diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 958bd43..628c2f2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,7 +18,7 @@ jobs:
 id: get-tag
 uses: WyriHaximus/github-action-get-previous-tag@v1.4.0
 with:
- fallback: v1.22.1
+ fallback: v1.69.0
 - name: Get version
 id: get-version
@@ -31,7 +31,6 @@ jobs:
 with:
 cmd: |
 yq e -i '.version = "${{ steps.get-version.outputs.version }}"' ./helm/runtime-sensor/Chart.yaml
- yq e -i '.sensor.image.tag = "${{ steps.get-version.outputs.version }}"' ./helm/runtime-sensor/values.yaml
 - name: Configure Git
 run: |
diff --git a/helm/runtime-sensor/.helmignore b/helm/runtime-sensor/.helmignore
deleted file mode 100644
index 7e96254..0000000
--- a/helm/runtime-sensor/.helmignore
+++ /dev/null
@@ -1,25 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
-# Release related files
-release/
diff --git a/helm/runtime-sensor/templates/NOTES.txt b/helm/runtime-sensor/templates/NOTES.txt
deleted file mode 100644
index b590015..0000000
--- a/helm/runtime-sensor/templates/NOTES.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-{{ $.Chart.Name }} has been installed. Check its status by running:
- kubectl --namespace {{ .Release.Namespace }} get pods -l "release={{ $.Release.Name }}"
diff --git a/helm/runtime-sensor/templates/_helpers.tpl b/helm/runtime-sensor/templates/_helpers.tpl
deleted file mode 100644
index 116c6a4..0000000
--- a/helm/runtime-sensor/templates/_helpers.tpl
+++ /dev/null
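Review bot: The chart-update step in the second release.yml hunk still runs `yq e -i '.version = "${{ steps.get-version.outputs.version }}"' ./helm/runtime-sensor/Chart.yaml`, yet this same commit deletes the chart's values.yaml, values.schema.json and every file under helm/runtime-sensor/templates; unless Chart.yaml is also removed in a part of the diff not shown here, the next tagged release will either fail on the missing file or package and publish a chart with no templates. If the Helm chart is being retired, the whole `cmd:` step and the packaging/publish steps that follow `Configure Git` (outside this hunk) should go together, or the step should be guarded with `if: hashFiles('helm/runtime-sensor/Chart.yaml') != ''` so the job cannot ship an empty chart. Separately, the version is spliced into the command text through `${{ }}` and appears to be derived from the tag name; passing it as `env: VERSION: ${{ steps.get-version.outputs.version }}` and writing `"$VERSION"` inside `cmd:` keeps that input out of the script text. The `get-version` step and everything after `run: |` lie outside the hunk.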
@@ -1,87 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "runtime-sensor.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "runtime-sensor.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- printf "%s" $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "runtime-sensor.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "runtime-sensor.labels" -}}
-{{ include "runtime-sensor.selectorLabels" . }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "runtime-sensor.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "runtime-sensor.name" . }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "runtime-sensor.serviceAccountName" -}}
-{{- if .Values.sensor.serviceAccount.create }}
-{{- default (include "runtime-sensor.name" .) .Values.sensor.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.sensor.serviceAccount.name }}
-{{- end }}
-{{- end }}
-
-{{- define "runtime-sensor.podAnnotations" -}}
-{{- if .Values.sensor.podAnnotations }}
-{{- .Values.sensor.podAnnotations | toYaml }}
-{{- end }}
-{{- end }}
-
-{{- define "runtime-sensor.podLabels" -}}
-{{- if .Values.sensor.podLabels }}
-{{- .Values.sensor.podLabels | toYaml }}
-{{- end }}
-{{- end }}
-
-{{- define "runtime-sensor.additionalVolumes" -}}
-{{- if .Values.secretProvider }}
-{{- if eq .Values.secretProvider "aws" }}
-- name: secrets-store-inline
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: {{ include "runtime-sensor.name" . }}-aws-secrets
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{- define "runtime-sensor.additionalVolumeMounts" -}}
-{{- if .Values.secretProvider }}
-{{- if eq .Values.secretProvider "aws" }}
-- name: secrets-store-inline
- mountPath: "/mnt/secrets-store"
- readOnly: true
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/helm/runtime-sensor/templates/clusterrole.yaml b/helm/runtime-sensor/templates/clusterrole.yaml
deleted file mode 100644
index c68f861..0000000
--- a/helm/runtime-sensor/templates/clusterrole.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- if .Values.clusterRole.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels:
- {{- include "runtime-sensor.labels" . | nindent 4 }}
- name: {{ template "runtime-sensor.fullname" . }}-role
- namespace: {{ .Release.Namespace }}
-rules:
- - apiGroups:
- - ""
- resources:
- - pods
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - "apps"
- resources:
- - deployments
- - daemonsets
- - statefulsets
- - replicasets
- verbs:
- - get
- - list
- - watch
-{{- end }}
diff --git a/helm/runtime-sensor/templates/clusterrolebinding.yaml b/helm/runtime-sensor/templates/clusterrolebinding.yaml
deleted file mode 100644
index 544844e..0000000
--- a/helm/runtime-sensor/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{- if .Values.clusterRole.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- {{- include "runtime-sensor.labels" . | nindent 4 }}
- name: {{ template "runtime-sensor.fullname" . }}-rolebinding
- namespace: {{ .Release.Namespace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "runtime-sensor.fullname" . }}-role
-subjects:
- - kind: ServiceAccount
- name: {{ template "runtime-sensor.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/helm/runtime-sensor/templates/daemonset.yaml b/helm/runtime-sensor/templates/daemonset.yaml
deleted file mode 100644
index 6efc0f0..0000000
--- a/helm/runtime-sensor/templates/daemonset.yaml
+++ /dev/null
@@ -1,106 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- labels:
- {{- include "runtime-sensor.labels" . | nindent 4 }}
- control-plane: runtime-sensor
- name: {{ template "runtime-sensor.fullname" . }}
- namespace: {{ .Release.Namespace }}
-spec:
- selector:
- matchLabels:
- {{- include "runtime-sensor.selectorLabels" . | nindent 6 }}
- control-plane: runtime-sensor
- template:
- metadata:
- annotations:
- snyk/runtime-sensor: "true"
- {{- include "runtime-sensor.podAnnotations" . | nindent 8 }}
- labels:
- {{- include "runtime-sensor.selectorLabels" . | nindent 8 }}
- {{- include "runtime-sensor.podLabels" . | nindent 8 }}
- control-plane: runtime-sensor
- spec:
- tolerations:
- {{- if and .Values.tolerations }}
- {{- .Values.tolerations | toYaml | nindent 8 }}
- {{- else }}
- - operator: Exists
- {{- end }}
- {{- if and .Values.imagePullSecret }}
- imagePullSecrets:
- - name: "{{ .Values.imagePullSecret }}"
- {{- end }}
- containers:
- - name: runtime-sensor
- imagePullPolicy: IfNotPresent
- {{- if .Values.sensor.extraArgs }}
- args:
- {{- .Values.sensor.extraArgs | toYaml | nindent 12 }}
- {{- end }}
- {{- if and .Values.sensor.image.repository .Values.sensor.image.tag }}
- image: "{{ .Values.sensor.image.repository }}:{{ .Values.sensor.image.tag | default .Chart.AppVersion }}"
- {{- else }}
- image: "{{ .Values.sensor.image.repository }}"
- {{- end }}
- resources:
- requests:
- memory: "{{ .Values.sensor.resources.requests.memory }}"
- cpu: "{{ .Values.sensor.resources.requests.cpu }}"
- limits:
- memory: "{{ .Values.sensor.resources.limits.memory }}"
- cpu: "{{ .Values.sensor.resources.limits.cpu }}"
- securityContext:
- {{- if .Values.securityContext.privileged }}
- privileged: true
- {{- else }}
- capabilities:
- add:
- {{- with .Values.securityContext.capabilities }}
- {{- toYaml . | nindent 16 }}
- {{- end }}
- drop:
- - ALL
- {{- end }}
- volumeMounts:
- - name: boot-host
- mountPath: /boot.host
- readOnly: true
- - name: sysfs
- mountPath: /sys
- readOnly: true
- {{- include "runtime-sensor.additionalVolumeMounts" . | nindent 12 }}
- env:
- - name: SNYK_TOKEN
- valueFrom:
- secretKeyRef:
- name: {{ required "A snykToken is required! Please provide a value" .Values.secretName }}
- key: "snykToken"
- - name: GROUPS_SCOPES
- valueFrom:
- secretKeyRef:
- name: {{ .Values.secretName }}
- key: "groupsScopes"
- optional: true
- - name: CLUSTER_NAME
- value: "{{ .Values.clusterName }}"
- - name: SNYK_GROUP_ID
- value: "{{ .Values.snykGroupId }}"
- - name: SNYK_API_BASE_URL
- value: "{{ .Values.snykAPIBaseURL }}"
- - name: SNYK_DEBUG
- value: "{{ .Values.debug }}"
- envFrom:
- - configMapRef:
- name: env-config-map
- optional: true
- hostPID: true
- serviceAccountName: {{ template "runtime-sensor.serviceAccountName" . }}
- volumes:
- - name: boot-host
- hostPath:
- path: /
- - name: sysfs
- hostPath:
- path: /sys
- {{- include "runtime-sensor.additionalVolumes" . | nindent 8 }}
diff --git a/helm/runtime-sensor/templates/secretproviderclass.yaml b/helm/runtime-sensor/templates/secretproviderclass.yaml
deleted file mode 100644
index 0e6c208..0000000
--- a/helm/runtime-sensor/templates/secretproviderclass.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.secretProvider }}
-{{- if eq .Values.secretProvider "aws" }}
-apiVersion: secrets-store.csi.x-k8s.io/v1
-kind: SecretProviderClass
-metadata:
- name: {{ include "runtime-sensor.name" . }}-aws-secrets
- namespace: {{ .Release.Namespace }}
-spec:
- provider: aws
- secretObjects:
- - secretName: {{ .Values.secretName }}
- type: Opaque
- data:
- - key: snykToken
- objectName: "snykToken"
- - key: groupsScopes
- objectName: "groupsScopes"
- parameters:
- objects: |
- - objectName: "{{ .Values.secretName }}"
- objectType: "secretsmanager"
- jmesPath:
- - path: "snykToken"
- objectAlias: "snykToken"
- - path: "groupsScopes"
- objectAlias: "groupsScopes"
-{{- end }}
-{{- end }}
diff --git a/helm/runtime-sensor/templates/serviceaccount.yaml b/helm/runtime-sensor/templates/serviceaccount.yaml
deleted file mode 100644
index 3aa2965..0000000
--- a/helm/runtime-sensor/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if .Values.sensor.serviceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "runtime-sensor.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "runtime-sensor.labels" . | nindent 4 }}
- {{- with .Values.sensor.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/helm/runtime-sensor/values.schema.json b/helm/runtime-sensor/values.schema.json
deleted file mode 100644
index 357a1c2..0000000
--- a/helm/runtime-sensor/values.schema.json
+++ /dev/null
@@ -1,318 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2019-09/schema",
- "$id": "http://example.com/example.json",
- "type": "object",
- "default": {},
- "title": "Root Schema",
- "required": [
- "secretName",
- "clusterName",
- "snykGroupId",
- "snykAPIBaseURL",
- "nameOverride",
- "sensor"
- ],
- "properties": {
- "secretName": {
- "default": "snyk-secret",
- "type": "string",
- "title": "The name of the secret which contains the token for Snyk",
- "examples": [
- "snyk-secret", "my-secret"
- ]
- },
- "secretProvider": {
- "default": "none",
- "type": "string",
- "title": "Use a different provider to pull the snyk-secret from",
- "examples": [
- "aws", "none"
- ]
- },
- "nameOverride": {
- "type": "string",
- "default": "",
- "title": "The nameOverride Schema",
- "examples": [
- ""
- ]
- },
- "clusterName": {
- "type": "string",
- "default": "",
- "title": "The Snyk environment",
- "examples": [
- "aws-staging", "gcp-production"
- ]
- },
- "snykGroupId": {
- "type": "string",
- "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
- "default": "",
- "title": "The Snyk Group ID",
- "examples": [
- "ffffffff-ffff-ffff-ffff-fffffffffffff", "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaaa"
- ]
- },
- "snykAPIBaseURL": {
- "type": "string",
- "default": "api.snyk.io:443",
- "title": "The Snyk API region and port to report to",
- "examples": [
- "api.snyk.io:443", "api.us.snyk.io:443"
- ]
- },
- "sensor": {
- "type": "object",
- "default": {},
- "title": "The sensor Schema",
- "required": [
- "image",
- "resources",
- "serviceAccount",
- "extraArgs"
- ],
- "properties": {
- "image": {
- "type": "object",
- "default": {},
- "title": "The image Schema",
- "required": [
- "repository"
- ],
- "properties": {
- "repository": {
- "type": "string",
- "default": "snyk/runtime-sensor",
- "title": "The repository Schema",
- "examples": [
- "snyk/runtime-sensor"
- ]
- },
- "tag": {
- "type": "string",
- "default": "1.0.0",
- "title": "The tag Schema",
- "examples": [
- "0.0.1"
- ]
- }
- },
- "examples": [{
- "repository": "snyk/runtime-sensor",
- "tag": "0.0.1"
- }]
- },
- "resources": {
- "type": "object",
- "default": {},
- "title": "The resources Schema",
- "required": [
- "requests"
- ],
- "properties": {
- "limits": {
- "type": "object",
- "default": {},
- "title": "The limits Schema",
- "required": [
- "cpu",
- "memory"
- ],
- "properties": {
- "cpu": {
- "type": "string",
- "default": "500m",
- "title": "The cpu Schema",
- "examples": [
- "500m"
- ]
- },
- "memory": {
- "type": "string",
- "default": "1024Mi",
- "title": "The memory Schema",
- "examples": [
- "1024Mi"
- ]
- }
- },
- "examples": [{
- "cpu": "100m",
- "memory": "128Mi"
- }]
- },
- "requests": {
- "type": "object",
- "default": {},
- "title": "The requests Schema",
- "required": [
- "cpu",
- "memory"
- ],
- "properties": {
- "cpu": {
- "type": "string",
- "default": "100m",
- "title": "The cpu Schema",
- "examples": [
- "100m"
- ]
- },
- "memory": {
- "type": "string",
- "default": "512Mi",
- "title": "The memory Schema",
- "examples": [
- "64Mi"
- ]
- }
- },
- "examples": [{
- "cpu": "100m",
- "memory": "512Mi"
- }]
- }
- },
- "examples": [{
- "limits": {
- "cpu": "100m",
- "memory": "128Mi"
- },
- "requests": {
- "cpu": "100m",
- "memory": "64Mi"
- }
- }]
- },
- "serviceAccount": {
- "type": "object",
- "default": {},
- "title": "The serviceAccount Schema",
- "required": [
- "create"
- ],
- "properties": {
- "create": {
- "type": "boolean",
- "default": false,
- "title": "The create Schema",
- "examples": [
- true
- ]
- },
- "annotations": {
- "type": "object"
- }
- },
- "examples": [{
- "create": true
- }]
- },
- "podAnnotations": {
- "type": "object"
- },
- "extraArgs": {
- "type": "array",
- "default": [],
- "title": "The extraArgs Schema",
- "items": {},
- "examples": [
- []
- ]
- }
- },
- "examples": [{
- "image": {
- "repository": "snyk/runtime-sensor",
- "tag": "1.0.0"
- },
- "resources": {
- "limits": {
- "cpu": "100m",
- "memory": "128Mi"
- },
- "requests": {
- "cpu": "100m",
- "memory": "64Mi"
- }
- },
- "serviceAccount": {
- "create": true
- },
- "extraArgs": []
- }]
- },
- "role": {
- "type": "object",
- "default": {},
- "title": "The role Schema",
- "required": [
- "create"
- ],
- "properties": {
- "create": {
- "type": "boolean",
- "default": true,
- "title": "The create Schema",
- "examples": [
- true
- ]
- }
- },
- "examples": [{
- "create": true
- }]
- },
- "clusterRole": {
- "type": "object",
- "default": {},
- "title": "The clusterRole Schema",
- "required": [
- "create"
- ],
- "properties": {
- "create": {
- "type": "boolean",
- "default": false,
- "title": "The create Schema",
- "examples": [
- true
- ]
- }
- },
- "examples": [{
- "create": true
- }]
- }
- },
- "examples": [{
- "nameOverride": "",
- "sensor": {
- "image": {
- "repository": "snyk/runtime-sensor",
- "tag": "0.0.1"
- },
- "resources": {
- "limits": {
- "cpu": "100m",
- "memory": "128Mi"
- },
- "requests": {
- "cpu": "100m",
- "memory": "64Mi"
- }
- },
- "serviceAccount": {
- "create": true
- },
- "extraArgs": []
- },
- "role": {
- "create": true
- },
- "clusterRole": {
- "create": true
- }
- }]
-}
diff --git a/helm/runtime-sensor/values.yaml b/helm/runtime-sensor/values.yaml
deleted file mode 100644
index adcc9f5..0000000
--- a/helm/runtime-sensor/values.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-# Default values for runtime-sensor.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-## Provide a name in place of runtime-sensor.
-##
-nameOverride: ""
-clusterName: "dev"
-snykGroupId: "ffffffff-ffff-ffff-ffff-fffffffffffff"
-snykAPIBaseURL: api.snyk.io:443
-### Provide the name of the secret
-secretName: snyk-secret
-
-# Debug node
-debug: "false"
-
-### Secret provider details
-secretProvider: none
-
-# Tolerations allow pods to be scheduled on nodes with specific taints
-tolerations: []
-
-## Provide Snyk runtime sensor container image and resources.
-sensor:
- image:
- repository: snyk/runtime-sensor
- # -- Create the manager ServiceAccount
- resources:
- requests:
- memory: 512Mi
- cpu: 100m
- limits:
- memory: 1024Mi
- cpu: 500m
- serviceAccount:
- create: true
- annotations: {}
- # name: nameOverride
- podAnnotations: {}
- podLabels: {}
- ## List of additional cli arguments to configure the sensor
- ## for example: --labels, etc.
- extraArgs: []
-## Create the provided Roles and RoleBindings
-##
-role:
- create: true
-## Create the provided ClusterRoles and ClusterRoleBindings
-##
-clusterRole:
- create: true
-securityContext:
- # -- Run the pod with elevated privileges
- privileged: false
- # -- Capabilities for the `runtime-sensor` container
- capabilities:
- # Basic requirements for eBPF
- - BPF
- - PERFMON
- - SYS_RESOURCE
- # Determine if packages are loaded
- - DAC_READ_SEARCH
- - SYS_PTRACE
- # Determine pod networking patterns
- - NET_ADMIN