WZ-61859-remediation sa (#570)

* WZ-61859-remediation sa

* WZ-61859-remediation sa

* WZ-61859-remediation sa

* WZ-61859-remediation sa

* WZ-61859-remediation sa

* WZ-61859-remediation sa

* WZ-61859-remediation sa

* WZ-61859-remediation sa

* WZ-61859-remediation sa

* WZ-61859-remediation sa

* WZ-61859-remediation sa

* WZ-61859-remediation sa

Author: orrshamli2

.circleci/tests/golden/wiz-outpost-lite/remediation.golden.yaml

@@ -0,0 +1,194 @@
+---
+# Source: wiz-outpost-lite/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sa-remediation-aws-rds-003
+  labels:
+    helm.sh/chart: "GOLDEN_STATIC_VALUE"
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    wiz.io/runner: "remediation-aws-rds-003"
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+---
+# Source: wiz-outpost-lite/templates/credentials.secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: outpost-lite-agent-creds
+  labels:
+    helm.sh/chart: "GOLDEN_STATIC_VALUE"
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+stringData:
+  clientId: "client-1"
+  clientSecret: "secret-2"
+---
+# Source: wiz-outpost-lite/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: release-test-wiz-outpost-lite-remediation-aws-rds-003
+  labels:
+    helm.sh/chart: "GOLDEN_STATIC_VALUE"
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    wiz.io/runner: "remediation-aws-rds-003"
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  ports:
+    - port: 9090
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+  selector:
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    wiz.io/runner: "remediation-aws-rds-003"
+---
+# Source: wiz-outpost-lite/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: release-test-wiz-outpost-lite-remediation-aws-rds-003
+  labels:
+    helm.sh/chart: "GOLDEN_STATIC_VALUE"
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    wiz.io/runner: "remediation-aws-rds-003"
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: wiz-outpost-lite
+      app.kubernetes.io/instance: release-test
+      wiz.io/runner: "remediation-aws-rds-003"
+  template:
+    metadata:
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/wiz-outpost-lite-remediation-aws-rds-003: unconfined
+      labels:
+        app.kubernetes.io/name: wiz-outpost-lite
+        app.kubernetes.io/instance: release-test
+        wiz.io/runner: "remediation-aws-rds-003"
+    spec:
+      serviceAccountName: sa-remediation-aws-rds-003
+      restartPolicy: Always
+      containers:
+        - name: wiz-outpost-lite-remediation-aws-rds-003
+          image: "wizio.azurecr.io/outpost-lite-runner-remediation:0.1-latest"
+          command: [ "/entrypoint"]
+          imagePullPolicy: Always
+          env:
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          - name: K8S_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: K8S_POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: OUTPOST
+            value: "1"
+          - name: WIZ_OUTPOST_ID
+            value: "my-outpost-id"
+          - name: WIZ_OUTPOST_RUNNER_ID
+            value: "remediation-aws-rds-003"
+          - name: WIZ_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: outpost-lite-agent-creds
+                key: clientId
+          - name: WIZ_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: outpost-lite-agent-creds
+                key: clientSecret
+          - name: OUTPOST_LITE_RUNNER_REGION
+            value: "partition-1"
+          - name: OUTPOST_LITE_RUNNER_METRICS_PORT
+            value: "9090"
+          - name: OUTPOST_LITE_RUNNER_AUTO_UPDATE
+            value: "1"
+          - name: http_proxy
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "httpProxy"
+                optional: true
+          - name: HTTP_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "httpProxy"
+                optional: true
+          - name: https_proxy
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "httpsProxy"
+                optional: true
+          - name: HTTPS_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "httpsProxy"
+                optional: true
+          - name: no_proxy
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "noProxyAddress"
+                optional: true
+          - name: NO_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "noProxyAddress"
+                optional: true
+          - name: SSL_CERT_DIR
+            value: "/usr/local/share/ca-certificates/:/certificates/"
+          ports:
+            - name: metrics
+              containerPort: 9090
+              protocol: TCP
+          resources:
+            limits:
+              memory: 4396M
+            requests:
+              memory: 1024M
+          securityContext:
+            capabilities:
+              add:
+              - SYS_ADMIN
+            seLinuxOptions:
+              type: spc_t
+          volumeMounts:
+            - mountPath: /var/wiz
+              name: working-dir
+            - mountPath: /usr/local/share/ca-certificates/
+              name: ca-certificate
+              readOnly: true
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: working-dir
+          emptyDir: {}
+        - name: ca-certificate
+          secret:
+            defaultMode: 420
+            secretName: "wiz-http-proxy-configuration"
+            items:
+              - key: caCertificate
+                path: root.crt
+            optional: true

.circleci/tests/testfiles/wiz-outpost-lite/remediation.yaml

@@ -0,0 +1,11 @@
+agent:
+  secretName: outpost-lite-agent-creds
+  clientId: "client-1"
+  clientSecret: "secret-2"
+  outpostId: "my-outpost-id"
+
+runners:
+  remediation-aws-rds-003:
+    enabled: true
+    serviceAccount:
+      create: true

wiz-outpost-lite/templates/deployment.yaml

@@ -25,6 +25,9 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      {{- if .Values.serviceAccount.create }}
+      serviceAccountName: sa-{{ .runner }}
+      {{- end }}
       restartPolicy: Always
       {{- if .Values.affinity }}
       affinity:

wiz-outpost-lite/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- range $values := (include "wiz-outpost-lite.runners" . | fromJson) }}
+{{- with merge $values (omit $ "Values") }}
+{{- if and .Values.enabled .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sa-{{ .runner }}
+  labels:
+    {{- include "wiz-outpost-lite.labels" . | nindent 4 }}
+---
+{{- end }}
+{{- end }}
+{{- end }}

wiz-outpost-lite/values.yaml

@@ -71,6 +71,9 @@ httpProxyConfiguration:
 
 terminationGracePeriodSeconds: 30
 
+serviceAccount:
+    create: false
+
 runners:
   container-registry:
     enabled: false