Merged
23 changes: 23 additions & 0 deletions .github/workflows/chart-test.yaml
@@ -0,0 +1,23 @@
name: Chart Testing

on:
push:
branches-ignore:
- master
pull_request:
branches:
- "*"

jobs:
unittest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: d3adb5/helm-unittest-action@v2
with:
flags: "--color --strict"
charts: deploy/charts/jetstack-agent
helm-version: v3.12.3
# This has to be second as helm may not be installed until after above action
# source: https://github.com/marketplace/actions/helm-unit-tests#examples
- run: helm lint deploy/charts/jetstack-agent
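Review bot: `actions/checkout@v3` and `d3adb5/helm-unittest-action@v2` in the steps are referenced by mutable tags, so the code that runs in CI can change without any change to this file; pin both to a full commit SHA and keep the tag as a trailing comment. The workflow also declares no `permissions:` block, so the job runs with the repository's default token scope; a top-level `permissions:` with `contents: read` is enough for checkout, unittest and lint. Separately, `branches: - "*"` under `pull_request` does not match base branch names that contain `/`; use `"**"` if those should be covered.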
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -9,3 +9,5 @@ terraform.tfstate
terraform.tfstate.backup
bom.xml
predicate.json
privatekey.pem

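Review bot: the new `privatekey.pem` entry matches only that exact file name, so a key written under any other name is still picked up by `git add`. If the file comes from a documented step, reference that step in a comment above the entry, and consider a broader pattern such as `*.pem` if no PEM files are meant to be tracked.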
1 change: 1 addition & 0 deletions deploy/charts/jetstack-agent/.helmignore
@@ -0,0 +1 @@
tests
6 changes: 3 additions & 3 deletions deploy/charts/jetstack-agent/Chart.yaml
@@ -1,9 +1,9 @@
apiVersion: v2
name: jetstack-agent
description: Jetstack Secure Agent
description: TLS Protect for Kubernetes Agent
type: application
version: 0.2.1
appVersion: "v0.1.39"
version: 0.3.0
appVersion: "v0.1.40"
home: https://github.com/jetstack/jetstack-secure
maintainers:
- name: JSCP and CRE Team
15 changes: 10 additions & 5 deletions deploy/charts/jetstack-agent/README.md
@@ -1,8 +1,8 @@
# jetstack-agent

Jetstack Secure Agent
TLS Protect for Kubernetes Agent

![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.39](https://img.shields.io/badge/AppVersion-v0.1.39-informational?style=flat-square)
![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.40](https://img.shields.io/badge/AppVersion-v0.1.40-informational?style=flat-square)

## Additional Information

Expand Down Expand Up @@ -137,19 +137,24 @@ kubectl logs -n jetstack-secure $(kubectl get pod -n jetstack-secure -l app.kube
| authentication.secretKey | string | `"credentials.json"` | Key name in secret |
| authentication.secretName | string | `"agent-credentials"` | Name of the secret containing agent credentials.json |
| authentication.secretValue | string | `""` | Base64 encoded value from Jetstack Secure Dashboard - only required when createSecret is true |
| authentication.type | string | `"file"` | Type can be "file"/"token" which dictates whether a credential file or token is used |
| config | object | `{"cluster":"","dataGatherers":{"custom":[],"default":true},"organisation":"","period":"0h1m0s","server":"https://platform.jetstack.io"}` | Configuration section for the Jetstack Agent itself |
| authentication.type | string | `"file"` | Type can be "file"/"token" determining how the agent should authenticate the to the backend |
| command | list | `[]` | |
| config | object | `{"cluster":"","dataGatherers":{"custom":[],"default":true},"organisation":"","override":{"config":"","configmap":{"key":"","name":""},"enabled":false},"period":"0h1m0s","server":"https://platform.jetstack.io"}` | Configuration section for the Jetstack Agent itself |
| config.cluster | string | `""` | REQUIRED - Your Jetstack Secure Cluster Name |
| config.dataGatherers | object | `{"custom":[],"default":true}` | Configure data that is gathered from your cluster, for full details see https://platform.jetstack.io/documentation/configuration/jetstack-agent/configuration |
| config.dataGatherers.custom | list | `[]` | A list of data gatherers to limit agent scope |
| config.dataGatherers.default | bool | `true` | Use the standard full set of data gatherers |
| config.organisation | string | `""` | REQUIRED - Your Jetstack Secure Organisation Name |
| config.override | object | `{"config":"","configmap":{"key":"","name":""},"enabled":false}` | Provide an Override to allow completely custom agent configuration |
| config.override.config | string | `""` | Embed the agent configuration here in the chart values |
| config.override.configmap | object | `{"key":"","name":""}` | Sepcify ConfigMap details to load config from existing ConfigMap |
| config.override.enabled | bool | `false` | Override disabled by default |
| config.period | string | `"0h1m0s"` | Send data back to the platform every minute unless changed |
| config.server | string | `"https://platform.jetstack.io"` | Overrides the server if using a proxy between agent and Jetstack Secure |
| fullnameOverride | string | `""` | Helm default setting, use this to shorten install name |
| image.pullPolicy | string | `"IfNotPresent"` | Defaults to only pull if not already present |
| image.repository | string | `"quay.io/jetstack/preflight"` | Default to Open Source image repository |
| image.tag | string | `"v0.1.39"` | Overrides the image tag whose default is the chart appVersion |
| image.tag | string | `"v0.1.40"` | Overrides the image tag whose default is the chart appVersion |
| imagePullSecrets | list | `[]` | Specify image pull credentials if using a prviate registry |
| nameOverride | string | `""` | Helm default setting to override release name, leave blank |
| nodeSelector | object | `{}` | |
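Review bot: two of the new descriptions carry typos: `authentication.type` reads "should authenticate the to the backend" and `config.override.configmap` reads "Sepcify ConfigMap details"; the new `command` row has an empty description. If this table is generated from comments in values.yaml, correct them there and regenerate. The `config.override.*` rows should also say which setting wins when both `config.override.config` and `config.override.configmap.name` are set, and that `config.organisation` and `config.cluster` are not used once an override is active.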
11 changes: 9 additions & 2 deletions deploy/charts/jetstack-agent/templates/configmap.yaml
@@ -1,3 +1,4 @@
{{ if not (and .Values.config.override.enabled .Values.config.override.configmap.name) }}
---
apiVersion: v1
kind: ConfigMap
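Review bot: the guard on the first line skips this ConfigMap when `config.override.enabled` and `config.override.configmap.name` are both set, but nothing reports the case where `config.override.config` is set as well; the inline config is then dropped without a message. Add a `fail` for that combination so a conflicting values file is rejected at render time.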
Expand All @@ -6,8 +7,12 @@ metadata:
labels:
{{- include "jetstack-agent.labels" . | nindent 4 }}
data:
{{- if .Values.config.override.config }}
config.yaml: |-
server: {{ .Values.config.server }}
{{- toYaml .Values.config.override.config | nindent 4 }}
{{- else }}
config.yaml: |-
server: {{ .Values.config.server | quote }}
organization_id: {{ required "Organisation is a required input value" .Values.config.organisation }}
cluster_id: {{ required "Cluster is a required input value" .Values.config.cluster }}
data-gatherers:
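Review bot: `{{- if .Values.config.override.config }}` does not check `config.override.enabled`, while deployment.yaml switches on `enabled` alone, so a non-empty `override.config` replaces the generated config even with `enabled: false`, and the `required` checks on organisation and cluster are skipped with it. Gate this branch on both values. The README lists `config.override.config` as a string, and `toYaml` on a string emits a YAML string scalar rather than the mapping expected under `config.yaml: |-`; either document the value as a map or render a string value with `nindent 4` and no `toYaml`.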
Expand Down Expand Up @@ -68,7 +73,7 @@ data:
name: "k8s/cronjobs"
config:
resource-type:
version: v1beta1
version: v1
resource: cronjobs
group: batch
- kind: "k8s-dynamic"
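Review bot: no minimum Kubernetes version accompanies the switch of the `k8s/cronjobs` gatherer from `version: v1beta1` to `version: v1`, and the visible Chart.yaml lines set no `kubeVersion`, so a user whose cluster serves cronjobs only under `batch/v1beta1` gets no signal that this gatherer will stop finding the resource. Add a `kubeVersion` constraint to Chart.yaml or state the minimum supported version in the README.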
Expand Down Expand Up @@ -205,3 +210,5 @@ data:
version: v1alpha1
resource: venafiissuers
{{- end }}
{{- end }}
{{- end }}
26 changes: 23 additions & 3 deletions deploy/charts/jetstack-agent/templates/deployment.yaml
Expand Up @@ -40,27 +40,40 @@ spec:
name: {{ default "agent-credentials" .Values.authentication.secretName }}
key: {{ default "apitoken" .Values.authentication.secretKey }}
{{- end }}
{{- if not (empty .Values.command) }}
command:
{{- range .Values.command }}
- {{ . | quote }}
{{- end }}
{{- end }}
args:
- "agent"
- "-c"
{{- if .Values.config.override.enabled }}
- "/etc/jetstack-secure/agent/config/{{ default "config.yaml" .Values.config.override.configmap.key }}"
{{- else }}
- "/etc/jetstack-secure/agent/config/config.yaml"
{{- end }}
{{- if eq .Values.authentication.type "file" }}
- "-k"
- "/etc/jetstack-secure/agent/credentials/{{ default "credentials.json" .Values.authentication.secretKey}}"
{{- end }}
- "-p"
- "0h1m0s"
{{- range .Values.extraArgs }}
- {{ . | quote }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: config
mountPath: "/etc/jetstack-secure/agent/config"
readOnly: true
{{- if eq .Values.authentication.type "file" }}
- name: credentials
mountPath: /etc/jetstack-secure/agent/credentials
mountPath: "/etc/jetstack-secure/agent/credentials"
readOnly: true
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
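Review bot: the `-c` path in the `override.enabled` branch takes its file name from `config.override.configmap.key` even when `config.override.configmap.name` is empty and the chart's own ConfigMap, whose only key is `config.yaml`, is the one mounted; a stray `key` value then points the agent at a file that does not exist. Use the key only when `configmap.name` is set, which is the same condition configmap.yaml uses to skip rendering.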
Expand All @@ -74,10 +87,17 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.config.override.enabled }}
- name: config
configMap:
name: {{ default "agent-config" .Values.config.override.configmap.name }}
optional: false
{{- else }}
- name: config
configMap:
name: agent-config
optional: false
{{- end }}
- name: credentials
secret:
secretName: {{ default "agent-credentials" .Values.authentication.secretName }}
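Review bot: the two `- name: config` branches differ only in the ConfigMap name, and the `override.enabled` branch already falls back to `agent-config` through `default`, so the `if`/`else` adds a second place where the override condition has to stay in step with configmap.yaml. Collapse this to one volume entry whose name comes from a named template shared with configmap.yaml, so the two files cannot drift apart.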
@@ -0,0 +1,196 @@
render correctly when only required config is given:
1: |
apiVersion: v1
data:
config.yaml: |-
server: "https://platform.jetstack.io"
organization_id: test_org
cluster_id: test_cluster
data-gatherers:
# gather k8s apiserver version information
- kind: "k8s-discovery"
name: "k8s-discovery"
# pods data is used in the pods and application_versions packages
- kind: "k8s-dynamic"
name: "k8s/pods"
config:
resource-type:
resource: pods
version: v1
# gather services for pod readiness probe rules
- kind: "k8s-dynamic"
name: "k8s/services"
config:
resource-type:
resource: services
version: v1
# gather higher level resources to ensure data to determine ownership is present
- kind: "k8s-dynamic"
name: "k8s/deployments"
config:
resource-type:
version: v1
resource: deployments
group: apps
- kind: "k8s-dynamic"
name: "k8s/replicasets"
config:
resource-type:
version: v1
resource: replicasets
group: apps
- kind: "k8s-dynamic"
name: "k8s/statefulsets"
config:
resource-type:
version: v1
resource: statefulsets
group: apps
- kind: "k8s-dynamic"
name: "k8s/daemonsets"
config:
resource-type:
version: v1
resource: daemonsets
group: apps
- kind: "k8s-dynamic"
name: "k8s/jobs"
config:
resource-type:
version: v1
resource: jobs
group: batch
- kind: "k8s-dynamic"
name: "k8s/cronjobs"
config:
resource-type:
version: v1
resource: cronjobs
group: batch
- kind: "k8s-dynamic"
name: "k8s/ingresses"
config:
resource-type:
group: networking.k8s.io
version: v1
resource: ingresses
- kind: "k8s-dynamic"
name: "k8s/secrets"
config:
resource-type:
version: v1
resource: secrets
- kind: "k8s-dynamic"
name: "k8s/certificates"
config:
resource-type:
group: cert-manager.io
version: v1
resource: certificates
- kind: "k8s-dynamic"
name: "k8s/certificaterequests"
config:
resource-type:
group: cert-manager.io
version: v1
resource: certificaterequests
- kind: "k8s-dynamic"
name: "k8s/issuers"
config:
resource-type:
group: cert-manager.io
version: v1
resource: issuers
- kind: "k8s-dynamic"
name: "k8s/clusterissuers"
config:
resource-type:
group: cert-manager.io
version: v1
resource: clusterissuers
- kind: "k8s-dynamic"
name: "k8s/googlecasissuers"
config:
resource-type:
group: cas-issuer.jetstack.io
version: v1beta1
resource: googlecasissuers
- kind: "k8s-dynamic"
name: "k8s/googlecasclusterissuers"
config:
resource-type:
group: cas-issuer.jetstack.io
version: v1beta1
resource: googlecasclusterissuers
- kind: "k8s-dynamic"
name: "k8s/awspcaissuer"
config:
resource-type:
group: awspca.cert-manager.io
version: v1beta1
resource: awspcaissuers
- kind: "k8s-dynamic"
name: "k8s/awspcaclusterissuers"
config:
resource-type:
group: awspca.cert-manager.io
version: v1beta1
resource: awspcaclusterissuers
- kind: "k8s-dynamic"
name: "k8s/mutatingwebhookconfigurations"
config:
resource-type:
group: admissionregistration.k8s.io
version: v1
resource: mutatingwebhookconfigurations
- kind: "k8s-dynamic"
name: "k8s/validatingwebhookconfigurations"
config:
resource-type:
group: admissionregistration.k8s.io
version: v1
resource: validatingwebhookconfigurations
- kind: "k8s-dynamic"
name: "k8s/gateways"
config:
resource-type:
group: networking.istio.io
version: v1alpha3
resource: gateways
- kind: "k8s-dynamic"
name: "k8s/virtualservices"
config:
resource-type:
group: networking.istio.io
version: v1alpha3
resource: virtualservices
- kind: "k8s-dynamic"
name: "k8s/routes"
config:
resource-type:
version: v1
group: route.openshift.io
resource: routes
- kind: "k8s-dynamic"
name: "k8s/venaficlusterissuers"
config:
resource-type:
group: jetstack.io
version: v1alpha1
resource: venaficlusterissuers
- kind: "k8s-dynamic"
name: "k8s/venafiissuers"
config:
resource-type:
group: jetstack.io
version: v1alpha1
resource: venafiissuers
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: jetstack-agent
app.kubernetes.io/version: v0.1.40
helm.sh/chart: jetstack-agent-0.3.0
name: agent-config
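Review bot: this snapshot pins only the default rendering ("render correctly when only required config is given"); none of the visible test output exercises the new `config.override.config` or `config.override.configmap` paths, which is where this change adds branching. Add cases asserting that the ConfigMap is absent when `override.enabled` and `configmap.name` are set, and that the `-c` argument and the config volume name follow the override values.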