AC auto-update (#397)

* version port

* rename version port to status port

* undo replica set

* manager deployment

* bump minor

* remove watch

* autp update args

* create manager only in auto upadte enabled

* bump app version

* cronjob

* comment

* undo defaultMode: 444

* fix rolebinding

* fix values.yaml

* remove probes

* cr fix

* cr fix

* manager service account

* fix error

* remove from values

* event creator role

* fix

* cr fix

* fix error

* istio sidecar

* fix merge

* use controller.isEnforcerEnabled and inline it

* fix

* use common args and env

* cr fix

* update comment

Author: nitzanzuler

wiz-admission-controller/Chart.yaml

@@ -7,10 +7,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.6.1
+version: 3.7.0-preview
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.6"
+appVersion: "2.7"

wiz-admission-controller/templates/_helpers.tpl

@@ -40,6 +40,19 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{- define "wiz-admission-controller-manager.name" -}}
+{{- if .Values.wizManager.nameOverride }}
+{{- .Values.wizManager.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := "wiz-admission-controller-manager" }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{- define "wiz-hpa-enforcer.name" -}}
 {{- printf "%s-hpa" (include "wiz-admission-controller.fullname" .) | trunc 63 | trimSuffix "-" }}
 {{- end }}
@@ -99,6 +112,13 @@ Wiz kubernetes audit logs webhook server selector labels
 app.kubernetes.io/name: {{ include "wiz-kubernetes-audit-log-collector.name" . }}
 {{- end }}
 
+{{/*
+Wiz manager selector labels
+*/}}
+{{- define "wiz-admission-controller-manager.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "wiz-admission-controller-manager.name" . }}
+{{- end }}
+
 {{- define "wiz-admission-controller-enforcement.labels" -}}
 {{ include "wiz-admission-controller.labels" . }}
 {{ include "wiz-admission-controller-enforcement.selectorLabels" . }}
@@ -109,6 +129,11 @@ app.kubernetes.io/name: {{ include "wiz-kubernetes-audit-log-collector.name" . }
 {{ include "wiz-kubernetes-audit-log-collector.selectorLabels" . }}
 {{- end }}
 
+{{- define "wiz-admission-controller-manager.labels" -}}
+{{ include "wiz-admission-controller.labels" . }}
+{{ include "wiz-admission-controller-manager.selectorLabels" . }}
+{{- end }}
+
 {{/*
 Wiz Horizontal Pod Autoscaler labels
 */}}
@@ -133,6 +158,11 @@ Create the name of the service account to use
 {{ coalesce (.Values.serviceAccount.name) (include "wiz-admission-controller.fullname" .) }}
 {{- end }}
 
+{{- define "wiz-admission-controller.manager.serviceAccountName" -}}
+{{ coalesce (.Values.wizManager.serviceAccount.name) (include "wiz-admission-controller-manager.name" .) }}
+{{- end }}
+
+
 {{- define "wiz-admission-controller.secretApiTokenName" -}}
 {{ coalesce (.Values.global.wizApiToken.secret.name) (.Values.wizApiToken.secret.name) (printf "%s-%s" .Release.Name "api-token") }}
 {{- end }}
@@ -249,3 +279,124 @@ scaleDown:
     periodSeconds: 300
 {{- end -}}
 {{- end -}}
+
+{{- define "autoUpdate.deployments" -}}
+{{- $list := list -}}
+{{- if eq (include "wiz-admission-controller.isEnforcerEnabled" . | trim | lower) "true" }}
+{{- $list = append $list (include "wiz-admission-controller.fullname" . ) -}}
+{{- end -}}
+{{- if .Values.kubernetesAuditLogsWebhook.enabled -}}
+{{- $list = append $list (include "wiz-kubernetes-audit-log-collector.name" . ) -}}
+{{- end -}}
+{{- $list | toJson -}}
+{{- end -}}
+
+{{/*
+Clean the list of deployments for the auto-update flag, removing quotes and brackets
+*/}}
+{{- define "autoUpdate.deployments.arg" -}}
+{{- $deployments := include "autoUpdate.deployments" .  -}}
+{{- $deployments = replace "[" "" $deployments -}}
+{{- $deployments = replace "]" "" $deployments -}}
+{{- $deployments = replace "\"" "" $deployments -}}
+- "--update-deployments={{ $deployments }}"
+{{- end -}}
+
+{{- define "spec.common.commandArgs" -}}
+# Cluster identification flags
+- "--cluster-external-id={{ coalesce .Values.global.clusterExternalId .Values.webhook.clusterExternalId .Values.opaWebhook.clusterExternalId }}"
+- "--subscription-external-id={{ coalesce .Values.global.subscriptionExternalId .Values.webhook.subscriptionExternalId }}"
+{{- with (coalesce .Values.global.clusterTags .Values.webhook.clusterTags) }}
+- --cluster-tags
+- {{ . | toJson | quote }}
+{{- end }}
+{{- with (coalesce .Values.global.subscriptionTags .Values.webhook.subscriptionTags) }}
+- --subscription-tags
+- {{ . | toJson | quote }}
+{{- end }}
+{{- end -}}
+
+{{- define "spec.admissionControllerRunner.commandArgs" -}}
+# Server flags
+- "--port={{ .Values.service.targetPort }}"
+- "--tls-private-key-file=/var/server-certs/tls.key"
+- "--tls-cert-file=/var/server-certs/tls.crt"
+- "--readiness-port={{ .Values.healthPort }}"
+# Kubernetes API server flags
+- "--namespace-cache-ttl={{ .Values.kubernetesApiServer.cacheNamespaceLabelsTTL }}"
+{{- end -}}
+
+{{- define "spec.common.envVars" -}}
+{{- if not .Values.wizApiToken.usePodCustomEnvironmentVariablesFile }}
+- name: WIZ_CLIENT_ID
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "wiz-admission-controller.secretApiTokenName" . | trim }}
+      key: clientId
+      optional: false
+- name: WIZ_CLIENT_TOKEN
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "wiz-admission-controller.secretApiTokenName" . | trim }}
+      key: clientToken
+      optional: false
+{{- end }}
+- name: WIZ_ENV
+  value: {{ coalesce .Values.global.wizApiToken.clientEndpoint .Values.wizApiToken.clientEndpoint | quote }}
+{{- if or .Values.global.httpProxyConfiguration.enabled .Values.httpProxyConfiguration.enabled }}
+- name: HTTP_PROXY
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "wiz-admission-controller.proxySecretName" . | trim }}
+      key: httpProxy
+      optional: false
+- name: HTTPS_PROXY
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "wiz-admission-controller.proxySecretName" . | trim }}
+      key: httpsProxy
+      optional: false
+- name: NO_PROXY
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "wiz-admission-controller.proxySecretName" . | trim }}
+      key: noProxyAddress
+      optional: false
+{{- end }}
+{{- if .Values.logLevel }}
+- name: LOG_LEVEL
+  value: {{ .Values.logLevel }}
+{{- end }}
+{{- with .Values.podCustomEnvironmentVariables }}
+{{- toYaml . | nindent 14 }}
+{{- end }}
+{{- with .Values.global.podCustomEnvironmentVariables }}
+{{- toYaml . | nindent 14 }}
+{{- end }}
+{{- if .Values.podCustomEnvironmentVariablesFile }}
+- name: CLI_ENV_FILE
+  value: {{ .Values.podCustomEnvironmentVariablesFile }}
+- name: USE_CLI_ENV_FILE
+  value: "true"
+{{- end }}
+- name: WIZ_RUNTIME_METADATA_POD_NAME
+  valueFrom:
+    fieldRef:
+      fieldPath: metadata.name
+- name: WIZ_RUNTIME_METADATA_NODE_NAME
+  valueFrom:
+    fieldRef:
+      fieldPath: spec.nodeName
+- name: K8S_NAMESPACE
+  valueFrom:
+    fieldRef:
+      fieldPath: metadata.namespace
+- name: WIZ_TERMINATION_GRACE_PERIOD
+  value: "{{ .Values.global.podTerminationGracePeriodSeconds }}s"
+{{- if .Values.global.istio.enabled }}
+- name: WIZ_ISTIO_PROXY_ENABLED
+  value: "true"
+- name: WIZ_ISTIO_PROXY_PORT
+  value: "{{ .Values.global.istio.proxySidecarPort }}"
+{{- end }}
+{{- end -}}

wiz-admission-controller/templates/cronjobmanager.yaml

@@ -0,0 +1,96 @@
+{{ if and .Values.wizManager.enabled -}}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "wiz-admission-controller-manager.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "wiz-admission-controller-manager.labels" . | nindent 4 }}
+spec:
+  schedule: "{{ .Values.wizManager.schedule }}"
+  concurrencyPolicy: Forbid  # Ensures only one job instance runs at a time
+  jobTemplate:
+    spec:
+      activeDeadlineSeconds: {{ .Values.wizManager.timeoutSeconds }}
+      ttlSecondsAfterFinished: {{ .Values.wizManager.cleanupJobSeconds }}
+      template:
+        metadata:
+          annotations:
+            rollme.proxyHash: {{ include "wiz-admission-controller.proxyHash" . }}
+            rollme.wizApiTokenHash: {{ include "wiz-admission-controller.wizApiTokenHash" . }}
+            {{- with (coalesce .Values.global.podAnnotations .Values.podAnnotations) }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+          labels:
+            {{- include "wiz-admission-controller-manager.labels" . | nindent 12 }}
+            {{- with (coalesce .Values.global.podLabels .Values.podLabels) }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+        spec:
+          restartPolicy: Never
+          {{- if .Values.priorityClassName }}
+          priorityClassName: {{ .Values.priorityClassName }}
+          {{- end }}
+          {{- with (coalesce .Values.global.imagePullSecrets .Values.imagePullSecrets) }}
+          imagePullSecrets:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          serviceAccountName: {{ include "wiz-admission-controller.manager.serviceAccountName" . }}
+          securityContext:
+            {{- if hasKey .Values.global "lowPrivilegePodSecurityPolicy" }}
+              {{- toYaml .Values.global.lowPrivilegePodSecurityPolicy | nindent 12 }}
+            {{- else }}
+              {{- toYaml .Values.podSecurityContext | nindent 12 }}
+            {{- end }}
+          {{- if .Values.hostNetwork }}
+          hostNetwork: true
+          {{- end }}
+          terminationGracePeriodSeconds: {{ .Values.global.podTerminationGracePeriodSeconds }}
+          containers:
+            - name: {{ .Chart.Name }}
+              securityContext:
+                {{- if hasKey .Values.global "lowPrivilegeSecurityPolicy" }}
+                {{- toYaml .Values.global.lowPrivilegeSecurityPolicy | nindent 16 }}
+                {{- else }}
+                {{- toYaml .Values.securityContext | nindent 16 }}
+                {{- end }}
+              image: "{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+              imagePullPolicy: {{ .Values.image.pullPolicy }}
+              command:
+              - "/usr/bin/wiz-admission-controller"
+              - "manager"
+              {{- include "spec.common.commandArgs" . | trim | nindent 14 }}
+              {{- include "autoUpdate.deployments.arg" . | trim | nindent 14 }}
+              # Auto update flags
+              - "--auto-update-enabled={{ .Values.wizManager.autoRolloutRestart.enabled }}"
+              - "--release-namespace={{ .Release.Namespace }}"
+              env:
+              {{- include "spec.common.envVars" . | trim | nindent 14 }}
+              resources:
+              {{- include "wiz-admission-controller.resources" . | trim | nindent 16 }}
+              {{- with .Values.customVolumeMounts }}
+                {{- toYaml . | nindent 14 }}
+              {{- end }}
+              {{- with .Values.global.customVolumeMounts }}
+                {{- toYaml . | nindent 14 }}
+              {{- end }}
+          volumes:
+            {{- with .Values.customVolumes }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+            {{- with .Values.global.customVolumes }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- with (coalesce .Values.global.nodeSelector .Values.nodeSelector) }}
+          nodeSelector:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with (coalesce .Values.global.affinity .Values.affinity) }}
+          affinity:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with (coalesce .Values.global.tolerations .Values.tolerations) }}
+          tolerations:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+{{- end }}