Update charts with latest changes

Author: circleci-wiz

wiz-kubernetes-integration/Chart.yaml

@@ -17,5 +17,5 @@ dependencies:
   condition: wiz-admission-controller.enabled
 - name: wiz-sensor
   repository: https://wiz-sec.github.io/charts
-  version: ">=1.0.6440"
+  version: ">=1.0.6572"
   condition: wiz-sensor.enabled

wiz-outpost-configuration/templates/networkAnalyzer.job.yaml

@@ -0,0 +1,163 @@
+
+{{- if .Values.networkAnalyzer.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  {{- if .Values.networkAnalyzer.rollingUpdate }}
+  name: "{{ .Values.networkAnalyzer.name }}-{{ now | unixEpoch }}"
+  {{else}}
+  name: "{{ .Values.networkAnalyzer.name }}"
+  {{- end }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "wiz-outpost-configuration.labels" . | nindent 4 }}
+  annotations:
+    "meta.helm.sh/release-name": "{{ .Release.Name }}"
+    "meta.helm.sh/release-namespace": "{{ .Release.Namespace }}"
+    "helm.sh/hook": "pre-install,pre-upgrade"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+spec:
+  ttlSecondsAfterFinished: 0
+  manualSelector: true
+  selector:
+    matchLabels:
+      {{- include "wiz-outpost-configuration.selectorLabels" . | nindent 6 }}
+  backoffLimit: 1
+  template:
+    metadata:
+      {{- with (coalesce .Values.podAnnotations) }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "wiz-outpost-configuration.labels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "wiz-outpost-configuration.serviceAccountName" . | trim }}
+      restartPolicy: "Never"
+      securityContext:
+        fsGroup: 1000
+        supplementalGroups:
+          - 1000
+      containers:
+        - name: wiz-network-analyzer
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            privileged: false
+            allowPrivilegeEscalation: false
+          image: "{{ .Values.networkAnalyzer.image.repository }}/{{ .Values.networkAnalyzer.image.namePrefix}}:{{ .Values.networkAnalyzer.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.networkAnalyzer.image.pullPolicy }}
+          command:
+            - "wiz-network-analyzer"
+          args:
+            - analyze
+            - --output
+            - /tmp
+            {{- with .Values.networkAnalyzer.outpostId }}
+            - --outpost-id
+            - {{ . | quote }}
+            {{- end }}
+            - --region
+            - {{ .Values.networkAnalyzer.wizRegion }}
+            {{- with .Values.networkAnalyzer.forceHttp1 }}
+            - --http1
+            {{- end }}
+          env:
+          - name: LOG_LEVEL
+            value: "info"
+          {{- with .Values.networkAnalyzer.env }}
+          - name: ENV
+            value: {{ . | quote }}
+          {{- end}}
+          {{- with .Values.networkAnalyzer.outpostId }}
+          - name: WIZ_OUTPOST_ID
+            value: {{ . | quote }}
+          {{- end }}
+          - name: WIZ_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.agentCredsSecretName }}
+                key: clientId
+          - name: WIZ_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.agentCredsSecretName }}
+                key: clientSecret
+          - name: WIZ_DATA_CENTER
+            value: {{ .Values.networkAnalyzer.dataCenter | quote }}
+          - name: http_proxy
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.httpProxyConfiguration.name | quote }}
+                key: "httpProxy"
+                optional: true
+          - name: HTTP_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.httpProxyConfiguration.name | quote }}
+                key: "httpProxy"
+                optional: true
+          - name: https_proxy
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.httpProxyConfiguration.name | quote }}
+                key: "httpsProxy"
+                optional: true
+          - name: HTTPS_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.httpProxyConfiguration.name | quote }}
+                key: "httpsProxy"
+                optional: true
+          - name: no_proxy
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.httpProxyConfiguration.name | quote }}
+                key: "noProxyAddress"
+                optional: true
+          - name: NO_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.httpProxyConfiguration.name | quote }}
+                key: "noProxyAddress"
+                optional: true
+          - name: SSL_CERT_DIR
+            value: "/usr/local/share/ca-certificates/:/certificates/"
+          volumeMounts:
+          - mountPath: /tmp
+            name: tmp-dir
+          {{- if not .Values.networkAnalyzer.outpostId }}
+          - name: secrets
+            mountPath: /mnt/secrets/
+            readOnly: true
+          {{- end }}
+          resources:
+            {{- toYaml .Values.networkAnalyzer.resources | nindent 12 }}
+      volumes:
+      - name: tmp-dir
+        emptyDir: { }
+      - name: ca-certificate
+        secret:
+          defaultMode: 420
+          secretName: {{ .Values.httpProxyConfiguration.name | quote }}
+          items:
+            - key: caCertificate
+              path: root.crt
+          optional: true
+      {{- if not .Values.networkAnalyzer.outpostId }}
+      - name: secrets
+        projected:
+          sources:
+            - secret:
+                name: {{ .Values.agentCredsSecretName }}
+                items:
+                  - key: privateKey
+                    path: WIZ_PRIVATE_KEY
+      {{- end}}
+{{- end}}

wiz-outpost-configuration/templates/nodeHttpProxyConfiguration.gcp.ubuntu.yaml

@@ -72,6 +72,7 @@ metadata:
   name: node-initializer
   labels:
     app: default-init
+    {{- include "wiz-outpost-configuration.labels" . | nindent 4 }}
 spec:
   selector:
     matchLabels:
@@ -81,8 +82,13 @@ spec:
   template:
     metadata:
       labels:
+        {{- include "wiz-outpost-configuration.labels" . | nindent 8 }}
         name: node-initializer
         app: default-init
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
     spec:
       hostPID: true
       volumes:

wiz-outpost-configuration/values.yaml

@@ -48,3 +48,23 @@ serviceAccount:
   # The name of the service account to use.
   # If empty, a name is generated using the fullname template
   name: ""
+
+networkAnalyzer:
+  enabled: false
+  name: wiz-network-analyzer
+  outpostId: ""
+  wizRegion: ""
+  env: ""
+  dataCenter: ""
+  forceHttp1: false
+  image:
+    registry: public-registry.wiz.io/wiz-app
+    repository: wiz-network-analyzer
+    pullPolicy: Always
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: "0.1.3"
+
+  podAnnotations: {}
+  imagePullSecrets: []
+  resources: {}
+  rollingUpdate: true

wiz-sensor/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
-description: Wiz Sensor helm chart
-home: https://www.wiz.io/
 name: wiz-sensor
+description: Wiz Sensor helm chart
 type: application
-version: 1.0.6440
-appVersion: 1.0.6349
+home: https://www.wiz.io/
+version: 1.0.6572
+appVersion: 1.0.6572

wiz-sensor/templates/_helpers.tpl

@@ -149,10 +149,36 @@ log levels
 {{- end }}
 {{- end }}
 
+{{/*
+Registry Helpers
+*/}}
+{{- define "wiz-sensor.knownRegistries" -}}
+{{- list "wizio.azurecr.io" "wiziosensor.azurecr.io" "registry.wiz.io" | toJson -}}
+{{- end -}}
+
+{{/*
+Rule Validation
+*/}}
 {{- define "validate.values" -}}
 {{- if .Values.exposeMetrics }}
 {{- if .Values.hostNetwork }}
 {{- fail "Cannot set hostNetwork to true when exposeMetrics is set to true" }}
 {{- end }}
 {{- end }}
+
+{{- if .Values.fixedDefsVersion }}
+{{- if not (regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+$" .Values.fixedDefsVersion) }}
+{{- fail "fixedDefsVersion must be in major.minor.patch format (e.g. 1.2.3)" }}
+{{- end }}
+{{- end }}
+
+
+{{- if .Values.gkeAutopilotUseAllowlist }}
+{{- if empty .Values.image.sha256 }}
+{{- if not (has .Values.image.registry (include "wiz-sensor.knownRegistries" . | fromJsonArray)) }}
+{{- fail "If using gkeAutopilotUseAllowlist and a private repo, make sure to set the image.sha256 value to a specific version" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{- end }}

wiz-sensor/templates/daemonset.yaml

@@ -25,7 +25,7 @@ spec:
         prometheus.io/port: "{{ .Values.metricsPort }}"
       {{- end }}
 
-      {{- if or (semverCompare "<1.31" $kubeVersion) (.Values.oldAppArmorAnnotation) }}
+      {{- if and (not .Values.newAppArmorAnnotation) (or (semverCompare "<1.31" $kubeVersion) (.Values.oldAppArmorAnnotation)) }}
         container.apparmor.security.beta.kubernetes.io/wiz-sensor: unconfined
         {{- if .Values.diskScan.enabled }}
         container.apparmor.security.beta.kubernetes.io/wiz-disk-scanner: unconfined
@@ -78,7 +78,11 @@ spec:
       containers:
       - name: wiz-sensor
         {{- if (coalesce .Values.global.image.registry .Values.image.registry) }}
+          {{- if .Values.image.sha256 }}
+        image: {{ printf "%s/%s@sha256:%s" (coalesce .Values.global.image.registry .Values.image.registry) .Values.image.repository .Values.image.sha256 }}
+          {{- else }}
         image: {{ printf "%s/%s:%s" (coalesce .Values.global.image.registry .Values.image.registry) .Values.image.repository .Values.image.tag }}
+          {{- end }}
         {{- else }}
         image: {{ printf "%s:%s" .Values.image.repository .Values.image.tag }}
         {{- end }}
@@ -156,7 +160,7 @@ spec:
         {{- end }}
           readOnlyRootFilesystem: true
 
-          {{- if and (semverCompare ">=1.30" $kubeVersion) (not .Values.oldAppArmorAnnotation) }}
+          {{- if or (.Values.newAppArmorAnnotation) (and (semverCompare ">=1.30" $kubeVersion) (not .Values.oldAppArmorAnnotation)) }}
           appArmorProfile:
             type: Unconfined
           {{- end }}
@@ -316,6 +320,10 @@ spec:
         {{- with .Values.global.podCustomEnvironmentVariables }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
+        {{- if .Values.fixedDefsVersion }}
+        - name: FIXED_DEFS_VERSION
+          value: {{ .Values.fixedDefsVersion }}
+        {{- end }}
 
         volumeMounts:
         {{- with .Values.customVolumeMounts }}
@@ -428,7 +436,7 @@ spec:
           runAsGroup: 2202
         {{- end }}
           readOnlyRootFilesystem: true
-          {{- if and (semverCompare ">=1.30" $kubeVersion) (not .Values.oldAppArmorAnnotation) }}
+          {{- if or (.Values.newAppArmorAnnotation) (and (semverCompare ">=1.30" $kubeVersion) (not .Values.oldAppArmorAnnotation)) }}
           appArmorProfile:
             type: Unconfined
           {{- end }}

wiz-sensor/values.yaml

@@ -75,6 +75,8 @@ debug: false
 
 # Force old-style annotation for AppArmor profile (compatibility with some gitops tools)
 oldAppArmorAnnotation: false
+# Force the use of an appArmorProfile element in the securityContext, and remove the old-style annotation, even for old Kubernetes versions
+newAppArmorAnnotation: false
 
 # The Sensor will sometimes cause its container to restart in order to check if a new docker image
 # version is available. Such a restart puts some increased load on the API-server and the node.
@@ -91,6 +93,10 @@ subscriptionExternalId: "" # Optional. Used to associate the installation with a
 clusterTags: {} # Optional. List of key: value tags to be added to KubernetesCluster object associated with this installation
 subscriptionTags: {} # Optional. List of key: value tags to be added to Subscription object associated with this installation
 
+# A fixed version of the definitions to use. Won't upgrade even when a new version is available.
+# Format: major.minor.patch
+fixedDefsVersion: ""
+
 # enable liveness probe for the sensor container
 livenessProbe:
   enabled: false
@@ -234,6 +240,9 @@ image:
   repository: sensor
   args: {}
   tag: "v1"
+  # The sha256 of the image to use. Should not be used normally. Exists for compatibility with GKE Autopilot
+  # with private registries. This overrides the tag variable when set.
+  sha256: ""
   pullPolicy: Always
   # the default is "wizio.azurecr.io/wiz-app/wiz-workload-scanner:v1"
   diskScanRepository: wiz-app/wiz-workload-scanner