
index 2158ad81..cf62ab9b 100644
--- a/charts/kubescape-operator/values.yaml
+++ b/charts/kubescape-operator/values.yaml
@@ -201,6 +201,9 @@ global:
 overrideDefaultCaCertificates:
 enabled: false
 caCertificates: ""
+ extraCaCertificates:
+ enabled: false
+ secretName: ""
 openshift: # Openshift Security Context Constraint support
 scc:
 enabled: false
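Review bot: The new `extraCaCertificates` block in values.yaml carries no comment, so a reader of the values file cannot tell what the referenced Secret must contain or where its keys end up; add `# Mount the keys of an existing Secret as CA certificate files under /etc/ssl/certs/ in every workload` above `extraCaCertificates:` and `# Name of the Secret (in the release namespace); must be set when enabled is true` above `secretName: ""`. The README row added for `global.extraCaCertificates.secretName` types it as `bool`, while the default here is the string `""`, so that row should say `string`. Keeping the default quoted as `""` is correct, since a bare `secretName:` would render as `null`.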