cronjob

Author: nitzanzuler

wiz-admission-controller/templates/_helpers.tpl

@@ -215,7 +215,6 @@ Use for debug purpose only.
 {{- . | mustToPrettyJson | printf "\nThe JSON output of the dumped var is: \n%s" | fail }}
 {{- end -}}
 
-
 {{- define "autoUpdate.deployments" -}}
 {{- $list := list -}}
 {{- if or .Values.opaWebhook.enabled .Values.imageIntegrityWebhook.enabled .Values.debugWebhook.enabled -}}
@@ -224,5 +223,13 @@ Use for debug purpose only.
 {{- if .Values.kubernetesAuditLogsWebhook.enabled -}}
 {{- $list = append $list (include "wiz-kubernetes-audit-log-collector.name" . ) -}}
 {{- end -}}
---auto-update-deployments={{ $list | toJson }}
+{{- $list | toJson -}}
+{{- end -}}
+
+{{- define "autoUpdate.deployments.arg" -}}
+{{- $x := include "autoUpdate.deployments" .  -}}
+{{- $x = replace "[" "" $x -}}
+{{- $x = replace "]" "" $x -}}
+{{- $x = replace "\"" "" $x -}}
+- "--update-deployments={{ $x }}"
 {{- end -}}

wiz-admission-controller/templates/cronjobmanager.yaml

@@ -0,0 +1,205 @@
+{{ if and .Values.wizManager.enabled -}}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "wiz-admission-controller-manager.name" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "wiz-admission-controller-manager.labels" . | nindent 4 }}
+spec:
+  schedule: "{{ .Values.wizManager.schedule }}"
+  concurrencyPolicy: Forbid  # Ensures only one job instance runs at a time
+  jobTemplate:
+    spec:
+      activeDeadlineSeconds: {{ .Values.wizManager.timeoutSeconds }}
+      ttlSecondsAfterFinished: {{ .Values.wizManager.cleanupJobSeconds }}
+      template:
+        metadata:
+          annotations:
+            rollme.proxyHash: {{ include "wiz-admission-controller.proxyHash" . }}
+            rollme.wizApiTokenHash: {{ include "wiz-admission-controller.wizApiTokenHash" . }}
+            rollme.webhookCert: {{ include (print $.Template.BasePath "/opawebhook.yaml") . | sha256sum }}
+            {{- with (coalesce .Values.global.podAnnotations .Values.podAnnotations) }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+          labels:
+            {{- include "wiz-admission-controller-manager.labels" . | nindent 12 }}
+            {{- with (coalesce .Values.global.podLabels .Values.podLabels) }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+        spec:
+          restartPolicy: Never
+          {{- if .Values.priorityClassName }}
+          priorityClassName: {{ .Values.priorityClassName }}
+          {{- end }}
+          {{- with (coalesce .Values.global.imagePullSecrets .Values.imagePullSecrets) }}
+          imagePullSecrets:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          serviceAccountName: {{ include "wiz-admission-controller.serviceAccountName" . }}
+          securityContext:
+            {{- if hasKey .Values.global "lowPrivilegePodSecurityPolicy" }}
+              {{- toYaml .Values.global.lowPrivilegePodSecurityPolicy | nindent 12 }}
+            {{- else }}
+              {{- toYaml .Values.podSecurityContext | nindent 12 }}
+            {{- end }}
+          {{- if .Values.hostNetwork }}
+          hostNetwork: true
+          {{- end }}
+          terminationGracePeriodSeconds: {{ .Values.global.podTerminationGracePeriodSeconds }}
+          containers:
+            - name: {{ .Chart.Name }}
+              securityContext:
+                {{- if hasKey .Values.global "lowPrivilegeSecurityPolicy" }}
+                {{- toYaml .Values.global.lowPrivilegeSecurityPolicy | nindent 16 }}
+                {{- else }}
+                {{- toYaml .Values.securityContext | nindent 16 }}
+                {{- end }}
+              image: "{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+              imagePullPolicy: {{ .Values.image.pullPolicy }}
+              readinessProbe:
+                httpGet:
+                  path: /ready
+                  port: {{ .Values.healthPort }}
+                  scheme: HTTPS
+                {{- toYaml .Values.probes.readinessProbe | nindent 16 }}
+              livenessProbe:
+                httpGet:
+                  path: /live
+                  port: {{ .Values.healthPort }}
+                  scheme: HTTPS
+                {{- toYaml .Values.probes.livenessProbe | nindent 16 }}
+              startupProbe:
+                httpGet:
+                  path: /ready
+                  port: {{ .Values.healthPort }}
+                  scheme: HTTPS
+                {{- toYaml .Values.probes.startupProbe | nindent 16 }}
+              command:
+                - "/usr/bin/wiz-admission-controller"
+                - "manager"
+                # Auto update flags
+                - "--wiz-force-update-enabled={{ .Values.wizManager.rolloutRestart.wizForceEnabled }}"
+                - "--periodic-restart-interval={{ .Values.wizManager.rolloutRestart.interval }}"
+                - "--release-namespace={{ .Release.Namespace }}"
+                {{- include "autoUpdate.deployments.arg" . | trim | nindent 16 -}}
+                # Server flags
+                - "--tls-private-key-file=/var/server-certs/tls.key"
+                - "--tls-cert-file=/var/server-certs/tls.crt"
+                # Cluster identification flags
+                - "--cluster-external-id={{ coalesce .Values.global.clusterExternalId .Values.webhook.clusterExternalId }}"
+              {{- with (coalesce .Values.global.subscriptionExternalId .Values.webhook.subscriptionExternalId) }}
+                - --subscription-external-id
+                - {{ . | quote }}
+              {{- end }}
+              {{- with (coalesce .Values.global.clusterTags .Values.webhook.clusterTags) }}
+                - --cluster-tags
+                - {{ . | toJson | quote }}
+              {{- end }}
+              {{- with (coalesce .Values.global.subscriptionTags .Values.webhook.subscriptionTags) }}
+                - --subscription-tags
+                - {{ . | toJson | quote }}
+              {{- end }}
+              env:
+              {{- if not .Values.wizApiToken.usePodCustomEnvironmentVariablesFile }}
+                - name: WIZ_CLIENT_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ include "wiz-admission-controller.secretApiTokenName" . | trim }}
+                      key: clientId
+                      optional: false
+                - name: WIZ_CLIENT_TOKEN
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ include "wiz-admission-controller.secretApiTokenName" . | trim }}
+                      key: clientToken
+                      optional: false
+              {{- end }}
+                - name: WIZ_ENV
+                  value: {{ coalesce .Values.global.wizApiToken.clientEndpoint .Values.wizApiToken.clientEndpoint | quote }}
+              {{- if or .Values.global.httpProxyConfiguration.enabled .Values.httpProxyConfiguration.enabled }}
+                - name: HTTP_PROXY
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ include "wiz-admission-controller.proxySecretName" . | trim }}
+                      key: httpProxy
+                      optional: false
+                - name: HTTPS_PROXY
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ include "wiz-admission-controller.proxySecretName" . | trim }}
+                      key: httpsProxy
+                      optional: false
+                - name: NO_PROXY
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ include "wiz-admission-controller.proxySecretName" . | trim }}
+                      key: noProxyAddress
+                      optional: false
+              {{- end }}
+              {{- if .Values.logLevel }}
+                - name: LOG_LEVEL
+                  value: {{ .Values.logLevel }}
+              {{- end }}
+              {{- with .Values.podCustomEnvironmentVariables }}
+                {{- toYaml . | nindent 14 }}
+              {{- end }}
+              {{- with .Values.global.podCustomEnvironmentVariables }}
+                {{- toYaml . | nindent 14 }}
+              {{- end }}
+              {{- if .Values.podCustomEnvironmentVariablesFile }}
+                - name: CLI_ENV_FILE
+                  value: {{ .Values.podCustomEnvironmentVariablesFile }}
+                - name: USE_CLI_ENV_FILE
+                  value: "true"
+              {{- end }}
+                - name: WIZ_RUNTIME_METADATA_POD_NAME
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.name
+                - name: WIZ_RUNTIME_METADATA_NODE_NAME
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: spec.nodeName
+                - name: K8S_NAMESPACE
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.namespace
+                - name: WIZ_TERMINATION_GRACE_PERIOD
+                  value: "{{ .Values.global.podTerminationGracePeriodSeconds }}s"
+              resources:
+                {{- toYaml .Values.resources | nindent 16 }}
+              volumeMounts:
+                - mountPath: /var/server-certs
+                  name: server-certs
+                  readOnly: true
+              {{- with .Values.customVolumeMounts }}
+                {{- toYaml . | nindent 14 }}
+              {{- end }}
+              {{- with .Values.global.customVolumeMounts }}
+                {{- toYaml . | nindent 14 }}
+              {{- end }}
+          volumes:
+            - name: server-certs
+              secret:
+                defaultMode: 444
+                secretName: {{ include "wiz-admission-controller.secretServerCert" . | trim }}
+            {{- with .Values.customVolumes }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+            {{- with .Values.global.customVolumes }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+          {{- with (coalesce .Values.global.nodeSelector .Values.nodeSelector) }}
+          nodeSelector:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with (coalesce .Values.global.affinity .Values.affinity) }}
+          affinity:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with (coalesce .Values.global.tolerations .Values.tolerations) }}
+          tolerations:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+{{- end }}

wiz-admission-controller/templates/deploymentauditlogs.yaml

@@ -82,7 +82,6 @@ spec:
           command:
           - "/usr/bin/wiz-admission-controller"
           - "--readiness-port={{ .Values.healthPort }}"
-          - "--status-port={{ .Values.statusPort }}"
             # Server flags
           - "--port={{ .Values.service.targetPort }}"
           - "--tls-private-key-file=/var/server-certs/tls.key"
@@ -111,8 +110,6 @@ spec:
           - "--misconfiguration-enabled=false"
           - "--image-integrity-enabled=false"
           env:
-          - name: WIZ_UPLOAD_BACKEND_STORAGE # TODO: remove once this is removed from the code
-            value: "true"
           {{- if not .Values.wizApiToken.usePodCustomEnvironmentVariablesFile }}
           - name: WIZ_CLIENT_ID
             valueFrom:
@@ -199,7 +196,7 @@ spec:
       volumes:
         - name: server-certs
           secret:
-            defaultMode: 444
+            defaultMode: 4
             secretName: {{ include "wiz-admission-controller.secretServerCert" . | trim }}
         {{- with .Values.customVolumes }}
           {{- toYaml . | nindent 8 }}

wiz-admission-controller/templates/deploymentenforcement.yaml

@@ -82,7 +82,6 @@ spec:
           command:
           - "/usr/bin/wiz-admission-controller"
           - "--readiness-port={{ .Values.healthPort }}"
-          - "--status-port={{ .Values.statusPort }}"
           # Server flags
           - "--port={{ .Values.service.targetPort }}"
           - "--tls-private-key-file=/var/server-certs/tls.key"