Add account to storage & node-agent (#324)

* add account to storage & node-agent Signed-off-by: Amir Malka <amirm@armosec.io> * bump operator versions Signed-off-by: Amir Malka <amirm@armosec.io> * update snapshot Signed-off-by: Amir Malka <amirm@armosec.io> * load account from secret Signed-off-by: Amir Malka <amirm@armosec.io> --------- Signed-off-by: Amir Malka <amirm@armosec.io>
kubescape · Nov 1, 2023 · 23c8030 · 23c8030
1 parent 8d8535e
commit 23c8030
Show file tree

Hide file tree

Showing 10 changed files with 70 additions and 16 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+.vscode
+
diff --git a/charts/kubescape-operator/assets/host-scanner-definition.yaml b/charts/kubescape-operator/assets/host-scanner-definition.yaml
@@ -56,7 +56,10 @@ spec:
           value: "{{ .Values.logger.name }}"
         {{- if $components.otelCollector.enabled }}
         - name: ACCOUNT_ID
-          value: "{{ .Values.account }}"
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.global.cloudSecret }}
+              key: account
         - name: CLUSTER_NAME
           value: "{{ regexReplaceAll "\\W+" .Values.clusterName "-" }}"
         - name: OTEL_COLLECTOR_SVC

diff --git a/charts/kubescape-operator/templates/gateway/deployment.yaml b/charts/kubescape-operator/templates/gateway/deployment.yaml
@@ -89,7 +89,10 @@ spec:
               value: "{{ .Values.gateway.httpService.port }}"
             {{- if $components.otelCollector.enabled }}
             - name: ACCOUNT_ID
-              value: "{{ .Values.account }}"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.global.cloudSecret }}
+                  key: account
             - name: OTEL_COLLECTOR_SVC
               value: "otel-collector:4317"
             {{- end }}

diff --git a/charts/kubescape-operator/templates/kollector/statefulset.yaml b/charts/kubescape-operator/templates/kollector/statefulset.yaml
@@ -77,7 +77,10 @@ spec:
                   fieldPath: metadata.namespace
             {{- if $components.otelCollector.enabled }}
             - name: ACCOUNT_ID
-              value: "{{ .Values.account }}"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.global.cloudSecret }}
+                  key: account
             - name: OTEL_COLLECTOR_SVC
               value: "otel-collector:4317"
             {{- end }}

diff --git a/charts/kubescape-operator/templates/kubescape/deployment.yaml b/charts/kubescape-operator/templates/kubescape/deployment.yaml
@@ -125,7 +125,10 @@ spec:
         {{- end }}
         {{- if $components.otelCollector.enabled }}
         - name: ACCOUNT_ID
-          value: "{{ .Values.account }}"
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.global.cloudSecret }}
+              key: account
         - name: OTEL_COLLECTOR_SVC
           value: "otel-collector:4317"
         {{- end }}

diff --git a/charts/kubescape-operator/templates/kubevuln/deployment.yaml b/charts/kubescape-operator/templates/kubevuln/deployment.yaml
@@ -81,7 +81,10 @@ spec:
             {{- end }}
             {{- if $components.otelCollector.enabled }}
             - name: ACCOUNT_ID
-              value: "{{ .Values.account }}"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.global.cloudSecret }}
+                  key: account
             - name: OTEL_COLLECTOR_SVC
               value: "otel-collector:4317"
             {{- end }}

diff --git a/charts/kubescape-operator/templates/node-agent/daemonset.yaml b/charts/kubescape-operator/templates/node-agent/daemonset.yaml
@@ -39,6 +39,9 @@ spec:
       automountServiceAccountToken: true
       hostPID: true
       volumes:
+        - name: {{ .Values.global.cloudSecret }}
+          secret:
+            secretName: {{ .Values.global.cloudSecret }}
         - name: {{ .Values.global.cloudConfig }}
           configMap:
             name: {{ .Values.global.cloudConfig }}
@@ -127,6 +130,9 @@ spec:
             seLinuxOptions:
               type: spc_t
           volumeMounts:
+          - name: {{ .Values.global.cloudSecret }}
+            mountPath: /etc/credentials
+            readOnly: true
           - name: {{ .Values.global.cloudConfig }}
             mountPath: /etc/config/clusterData.json
             readOnly: true

diff --git a/charts/kubescape-operator/templates/storage/deployment.yaml b/charts/kubescape-operator/templates/storage/deployment.yaml
@@ -48,6 +48,11 @@ spec:
           - name: "GOMEMLIMIT"
             value: "{{ .Values.storage.resources.requests.memory }}B"
           {{- if $components.otelCollector.enabled }}
+          - name: ACCOUNT_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.global.cloudSecret }}
+                key: account
           - name: OTEL_COLLECTOR_SVC
             value: "otel-collector:4317"
           {{- end }}

diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -225,7 +225,10 @@ matches the snapshot:
                 - name: HTTP_PORT
                   value: "8002"
                 - name: ACCOUNT_ID
-                  value: 9e6c0c2c-6bd0-4919-815b-55030de7c9a0
+                  valueFrom:
+                    secretKeyRef:
+                      key: account
+                      name: cloud-secret
                 - name: OTEL_COLLECTOR_SVC
                   value: otel-collector:4317
               image: quay.io/kubescape/gateway:v0.1.17
@@ -575,7 +578,10 @@ matches the snapshot:
                     fieldRef:
                       fieldPath: metadata.namespace
                 - name: ACCOUNT_ID
-                  value: 9e6c0c2c-6bd0-4919-815b-55030de7c9a0
+                  valueFrom:
+                    secretKeyRef:
+                      key: account
+                      name: cloud-secret
                 - name: OTEL_COLLECTOR_SVC
                   value: otel-collector:4317
                 - name: PRINT_REPORT
@@ -969,7 +975,10 @@ matches the snapshot:
                 - name: LARGE_CLUSTER_SIZE
                   value: "1500"
                 - name: ACCOUNT_ID
-                  value: 9e6c0c2c-6bd0-4919-815b-55030de7c9a0
+                  valueFrom:
+                    secretKeyRef:
+                      key: account
+                      name: cloud-secret
                 - name: OTEL_COLLECTOR_SVC
                   value: otel-collector:4317
               image: quay.io/kubescape/kubescape:v3.0.0
@@ -1095,7 +1104,10 @@ matches the snapshot:
                 - name: KS_LOGGER_NAME
                   value: "zap"
                 - name: ACCOUNT_ID
-                  value: "9e6c0c2c-6bd0-4919-815b-55030de7c9a0"
+                  valueFrom:
+                    secretKeyRef:
+                      name: cloud-secret
+                      key: account
                 - name: CLUSTER_NAME
                   value: "kind-kind"
                 - name: OTEL_COLLECTOR_SVC
@@ -1414,7 +1426,10 @@ matches the snapshot:
                 - name: CA_MAX_VULN_SCAN_ROUTINES
                   value: "1"
                 - name: ACCOUNT_ID
-                  value: 9e6c0c2c-6bd0-4919-815b-55030de7c9a0
+                  valueFrom:
+                    secretKeyRef:
+                      key: account
+                      name: cloud-secret
                 - name: OTEL_COLLECTOR_SVC
                   value: otel-collector:4317
               image: quay.io/kubescape/kubevuln:v0.2.129
@@ -1700,7 +1715,7 @@ matches the snapshot:
                 - name: HOST_ROOT
                   value: /host
                 - name: NodeName
-              image: quay.io/kubescape/node-agent:v0.1.112
+              image: quay.io/kubescape/node-agent:v0.1.113
               imagePullPolicy: IfNotPresent
               name: node-agent
               resources:
@@ -1725,6 +1740,9 @@ matches the snapshot:
                 seLinuxOptions:
                   type: spc_t
               volumeMounts:
+                - mountPath: /etc/credentials
+                  name: cloud-secret
+                  readOnly: true
                 - mountPath: /etc/config/clusterData.json
                   name: ks-cloud-config
                   readOnly: true
@@ -1756,6 +1774,9 @@ matches the snapshot:
             kubernetes.io/os: linux
           serviceAccountName: node-agent
           volumes:
+            - name: cloud-secret
+              secret:
+                secretName: cloud-secret
             - configMap:
                 items:
                   - key: clusterData
@@ -1933,7 +1954,7 @@ matches the snapshot:
                   value: zap
                 - name: OTEL_COLLECTOR_SVC
                   value: otel-collector:4317
-              image: quay.io/kubescape/operator:v0.1.57
+              image: quay.io/kubescape/operator:v0.1.58
               imagePullPolicy: IfNotPresent
               livenessProbe:
                 httpGet:
@@ -2545,9 +2566,14 @@ matches the snapshot:
             - env:
                 - name: GOMEMLIMIT
                   value: 400MiB
+                - name: ACCOUNT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      key: account
+                      name: cloud-secret
                 - name: OTEL_COLLECTOR_SVC
                   value: otel-collector:4317
-              image: quay.io/kubescape/storage:v0.0.30
+              image: quay.io/kubescape/storage:v0.0.32
               imagePullPolicy: IfNotPresent
               name: apiserver
               resources:

diff --git a/charts/kubescape-operator/values.yaml b/charts/kubescape-operator/values.yaml
@@ -200,7 +200,7 @@ operator:
   image:
     # -- source code: https://github.com/kubescape/operator
     repository: quay.io/kubescape/operator
-    tag: v0.1.57
+    tag: v0.1.58
     pullPolicy: IfNotPresent
 
   service:
@@ -513,7 +513,7 @@ storage:
   replicaCount: 1
   image:
     repository: quay.io/kubescape/storage
-    tag: v0.0.30
+    tag: v0.0.32
     pullPolicy: IfNotPresent
 
 grypeOfflineDB:
@@ -538,7 +538,7 @@ nodeAgent:
   name: node-agent
   image:
     repository: quay.io/kubescape/node-agent
-    tag: v0.1.112
+    tag: v0.1.113
     pullPolicy: IfNotPresent
 
   config: