diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
index 90da6e087..d36cab486 100644
--- a/charts/shield/Chart.yaml
+++ b/charts/shield/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
   - name: mavimo
     email: marcovito.moscaritolo@sysdig.com
 type: application
-version: 1.12.2
+version: 1.13.0
 appVersion: "1.0.0"
diff --git a/charts/shield/templates/host/_helpers.tpl b/charts/shield/templates/host/_helpers.tpl
index 4021c8ed0..88d3a00d0 100644
--- a/charts/shield/templates/host/_helpers.tpl
+++ b/charts/shield/templates/host/_helpers.tpl
@@ -277,3 +277,8 @@ true
 true
 {{- end }}
 {{- end }}
+
+{{/* Return the name of the local forwarder secret */}}
+{{- define "host.local_forwarder_secret_name" }}
+{{- include "host.fullname" . | trunc 46 | trimSuffix "-" | printf "%s-local-forwarder" }}
+{{- end }}
diff --git a/charts/shield/templates/host/configmap.yaml b/charts/shield/templates/host/configmap.yaml
index a7bf36449..e7906acec 100644
--- a/charts/shield/templates/host/configmap.yaml
+++ b/charts/shield/templates/host/configmap.yaml
@@ -10,11 +10,6 @@ data:
   {{- include "host.host_shield_config" . | nindent 4 }}
   dragent.yaml: |
   {{- include "host.configmap" . | nindent 4 }}
-  {{- if .Values.features.investigations.event_forwarder.enabled }}
-  local_forwarder_config.yaml: |
-    integrations:
-    {{- toYaml .Values.features.investigations.event_forwarder.integrations | nindent 6 }}
-  {{- end }}
   {{- if (include "host.prometheus_enabled" .Values.features) }}
   prometheus.yaml: |
   {{- with .Values.features }}
diff --git a/charts/shield/templates/host/daemonset.yaml b/charts/shield/templates/host/daemonset.yaml
index bc8c08ae6..c059c0f4b 100644
--- a/charts/shield/templates/host/daemonset.yaml
+++ b/charts/shield/templates/host/daemonset.yaml
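Review bot: The `trunc 46` in the new `host.local_forwarder_secret_name` helper is an unexplained magic number; the comment above the define should say where it comes from. The fixed suffix `-local-forwarder` is 16 characters, so 46 + 16 = 62 keeps the result inside the 63-character budget that `host.fullname` is presumably also held to (that helper is outside the hunk, so confirm). Suggested comment in place of the current one: `{{/* Name of the local forwarder Secret: fullname truncated to 46 so the 16-char "-local-forwarder" suffix stays within 63 characters */}}`.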
@@ -328,8 +328,7 @@ spec:
         {{- end }}
         {{- if .Values.features.investigations.event_forwarder.enabled }}
         - name: local-forwarder-config
-          configMap:
-            name: {{ include "host.fullname" . }}
-            optional: true
+          secret:
+            secretName: {{ include "host.local_forwarder_secret_name" . }}
         {{- end }}
         {{- include "host.volumes" . | nindent 8 }}
diff --git a/charts/shield/templates/host/secrets.yaml b/charts/shield/templates/host/secrets.yaml
index c34edf423..086e37852 100644
--- a/charts/shield/templates/host/secrets.yaml
+++ b/charts/shield/templates/host/secrets.yaml
@@ -11,3 +11,17 @@ type: Opaque
 data:
   password: {{ (include "host.rapid_response_password" .) | b64enc | quote }}
 {{- end }}
+
+{{- if .Values.features.investigations.event_forwarder.enabled }}
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "host.local_forwarder_secret_name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "host.labels" . | nindent 4 }}
+data:
+  local_forwarder_config.yaml: {{ pick .Values.features.investigations.event_forwarder "integrations" | toYaml | b64enc | quote }}
+{{- end }}
diff --git a/charts/shield/tests/host/configmap-host-shield-config_test.yaml b/charts/shield/tests/host/configmap-host-shield-config_test.yaml
index e1ba054cf..8f39ab01c 100644
--- a/charts/shield/tests/host/configmap-host-shield-config_test.yaml
+++ b/charts/shield/tests/host/configmap-host-shield-config_test.yaml
@@ -345,3 +345,29 @@ tests:
             in_use:
               enabled: false
               integration_enabled: false
+
+  - it: Ensure Local Forwarder
+    set:
+      features:
+        investigations:
+          event_forwarder:
+            enabled: true
+            integrations:
+              - channels:
+                  - SECURE_EVENTS_POLICIES
+                  - ACTIVITY_AUDIT
+                configuration:
+                  output: stdout
+                type: LOCAL
+            transmit_message_types:
+              - POLICY_EVENTS
+              - SECURE_AUDIT
+    asserts:
+      - matchRegex:
+          path: data['dragent.yaml']
+          pattern: |
+            local_forwarder:
+              enabled: true
+              transmit_message_types:
+                - POLICY_EVENTS
+                - SECURE_AUDIT
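Review bot: The replacement `secret:` volume drops the `optional: true` that the ConfigMap volume carried, so a pod whose Secret is absent now blocks in ContainerCreating instead of starting without the config file. That is the safer default here, because secrets.yaml renders the Secret under the same `event_forwarder.enabled` condition, but it is a behavioural change the template should record so nobody re-adds `optional` later, e.g. `{{/* not optional: secrets.yaml renders this Secret whenever the forwarder is enabled */}}` above the `- name: local-forwarder-config` entry. The enclosing volumes list starts outside the hunk.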
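Review bot: `pick .Values.features.investigations.event_forwarder "integrations"` returns an empty map when `integrations` is unset, so enabling the forwarder without any integrations renders a Secret whose `local_forwarder_config.yaml` is just `{}` rather than failing at template time. If the values schema does not already enforce the key, `required` gives the operator an explicit error: `local_forwarder_config.yaml: {{ dict "integrations" (required "features.investigations.event_forwarder.integrations must be set when the event forwarder is enabled" .Values.features.investigations.event_forwarder.integrations) | toYaml | b64enc | quote }}`. Separately, the new document places `type: Opaque` before `metadata:`, whereas the sibling Secret in this file puts it directly before `data:` (see the `type: Opaque` / `data:` context at the top of the hunk); keeping the same key order makes the two documents diff cleanly.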
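Review bot: The new "Ensure Local Forwarder" test asserts only on `data['dragent.yaml']`; the negative check the deleted suite carried (`notExists` on `data["local_forwarder_config.yaml"]`) is not brought over, so a regression that re-adds the plaintext forwarder configuration to the ConfigMap would still pass. One extra assert in this test closes the gap: `- notExists:` / `path: data["local_forwarder_config.yaml"]`. The suite header with its `templates:` list is outside the hunk, so check whether the assert also needs a `template:` key.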
diff --git a/charts/shield/tests/host/configmap-local-forwarder_test.yaml b/charts/shield/tests/host/configmap-local-forwarder_test.yaml
deleted file mode 100644
index aa371efc0..000000000
--- a/charts/shield/tests/host/configmap-local-forwarder_test.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-suite: Host - Local Forwarder
-templates:
-  - templates/host/configmap.yaml
-  - templates/host/daemonset.yaml
-release:
-  name: release-name
-  namespace: shield-namespace
-values:
-  - ../values/base.yaml
-tests:
-  - it: No Local Forwarder items if not enabled
-    asserts:
-      - notExists:
-          path: data["local_forwarder_config.yaml"]
-        template: host/configmap.yaml
-      - notExists:
-          path: spec.template.spec.volumes[?(@.name == "local-forwarder-config")]
-        template: host/daemonset.yaml
-      - notExists:
-          path: spec.template.spec.containers[0].volumeMounts[?(@.name == "local-forwarder-config")]
-        template: host/daemonset.yaml
-  - it: Local Forwarder Configured as needed
-    set:
-      features:
-        investigations:
-          event_forwarder:
-            enabled: true
-            transmit_message_types:
-              - POLICY_EVENTS
-              - SECURE_AUDIT
-            integrations:
-              - channels:
-                  - SECURE_EVENTS_POLICIES
-                  - ACTIVITY_AUDIT
-                configuration:
-                  output: stdout
-                type: LOCAL
-    asserts:
-      - exists:
-          path: data["local_forwarder_config.yaml"]
-        template: host/configmap.yaml
-      - matchRegex:
-          path: data["dragent.yaml"]
-          pattern: |
-            local_forwarder:
-              enabled: true
-              transmit_message_types:
-                - POLICY_EVENTS
-                - SECURE_AUDIT
-        template: host/configmap.yaml
-      - matchRegex:
-          path: data["local_forwarder_config.yaml"]
-          pattern: |
-            integrations:
-              - channels:
-                  - SECURE_EVENTS_POLICIES
-                  - ACTIVITY_AUDIT
-                configuration:
-                  output: stdout
-                type: LOCAL
-        template: host/configmap.yaml
diff --git a/charts/shield/tests/host/daemonset_test.yaml b/charts/shield/tests/host/daemonset_test.yaml
index 8a6b9a2e4..1886ed2fc 100644
--- a/charts/shield/tests/host/daemonset_test.yaml
+++ b/charts/shield/tests/host/daemonset_test.yaml
@@ -737,3 +737,44 @@ tests:
       - equal:
           path: spec.template.spec.dnsPolicy
           value: ClusterFirst
+
+  - it: No Local Forwarder items if not enabled
+    asserts:
+      - notExists:
+          path: spec.template.spec.volumes[?(@.name == "local-forwarder-config")]
+        template: host/daemonset.yaml
+      - notExists:
+          path: spec.template.spec.containers[0].volumeMounts[?(@.name == "local-forwarder-config")]
+        template: host/daemonset.yaml
+
+  - it: Local Forwarder Configured as needed
+    set:
+      features:
+        investigations:
+          event_forwarder:
+            enabled: true
+            transmit_message_types:
+              - POLICY_EVENTS
+              - SECURE_AUDIT
+            integrations:
+              - channels:
+                  - SECURE_EVENTS_POLICIES
+                  - ACTIVITY_AUDIT
+                configuration:
+                  output: stdout
+                type: LOCAL
+    asserts:
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: local-forwarder-config
+            secret:
+              secretName: release-name-shield-host-local-forwarder
+        template: host/daemonset.yaml
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: local-forwarder-config
+            mountPath: /opt/draios/etc/local_forwarder_config.yaml
+            subPath: local_forwarder_config.yaml
+        template: host/daemonset.yaml
diff --git a/charts/shield/tests/host/secrets_test.yaml b/charts/shield/tests/host/secrets_test.yaml
index be50cc49c..eca90ded0 100644
--- a/charts/shield/tests/host/secrets_test.yaml
+++ b/charts/shield/tests/host/secrets_test.yaml
@@ -45,3 +45,40 @@ tests:
           path: data.password
           decodeBase64: true
           value: "abc123"
+
+  - it: Test Local Forwarder secret is not created when disabled
+    asserts:
+      - containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: release-name-shield-host-local-forwarder
+          namespace: shield-namespace
+        not: true
+        template: host/secrets.yaml
+
+  - it: Test Local Forwarder secret is created when enabled
+    set:
+      features:
+        investigations:
+          event_forwarder:
+            enabled: true
+            integrations:
+              - channels:
+                  - SECURE_EVENTS_POLICIES
+                  - ACTIVITY_AUDIT
+                configuration:
+                  output: stdout
+                type: LOCAL
+    asserts:
+      - containsDocument:
+          kind: Secret
+          apiVersion: v1
+          name: release-name-shield-host-local-forwarder
+          namespace: shield-namespace
+      - exists:
+          path: data["local_forwarder_config.yaml"]
+        template: host/secrets.yaml
+      - matchRegex:
+          path: data["local_forwarder_config.yaml"]
+          pattern: aW50ZWdyYXRpb25zOgotIGNoYW5uZWxzOgogIC0gU0VDVVJFX0VWRU5UU19QT0xJQ0lFUwogIC0gQUNUSVZJVFlfQVVESVQKICBjb25maWd1cmF0aW9uOgogICAgb3V0cHV0OiBzdGRvdXQKICB0eXBlOiBMT0NBTA==
+        template: host/secrets.yaml
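Review bot: The last assert pins the Secret's content as a base64 `matchRegex` pattern, which nobody can review by eye and which breaks on any whitespace or key-order change in the `toYaml` output. The sibling assert in the context at the top of the hunk already shows the readable form for this file (`decodeBase64: true` with a plain `value:`); the same shape works here, and since the encoded value carries no trailing newline the block scalar should be `|-`. The test's suite header is outside the hunk.
```yaml
      # … unchanged: containsDocument and exists asserts …
      - equal:
          path: data["local_forwarder_config.yaml"]
          decodeBase64: true
          value: |-
            integrations:
            - channels:
              - SECURE_EVENTS_POLICIES
              - ACTIVITY_AUDIT
              configuration:
                output: stdout
              type: LOCAL
        template: host/secrets.yaml
```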