Update charts with latest changes (#647)

Author: circleci-wiz

wiz-kubernetes-integration/Chart.yaml

@@ -2,9 +2,10 @@ apiVersion: v2
 name: wiz-kubernetes-integration
 description: A Helm chart for Kubernetes
 type: application
-version: 0.2.101
+version: 0.2.102
 appVersion: ""
-# Dependencies for wiz-kubernetes connector and wiz-admission-controller and wiz-sensor
+
+#    Dependencies for wiz-kubernetes connector and wiz-admission-controller and wiz-sensor
 dependencies:
   - name: wiz-kubernetes-connector
     repository: https://wiz-sec.github.io/charts
@@ -16,5 +17,5 @@ dependencies:
     condition: wiz-admission-controller.enabled
   - name: wiz-sensor
     repository: https://wiz-sec.github.io/charts
-    version: ">=1.0.6816"
+    version: ">=1.0.7326"
     condition: wiz-sensor.enabled

wiz-sensor/Chart.yaml

@@ -3,5 +3,7 @@ name: wiz-sensor
 description: Wiz Sensor helm chart
 type: application
 home: https://www.wiz.io/
-version: 1.0.6816
-appVersion: 1.0.6816
+version: 1.0.7326
+appVersion: 1.0.7326
+annotations:
+  diskScanAppVersion: 1.1.20

wiz-sensor/templates/_helpers.tpl

@@ -32,12 +32,26 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+Sensor image tag
+*/}}
+{{- define "wiz-sensor.imageTag" -}}
+{{- coalesce .Values.image.tag .Chart.AppVersion }}
+{{- end }}
+
+{{/*
+Disk scanner image tag
+*/}}
+{{- define "wiz-sensor.diskScanTag" -}}
+{{- coalesce .Values.image.diskScanTag .Chart.Annotations.diskScanAppVersion }}
+{{- end }}
+
 {{/*
 Common labels
 */}}
 {{- define "wiz-sensor.labels" -}}
-{{- $imageparts:= split "@" .Values.image.tag }}
-{{- $dsimageparts:= split "@" .Values.image.diskScanTag }}
+{{- $imageparts:= split "@" (include "wiz-sensor.imageTag" .) }}
+{{- $dsimageparts:= split "@" (include "wiz-sensor.diskScanTag" .) }}
 helm.sh/chart: {{ include "wiz-sensor.chart" . }}
 image/tag: {{ $imageparts._0 }}
 dsimage/tag: {{ $dsimageparts._0 }}

wiz-sensor/templates/daemonset.yaml

@@ -81,10 +81,10 @@ spec:
           {{- if .Values.image.sha256 }}
         image: {{ printf "%s/%s@sha256:%s" (coalesce .Values.global.image.registry .Values.image.registry) .Values.image.repository .Values.image.sha256 }}
           {{- else }}
-        image: {{ printf "%s/%s:%s" (coalesce .Values.global.image.registry .Values.image.registry) .Values.image.repository .Values.image.tag }}
+        image: {{ printf "%s/%s:%s" (coalesce .Values.global.image.registry .Values.image.registry) .Values.image.repository (include "wiz-sensor.imageTag" .) }}
           {{- end }}
         {{- else }}
-        image: {{ printf "%s:%s" .Values.image.repository .Values.image.tag }}
+        image: {{ printf "%s:%s" .Values.image.repository (include "wiz-sensor.imageTag" .) }}
         {{- end }}
         imagePullPolicy: {{ coalesce .Values.global.image.pullPolicy .Values.image.pullPolicy }}
         {{- with .Values.image.args }}
@@ -306,6 +306,10 @@ spec:
         - name: ENABLE_API_SECURITY
           value: "true"
         {{- end}}
+        {{- if .Values.forensics.enabled }}
+        - name: ENABLE_FORENSICS
+          value: "true"
+        {{- end}}
         {{- if .Values.openshift }}
         - name: OPENSHIFT
           value: "true"
@@ -324,6 +328,12 @@ spec:
         - name: FIXED_DEFS_VERSION
           value: {{ .Values.fixedDefsVersion }}
         {{- end }}
+        {{- if not .Values.gkeAutopilot }}
+        - name: HELM_CHART_VERSION
+          value: {{ .Chart.Version }}
+        - name: ALLOW_KUBELET_COMMUNICATION
+          value: {{ .Values.allowKubeletCommunication | quote }}
+        {{- end }}
 
         volumeMounts:
         {{- with .Values.customVolumeMounts }}
@@ -381,9 +391,9 @@ spec:
       {{- if .Values.diskScan.enabled }}
       - name: wiz-disk-scanner
         {{- if (coalesce .Values.global.image.registry .Values.image.registry) }}
-        image: {{ printf "%s/%s:%s" (coalesce .Values.global.image.registry .Values.image.registry) .Values.image.diskScanRepository .Values.image.diskScanTag }}
+        image: {{ printf "%s/%s:%s" (coalesce .Values.global.image.registry .Values.image.registry) .Values.image.diskScanRepository (include "wiz-sensor.diskScanTag" .) }}
         {{- else }}
-        image: {{ printf "%s:%s" .Values.image.diskScanRepository .Values.image.diskScanTag }}
+        image: {{ printf "%s:%s" .Values.image.diskScanRepository (include "wiz-sensor.diskScanTag" .) }}
         {{- end }}
         imagePullPolicy: {{ .Values.image.diskScanPullPolicy }}
         {{- with .Values.image.diskScanArgs }}

wiz-sensor/templates/gkeallowlistsynchronizer.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.gkeAutopilotUseAllowlist }}
+{{- if and .Values.gkeAutopilotUseAllowlist .Values.gkeAutopilotUseAllowlistSynchronizer }}
 apiVersion: auto.gke.io/v1
 kind: AllowlistSynchronizer
 metadata:

wiz-sensor/values.yaml

@@ -31,6 +31,10 @@ diskScan:
 apiSecurity:
   enabled: false
 
+# Sensor-based forensics (in private preview)
+forensics:
+  enabled: false
+
 # Expose some metrics to be consumed by Prometheus and other Metrics servers.
 # The default port can be changed in case of conflicts
 exposeMetrics: false
@@ -45,7 +49,8 @@ openshift: false
 gkeAutopilot: false
 # Newer GKE autopilot clusters support the use of an allowlist. This is required for some options in the chart
 gkeAutopilotUseAllowlist: false
-gkeAutopilotAllowlist: wiz-sensor-v2
+gkeAutopilotAllowlist: wiz-sensor-v4
+gkeAutopilotUseAllowlistSynchronizer: true
 
 # use a custom SELinux type that is required by flatcar Linux nodes, but is incompatible with some
 # other node types (like AWS bottlerocket)
@@ -104,6 +109,11 @@ subscriptionTags: {} # Optional. List of key: value tags to be added to Subscrip
 # Format: major.minor.patch
 fixedDefsVersion: ""
 
+# The sensor will attempt to communicate with local kubelet instead of api-server for pod information.
+# Note that if kubelet communication fails we will still query api-server for pod information.
+# Non-pod information, like controllers and namespaces are always queried directly from api-server.
+allowKubeletCommunication: false
+
 # enable liveness probe for the sensor container
 livenessProbe:
   enabled: false
@@ -246,15 +256,15 @@ image:
   registry: wizio.azurecr.io
   repository: sensor
   args: {}
-  tag: "v1"
+  tag: "v1" # if not set, the chart's appVersion will be used
   # The sha256 of the image to use. Should not be used normally. Exists for compatibility with GKE Autopilot
   # with private registries. This overrides the tag variable when set.
   sha256: ""
   pullPolicy: Always
   # the default is "wizio.azurecr.io/wiz-app/wiz-workload-scanner:v1"
   diskScanRepository: wiz-app/wiz-workload-scanner
   diskScanArgs: {}
-  diskScanTag: "v1"
+  diskScanTag: "v1" # if not set, the chart's diskScanAppVersion will be used
   diskScanPullPolicy: Always
 
 daemonset: