merge

nitzanzuler · nitzanzuler · commit 791d74eca767 · 2024-11-05T14:12:42.000+02:00
diff --git a/.circleci/package_index.sh b/.circleci/package_index.sh
@@ -6,8 +6,33 @@ PACKAGE_FULL_NAME="${PACKAGE}-${PACKAGE_VERSION}.tgz"
 git config user.email "circleci@wiz.io"
 git config user.name "CircleCI"
 
-# Update package dependencies
-helm dependency update $PACKAGE
+ATTEMPTS=20
+SLEEP_INTERVAL=30
+
+for i in $(seq 1 $ATTEMPTS); do
+    set +e
+    # Try updating package dependencies
+    output=$(helm dependency update $PACKAGE 2>&1)
+    exit_code=$?
+    set -e
+
+    if echo "$output" | grep -q "can't get a valid version"; then
+        echo "Attempt $i/$ATTEMPTS: Dependency not available yet. Retrying in $SLEEP_INTERVAL seconds..."
+        sleep $SLEEP_INTERVAL
+    elif [ $exit_code -eq 0 ]; then
+        echo "Dependency update succeeded."
+        break
+    else
+        echo "Error: $output"
+        exit 1
+    fi
+done
+
+if [ $i -eq $ATTEMPTS ]; then
+    echo "Failed to update dependencies after $ATTEMPTS attempts with the following error:"
+    echo "$output"
+    exit 1
+fi
 
 # Package the chart with diffs
 helm package $PACKAGE
diff --git a/flux2/Chart.yaml b/flux2/Chart.yaml
@@ -8,4 +8,4 @@ name: flux2
 sources:
   - https://github.com/fluxcd-community/helm-charts
 type: application
-version: 2024.10.08-rc
+version: 2024.10.30
diff --git a/git-proxy/Chart.yaml b/git-proxy/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2024.10.08-rc
+version: 2024.10.30
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/git-proxy/values.yaml b/git-proxy/values.yaml
@@ -61,7 +61,7 @@ image:
   namePrefix: wiz-git-proxy
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "89ac334c3c709b3d9ab72ae32234611f82da1b82-multiarch"
+  tag: "85fae5662b6d70b9b7850b5446ccda64ddf5b8ce-multiarch"
 
 imagePullSecrets: []
 nameOverride: ""
diff --git a/wiz-admission-controller/templates/_helpers.tpl b/wiz-admission-controller/templates/_helpers.tpl
@@ -53,6 +53,14 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{- define "wiz-hpa-enforcer.name" -}}
+{{- printf "%s-hpa" (include "wiz-admission-controller.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "wiz-hpa-audit-logs.name" -}}
+{{- printf "%s-hpa" (include "wiz-kubernetes-audit-log-collector.name" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -126,6 +134,21 @@ app.kubernetes.io/name: {{ include "wiz-admission-controller-manager.name" . }}
 {{ include "wiz-admission-controller-manager.selectorLabels" . }}
 {{- end }}
 
+{{/*
+Wiz Horizontal Pod Autoscaler labels
+*/}}
+
+{{- define "wiz-hpa-enforcer.labels" -}}
+{{ include "wiz-admission-controller.labels" . }}
+app.kubernetes.io/name: {{ include "wiz-hpa-enforcer.name" . }}
+{{- end }}
+
+{{- define "wiz-hpa-audit-logs.labels" -}}
+{{ include "wiz-admission-controller.labels" . }}
+app.kubernetes.io/name: {{ include "wiz-hpa-audit-logs.name" . }}
+{{- end }}
+
+
 {{/*
 
 {{/*
@@ -220,6 +243,43 @@ Use for debug purpose only.
 {{- . | mustToPrettyJson | printf "\nThe JSON output of the dumped var is: \n%s" | fail }}
 {{- end -}}
 
+{{- define "wiz-admission-controller.resources" -}}
+{{- if hasKey .Values "resources" }}
+{{- toYaml .Values.resources }}
+{{- else -}}
+{{- if .Values.hpa.enabled }}
+requests:
+    cpu: 500m
+    memory: 300Mi
+{{- else }}
+{}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "wiz-admission-controller.isEnforcerEnabled" -}}
+  {{- if or .Values.opaWebhook.enabled .Values.imageIntegrityWebhook.enabled .Values.debugWebhook.enabled }}
+    true
+  {{- else }}
+    false
+  {{- end }}
+{{- end }}
+
+{{- define "wiz-admission-controller.hpaBehavior" -}}
+{{- if hasKey .Values.hpa "behavior" }}
+{{- toYaml .Values.hpa.behavior }}
+{{- else -}}
+scaleUp:
+  stabilizationWindowSeconds: 300
+scaleDown:
+  stabilizationWindowSeconds: 300
+  policies:
+  - type: Pods
+    value: 1
+    periodSeconds: 300
+{{- end -}}
+{{- end -}}
+
 {{- define "autoUpdate.deployments" -}}
 {{- $list := list -}}
 {{- if or .Values.opaWebhook.enabled .Values.imageIntegrityWebhook.enabled .Values.debugWebhook.enabled -}}
diff --git a/wiz-admission-controller/templates/deploymentauditlogs.yaml b/wiz-admission-controller/templates/deploymentauditlogs.yaml
@@ -7,7 +7,9 @@ metadata:
   labels:
     {{- include "wiz-kubernetes-audit-log-collector.labels" . | nindent 4 }}
 spec:
+  {{- if not .Values.hpa.enabled }}
   replicas: {{ .Values.kubernetesAuditLogsWebhook.replicaCount }}
+  {{- end }}
   selector:
     matchLabels:
       {{- include "wiz-admission-controller.selectorLabels" . | nindent 6 }}
@@ -188,7 +190,7 @@ spec:
             value: "{{ .Values.global.istio.proxySidecarPort }}"
           {{- end }}
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- include "wiz-admission-controller.resources" . | nindent 12 }}
           volumeMounts:
           - mountPath: /var/server-certs
             name: server-certs
diff --git a/wiz-admission-controller/templates/deploymentenforcement.yaml b/wiz-admission-controller/templates/deploymentenforcement.yaml
@@ -7,7 +7,9 @@ metadata:
   labels:
     {{- include "wiz-admission-controller-enforcement.labels" . | nindent 4 }}
 spec:
+  {{- if not .Values.hpa.enabled }}
   replicas: {{ .Values.replicaCount }}
+  {{- end }}
   selector:
     matchLabels:
       {{- include "wiz-admission-controller.selectorLabels" . | nindent 6 }}
@@ -217,7 +219,7 @@ spec:
             value: "{{ .Values.global.istio.proxySidecarPort }}"
           {{- end }}
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+            {{- include "wiz-admission-controller.resources" . | nindent 12 }}
           volumeMounts:
           - mountPath: /var/cache
             name: cache
diff --git a/wiz-admission-controller/templates/hpa.yaml b/wiz-admission-controller/templates/hpa.yaml
@@ -0,0 +1,78 @@
+{{- if .Values.hpa.enabled }}
+{{- $isEnabled := include "wiz-admission-controller.isEnforcerEnabled" . | trim | lower }}
+{{- if eq $isEnabled "true" }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "wiz-hpa-enforcer.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "wiz-hpa-enforcer.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "wiz-admission-controller.fullname" . }}
+  minReplicas: {{ .Values.hpa.minReplicas }}
+  maxReplicas: {{ .Values.hpa.maxReplicas }}
+  metrics:
+    {{- if .Values.hpa.enableCPU }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.hpa.enableMemory }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.hpa.targetMemoryUtilizationPercentage }}
+    {{- end }}
+    {{- with .Values.hpa.customMetrics }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  behavior: {{ include "wiz-admission-controller.hpaBehavior" . | nindent 4 }}
+---
+{{- end }}
+{{ if .Values.kubernetesAuditLogsWebhook.enabled -}}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "wiz-hpa-audit-logs.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "wiz-hpa-audit-logs.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "wiz-kubernetes-audit-log-collector.name" . }}
+  minReplicas: {{ .Values.hpa.minReplicas }}
+  maxReplicas: {{ .Values.hpa.maxReplicas }}
+  metrics:
+    {{- if .Values.hpa.enableCPU }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.hpa.enableMemory }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.hpa.targetMemoryUtilizationPercentage }}
+    {{- end }}
+    {{- with .Values.hpa.customMetrics }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  behavior: {{ include "wiz-admission-controller.hpaBehavior" . | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/wiz-admission-controller/templates/opawebhook.yaml b/wiz-admission-controller/templates/opawebhook.yaml
@@ -163,7 +163,8 @@ webhooks:
   failurePolicy: {{ .Values.debugWebhook.failurePolicy }}
   sideEffects: {{ .Values.debugWebhook.sideEffects }}
 {{- end }}
-{{- if and (or .Values.opaWebhook.enabled .Values.imageIntegrityWebhook.enabled .Values.kubernetesAuditLogsWebhook.enabled .Values.debugWebhook.enabled) (not $useCertManagerCerts) }}
+{{- $isEnabled := include "wiz-admission-controller.isEnforcerEnabled" . | trim | lower }}
+{{- if and (eq $isEnabled "true") (not $useCertManagerCerts) }}
 ---
 apiVersion: v1
 kind: Secret
diff --git a/wiz-admission-controller/templates/service.yaml b/wiz-admission-controller/templates/service.yaml
@@ -1,4 +1,5 @@
-{{- if or .Values.opaWebhook.enabled .Values.imageIntegrityWebhook.enabled .Values.debugWebhook.enabled}}
+{{- $isEnabled := include "wiz-admission-controller.isEnforcerEnabled" . | trim | lower }}
+{{- if eq $isEnabled "true" }}
 ---
 apiVersion: v1
 kind: Service
diff --git a/wiz-admission-controller/values.yaml b/wiz-admission-controller/values.yaml
@@ -39,6 +39,8 @@ httpProxyConfiguration:
   httpsProxy: "" # URL to use as a proxy for outbound HTTPS traffic.
   noProxyAddress: # Comma or space-separated list of machine or domain names.
 
+# When Horizontal Pod Autoscaling (`hpa.enabled`) is enabled (`true`),
+# this field is discarded and set to an empty value.
 replicaCount: 2
 
 # Use PodDisruptionBudget for the admission controller enforcer deployment.
@@ -390,9 +392,15 @@ tlsCertificate:
   tlsCertificate: ""
   tlsKey: ""
 
-resources: {}
-  # The recommended values should vary depending on the load in each cluster, the number of replicas, and more.
-  # To make sure we cover most cases, the following is a suggestion for environments with a high load, we recommend adjusting it based on your needs.
+# Uncomment the `resources` section below to specify custom resource requests and limits.
+# If left blank, and Horizontal Pod Autoscaling (`hpa.enabled`) is enabled, the following defaults will be applied:
+#   requests:
+#     cpu: 500m
+#     memory: 300Mi
+#
+# resources:
+  ## The recommended values should vary depending on the load in each cluster, the number of replicas, and more.
+  ## To make sure we cover most cases, the following is a suggestion for environments with a high load, we recommend adjusting it based on your needs.
   # requests:
   #   cpu: 0.5
   #   memory: 256M
@@ -426,6 +434,30 @@ probes: # Probes config for the container
     timeoutSeconds: 30
     failureThreshold: 3
 
+# Horizontal Pod Autoscaling.
+# Prerequisites: metrics-server installed on the cluster:
+# https://github.com/kubernetes-sigs/metrics-server
+hpa:
+  enabled: false
+  minReplicas: 2
+  maxReplicas: 5
+  enableCPU: true
+  targetCPUUtilizationPercentage: 80
+  enableMemory: false
+  targetMemoryUtilizationPercentage: 80
+  customMetrics: []
+  # Uncomment the `behavior` section below to specify custom scaling policies and behavior.
+  # If left blank, the following default settings are applied:
+  # behavior:
+  #   scaleUp:
+  #     stabilizationWindowSeconds: 300
+  #   scaleDown:
+  #     stabilizationWindowSeconds: 300
+  #     policies:
+  #     - type: Pods
+  #       value: 1
+  #       periodSeconds: 300
+
 wizManager:
   enabled: true # Should the Wiz Manager be deployed.
 
@@ -447,9 +479,6 @@ wizManager:
     # If empty, a name is generated using the nameOverride
     name: ""
 
-
-
-
 # Global values to override chart values.
 global:
   nameOverride: "" # Override the release’s name.
diff --git a/wiz-broker/Chart.yaml b/wiz-broker/Chart.yaml
@@ -4,5 +4,5 @@ description: Wiz Broker for tunneling http traffic to Wiz backend
 
 type: application
 
-version: 2.1.0-preview
+version: 2.1.0
 appVersion: "2.5"
diff --git a/wiz-kubernetes-connector/Chart.yaml b/wiz-kubernetes-connector/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.1.0-preview
+version: 3.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -27,5 +27,5 @@ dependencies:
   - name: wiz-broker
     repository: https://wiz-sec.github.io/charts
 #    repository: "file://../wiz-broker" # Use this line to test the chart locally
-    version: ">=2.1.0-preview"
+    version: ">=2.1.0"
     condition: wiz-broker.enabled
diff --git a/wiz-kubernetes-integration/Chart.yaml b/wiz-kubernetes-integration/Chart.yaml
@@ -2,20 +2,20 @@ apiVersion: v2
 name: wiz-kubernetes-integration
 description: A Helm chart for Kubernetes
 type: application
-version: 0.2.2-preview
+version: 0.2.11
 appVersion: ""
 
 # Dependencies for wiz-kubernetes connector and wiz-admission-controller and wiz-sensor
 dependencies:
 - name: wiz-kubernetes-connector
   repository: https://wiz-sec.github.io/charts
-  version: ">=3.1.0-preview"
+  version: ">=3.1.0"
   condition: wiz-kubernetes-connector.enabled
 - name: "wiz-admission-controller"
   repository: https://wiz-sec.github.io/charts
-  version:  ">=3.6.0-preview"
+  version:  ">=3.6.0"
   condition: wiz-admission-controller.enabled
 - name: wiz-sensor
   repository: https://wiz-sec.github.io/charts
-  version: ">=1.0.4470"
+  version: ">=1.0.4708"
   condition: wiz-sensor.enabled
diff --git a/wiz-outpost-configuration/Chart.yaml b/wiz-outpost-configuration/Chart.yaml
diff --git a/wiz-outpost-lite/Chart.yaml b/wiz-outpost-lite/Chart.yaml
diff --git a/wiz-sensor/Chart.yaml b/wiz-sensor/Chart.yaml
diff --git a/wiz-sensor/templates/daemonset.yaml b/wiz-sensor/templates/daemonset.yaml
diff --git a/wiz-sensor/templates/openshift.yaml b/wiz-sensor/templates/openshift.yaml
diff --git a/wiz-sensor/values.yaml b/wiz-sensor/values.yaml
