Simplify FedRamp deployment (#429)

* Simplify FedRamp deployment

Set `global.isFedRamp` to true for FedRamp deployments (default is false).

Co-authored-by: nitzanzuler <[email protected]>

Author: ofirc-wiz

wiz-admission-controller/templates/_helpers.tpl

@@ -406,3 +406,11 @@ Clean the list of deployments for the auto-update flag, removing quotes and brac
   value: "{{ .Values.global.istio.proxySidecarPort }}"
 {{- end }}
 {{- end -}}
+
+{{- define "wiz-admission-controller.image" -}}
+{{- if .Values.global.isFedRamp -}}
+publicregistryfedrampwizio.azurecr.us/wiz-app/wiz-admission-controller-fips:{{ .Values.image.tag | default .Chart.AppVersion }}
+{{- else -}}
+{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+{{- end -}}
+{{- end -}}

wiz-admission-controller/templates/deploymentauditlogs.yaml

@@ -58,7 +58,7 @@ spec:
             {{- else }}
             {{- toYaml .Values.securityContext | nindent 12 }}
             {{- end }}
-          image: "{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: {{ include "wiz-admission-controller.image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
           - containerPort: {{ .Values.service.targetPort }}

wiz-admission-controller/templates/deploymentenforcement.yaml

@@ -58,7 +58,7 @@ spec:
             {{- else }}
             {{- toYaml .Values.securityContext | nindent 12 }}
             {{- end }}
-          image: "{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: {{ include "wiz-admission-controller.image" . }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
           - containerPort: {{ .Values.service.targetPort }}

wiz-admission-controller/values.yaml

@@ -10,7 +10,8 @@ commonLabels: {} # Labels applied on all the resources (not used for selection)
 wizApiToken:
   clientId: "" # Client ID of the Wiz Service Account.
   clientToken: "" # Client secret of the Wiz Service Account.
-  clientEndpoint: "" # Set to 'gov' or 'fedramp' for gov/fedramp tenants only, otherwise leave blank.
+  clientEndpoint: "" # Defaults to commercial.
+                     # If `global.isFedRamp` is `true`, this field gets automatically set to `fedramp`.
 
   secret:
     # Should a Secret be created by the chart or not.
@@ -53,12 +54,11 @@ podDisruptionBudget:
 
 image:
   registry: wiziopublic.azurecr.io/wiz-app
-  # Use this if you are deploying on federal environments with FIPS endpoints.
-  # repository: wiz-admission-controller-fips
   repository: wiz-admission-controller
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
+
 imagePullSecrets: [] # Secrets for container image registry keys as described in https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
 
 priorityClassName: ""
@@ -489,7 +489,8 @@ global:
   wizApiToken:
     clientId: "" 
     clientToken: ""
-    clientEndpoint: "" # Wiz endpoint to connect to (required for gov tenants).
+    clientEndpoint: "" # Defaults to commercial.
+                       # If `global.isFedRamp` is `true`, this field gets automatically set to `fedramp`.
 
     secret:
       # The name of the Wiz Service Account Secret.
@@ -556,3 +557,6 @@ global:
   #
   # lowPrivilegePodSecurityPolicy: {}
   # lowPrivilegeSecurityPolicy: {}
+
+  # Set to true to use FedRamp endpoints and FIPS-compliant images.
+  isFedRamp: false

wiz-broker/Chart.yaml

@@ -4,5 +4,5 @@ description: Wiz Broker for tunneling http traffic to Wiz backend
 
 type: application
 
-version: 2.1.0
+version: 2.2.0
 appVersion: "2.5"

wiz-broker/templates/_helpers.tpl

@@ -103,3 +103,11 @@ Secrets names
 {{- define "wiz-broker.connectorSecretName" -}}
 {{ coalesce (.Values.wizConnector.secretName) (printf "%s-connector" .Release.Name) }}
 {{- end }}
+
+{{- define "wiz-broker.image" -}}
+{{- if .Values.global.isFedRamp -}}
+publicregistryfedrampwizio.azurecr.us/wiz-app/wiz-broker-fips:{{ .Values.image.tag | default .Chart.AppVersion }}
+{{- else -}}
+{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ coalesce .Values.global.image.tag .Values.image.tag | default .Chart.AppVersion }}
+{{- end -}}
+{{- end -}}

wiz-broker/templates/wiz-broker-deployment.yaml

@@ -77,7 +77,7 @@ spec:
             {{- else }}
             {{- toYaml .Values.global.securityContext | nindent 12 }}
             {{- end }}
-          image: "{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ coalesce .Values.global.image.tag .Values.image.tag | default .Chart.AppVersion }}"
+          image: {{ include "wiz-broker.image" . }}
           imagePullPolicy: {{ coalesce .Values.global.image.pullPolicy .Values.image.pullPolicy }}
           volumeMounts:
           - name: connector-data

wiz-broker/values.yaml

@@ -9,8 +9,6 @@ commonLabels: {} # Labels applied on all the resources (not used for selection)
 
 image:
   registry: wiziopublic.azurecr.io/wiz-app
-  # Use this if you are deploying on federal environments with FIPS endpoints.
-  # repository: wiz-broker-fips
   repository: wiz-broker
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
@@ -71,7 +69,8 @@ wizConnector:
 wizApiToken:
   clientId: "" # Client ID of the Wiz Service Account.
   clientToken: "" # Client secret of the Wiz Service Account.
-  clientEndpoint: "" # Set to 'gov' or 'fedramp' for gov/fedramp tenants only, otherwise leave blank.
+  clientEndpoint: "" # Defaults to commercial.
+                     # If `global.isFedRamp` is `true`, this field gets automatically set to `fedramp`.
 
   secret:
     # Should a Secret be created by the chart or not.
@@ -116,8 +115,6 @@ global:
 
   image:
     registry: wiziopublic.azurecr.io/wiz-app
-    # Use this if you are deploying on federal environments with FIPS endpoints.
-    # repository: wiz-broker-fips
     repository: wiz-broker
     pullPolicy: Always  # Always pull the image on every deployment
     # Overrides the image tag whose default is the chart appVersion.
@@ -151,11 +148,15 @@ global:
     runAsUser: 1000
 
   wizApiToken:
-    clientEndpoint: "" # Wiz endpoint to connect to (required for gov tenants).
+    clientEndpoint: "" # Defaults to commercial.
+                       # If `global.isFedRamp` is `true`, this field gets automatically set to `fedramp`.
     secret:
       name: "" # Override with parent secret name
 
   httpProxyConfiguration:
     enabled: false # Should the components use a proxy.
     create: false # Secret created by wiz-broker.
     secretName: "" # The name of the proxy Secret.
+
+  # Set to true to use FedRamp endpoints and FIPS-compliant images.
+  isFedRamp: false

wiz-kubernetes-connector/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.1.1
+version: 3.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

wiz-kubernetes-connector/templates/_helpers.tpl

@@ -225,3 +225,11 @@ delete-kubernetes-connector
   - >
     {{- printf "%s" $output | nindent 2 }}
 {{- end }}
+
+{{- define "wiz-broker.image" -}}
+{{- if .Values.global.isFedRamp -}}
+publicregistryfedrampwizio.azurecr.us/wiz-app/wiz-broker-fips:{{ .Values.image.tag | default .Chart.AppVersion }}
+{{- else -}}
+{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+{{- end -}}
+{{- end -}}