Merge pull request #488 from kubescape/bump

prepare next release
kubescape · Aug 29, 2024 · 405307e · 405307e
2 parents 751d1cf + 9051bd4
commit 405307e
Show file tree

Hide file tree

Showing 18 changed files with 1,862 additions and 1,367 deletions.
diff --git a/charts/kubescape-operator/Chart.yaml b/charts/kubescape-operator/Chart.yaml
@@ -9,14 +9,14 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 1.20.6
+version: 1.21.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 
-appVersion: 1.20.6
+appVersion: 1.21.0
 
 maintainers:
 - name: Ben Hirschberg

diff --git a/charts/kubescape-operator/templates/_common.tpl b/charts/kubescape-operator/templates/_common.tpl
@@ -8,7 +8,6 @@ capabilitiesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.g
 cloudConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloudapi-configmap.yaml") . | sha256sum }}
 cloudSecret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloud-secret.yaml" ) . | sha256sum }}
 hostScannerConfig: {{ include (printf "%s/kubescape/host-scanner-definition-configmap.yaml" $.Template.BasePath ) . | sha256sum }}
-matchingRulesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "matchingRules-configmap.yaml") . | sha256sum }}
 nodeAgentConfig: {{ include (printf "%s/node-agent/configmap.yaml" $.Template.BasePath) . | sha256sum }}
 operatorConfig: {{ include (printf "%s/operator/configmap.yaml" $.Template.BasePath) . | sha256sum }}
 otelConfig: {{ include (printf "%s/otel-collector/configmap.yaml" $.Template.BasePath) . | sha256sum }}
@@ -98,6 +97,3 @@ autoUpdater:
 {{- $certData := dict "ca" $ca "cert" $cert -}}
 {{- toYaml $certData -}}
 {{- end -}}
-
-
-
diff --git a/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml b/charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml
@@ -43,7 +43,6 @@ data:
       "keepLocal": {{ not $components.serviceDiscovery.enabled }},
       "scanTimeout": "{{ .Values.kubevuln.config.scanTimeout }}",
       "vexGeneration": {{ eq .Values.capabilities.vexGeneration "enable" }},
-      "continuousPostureScan": {{ $configurations.continuousScan }},
 {{- if not (empty .Values.kubevuln.config.grypeDbListingURL) }}
       "listingURL": "{{ .Values.kubevuln.config.grypeDbListingURL }}",
 {{- end }}

diff --git a/charts/kubescape-operator/templates/configs/matchingRules-configmap.yaml b/charts/kubescape-operator/templates/configs/matchingRules-configmap.yaml
diff --git a/charts/kubescape-operator/templates/gateway/deployment.yaml b/charts/kubescape-operator/templates/gateway/deployment.yaml
@@ -74,7 +74,13 @@ spec:
 {{ toYaml .Values.gateway.resources | indent 12 }}
           env:
             - name: GOMEMLIMIT
-              value: "{{ .Values.gateway.resources.requests.memory }}B"
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
             - name: KS_LOGGER_LEVEL
               value: "{{ .Values.logger.level }}"
             - name: KS_LOGGER_NAME

diff --git a/charts/kubescape-operator/templates/hooks/hook-delete-before-upgrade.yaml b/charts/kubescape-operator/templates/hooks/hook-delete-before-upgrade.yaml
@@ -0,0 +1,91 @@
+{{ $hookName := "label-selector-force-replace" -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $hookName }}
+  namespace: {{ .Values.ksNamespace }}
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-weight": "-20"
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
+  labels:
+    app: {{ $hookName }}
+rules:
+  - apiGroups:
+      - "apps"
+    resources:
+      - daemonsets
+      - deployments
+      - statefulsets
+    verbs:
+      - "delete"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $hookName }}
+  namespace: {{ .Values.ksNamespace }}
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-weight": "-15"
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
+  labels:
+    app: {{ $hookName }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $hookName }}
+  namespace: {{ .Values.ksNamespace }}
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-weight": "-14"
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
+  labels:
+    app: {{ $hookName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $hookName }}
+    namespace: {{ .Values.ksNamespace }}
+roleRef:
+  kind: Role
+  name: {{ $hookName }}
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $hookName }}
+  namespace: {{ .Values.ksNamespace }}
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
+  labels:
+    app: {{ $hookName }}
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ $hookName }}
+      containers:
+        - name: {{ $hookName }}
+          image: "docker.io/bitnami/kubectl:1.30.3"
+          imagePullPolicy: "IfNotPresent"
+          command:
+            - /bin/sh
+            - -e
+            - -x
+            - -c
+            - >-
+              kubectl -n {{ .Values.ksNamespace }} delete daemonset node-agent --ignore-not-found=true;
+              kubectl -n {{ .Values.ksNamespace }} delete deployment gateway --ignore-not-found=true;
+              kubectl -n {{ .Values.ksNamespace }} delete deployment kubescape --ignore-not-found=true;
+              kubectl -n {{ .Values.ksNamespace }} delete deployment kubevuln --ignore-not-found=true;
+              kubectl -n {{ .Values.ksNamespace }} delete deployment operator --ignore-not-found=true;
+              kubectl -n {{ .Values.ksNamespace }} delete deployment otel-collector --ignore-not-found=true;
+              kubectl -n {{ .Values.ksNamespace }} delete deployment storage --ignore-not-found=true;
+              kubectl -n {{ .Values.ksNamespace }} delete deployment synchronizer --ignore-not-found=true;
+              kubectl -n {{ .Values.ksNamespace }} delete statefulset kollector --ignore-not-found=true;
+      restartPolicy: Never
+  backoffLimit: 6
diff --git a/charts/kubescape-operator/templates/kollector/statefulset.yaml b/charts/kubescape-operator/templates/kollector/statefulset.yaml
@@ -66,7 +66,13 @@ spec:
 {{ toYaml .Values.kollector.resources | indent 12 }}
           env:
             - name: GOMEMLIMIT
-              value: "{{ .Values.kollector.resources.requests.memory }}B"
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
             - name: KS_LOGGER_LEVEL
               value: "{{ .Values.logger.level }}"
             - name: KS_LOGGER_NAME

diff --git a/charts/kubescape-operator/templates/kubescape/deployment.yaml b/charts/kubescape-operator/templates/kubescape/deployment.yaml
@@ -76,7 +76,13 @@ spec:
           periodSeconds: 3
         env:
         - name: GOMEMLIMIT
-          value: "{{ .Values.kubescape.resources.requests.memory }}B"
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
         - name: KS_LOGGER_LEVEL
           value: "{{ .Values.logger.level }}"
         - name: KS_LOGGER_NAME

diff --git a/charts/kubescape-operator/templates/kubevuln/deployment.yaml b/charts/kubescape-operator/templates/kubevuln/deployment.yaml
@@ -65,7 +65,13 @@ spec:
 {{ toYaml .Values.kubevuln.resources | indent 12 }}
           env:
             - name: GOMEMLIMIT
-              value: "{{ .Values.kubevuln.resources.requests.memory }}B"
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
             - name: KS_LOGGER_LEVEL
               value: "{{ .Values.logger.level }}"
             - name: KS_LOGGER_NAME

diff --git a/charts/kubescape-operator/templates/node-agent/daemonset.yaml b/charts/kubescape-operator/templates/node-agent/daemonset.yaml
@@ -130,7 +130,13 @@ spec:
 {{ toYaml .Values.nodeAgent.resources | indent 12 }}
           env:
             - name: GOMEMLIMIT
-              value: "{{ .Values.nodeAgent.gomemlimit }}"
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
             - name: HOST_ROOT
               value: "/host"
             - name: KS_LOGGER_LEVEL

diff --git a/charts/kubescape-operator/templates/operator/deployment.yaml b/charts/kubescape-operator/templates/operator/deployment.yaml
@@ -29,7 +29,6 @@ spec:
         checksum/cloud-secret: {{ $checksums.cloudSecret }}
         checksum/cloud-config: {{ $checksums.cloudConfig }}
         checksum/capabilities-config: {{ $checksums.capabilitiesConfig }}
-        checksum/matching-rules-config: {{ $checksums.matchingRulesConfig }}
       {{- if ne .Values.global.proxySecretFile "" }}
         checksum/proxy-config: {{ $checksums.proxySecret }}
       {{- end }}
@@ -85,7 +84,13 @@ spec:
             - name: HELM_RELEASE
               value: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
             - name: GOMEMLIMIT
-              value: "{{ .Values.operator.resources.requests.memory }}B"
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
             - name: KS_LOGGER_LEVEL
               value: "{{ .Values.logger.level }}"
             - name: KS_LOGGER_NAME
@@ -128,10 +133,6 @@ spec:
               mountPath: /etc/config/capabilities.json
               readOnly: true
               subPath: "capabilities.json"
-            - name: {{ .Values.continuousScanning.configMapName }}
-              mountPath: /etc/config/matchingRules.json
-              readOnly: true
-              subPath: "matchingRules.json"
             - name: config
               mountPath: /etc/config/config.json
               readOnly: true
@@ -200,12 +201,6 @@ spec:
             items:
             - key: "config.json"
               path: "config.json"
-        - name: {{ .Values.continuousScanning.configMapName }}
-          configMap:
-            name: {{ .Values.continuousScanning.configMapName }}
-            items:
-              - key: "matchingRules.json"
-                path: "matchingRules.json"
 {{- if .Values.volumes }}
 {{ toYaml .Values.volumes | indent 8 }}
 {{- end }}

diff --git a/charts/kubescape-operator/templates/otel-collector/deployment.yaml b/charts/kubescape-operator/templates/otel-collector/deployment.yaml
@@ -64,7 +64,13 @@ spec:
               name: {{ .Values.global.cloudConfig }}
               key: metrics
         - name: GOMEMLIMIT
-          value: "{{ .Values.otelCollector.resources.requests.memory }}B"
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.cpu
         - name: GOGC
           value: "80"
         {{- if ne .Values.global.httpsProxy "" }}

diff --git a/charts/kubescape-operator/templates/prometheus-exporter/deployment.yaml b/charts/kubescape-operator/templates/prometheus-exporter/deployment.yaml
@@ -52,7 +52,13 @@ spec:
 {{ toYaml .Values.prometheusExporter.resources | indent 12 }}
           env:
             - name: GOMEMLIMIT
-              value: "{{ .Values.prometheusExporter.resources.requests.memory }}B"
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
             - name: KS_LOGGER_LEVEL
               value: "{{ .Values.logger.level }}"
             - name: KS_LOGGER_NAME

diff --git a/charts/kubescape-operator/templates/storage/deployment.yaml b/charts/kubescape-operator/templates/storage/deployment.yaml
@@ -51,8 +51,14 @@ spec:
         env:
           - name: "CLEANUP_INTERVAL"
             value: "{{ .Values.storage.cleanupInterval }}"
-          - name: "GOMEMLIMIT"
-            value: "{{ .Values.storage.gomemlimit }}"
+          - name: GOMEMLIMIT
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.memory
+          - name: GOMAXPROCS
+            valueFrom:
+              resourceFieldRef:
+                resource: limits.cpu
           - name: KS_LOGGER_LEVEL
             value: "{{ .Values.logger.level }}"
           - name: KS_LOGGER_NAME

diff --git a/charts/kubescape-operator/templates/synchronizer/deployment.yaml b/charts/kubescape-operator/templates/synchronizer/deployment.yaml
@@ -62,7 +62,13 @@ spec:
             - name: HELM_RELEASE
               value: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
             - name: GOMEMLIMIT
-              value: "{{ .Values.synchronizer.resources.requests.memory }}B"
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
             - name: KS_LOGGER_LEVEL
               value: "{{ .Values.logger.level }}"
             - name: KS_LOGGER_NAME