From 2fc04c33f6b7d46bd16f3f268162c4121095b821 Mon Sep 17 00:00:00 2001
From: "isaac.schnitzer" <isaac.schnitzer@wiz.io>
Date: Sun, 23 Apr 2023 13:59:06 +0300
Subject: [PATCH] review comments

review comments
---
 wiz-broker-v2/.helmignore                     |  23 ----
 wiz-broker-v2/Chart.yaml                      |   8 --
 wiz-broker-v2/templates/_helpers.tpl          |  68 ----------
 wiz-broker-v2/templates/serviceaccount.yaml   |  15 ---
 .../templates/wiz-broker-deployment.yaml      | 107 ----------------
 wiz-broker-v2/values.yaml                     |  43 -------
 wiz-broker/Chart.yaml                         |  24 +---
 wiz-broker/templates/NOTES.txt                |   9 --
 wiz-broker/templates/_helpers.tpl             |  42 +++----
 .../templates/secret-proxy.yaml               |   0
 wiz-broker/templates/secrets.yaml             |  40 ++++++
 wiz-broker/templates/serviceaccount.yaml      |  12 +-
 .../templates/wiz-broker-deployment.yaml      | 115 ++++++++++++-----
 wiz-broker/templates/wiz-rbac.yaml            |  55 --------
 wiz-broker/values.yaml                        | 118 +++++++++++-------
 wiz-kubernetes-connector/Chart.yaml           |   7 +-
 wiz-kubernetes-connector/templates/NOTES.txt  |   4 +-
 .../templates/_helpers.tpl                    |   4 +-
 .../templates/job-create-connector.yaml       |   6 +-
 .../templates/secrets.yaml                    |   4 +-
 .../service-account-create-connector.yaml     |   4 +-
 wiz-kubernetes-connector/values.yaml          |  34 ++---
 22 files changed, 257 insertions(+), 485 deletions(-)
 delete mode 100644 wiz-broker-v2/.helmignore
 delete mode 100644 wiz-broker-v2/Chart.yaml
 delete mode 100644 wiz-broker-v2/templates/_helpers.tpl
 delete mode 100644 wiz-broker-v2/templates/serviceaccount.yaml
 delete mode 100644 wiz-broker-v2/templates/wiz-broker-deployment.yaml
 delete mode 100644 wiz-broker-v2/values.yaml
 delete mode 100644 wiz-broker/templates/NOTES.txt
 rename {wiz-broker-v2 => wiz-broker}/templates/secret-proxy.yaml (100%)
 create mode 100644 wiz-broker/templates/secrets.yaml
 delete mode 100644 wiz-broker/templates/wiz-rbac.yaml

diff --git a/wiz-broker-v2/.helmignore b/wiz-broker-v2/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/wiz-broker-v2/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/wiz-broker-v2/Chart.yaml b/wiz-broker-v2/Chart.yaml
deleted file mode 100644
index 2b077cd0..00000000
--- a/wiz-broker-v2/Chart.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v2
-name: "wiz-broker-v2"
-description: Wiz Broker for tunneling http traffic to Wiz backend
-
-type: application
-
-version: 1.0.0
-appVersion: "2.0.162274"
diff --git a/wiz-broker-v2/templates/_helpers.tpl b/wiz-broker-v2/templates/_helpers.tpl
deleted file mode 100644
index 9e253b34..00000000
--- a/wiz-broker-v2/templates/_helpers.tpl
+++ /dev/null
@@ -1,68 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "wiz-broker.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "wiz-broker.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "wiz-broker.labels" -}}
-helm.sh/chart: {{ include "wiz-broker.chart" . }}
-{{ include "wiz-broker.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- if .Values.commonLabels }}
-{{- range $index, $content := .Values.commonLabels }}
-{{ $index }}: {{ tpl $content $ }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "wiz-broker.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "wiz-broker.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create Wiz broker properties to use
-*/}}
-
-{{- define "wiz-broker.wizConnectorSecretData" -}}
-{{- if not .Values.global.autoCreateConnector }}
-CONNECTOR_ID: {{ required "A valid .Values.global.wizConnector.connectorId entry required!" .Values.global.wizConnector.connectorId | quote}}
-CONNECTOR_TOKEN: {{ required "A valid .Values.global.wizConnector.connectorToken entry required!" .Values.global.wizConnector.connectorToken | quote }}
-TARGET_DOMAIN: {{ required "A valid .Values.global.wizConnector.targetDomain entry required!" .Values.global.wizConnector.targetDomain | quote }}
-TARGET_IP: {{ required "A valid .Values.global.wizConnector.targetIp entry required!" .Values.global.wizConnector.targetIp | quote }}
-TARGET_PORT: {{ required "A valid .Values.global.wizConnector.targetPort entry required!" .Values.global.wizConnector.targetPort | quote }}
-{{- end }}
-{{- end }}
-
-{{/*
-Secrets names
-*/}}
-
-{{- define "wiz-broker.apiTokenSecretName" -}}
-{{ coalesce (.Values.global.wizApiToken.secret.name) (printf "%s-api-token" .Release.Name) }}
-{{- end }}
-
-{{- define "wiz-broker.proxySecretName" -}}
-{{ coalesce (.Values.global.httpProxyConfiguration.secretName) (printf "%s-proxy-configuration" .Release.Name) }}
-{{- end }}
-
-{{- define "wiz-broker.connectorSecretName" -}}
-{{ coalesce (.Values.global.wizConnector.secretName) (printf "%s-connector" .Release.Name) }}
-{{- end }}
\ No newline at end of file
diff --git a/wiz-broker-v2/templates/serviceaccount.yaml b/wiz-broker-v2/templates/serviceaccount.yaml
deleted file mode 100644
index f5778000..00000000
--- a/wiz-broker-v2/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if .Values.broker.enabled }}
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Values.serviceAccount.name }}
-  namespace: {{ .Release.Namespace | quote }}
-  labels:
-    {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}
-{{- end }}
diff --git a/wiz-broker-v2/templates/wiz-broker-deployment.yaml b/wiz-broker-v2/templates/wiz-broker-deployment.yaml
deleted file mode 100644
index 3257dbbe..00000000
--- a/wiz-broker-v2/templates/wiz-broker-deployment.yaml
+++ /dev/null
@@ -1,107 +0,0 @@
-{{- if .Values.broker.enabled }}
-{{ $mountPath := "/etc/connectorData" }}
-{{ $connectorDataFileName := "data" }}
-{{ $connectorDataFilePath := printf "%s/%s" $mountPath "data" }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "wiz-broker.name" . }}-broker
-  namespace: {{ .Release.Namespace | quote }}
-  labels:
-    {{- include "wiz-broker.labels" . | nindent 4 }}
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      {{- include "wiz-broker.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      annotations:
-        rollme: {{ randAlphaNum 5 | quote }}
-        {{- with .Values.podAnnotations }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-      labels:
-        {{/*
-          `labels` includes `selectorLabels`
-          */}}
-          {{- include "wiz-broker.labels" . | nindent 8 }}
-    spec:
-      {{- with .Values.image.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ .Values.serviceAccount.name }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      volumes:
-        - name: connector-data
-          secret:
-            secretName: {{ include "wiz-broker.connectorSecretName" . | trim }}
-            items:
-              - key: connectorData
-                path: {{ $connectorDataFileName }}
-        {{- with .Values.broker.customVolumes }}
-          {{- toYaml . | nindent 8 }}
-        {{- end }}
-      containers:
-        - name: {{ .Chart.Name }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          volumeMounts:
-          - name: connector-data
-            mountPath: {{ $mountPath }}
-            readOnly: true
-          {{- with .Values.broker.customVolumeMounts }}
-            {{- toYaml . | nindent 10 }}
-          {{- end }}
-          args: [
-            {{ $connectorDataFilePath }}
-          ]
-          env:
-          - name: WIZ_ENV
-            value: {{ .Values.global.wizApiToken.clientEndpoint | quote }}
-          {{- if not .Values.global.wizApiToken.usePodCustomEnvironmentVariablesFile }}
-          - name: WIZ_CLIENT_ID
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "wiz-broker.apiTokenSecretName" . | trim }}
-                key: clientId
-          - name: WIZ_CLIENT_TOKEN
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "wiz-broker.apiTokenSecretName" . | trim }}
-                key: clientToken
-          {{- end }}
-          {{- if .Values.broker.podCustomEnvironmentVariablesFile }}
-          - name: CLI_ENV_FILE
-            value: {{ .Values.broker.podCustomEnvironmentVariablesFile }}
-          - name: USE_CLI_ENV_FILE
-            value: "true"
-          {{- end }}
-          - name: TARGET_IP
-            value: {{ .Values.broker.targetIp }}
-          {{- if .Values.global.httpProxyConfiguration.enabled }}
-          - name: HTTP_PROXY
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "wiz-broker.proxySecretName" . | trim }}
-                key: httpsProxy # The frp project supports only HTTP_PROXY, it uses it for both http and https.  Our broker always uses https, so we're using the httpsProxy value here (See: https://github.com/fatedier/frp/#connecting-to-frps-via-http-proxy)
-          {{- end }}
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}
diff --git a/wiz-broker-v2/values.yaml b/wiz-broker-v2/values.yaml
deleted file mode 100644
index cb2d9187..00000000
--- a/wiz-broker-v2/values.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-# Default values for wiz-broker.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-# override default application name
-nameOverride: "wiz-broker"
-
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
-
-  # Annotations to add to the service account
-  annotations: {}
-
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: "wiz-broker"
-
-  # Create RBAC resources for our service account.
-  # Needed to fetch kubernetes metadata from the api-server
-  rbac: true
-
-image:
-  registry: wiziopublic.azurecr.io/wiz-app
-  repository: wiz-broker
-  pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
-  tag: ""
-  imagePullSecrets: []
-
-broker:
-  enabled: true
-  targetIp: ""
-  podCustomEnvironmentVariablesFile: ""
-
-  customVolumes: []
-  customVolumeMounts: []
-
-podAnnotations: {}
-
-podSecurityContext:
-  runAsNonRoot: true
-  runAsUser: 1000
diff --git a/wiz-broker/Chart.yaml b/wiz-broker/Chart.yaml
index 5fa52a08..046fa896 100644
--- a/wiz-broker/Chart.yaml
+++ b/wiz-broker/Chart.yaml
@@ -1,24 +1,8 @@
 apiVersion: v2
-name: wiz-broker
-description: A Helm chart for Kubernetes
+name: "wiz-broker"
+description: Wiz Broker for tunneling http traffic to Wiz backend
 
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
+version: 1.0.0
+appVersion: "2.0.162274"
diff --git a/wiz-broker/templates/NOTES.txt b/wiz-broker/templates/NOTES.txt
deleted file mode 100644
index efccdb30..00000000
--- a/wiz-broker/templates/NOTES.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-0. Install service account with read permission using .Values.installRbac flag
-1. Get the service account connector properties by running these commands:
-   SECRET_NAME="{{ include "wiz-broker.rbacServiceAccountName" . }}-token"
-   echo "Service account CA certificate:"
-   kubectl get secrets -n "{{ .Values.namespace }}" "$SECRET_NAME" -o go-template='{{ "{{" }} index .data "ca.crt" }}'
-   echo "\nService account token:"
-   kubectl get secrets -n "{{ .Values.namespace }}" "$SECRET_NAME" -o go-template="{{ "{{" }} .data.token | base64decode }}"
-2. Create Wiz kubernetes connector using web portal or Wiz Terraform provider
-3. Install Wiz broker deployment using .Values.installBroker flag
\ No newline at end of file
diff --git a/wiz-broker/templates/_helpers.tpl b/wiz-broker/templates/_helpers.tpl
index d9fc4c3c..2505c2ac 100644
--- a/wiz-broker/templates/_helpers.tpl
+++ b/wiz-broker/templates/_helpers.tpl
@@ -38,37 +38,31 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
-Create the name of the service account to use
+Create Wiz broker properties to use
 */}}
-{{- define "wiz-broker.serviceAccountName" -}}
-{{- default (include "wiz-broker.name" .) .Values.serviceAccount.name }}
-{{- end }}
 
-{{/*
-Create the name of the service account to use for rbac
-*/}}
-{{- define "wiz-broker.rbacServiceAccountName" -}}
-{{- default (printf "%s-%s" (include "wiz-broker.name" .) "rbac") .Values.rbacServiceAccount.name }}
+{{- define "wiz-broker.wizConnectorSecretData" -}}
+{{- if not .Values.global.autoCreateConnector.enabled }}
+CONNECTOR_ID: {{ required "A valid .Values.global.wizConnector.connectorId entry required!" .Values.global.wizConnector.connectorId | quote}}
+CONNECTOR_TOKEN: {{ required "A valid .Values.global.wizConnector.connectorToken entry required!" .Values.global.wizConnector.connectorToken | quote }}
+TARGET_DOMAIN: {{ required "A valid .Values.global.wizConnector.targetDomain entry required!" .Values.global.wizConnector.targetDomain | quote }}
+TARGET_IP: {{ required "A valid .Values.global.wizConnector.targetIp entry required!" .Values.global.wizConnector.targetIp | quote }}
+TARGET_PORT: {{ required "A valid .Values.global.wizConnector.targetPort entry required!" .Values.global.wizConnector.targetPort | quote }}
+{{- end }}
 {{- end }}
 
 {{/*
-Create Wiz connector properties to use
+Secrets names
 */}}
-{{- define "wiz-broker.wizConnectorID" -}}
-{{ required "A valid .Values.wizConnector.connectorId entry required!" .Values.wizConnector.connectorId }}
-{{- end }}
 
-{{- define "wiz-broker.wizConnectorSecretData" -}}
-CONNECTOR_ID: {{ include "wiz-broker.wizConnectorID" . | quote}}
-CONNECTOR_TOKEN: {{ required "A valid .Values.wizConnector.connectorToken entry required!" .Values.wizConnector.connectorToken | quote }}
-TARGET_DOMAIN: {{ required "A valid .Values.wizConnector.targetDomain entry required!" .Values.wizConnector.targetDomain | quote }}
-TARGET_IP: {{ required "A valid .Values.wizConnector.targetIp entry required!" .Values.wizConnector.targetIp | quote }}
-TARGET_PORT: {{ required "A valid .Values.wizConnector.targetPort entry required!" .Values.wizConnector.targetPort | quote }}
-TUNNEL_SERVER_ADDR: {{ required "A valid .Values.wizConnector.tunnelServerAddress entry required!" .Values.wizConnector.tunnelServerAddress | quote }}
-TUNNEL_SERVER_PORT: {{ required "A valid .Values.wizConnector.tunnelServerPort entry required!" .Values.wizConnector.tunnelServerPort | quote }}
-DISABLE_CUSTOM_TLS_FIRST_BYTE: "true"
-{{- if .Values.wizConnector.httpProxy }}
-HTTP_PROXY: {{ .Values.wizConnector.httpProxy | quote}}
+{{- define "wiz-broker.apiTokenSecretName" -}}
+{{ coalesce (.Values.global.wizApiToken.secret.name) (printf "%s-api-token" .Release.Name) }}
 {{- end }}
 
+{{- define "wiz-broker.proxySecretName" -}}
+{{ coalesce (.Values.global.httpProxyConfiguration.secretName) (printf "%s-proxy-configuration" .Release.Name) }}
 {{- end }}
+
+{{- define "wiz-broker.connectorSecretName" -}}
+{{ coalesce (.Values.global.wizConnector.secretName) (printf "%s-connector" .Release.Name) }}
+{{- end }}
\ No newline at end of file
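Review bot: `{{- if not .Values.global.autoCreateConnector.enabled }}` at the top of `wiz-broker.wizConnectorSecretData` dereferences a key that this chart's own values.yaml never defines (the `global:` block added in the values.yaml hunk of this patch has `broker`, `httpProxyConfiguration`, `wizApiToken` and `wizConnector` but no `autoCreateConnector`), so rendering wiz-broker on its own fails with a nil-pointer error on `.enabled` unless a parent chart supplies the value; add the default `autoCreateConnector:` / `  enabled: false` under `global:` in wiz-broker/values.yaml, which also gives the `autoCreateConnector = false` comments in that file something to refer to. The three secret-name helpers open with `{{ coalesce` rather than `{{- coalesce`, so each emits a leading newline and every caller has to append `| trim`; `{{- coalesce (.Values.global.wizApiToken.secret.name) (printf "%s-api-token" .Release.Name) }}` (and the same trim marker on the proxy and connector helpers) removes that need. The file still ends without a trailing newline.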
diff --git a/wiz-broker-v2/templates/secret-proxy.yaml b/wiz-broker/templates/secret-proxy.yaml
similarity index 100%
rename from wiz-broker-v2/templates/secret-proxy.yaml
rename to wiz-broker/templates/secret-proxy.yaml
diff --git a/wiz-broker/templates/secrets.yaml b/wiz-broker/templates/secrets.yaml
new file mode 100644
index 00000000..2c62aa2d
--- /dev/null
+++ b/wiz-broker/templates/secrets.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.global.broker.enabled }}
+{{- if and .Values.global.wizConnector.createSecret .Values.global.broker.createSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "wiz-kubernetes-connector.connectorSecretName" . | trim }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-1"
+    {{- with .Values.global.wizConnector.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+type: Opaque
+stringData:
+  {{- include "wiz-kubernetes-connector.wizConnectorSecretData" . | nindent 2 }}
+{{- end }}
+{{- end }}
+
+{{- if and .Values.global.wizApiToken.secret.create .Values.global.broker.createSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "wiz-kubernetes-connector.apiTokenSecretName" . | trim }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-1"
+    {{- with .Values.global.wizApiToken.secret.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  clientId: {{ required "Missing required value wizApiToken.clientId is required" .Values.global.wizApiToken.clientId | b64enc | quote }}
+  clientToken: {{ required "Missing required value: wizApiToken.clientToken is required" .Values.global.wizApiToken.clientToken | b64enc | quote }}
+{{- end }}
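Review bot: Every `include` in this new wiz-broker template names a `wiz-kubernetes-connector.*` helper (`connectorSecretName`, `labels`, `wizConnectorSecretData`, `apiTokenSecretName`), none of which is defined in wiz-broker/templates/_helpers.tpl, so the chart only renders as a subchart of wiz-kubernetes-connector and `helm template`/`helm lint` on wiz-broker alone fails with a template-not-defined error; the same applies to `wiz-kubernetes-connector.labels` in the serviceaccount.yaml hunk. The deployment in this patch locates these Secrets through `wiz-broker.connectorSecretName` and `wiz-broker.apiTokenSecretName` while the Secret objects here are named through the parent's variants, so the two name helpers must stay byte-identical or the `secretKeyRef` and volume references dangle; switching the includes in this file to the `wiz-broker.*` helpers defined in this patch removes that coupling. A comment next to the `helm.sh/hook` annotations would help operators: hook-created resources are not tracked by the release, so these Secrets, which hold the connector token and the API client token, survive `helm uninstall` and have to be removed by hand, as the NOTES.txt hunk instructs. Minor: the two `required` messages at the bottom differ in wording (`Missing required value wizApiToken.clientId is required` versus `Missing required value: ...`); align them and name the full `global.wizApiToken.*` path the user has to set.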
diff --git a/wiz-broker/templates/serviceaccount.yaml b/wiz-broker/templates/serviceaccount.yaml
index 40ed593d..72a6adbc 100644
--- a/wiz-broker/templates/serviceaccount.yaml
+++ b/wiz-broker/templates/serviceaccount.yaml
@@ -1,13 +1,15 @@
-{{- if and .Values.serviceAccount.create .Values.installBroker -}}
+{{- if .Values.global.broker.enabled }}
+{{- if .Values.global.broker.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "wiz-broker.serviceAccountName" . }}
-  namespace: {{ .Values.namespace }}
+  name: {{ .Values.global.broker.serviceAccount.name }}
+  namespace: {{ .Release.Namespace | quote }}
   labels:
-    {{- include "wiz-broker.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
+    {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }}
+  {{- with .Values.global.broker.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 {{- end }}
+{{- end }}
diff --git a/wiz-broker/templates/wiz-broker-deployment.yaml b/wiz-broker/templates/wiz-broker-deployment.yaml
index 9312dd89..968696ce 100644
--- a/wiz-broker/templates/wiz-broker-deployment.yaml
+++ b/wiz-broker/templates/wiz-broker-deployment.yaml
@@ -1,56 +1,107 @@
-{{- if .Values.installBroker }}
+{{- if .Values.global.broker.enabled }}
+{{ $mountPath := "/etc/connectorData" }}
+{{ $connectorDataFileName := "data" }}
+{{ $connectorDataFilePath := printf "%s/%s" $mountPath "data" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "wiz-broker.name" . }}
-  namespace: {{ .Values.namespace }}
+  name: {{ include "wiz-broker.name" . }}-broker
+  namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "wiz-broker.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
+  replicas: 1
   selector:
     matchLabels:
       {{- include "wiz-broker.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
       annotations:
+        rollme: {{ randAlphaNum 5 | quote }}
+        {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
       labels:
         {{/*
-        `labels` includes `selectorLabels`
-        */}}
-        {{- include "wiz-broker.labels" . | nindent 8 }}
+          `labels` includes `selectorLabels`
+          */}}
+          {{- include "wiz-broker.labels" . | nindent 8 }}
     spec:
+      {{- with .Values.image.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ .Values.global.broker.serviceAccount.name }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      serviceAccountName: {{ include "wiz-broker.serviceAccountName" . }}
+      volumes:
+        - name: connector-data
+          secret:
+            secretName: {{ include "wiz-broker.connectorSecretName" . | trim }}
+            items:
+              - key: connectorData
+                path: {{ $connectorDataFileName }}
+        {{- with .Values.global.broker.customVolumes }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          envFrom:  
-          - secretRef:
-              name: {{ .Values.secretName | default (printf "wiz-tunnel-client-%s-cfg" (include "wiz-broker.wizConnectorID" .))  }}
-
-{{- if not .Values.secretName }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: wiz-tunnel-client-{{ include "wiz-broker.wizConnectorID" . }}-cfg
-  namespace: {{ .Values.namespace }}
-  {{- with .Values.wizConnector.secret.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  labels:
-    {{- include "wiz-broker.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  {{- include "wiz-broker.wizConnectorSecretData" . | nindent 2 }}
-{{- end }}
+          volumeMounts:
+          - name: connector-data
+            mountPath: {{ $mountPath }}
+            readOnly: true
+          {{- with .Values.global.broker.customVolumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+          args: [
+            {{ $connectorDataFilePath }}
+          ]
+          env:
+          - name: WIZ_ENV
+            value: {{ .Values.global.wizApiToken.clientEndpoint | quote }}
+          {{- if not .Values.global.wizApiToken.usePodCustomEnvironmentVariablesFile }}
+          - name: WIZ_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "wiz-broker.apiTokenSecretName" . | trim }}
+                key: clientId
+          - name: WIZ_CLIENT_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "wiz-broker.apiTokenSecretName" . | trim }}
+                key: clientToken
+          {{- end }}
+          {{- if .Values.global.broker.podCustomEnvironmentVariablesFile }}
+          - name: CLI_ENV_FILE
+            value: {{ .Values.global.broker.podCustomEnvironmentVariablesFile }}
+          - name: USE_CLI_ENV_FILE
+            value: "true"
+          {{- end }}
+          - name: TARGET_IP
+            value: {{ .Values.global.broker.targetIp }}
+          {{- if .Values.global.httpProxyConfiguration.enabled }}
+          - name: HTTP_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "wiz-broker.proxySecretName" . | trim }}
+                key: httpsProxy # The frp project supports only HTTP_PROXY, it uses it for both http and https.  Our broker always uses https, so we're using the httpsProxy value here (See: https://github.com/fatedier/frp/#connecting-to-frps-via-http-proxy)
+          {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}
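Review bot: `{{- toYaml .Values.securityContext | nindent 12 }}` on the container is kept, but the values.yaml hunk of this same patch deletes the `securityContext:` default (`runAsNonRoot`, `runAsUser`, `allowPrivilegeEscalation: false`) from wiz-broker/values.yaml, so with default values this renders `securityContext: null` and the container silently loses its privilege-escalation guard; restore that block in values.yaml (and wrap the line in `{{- with .Values.securityContext }}` so an unset value does not render a bare null). `rollme: {{ randAlphaNum 5 | quote }}` changes on every render, so every `helm upgrade` restarts the broker even when nothing changed and `helm diff`/`helm template` output is never reproducible; `checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}` restarts the pod only when the mounted secret content changes. `value: {{ .Values.global.broker.targetIp }}` and `value: {{ .Values.global.broker.podCustomEnvironmentVariablesFile }}` are unquoted, so the empty defaults render `value:` as a YAML null rather than the empty string the EnvVar schema expects; pipe both through `| quote` as the `WIZ_ENV` line already does. The `connector-data` volume selects `key: connectorData`, while the `wiz-broker.wizConnectorSecretData` helper added in this patch emits only `CONNECTOR_ID`, `CONNECTOR_TOKEN`, `TARGET_DOMAIN`, `TARGET_IP` and `TARGET_PORT`; whichever component writes the `connectorData` key (presumably the parent chart's connector-creation job, which is outside this patch) should be named in a comment on the volume, because a missing key leaves the pod stuck in ContainerCreating.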
diff --git a/wiz-broker/templates/wiz-rbac.yaml b/wiz-broker/templates/wiz-rbac.yaml
deleted file mode 100644
index 2e4a46a6..00000000
--- a/wiz-broker/templates/wiz-rbac.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-{{- if .Values.installRbac }}
-{{- $rbacServiceAccountName := include "wiz-broker.rbacServiceAccountName" . -}}
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ $rbacServiceAccountName }}
-  namespace: {{ .Values.namespace }}
-  labels:
-    {{- include "wiz-broker.labels" . | nindent 4 }}
-  {{- with .Values.rbacServiceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  namespace: {{ .Values.namespace }}
-  name: {{ $rbacServiceAccountName }}-token
-  labels:
-    {{- include "wiz-broker.labels" . | nindent 4 }}
-  annotations:
-    kubernetes.io/service-account.name: {{ $rbacServiceAccountName }}
-    {{- with .Values.rbacSecret.annotations }}
-      {{- toYaml . | nindent 4 }}
-    {{- end }}
-type: kubernetes.io/service-account-token
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ $rbacServiceAccountName }}
-  labels:
-    {{- include "wiz-broker.labels" . | nindent 4 }}
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["get", "list", "watch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ $rbacServiceAccountName }}
-  labels:
-    {{- include "wiz-broker.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name:  {{ $rbacServiceAccountName }}
-subjects:
-- kind: ServiceAccount
-  name: {{ $rbacServiceAccountName }}
-  namespace: {{ .Values.namespace }}
-{{- end }}
diff --git a/wiz-broker/values.yaml b/wiz-broker/values.yaml
index fff6a342..69e1c85b 100644
--- a/wiz-broker/values.yaml
+++ b/wiz-broker/values.yaml
@@ -2,36 +2,16 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
+# override default application name
 nameOverride: "wiz-broker"
-namespace: "kube-system"
-
-installRbac: false
-installBroker: false
-
-rbacServiceAccount:
-  name: "wiz-kube-connector"
-  annotations: {}
-
-rbacSecret:
-  annotations: {}
-
-serviceAccount:
-  create: true
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  name: wiz-broker
 
 image:
-  repository: wizsec/tunnel-client
-  pullPolicy: Always
+  registry: wiziopublic.azurecr.io/wiz-app
+  repository: wiz-broker
+  pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "latest"
-
-replicaCount: 1
-
-# Labels applied on all the resources (not used for selection)
-commonLabels: {}
+  tag: ""
+  imagePullSecrets: []
 
 podAnnotations: {}
 
@@ -39,24 +19,72 @@ podSecurityContext:
   runAsNonRoot: true
   runAsUser: 1000
 
-securityContext:
-  runAsNonRoot: true
-  runAsUser: 1000
-  allowPrivilegeEscalation: false
-
-# required arguments
-wizConnector:
-  connectorId: ""
-  connectorToken: ""
-  targetDomain: ""
-  targetIp: ""
-  targetPort: ""
-  tunnelServerAddress: ""
-  tunnelServerPort: ""
-  httpProxy: ""
-  # Annotation to be set on the secret created
-  secret:
+global:
+
+  broker:
+    enabled: true
+    # Specifies whether the connector/api-token secrets should be create by the sub-chart
+    createSecret: true
+    targetIp: ""
+    serviceAccount:
+      create: true
+      # Annotations to add to the service account
+      annotations: { }
+      # The name of the service account to use.
+      name: "wiz-broker"
+
+    podCustomEnvironmentVariablesFile: ""
+
+    customVolumes: [ ]
+    customVolumeMounts: [ ]
+
+  httpProxyConfiguration:
+    enabled: false
+
+    # Specifies whether a proxy secret should be created
+    # If create is false you need to:
+    #  1. Create secret with httpProxy, httpsProxy and noProxyAddress.
+    #  2. Set secretName to reference your secret
+    create: true
+    annotations: {}
+    secretName: "" # Overriding default name for proxy secret name (.Release.Name + "-proxy-configuration" by default)
+
+    httpProxy: "" # http(s)://user:password@your-proxy:port (user, password and port are optional)
+    httpsProxy: "" # http(s)://user:password@your-proxy:port (user, password and port are optional)
+    noProxyAddress: "" # comma or space separated list of machine or domain names
+
+  wizApiToken:
+    clientId: ""
+    clientToken: ""
+    clientEndpoint: "" # Set custom endpoint (gov for example)
+
+    secret:
+      # Specifies whether an api token secret should be created
+      # If create is false you need to create it with clientId, clientToken
+      create: true
+      # Annotations to add to the secret
+      annotations: {}
+      # The name of the secret to use.
+      # If not set, a name is generated using the fullname template
+      name: ""
+
+    # API token should be read from an environment file, which is specified in podCustomEnvironmentVariablesFile
+    usePodCustomEnvironmentVariablesFile: false
+
+  wizConnector: # Relevant only for broker.enabled = true & autoCreateConnector = false
+    # Specifies whether a proxy secret should be created
+    # If createSecret is false you need to:
+    #  1. Create secret with this keys:
+    #     CONNECTOR_ID, CONNECTOR_TOKEN, TARGET_DOMAIN, TARGET_IP, TARGET_PORT
+    #  2. Set secretName to reference your secret
+    createSecret: true
+    # Annotations to add to the secret
     annotations: {}
+    secretName: ""
 
-# optional arguments
-secretName:
+    # Required arguments for autoCreateConnector = false
+    connectorId: ""
+    connectorToken: ""
+    targetDomain: ""
+    targetIp: ""
+    targetPort: ""
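Review bot: The comment `# Specifies whether a proxy secret should be created` under `wizConnector:` is copied from the `httpProxyConfiguration` block above and describes the wrong secret; it should read `# Specifies whether the connector secret should be created`, and the line below it that says `secrets should be create by the sub-chart` has a typo (`created`). Style: `annotations: { }`, `customVolumes: [ ]` and `customVolumeMounts: [ ]` use padded flow collections while every other empty collection in this file is written `{}`/`[]`; pick one form. The trailing-comment placeholders on `httpProxy`/`httpsProxy` show `user:password@your-proxy:port`, so it is worth a one-line comment pointing to the `create: false` + `secretName` path for keeping proxy credentials out of a committed values file.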
diff --git a/wiz-kubernetes-connector/Chart.yaml b/wiz-kubernetes-connector/Chart.yaml
index eace5b17..7bc8e40e 100644
--- a/wiz-kubernetes-connector/Chart.yaml
+++ b/wiz-kubernetes-connector/Chart.yaml
@@ -25,8 +25,7 @@ appVersion: "2.0.162274"
 
 # Add wiz-broker dependency to the chart
 dependencies:
-  - name: "wiz-broker-v2"
+  - name: "wiz-broker"
     version: "1.0.0"
-#    repository: "https://wiz-sec.github.io/charts"
-    repository: "file://../wiz-broker-v2"
-    condition: broker.enabled
\ No newline at end of file
+    repository: "https://wiz-sec.github.io/charts"
+    condition: global.broker.enabled
\ No newline at end of file
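Review bot: The dependency now resolves `wiz-broker` from the public index at `repository: "https://wiz-sec.github.io/charts"` while keeping the exact pin `version: "1.0.0"`, so the published 1.0.0 must be the chart that carries the new `global.broker.*` layout the parent now depends on (wiz-kubernetes-connector/values.yaml, L1033-L1048); if the index serves an older 1.0.0, the renamed conditions render against stale sub-chart defaults without any error. Keep the exact pin rather than a range and commit the regenerated Chart.lock so the resolved chart digest is recorded next to the version — I cannot see from this patch whether a lock file is updated. The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is being touched.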
diff --git a/wiz-kubernetes-connector/templates/NOTES.txt b/wiz-kubernetes-connector/templates/NOTES.txt
index 96f7f59e..6438523c 100644
--- a/wiz-kubernetes-connector/templates/NOTES.txt
+++ b/wiz-kubernetes-connector/templates/NOTES.txt
@@ -7,13 +7,13 @@
    echo "\nService account token:"
    kubectl get secrets -n "{{ .Values.namespace }}" "$SECRET_NAME" -o go-template="{{ "{{" }} .data.token | base64decode }}"
 2. Create a Wiz Kubernetes connector using the web portal or the Wiz Terraform provider
-3. Install Wiz broker deployment using .Values.broker.enabled flag
+3. Install Wiz broker deployment using .Values.global.broker.enabled flag
 {{- end }}
 
 For uninstalling the wiz kubernetes connector you need to delete helm hooks resources manually.
 Please run the following commands:
 helm uninstall {{ .Release.Name | quote }} -n {{ .Release.Namespace | quote }}
-{{- if .Values.broker.enabled }}
+{{- if .Values.global.broker.enabled }}
 {{- if .Values.global.wizConnector.createSecret }}
 kubectl delete secret {{ include "wiz-kubernetes-connector.connectorSecretName" . | trim }} -n {{ .Release.Namespace | quote }}
 {{- end }}
diff --git a/wiz-kubernetes-connector/templates/_helpers.tpl b/wiz-kubernetes-connector/templates/_helpers.tpl
index 4759a0ae..a4f0faf6 100644
--- a/wiz-kubernetes-connector/templates/_helpers.tpl
+++ b/wiz-kubernetes-connector/templates/_helpers.tpl
@@ -42,7 +42,7 @@ Create Wiz connector properties to use
 */}}
 
 {{- define "wiz-kubernetes-connector.wizConnectorSecretData" -}}
-{{- if not .Values.global.autoCreateConnector }}
+{{- if not .Values.autoCreateConnector.enabled }}
 CONNECTOR_ID: {{ required "A valid .Values.global.wizConnector.connectorId entry required!" .Values.global.wizConnector.connectorId | quote}}
 CONNECTOR_TOKEN: {{ required "A valid .Values.global.wizConnector.connectorToken entry required!" .Values.global.wizConnector.connectorToken | quote }}
 TARGET_DOMAIN: {{ required "A valid .Values.global.wizConnector.targetDomain entry required!" .Values.global.wizConnector.targetDomain | quote }}
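Review bot: `{{- if not .Values.autoCreateConnector.enabled }}` moves the flag out of `global`, which means the `wiz-broker` sub-chart can no longer observe it, since Helm only propagates `global.*` values downward. The sub-chart's own values still describe `wizConnector` as relevant only when `autoCreateConnector = false` (wiz-broker/values.yaml, L853), so if any wiz-broker template still tests `.Values.global.autoCreateConnector`, that check now always sees an empty value; the sub-chart templates are not in this diff, so this needs confirming by grepping them. The same rename appears in the second hunk of this file and in job-create-connector.yaml, secrets.yaml and service-account-create-connector.yaml; the `define` block itself continues past this hunk.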
@@ -75,7 +75,7 @@ Secrets names
 Input parameters
 */}}
 {{- define "wiz-kubernetes-connector.apiServerEndpoint" -}}
-  {{- if and .Values.global.autoCreateConnector (not .Values.broker.enabled) }}
+  {{- if and .Values.autoCreateConnector.enabled (not .Values.global.broker.enabled) }}
     {{- required "A valid .Values.autoCreateConnector.apiServerEndpoint entry required!" .Values.autoCreateConnector.apiServerEndpoint -}}
   {{- else -}}
     {{ if .Values.autoCreateConnector.apiServerEndpoint }}
diff --git a/wiz-kubernetes-connector/templates/job-create-connector.yaml b/wiz-kubernetes-connector/templates/job-create-connector.yaml
index 0b26c3ab..e508020a 100644
--- a/wiz-kubernetes-connector/templates/job-create-connector.yaml
+++ b/wiz-kubernetes-connector/templates/job-create-connector.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.autoCreateConnector }}
+{{- if .Values.autoCreateConnector.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -55,11 +55,11 @@ spec:
             {{ .Release.Namespace | quote }},
             "--service-account-token-secret-name",
             {{ include "wiz-kubernetes-connector.clusterReaderToken" . | quote }},
-            {{- if .Values.broker.enabled }}
+            {{- if .Values.global.broker.enabled }}
             "--output-secret-name",
             {{ include "wiz-kubernetes-connector.connectorSecretName" . | trim | quote | nindent 12 }},
             {{- end }}
-            "--is-on-prem={{ .Values.broker.enabled }}",
+            "--is-on-prem={{ .Values.global.broker.enabled }}",
             {{ with .Values.autoCreateConnector.connectorName }}
             "--connector-name",
             {{ . | quote }},
diff --git a/wiz-kubernetes-connector/templates/secrets.yaml b/wiz-kubernetes-connector/templates/secrets.yaml
index 6084adab..35d9c73a 100644
--- a/wiz-kubernetes-connector/templates/secrets.yaml
+++ b/wiz-kubernetes-connector/templates/secrets.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.broker.enabled }}
+{{- if .Values.global.broker.enabled }}
 {{- if .Values.global.wizConnector.createSecret }}
 apiVersion: v1
 kind: Secret
@@ -19,7 +19,7 @@ stringData:
 {{- end }}
 {{- end }}
 
-{{- if and .Values.global.wizApiToken.secret.create .Values.global.autoCreateConnector }}
+{{- if and .Values.global.wizApiToken.secret.create .Values.autoCreateConnector.enabled }}
 ---
 apiVersion: v1
 kind: Secret
diff --git a/wiz-kubernetes-connector/templates/service-account-create-connector.yaml b/wiz-kubernetes-connector/templates/service-account-create-connector.yaml
index ae993f30..826d4ff7 100644
--- a/wiz-kubernetes-connector/templates/service-account-create-connector.yaml
+++ b/wiz-kubernetes-connector/templates/service-account-create-connector.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.global.autoCreateConnector .Values.autoCreateConnector.serviceAccount.create }}
+{{- if and .Values.autoCreateConnector.enabled .Values.autoCreateConnector.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -13,7 +13,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 {{- end }}
-{{- if and .Values.global.autoCreateConnector .Values.autoCreateConnector.serviceAccount.createRbac }}
+{{- if and .Values.autoCreateConnector.enabled .Values.autoCreateConnector.serviceAccount.createRbac }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/wiz-kubernetes-connector/values.yaml b/wiz-kubernetes-connector/values.yaml
index 9408ecd4..02dd2181 100644
--- a/wiz-kubernetes-connector/values.yaml
+++ b/wiz-kubernetes-connector/values.yaml
@@ -25,6 +25,7 @@ clusterReader:
     annotations: {}
 
 autoCreateConnector:
+  enabled: true
 
   connectorName: "" # optional
   clusterFlavor: "" # optional (EKS, AKS, GKE, OKE, OpenShift, Kubernetes)
@@ -44,21 +45,6 @@ autoCreateConnector:
   customVolumes: []
   customVolumeMounts: []
 
-broker:
-  enabled: true
-  targetIp: "kubernetes.default.svc.cluster.local"
-  serviceAccount:
-    create: true
-    # Annotations to add to the service account
-    annotations: {}
-    # The name of the service account to use.
-    name: "wiz-broker"
-
-  podCustomEnvironmentVariablesFile: ""
-
-  customVolumes: []
-  customVolumeMounts: []
-
 # Labels applied on all the resources (not used for selection)
 commonLabels: {}
 
@@ -93,10 +79,26 @@ affinity: {}
 
 global:
 
-  autoCreateConnector: true
+  broker:
+    enabled: true
+    # Specifies whether the connector/api-token secrets should be create by the sub-chart
+    createSecret: false
+    targetIp: "kubernetes.default.svc.cluster.local"
+    serviceAccount:
+      create: true
+      # Annotations to add to the service account
+      annotations: {}
+      # The name of the service account to use.
+      name: "wiz-broker"
+
+    podCustomEnvironmentVariablesFile: ""
+
+    customVolumes: []
+    customVolumeMounts: []
 
   # The API key identifying this installation (for comm with Wiz portal)
   wizApiToken:
+
     clientId: ""
     clientToken: ""
     clientEndpoint: "" # Set custom endpoint (gov for example)
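Review bot: `createSecret: false` under `global.broker` is introduced here but no template in this patch reads it; the connector Secret in secrets.yaml (L963) and the uninstall hint in NOTES.txt (L907) are still gated on `global.wizConnector.createSecret`, which the wiz-broker sub-chart defaults to true (L859). Because a parent's `global.*` values override the sub-chart's, the single `global.wizConnector.createSecret` value applies to both charts, so if the sub-chart's secrets.yaml also renders the connector Secret under that key, both charts would emit the same object; the sub-chart template is not visible here, so please confirm which chart owns that Secret and either wire `global.broker.createSecret` into the relevant condition or drop it. The comment above it also has a typo and should read `# Specifies whether the connector/api-token secrets should be created by the sub-chart`. The `global` mapping continues past the end of this hunk.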