Added wizApiTokensVolumeMount to sensor

Author: ofirc-wiz

wiz-sensor/templates/_helpers.tpl

@@ -103,7 +103,9 @@ Secrets
 TODO: Backward compatibility - remove
 */}}
 {{- define "wiz-sensor.createSecret" -}}
-{{- if .Values.apikey -}}
+{{- if (or .Values.global.wizApiToken.wizApiTokensVolumeMount .Values.wizApiToken.wizApiTokensVolumeMount) }}
+false
+{{- else if .Values.apikey -}}
 {{- default true .Values.apikey.create -}}
 {{- else if (hasKey .Values.wizApiToken "createSecret") -}}
 {{- .Values.wizApiToken.createSecret -}}

wiz-sensor/templates/daemonset.yaml

@@ -327,8 +327,10 @@ spec:
           mountPath: /wiz-sensor-store/
         - name: tmp-store
           mountPath: /tmp/
+        {{- if not .Values.global.wizApiToken.wizApiTokensVolumeMount }}
         - name: api-client-secret
           mountPath: /api-client/
+        {{- end }}
         {{- if not .Values.gkeAutopilot }}
         - name: api-endpoint-name-secret
           mountPath: /api-endpoint-name/
@@ -499,8 +501,10 @@ spec:
         - name: host-mount
           mountPath: /host
           readOnly: true
+        {{- if not .Values.global.wizApiToken.wizApiTokensVolumeMount }}
         - name: api-client-secret
           mountPath: /api-client/
+        {{- end }}
         - name: api-endpoint-name-secret
           mountPath: /api-endpoint-name/
         - name: sensor-scanner-shared-vol
@@ -543,6 +547,7 @@ spec:
           path: {{ .Values.daemonset.sensorHostCacheFolder }}
           type: DirectoryOrCreate
       {{- end }}
+      {{- if not .Values.global.wizApiToken.wizApiTokensVolumeMount }}
       - name: api-client-secret
         secret:
           secretName: {{ include "wiz-sensor.secretName" . }}
@@ -551,6 +556,7 @@ spec:
               path: clientId
             - key: clientToken
               path: clientToken
+      {{- end }}
       {{- if not .Values.gkeAutopilot }}
       - name: api-endpoint-name-secret
         secret:

wiz-sensor/values.yaml

@@ -141,6 +141,22 @@ wizApiToken:
   clientToken: ""
   clientEndpoint: "" # Set custom endpoint - should be "fedramp" for FEDRAMP environments
 
+  # Set the `wizApiTokensVolumeMount` below to a non-empty string if you are passing the Wiz service account
+  # token (client id and client token) via mounts, e.g. when using the Vault operator to inject secrets to Pods.
+  # In this case you are responsible for creating the mounts.
+  # You must also set `.Values.customVolumes` and `.Values.customVolumeMounts`.
+  # The mounts must have at least these 2 files:
+  # clientId - with this content: <wiz service account id>
+  # clientToken - with this content: <wiz service account token>
+  #
+  # e.g. wizApiTokensVolumeMount: "/var/api-client/"
+  #      and this is how the mount looks like on the file system:
+  #      /var/api-client/clientId
+  #      /var/api-client/clientToken
+  #
+  # Implies `secret.enabled: false`.
+  wizApiTokensVolumeMount: ""
+
 httpProxyConfiguration:
   # set to true to enable the use of a proxy. creates a secret with proxy configuration
   enabled: false