Merge pull request armosec#60 from armosec/dev

Adding many functionalities using values

README.md

@@ -1,21 +1,74 @@
 # ARMO cluster components
 ARMO Vulnerability Scanning
 
+![Version: 1.7.7](https://img.shields.io/badge/Version-1.7.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.7](https://img.shields.io/badge/AppVersion-v1.7.7-informational?style=flat-square)
 
-# Installing ARMO cluster components in a Kubernetes cluster Using Helm:
-=============================================================
+## [Docs](https://hub.armo.cloud/docs/installation-of-armo-in-cluster)
+
+## Installing ARMO cluster components in a Kubernetes cluster Using Helm:
 
 1. Add the Vulnerability Scanning Helm Repo
 ```
 helm repo add armo https://armosec.github.io/armo-helm/
 ```
 
-2. Get Your Account ID from ARMO
+2. Update helm repo
 ```
-kubescape config local get customerGUID
+helm repo update
 ```
 
 3. Install the Helm Chart, use your account ID and give your cluster a name 
+
+if you ran kubescape cli tool and submitted, you cam get your Account ID from the local cache: 
+```
+kubescape config view | grep -i accountID
 ```
-helm upgrade --install armo  armo/armo-cluster-components -n armo-system --create-namespace --set accountGuid=<my_account_guid> --set clusterName=`kubectl config current-context`
+Otherwise, get the account ID from the [kubescape SaaS](https://hub.armo.cloud/docs/installation-of-armo-in-cluster#install-a-pre-registered-cluster)
+
+Run the install command:
+```
+helm upgrade --install armo  armo/armo-cluster-components -n armo-system --create-namespace --set accountGuid=<my_account_guid> --set clusterName=`kubectl config current-context` 
 ```
+
+> Add `--set clientID=<generated client id> --set secretKey=<generated secret key>` if you have [generated an auth key](https://hub.armo.cloud/docs/authentication)
+
+> Add `--set armoKubescape.serviceMonitor.enabled=true` for installing the Prometheus service monitor, [read more about Prometheus integration](https://hub.armo.cloud/docs/prometheus-exporter)
+ 
+## Chart support
+
+### Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| armoCollector.enabled | bool | `true` | enable/disable the armoCollector |
+| armoCollector.env[0] | object | `{"name":"PRINT_REPORT","value":"false"}` | print in verbose mode (print all reported data) |
+| armoCollector.image.repository | string | `"quay.io/armosec/cluster-collector"` | [source code](https://github.com/armosec/k8s-armo-collector) (private repo) |
+| armoKubescape.downloadArtifacts | bool | `true` | download policies every scan, we recommend it should remain true, you should change to 'false' when running in an air-gapped environment or when scanning with high frequency (when running with Prometheus) |
+| armoKubescape.enableHostScan | bool | `true` | enable [host scanner feature](https://hub.armo.cloud/docs/host-sensor) |
+| armoKubescape.enabled | bool | `true` | enable/disable kubescape scanning |
+| armoKubescape.image.repository | string | `"quay.io/armosec/kubescape"` | [source code](https://github.com/armosec/kubescape/tree/master/httphandler) (public repo) |
+| armoKubescape.serviceMonitor.enabled | bool | `false` | enable/disable service monitor for prometheus (operator) integration |
+| armoKubescape.skipUpdateCheck | bool | `false` | skip check for a newer version  |
+| armoKubescape.submit | bool | `true` | submit results to ARMO SaaS: https://portal.armo.cloud/ |
+| armoKubescapeScanScheduler.enabled | bool | `true` | enable/disable a kubescape scheduled scan using a CronJob |
+| armoKubescapeScanScheduler.image.repository | string | `"quay.io/armosec/http_request"` | [source code](https://github.com/armosec/http-request) (public repo) |
+| armoKubescapeScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency |
+| armoNotificationService.enabled | bool | `true` | enable/disable passing notifications from ARMO SaaS to the armo-web-socket microservice. The notifications are the onDemand scanning and the scanning schedule settings |
+| armoNotificationService.image.repository | string | `"quay.io/armosec/notification-server"` | [source code](https://github.com/armosec/capostman) (private repo) |
+| armoScanScheduler.enabled | bool | `true` | enable/disable image vulnerability a schedule scan using a CronJob |
+| armoScanScheduler.image.repository | string | `"curlimages/curl"` | image: curlimages/curl |
+| armoScanScheduler.scanSchedule | string | `"0 0 * * *"` | scan schedule frequency |
+| armoVulnScanner.enabled | bool | `true` | enable/disable image vulnerability scanning |
+| armoVulnScanner.image.repository | string | `"quay.io/armosec/images-vulnerabilities-scan"` | [source code](https://github.com/armosec/ca-vuln-scan) (private repo) |
+| armoWebsocket.enabled | bool | `true` | enable/disable kubescape and image vulnerability scanning |
+| armoWebsocket.image.repository | string | `"quay.io/armosec/action-trigger"` | [source code](https://github.com/armosec/k8s-ca-websocket) (private repo) |
+| aws_iam_role_arn | string | `nil` | AWS IAM arn role |
+| clientID | string | `""` | client ID, [read more](https://hub.armo.cloud/docs/authentication) |
+| cloudRegion | string | `nil` | cloud region |
+| cloud_provider_engine | string | `nil` | cloud provider engine |
+| gkeProject | string | `nil` | GKE project |
+| gke_service_account | string | `nil` | GKE service account |
+| secretKey | string | `""` | secret key, [read more](https://hub.armo.cloud/docs/authentication) |
+| triggerNewImageScan | string | `"disable"` | enable/disable trigger image scan for new images |
+
+

charts/armo-components/Chart.yaml

@@ -1,44 +1,30 @@
 apiVersion: v2
 name: armo-cluster-components
 description:
-  A Helm chart for ARMO cluster components
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+  ARMO Vulnerability Scanning
+
 type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.7.6
+version: 1.7.7
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v1.7.6"
+appVersion: "v1.7.7"
 
 maintainers:
 - name: Ben Hirschberg
   email: ben@armosec.io
+  url: https://www.linkedin.com/in/benyamin-ben-hirschberg-66141890
 - name: David Wertenteil
   email: dw@armosec.io
+  url: https://www.linkedin.com/in/david-wertenteil-0ba277b9
 - name: Bezalel Brandwine
   email: bez@armosec.io
+  url: https://www.linkedin.com/in/bezalel-brandwine
 
 home: https://www.armosec.io/
-
-
-# List all charts to deploy
-#dependencies:
-#  - name: armo-global
-#    version: "1.0.0"
-#  - name: armo-websocket
-#    version: "1.0.0"
-#    condition: armoWebsocket.enabled

charts/armo-components/templates/_helpers.tpl

@@ -11,16 +11,20 @@ gke
 {{- end }}
 
 {{- define "account_guid" -}}
-  {{- if .Values.accountGuid -}}
-  {{- else -}}
-    {{- fail "value for accountGuid is not defined: please register at https://portal.armo.cloud to get yours and re-run with  --set accountGuid=<your Guid>" }}
-  {{- end -}}
+  {{- if .Values.armoKubescape.submit }}
+    {{- if .Values.accountGuid -}}
+    {{- else -}}
+      {{- fail "submitting is enabled but value for accountGuid is not defined: please register at https://portal.armo.cloud to get yours and re-run with  --set accountGuid=<your Guid>" }}
+    {{- end -}}
+  {{- end }}
 {{- end }}
 
 {{- define "cluster_name" -}}
-  {{- if .Values.clusterName -}}
-  {{- else -}}
-    {{- fail "value for clusterName is not defined: re-run with  --set clusterName=<your cluster name>" }}
-  {{- end -}}
+  {{- if .Values.armoKubescape.submit }}
+    {{- if .Values.clusterName -}}
+    {{- else -}}
+      {{- fail "value for clusterName is not defined: re-run with  --set clusterName=<your cluster name>" }}
+    {{- end -}}
+  {{- end }}
 {{- end }}
 

charts/armo-components/templates/armo-collector-deployment.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.armoCollector.enabled  }}
+{{- if and .Values.armoCollector.enabled .Values.armoKubescape.submit }}
 {{ template "account_guid" . }}
 {{ template "cluster_name" . }}
 apiVersion: apps/v1
@@ -47,6 +47,8 @@ spec:
           resources:
 {{ toYaml .Values.armoCollector.resources | indent 12 }}
           env:
+            - name: ACTIVATE_CVE_SCAN_ON_NEW_IMAGE_FEATURE
+              value: {{ .Values.triggerNewImageScan }}
             {{- range .Values.armoCollector.env }}
             - name: {{ .name  }}
               value: "{{ .value }}"

charts/armo-components/templates/armo-kubescape-configmap.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.armoKubescape.enabled  }}
 {{ template "account_guid" . }}
 {{ template "cluster_name" . }}
 kind: ConfigMap 
@@ -10,10 +11,11 @@ metadata:
     tier: {{ .Values.global.namespaceTier }}  
 data:
   clusterName: {{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower  }}  # deprecate
-  customerGUID: {{ .Values.accountGuid }} # deprecate
   config.json: |
     {
-      "customerGUID": "{{ .Values.accountGuid }}",
       "accountID": "{{ .Values.accountGuid }}",
-      "clusterName": "{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower  }}"
-    }
+      "clusterName": "{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower  }}",
+      "clientID": "{{ .Values.clientID }}",
+      "secretKey": "{{ .Values.secretKey }}"
+    }
+{{- end }}

charts/armo-components/templates/armo-kubescape-deployment.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.armoKubescape.enabled  }}
 {{- $cloud_provider := (include "cloud_provider" .) -}}
 apiVersion: apps/v1
 kind: Deployment
@@ -28,6 +29,10 @@ spec:
       - name: kubescape
         image: "{{ .Values.armoKubescape.image.repository }}:{{ .Values.armoKubescape.image.tag }}"
         imagePullPolicy: "{{ .Values.armoKubescape.image.pullPolicy }}"
+        ports:
+          - name: http
+            containerPort: 8080
+            protocol: TCP
         livenessProbe:
           httpGet:
             path: /livez
@@ -93,3 +98,4 @@ spec:
       - name: host-scanner-definition
         configMap:
           name: host-scanner-definition
+{{- end }}

charts/armo-components/templates/armo-kubescape-service.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.armoKubescape.enabled  }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -8,8 +9,10 @@ metadata:
 spec:
   type: {{ .Values.armoKubescape.service.type }}
   ports:
-    - port: {{ .Values.armoKubescape.service.port }}
-      targetPort: {{ .Values.armoKubescape.service.targetPort }}
-      protocol: {{ .Values.armoKubescape.service.protocol }}
+    - name: http
+      port: {{ .Values.armoKubescape.service.port }}
+      targetPort: 8080
+      protocol: TCP
   selector:
-    app: {{ .Values.armoKubescape.name }}
+    app: {{ .Values.armoKubescape.name }}
+{{ end }}

charts/armo-components/templates/armo-kubescape-servicemonitor.yaml

@@ -0,0 +1,24 @@
+{{ if and .Values.armoKubescape.serviceMonitor.enabled .Values.armoKubescape.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ .Values.armoKubescape.name }}-monitor
+  {{- if .Values.armoKubescape.serviceMonitor.namespace }}
+  namespace: {{ .Values.armoKubescape.serviceMonitor.namespace }}
+  {{- end }}
+  labels:
+    app: {{ .Values.armoKubescape.name }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+spec:
+  namespaceSelector:
+    matchNames:
+      -  {{ .Values.armoNameSpace }}
+  selector:
+    matchLabels:
+      app: {{ .Values.armoKubescape.name }}
+  endpoints:
+    - port: http
+      path: /v1/metrics
+      interval: 120s
+      scrapeTimeout: 100s
+{{ end }}

charts/armo-components/templates/armo-kubescapeScanScheduler-configmap.yaml

@@ -1,3 +1,4 @@
+{{- if and .Values.armoKubescapeScanScheduler.enabled .Values.armoKubescape.enabled .Values.armoKubescape.submit }}
 kind: ConfigMap 
 apiVersion: v1 
 metadata:
@@ -9,4 +10,4 @@ metadata:
 data:
   request-body.json: |-
     {"commands":[{"CommandName":"kubescapeScan","args":{"scanV1": {}}}]}
-    
+{{- end }}

charts/armo-components/templates/armo-kubescapeScanScheduler-cronjob.yaml

@@ -1,3 +1,4 @@
+{{- if and .Values.armoKubescapeScanScheduler.enabled .Values.armoKubescape.enabled .Values.armoKubescape.submit }}
 {{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }}
 apiVersion: batch/v1
 {{- else }}
@@ -42,4 +43,4 @@ spec:
           - name: {{ .Values.armoKubescapeScanScheduler.name }}
             configMap:
               name: {{ .Values.armoKubescapeScanScheduler.name }}
- 
+{{- end }}

charts/armo-components/templates/armo-notification-service-deployment.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.armoNotificationService.enabled  }}
+{{- if and .Values.armoNotificationService.enabled .Values.armoKubescape.submit }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

charts/armo-components/templates/armo-notification-service-service.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.armoNotificationService.enabled  }}
+{{- if and .Values.armoNotificationService.enabled .Values.armoKubescape.submit }}
 apiVersion: v1
 kind: Service
 metadata:

charts/armo-components/templates/armo-scanScheduler-configmap.yaml

@@ -1,3 +1,4 @@
+{{- if and .Values.armoScanScheduler.enabled .Values.armoVulnScanner.enabled .Values.armoKubescape.submit }}
 kind: ConfigMap 
 apiVersion: v1 
 metadata:
@@ -9,4 +10,5 @@ metadata:
 data:
   trigger-script.sh: |-
     #!/bin/sh
-    curl -X POST http://{{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}/v1/triggerAction -H 'Content-Type: application/json' -d '{"commands":[{"CommandName": "scan", "WildWlid": "wlid://cluster-{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower  }}"}]}'
+    curl -X POST http://{{ .Values.armoWebsocket.name }}:{{ .Values.armoWebsocket.service.port }}/v1/triggerAction -H 'Content-Type: application/json' -d '{"commands":[{"CommandName": "scan", "WildWlid": "wlid://cluster-{{ regexReplaceAll "\\W+" .Values.clusterName "-" | lower  }}"}]}'
+{{- end }}

charts/armo-components/templates/armo-scanScheduler-cronjob.yaml

@@ -1,3 +1,4 @@
+{{- if and .Values.armoScanScheduler.enabled .Values.armoVulnScanner.enabled .Values.armoKubescape.submit }}
 {{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }}
 apiVersion: batch/v1
 {{- else if .Capabilities.APIVersions.Has "batch/v1beta1/CronJob" }}
@@ -40,4 +41,5 @@ spec:
           - name: {{ .Values.armoScanScheduler.name }}-volume
             configMap:
               defaultMode: 0777
-              name: {{ .Values.armoScanScheduler.name }}-config
+              name: {{ .Values.armoScanScheduler.name }}-config
+{{- end }}

charts/armo-components/templates/armo-vuln-scanner-deployment.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.armoVulnScanner.enabled  }}
+{{- if and .Values.armoVulnScanner.enabled .Values.armoKubescape.submit }}
 {{ template "account_guid" . }}
 {{ template "cluster_name" . }}
 apiVersion: apps/v1

charts/armo-components/templates/armo-vuln-scanner-service.yaml

@@ -1,3 +1,4 @@
+{{- if and .Values.armoVulnScanner.enabled .Values.armoKubescape.submit }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -17,4 +18,5 @@ spec:
       protocol: TCP
       name: "readiness-port"
   selector:
-    app: {{ .Values.armoVulnScanner.name }}
+    app: {{ .Values.armoVulnScanner.name }}
+{{- end }}

charts/armo-components/templates/armo-websocket-deployment.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.armoWebsocket.enabled  }}
+{{- if and .Values.armoWebsocket.enabled .Values.armoKubescape.submit }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

charts/armo-components/templates/armo-websocket-service.yaml

@@ -1,3 +1,4 @@
+{{- if and .Values.armoWebsocket.enabled .Values.armoKubescape.submit }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -12,4 +13,5 @@ spec:
       targetPort: {{ .Values.armoWebsocket.service.targetPort }}
       protocol: {{ .Values.armoWebsocket.service.protocol }}
   selector:
-    app: {{ .Values.armoWebsocket.name }}
+    app: {{ .Values.armoWebsocket.name }}
+{{- end }}