CircleCI: Upload wiz-sensor chart

Author: circleci-wiz

wiz-kubernetes-integration/Chart.yaml

@@ -17,5 +17,5 @@ dependencies:
   condition: wiz-admission-controller.enabled
 - name: wiz-sensor
   repository: https://wiz-sec.github.io/charts
-  version: ">=1.0.5835"
+  version: ">=1.0.6051"
   condition: wiz-sensor.enabled

wiz-sensor/Chart.yaml

@@ -3,5 +3,5 @@ description: Wiz Sensor helm chart
 home: https://www.wiz.io/
 name: wiz-sensor
 type: application
-version: 1.0.5835
+version: 1.0.6051
 appVersion: 1.0.5835

wiz-sensor/templates/_helpers.tpl

@@ -103,7 +103,9 @@ Secrets
 TODO: Backward compatibility - remove
 */}}
 {{- define "wiz-sensor.createSecret" -}}
-{{- if .Values.apikey -}}
+{{- if (or .Values.global.wizApiToken.wizApiTokensVolumeMount .Values.wizApiToken.wizApiTokensVolumeMount) }}
+false
+{{- else if .Values.apikey -}}
 {{- default true .Values.apikey.create -}}
 {{- else if (hasKey .Values.wizApiToken "createSecret") -}}
 {{- .Values.wizApiToken.createSecret -}}

wiz-sensor/templates/clusterrole.yaml

@@ -13,6 +13,7 @@ rules:
     resources: [
       "namespaces", "nodes", "daemonsets", "replicasets", "deployments",
       "jobs", "cronjobs", "statefulsets", "replicationcontrollers", "serviceaccounts",
+      "nodes/proxy"
     ]
     verbs: ["get", "list", "watch"]
 {{- end -}}

wiz-sensor/templates/daemonset.yaml

@@ -327,9 +327,11 @@ spec:
           mountPath: /wiz-sensor-store/
         - name: tmp-store
           mountPath: /tmp/
+        {{- if not .Values.global.wizApiToken.wizApiTokensVolumeMount }}
         - name: api-client-secret
           mountPath: /api-client/
-        {{- if not .Values.gkeAutopilot }}
+        {{- end }}
+        {{- if and (not .Values.gkeAutopilot) (not .Values.global.wizApiToken.wizApiTokensVolumeMount) }}
         - name: api-endpoint-name-secret
           mountPath: /api-endpoint-name/
         {{- end }}
@@ -499,10 +501,12 @@ spec:
         - name: host-mount
           mountPath: /host
           readOnly: true
+        {{- if not .Values.global.wizApiToken.wizApiTokensVolumeMount }}
         - name: api-client-secret
           mountPath: /api-client/
         - name: api-endpoint-name-secret
           mountPath: /api-endpoint-name/
+        {{- end }}
         - name: sensor-scanner-shared-vol
           mountPath: /wiz-sensor-share/
         - name: sensor-scanner-tmp-store
@@ -543,6 +547,7 @@ spec:
           path: {{ .Values.daemonset.sensorHostCacheFolder }}
           type: DirectoryOrCreate
       {{- end }}
+      {{- if not .Values.global.wizApiToken.wizApiTokensVolumeMount }}
       - name: api-client-secret
         secret:
           secretName: {{ include "wiz-sensor.secretName" . }}
@@ -551,7 +556,8 @@ spec:
               path: clientId
             - key: clientToken
               path: clientToken
-      {{- if not .Values.gkeAutopilot }}
+      {{- end }}
+      {{- if and (not .Values.gkeAutopilot) (not .Values.global.wizApiToken.wizApiTokensVolumeMount) }}
       - name: api-endpoint-name-secret
         secret:
           secretName: {{ include "wiz-sensor.secretName" . }}

wiz-sensor/values.yaml

@@ -100,7 +100,7 @@ livenessProbe:
 
 # startup probe for the sensor container
 startupProbe:
-  enabled: true
+  enabled: false
   config:
     # delay before startup probe starts
     initialDelaySeconds: 15
@@ -141,6 +141,22 @@ wizApiToken:
   clientToken: ""
   clientEndpoint: "" # Set custom endpoint - should be "fedramp" for FEDRAMP environments
 
+  # Set the `wizApiTokensVolumeMount` below to a non-empty string if you are passing the Wiz service account
+  # token (client id and client token) via mounts, e.g. when using the Vault operator to inject secrets to Pods.
+  # In this case you are responsible for creating the mounts.
+  # You must also set `.Values.customVolumes` and `.Values.customVolumeMounts`.
+  # The mounts must have at least these 2 files:
+  # clientId - with this content: <wiz service account id>
+  # clientToken - with this content: <wiz service account token>
+  #
+  # e.g. wizApiTokensVolumeMount: "/var/api-client/"
+  #      and this is how the mount looks like on the file system:
+  #      /var/api-client/clientId
+  #      /var/api-client/clientToken
+  #
+  # Implies `secret.enabled: false`.
+  wizApiTokensVolumeMount: ""
+
 httpProxyConfiguration:
   # set to true to enable the use of a proxy. creates a secret with proxy configuration
   enabled: false
@@ -324,6 +340,8 @@ global:
     clientEndpoint: ""
     secret:
       name: ""
+    wizApiTokensVolumeMount: ""
+
 
   httpProxyConfiguration:
     secretName: ""