wiz-sec · itshacki · Apr 20, 2023 · Apr 23, 2023
diff --git a/wiz-broker/Chart.yaml b/wiz-broker/Chart.yaml
@@ -1,24 +1,8 @@
 apiVersion: v2
-name: wiz-broker
-description: A Helm chart for Kubernetes
+name: "wiz-broker"
+description: Wiz Broker for tunneling http traffic to Wiz backend
 
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
+version: 1.0.0
+appVersion: "2.0.162274"
diff --git a/wiz-broker/templates/NOTES.txt b/wiz-broker/templates/NOTES.txt
diff --git a/wiz-broker/templates/_helpers.tpl b/wiz-broker/templates/_helpers.tpl
@@ -38,37 +38,31 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
-Create the name of the service account to use
+Create Wiz broker properties to use
 */}}
-{{- define "wiz-broker.serviceAccountName" -}}
-{{- default (include "wiz-broker.name" .) .Values.serviceAccount.name }}
-{{- end }}
 
-{{/*
-Create the name of the service account to use for rbac
-*/}}
-{{- define "wiz-broker.rbacServiceAccountName" -}}
-{{- default (printf "%s-%s" (include "wiz-broker.name" .) "rbac") .Values.rbacServiceAccount.name }}
+{{- define "wiz-broker.wizConnectorSecretData" -}}
+{{- if .Values.global.broker.createSecret }}
+CONNECTOR_ID: {{ required "A valid .Values.global.wizConnector.connectorId entry required!" .Values.global.wizConnector.connectorId | quote}}
+CONNECTOR_TOKEN: {{ required "A valid .Values.global.wizConnector.connectorToken entry required!" .Values.global.wizConnector.connectorToken | quote }}
+TARGET_DOMAIN: {{ required "A valid .Values.global.wizConnector.targetDomain entry required!" .Values.global.wizConnector.targetDomain | quote }}
+TARGET_IP: {{ required "A valid .Values.global.wizConnector.targetIp entry required!" .Values.global.wizConnector.targetIp | quote }}
+TARGET_PORT: {{ required "A valid .Values.global.wizConnector.targetPort entry required!" .Values.global.wizConnector.targetPort | quote }}
+{{- end }}
 {{- end }}
 
 {{/*
-Create Wiz connector properties to use
+Secrets names
 */}}
-{{- define "wiz-broker.wizConnectorID" -}}
-{{ required "A valid .Values.wizConnector.connectorId entry required!" .Values.wizConnector.connectorId }}
-{{- end }}
 
-{{- define "wiz-broker.wizConnectorSecretData" -}}
-CONNECTOR_ID: {{ include "wiz-broker.wizConnectorID" . | quote}}
-CONNECTOR_TOKEN: {{ required "A valid .Values.wizConnector.connectorToken entry required!" .Values.wizConnector.connectorToken | quote }}
-TARGET_DOMAIN: {{ required "A valid .Values.wizConnector.targetDomain entry required!" .Values.wizConnector.targetDomain | quote }}
-TARGET_IP: {{ required "A valid .Values.wizConnector.targetIp entry required!" .Values.wizConnector.targetIp | quote }}
-TARGET_PORT: {{ required "A valid .Values.wizConnector.targetPort entry required!" .Values.wizConnector.targetPort | quote }}
-TUNNEL_SERVER_ADDR: {{ required "A valid .Values.wizConnector.tunnelServerAddress entry required!" .Values.wizConnector.tunnelServerAddress | quote }}
-TUNNEL_SERVER_PORT: {{ required "A valid .Values.wizConnector.tunnelServerPort entry required!" .Values.wizConnector.tunnelServerPort | quote }}
-DISABLE_CUSTOM_TLS_FIRST_BYTE: "true"
-{{- if .Values.wizConnector.httpProxy }}
-HTTP_PROXY: {{ .Values.wizConnector.httpProxy | quote}}
+{{- define "wiz-broker.apiTokenSecretName" -}}
+{{ coalesce (.Values.global.wizApiToken.secret.name) (printf "%s-api-token" .Release.Name) }}
 {{- end }}
 
+{{- define "wiz-broker.proxySecretName" -}}
+{{ coalesce (.Values.global.httpProxyConfiguration.secretName) (printf "%s-proxy-configuration" .Release.Name) }}
 {{- end }}
+
+{{- define "wiz-broker.connectorSecretName" -}}
+{{ coalesce (.Values.global.wizConnector.secretName) (printf "%s-connector" .Release.Name) }}
+{{- end }}
diff --git a/wiz-broker/templates/secret-proxy.yaml b/wiz-broker/templates/secret-proxy.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.global.httpProxyConfiguration.enabled }}
+{{- if .Values.global.httpProxyConfiguration.create }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "wiz-broker.proxySecretName" . | trim }}
+  namespace: {{ .Release.Namespace | quote }}
+  {{- with .Values.global.httpProxyConfiguration.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "wiz-broker.labels" . | nindent 4 }}
+data:
+  httpProxy: {{ .Values.global.httpProxyConfiguration.httpProxy | b64enc | quote }}
+  httpsProxy: {{ .Values.global.httpProxyConfiguration.httpsProxy | b64enc | quote }}
+  noProxyAddress: {{ .Values.global.httpProxyConfiguration.noProxyAddress | b64enc | quote }}
+{{- end }}
+{{- end }}
diff --git a/wiz-broker/templates/secrets.yaml b/wiz-broker/templates/secrets.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.global.broker.enabled }}
+{{- if and .Values.global.wizConnector.createSecret .Values.global.broker.createSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "wiz-broker.connectorSecretName" . | trim }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "wiz-broker.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-1"
+    {{- with .Values.global.wizConnector.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+type: Opaque
+stringData:
+  {{- include "wiz-broker.wizConnectorSecretData" . | nindent 2 }}
+{{- end }}
+{{- end }}
+
+{{- if and .Values.global.wizApiToken.secret.create .Values.global.broker.createSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "wiz-broker.apiTokenSecretName" . | trim }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "wiz-broker.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-1"
+    {{- with .Values.global.wizApiToken.secret.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  clientId: {{ required "Missing required value wizApiToken.clientId is required" .Values.global.wizApiToken.clientId | b64enc | quote }}
+  clientToken: {{ required "Missing required value: wizApiToken.clientToken is required" .Values.global.wizApiToken.clientToken | b64enc | quote }}
+{{- end }}
diff --git a/wiz-broker/templates/serviceaccount.yaml b/wiz-broker/templates/serviceaccount.yaml
@@ -1,13 +1,15 @@
-{{- if and .Values.serviceAccount.create .Values.installBroker -}}
+{{- if .Values.global.broker.enabled }}
+{{- if .Values.global.broker.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "wiz-broker.serviceAccountName" . }}
-  namespace: {{ .Values.namespace }}
+  name: {{ .Values.global.broker.serviceAccount.name }}
+  namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "wiz-broker.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
+  {{- with .Values.global.broker.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 {{- end }}
+{{- end }}
diff --git a/wiz-broker/templates/wiz-broker-deployment.yaml b/wiz-broker/templates/wiz-broker-deployment.yaml
@@ -1,56 +1,107 @@
-{{- if .Values.installBroker }}
+{{- if .Values.global.broker.enabled }}
+{{ $mountPath := "/etc/connectorData" }}
+{{ $connectorDataFileName := "data" }}
+{{ $connectorDataFilePath := printf "%s/%s" $mountPath "data" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "wiz-broker.name" . }}
-  namespace: {{ .Values.namespace }}
+  name: {{ include "wiz-broker.name" . }}-broker
+  namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "wiz-broker.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.replicaCount }}
+  replicas: 1
   selector:
     matchLabels:
       {{- include "wiz-broker.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
       annotations:
+        rollme: {{ randAlphaNum 5 | quote }}
+        {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
       labels:
         {{/*
-        `labels` includes `selectorLabels`
-        */}}
-        {{- include "wiz-broker.labels" . | nindent 8 }}
+          `labels` includes `selectorLabels`
+          */}}
+          {{- include "wiz-broker.labels" . | nindent 8 }}
     spec:
+      {{- with .Values.image.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ .Values.global.broker.serviceAccount.name }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      serviceAccountName: {{ include "wiz-broker.serviceAccountName" . }}
+      volumes:
+        - name: connector-data
+          secret:
+            secretName: {{ include "wiz-broker.connectorSecretName" . | trim }}
+            items:
+              - key: connectorData
+                path: {{ $connectorDataFileName }}
+        {{- with .Values.global.broker.customVolumes }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          envFrom:  
-          - secretRef:
-              name: {{ .Values.secretName | default (printf "wiz-tunnel-client-%s-cfg" (include "wiz-broker.wizConnectorID" .))  }}
-
-{{- if not .Values.secretName }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: wiz-tunnel-client-{{ include "wiz-broker.wizConnectorID" . }}-cfg
-  namespace: {{ .Values.namespace }}
-  {{- with .Values.wizConnector.secret.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  labels:
-    {{- include "wiz-broker.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  {{- include "wiz-broker.wizConnectorSecretData" . | nindent 2 }}
-{{- end }}
+          volumeMounts:
+          - name: connector-data
+            mountPath: {{ $mountPath }}
+            readOnly: true
+          {{- with .Values.global.broker.customVolumeMounts }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+          args: [
+            {{ $connectorDataFilePath }}
+          ]
+          env:
+          - name: WIZ_ENV
+            value: {{ .Values.global.wizApiToken.clientEndpoint | quote }}
+          {{- if not .Values.global.wizApiToken.usePodCustomEnvironmentVariablesFile }}
+          - name: WIZ_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "wiz-broker.apiTokenSecretName" . | trim }}
+                key: clientId
+          - name: WIZ_CLIENT_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "wiz-broker.apiTokenSecretName" . | trim }}
+                key: clientToken
+          {{- end }}
+          {{- if .Values.global.broker.podCustomEnvironmentVariablesFile }}
+          - name: CLI_ENV_FILE
+            value: {{ .Values.global.broker.podCustomEnvironmentVariablesFile }}
+          - name: USE_CLI_ENV_FILE
+            value: "true"
+          {{- end }}
+          - name: TARGET_IP
+            value: {{ .Values.global.broker.targetIp }}
+          {{- if .Values.global.httpProxyConfiguration.enabled }}
+          - name: HTTP_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "wiz-broker.proxySecretName" . | trim }}
+                key: httpsProxy # The frp project supports only HTTP_PROXY, it uses it for both http and https.  Our broker always uses https, so we're using the httpsProxy value here (See: https://github.com/fatedier/frp/#connecting-to-frps-via-http-proxy)
+          {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}
diff --git a/wiz-broker/templates/wiz-rbac.yaml b/wiz-broker/templates/wiz-rbac.yaml