Update charts with latest changes

Author: circleci-wiz

wiz-broker/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: "wiz-broker"
 description: Wiz Broker for tunneling http traffic to Wiz backend
 type: application
-version: 2.4.1
+version: 2.4.2
 appVersion: "2.8"
 dependencies:
   - name: wiz-common

wiz-broker/templates/_helpers.tpl

@@ -23,7 +23,9 @@ Deployment name.
 Service account name.
 */}}
 {{- define "wiz-broker.serviceAccountName" -}}
-{{ coalesce (.Values.serviceAccount.name) (printf "%s-wiz-broker-sa" .Release.Name) }}
+{{- if or .Values.serviceAccount.create (.Values.serviceAccount.name | trim) (and .Values.global.useHATunnel .Values.autoRolloutUpdate) -}}
+{{ coalesce (.Values.serviceAccount.name | trim) (printf "%s-wiz-broker-sa" .Release.Name | trim) }}
+{{- end -}}
 {{- end }}
 
 {{/*

wiz-broker/templates/serviceaccount.yaml

@@ -1,9 +1,9 @@
 {{- if .Values.enabled }}
-{{- if .Values.serviceAccount.create }}
+{{- if or .Values.serviceAccount.create (and (not (.Values.serviceAccount.name | trim)) .Values.global.useHATunnel .Values.autoRolloutUpdate) }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "wiz-broker.serviceAccountName" . | trim }}
+  name: {{ include "wiz-broker.serviceAccountName" . }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "wiz-broker.labels" . | nindent 4 }}
@@ -12,4 +12,39 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 {{- end }}
+---
+{{- if and .Values.global.useHATunnel .Values.autoRolloutUpdate }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "wiz-broker.serviceAccountName" . }}-self-rollout
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "wiz-broker.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    resourceNames:
+      - {{ include "wiz-broker.deploymentName" . }}
+    verbs: ["patch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "wiz-broker.serviceAccountName" . }}-self-rollout-rb
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "wiz-broker.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "wiz-broker.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace | quote }}
+roleRef:
+  kind: Role
+  name: {{ include "wiz-broker.serviceAccountName" . }}-self-rollout
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
 {{- end }}

wiz-broker/templates/wiz-broker-deployment.yaml

@@ -46,7 +46,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ .Values.serviceAccount.name }}
+      serviceAccountName: {{ include "wiz-broker.serviceAccountName" . }}
       securityContext:
         {{- if hasKey .Values.global "lowPrivilegePodSecurityPolicy" }}
         {{- toYaml .Values.global.lowPrivilegePodSecurityPolicy | nindent 8 }}
@@ -189,6 +189,49 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          - name: K8S_DEPLOYMENT_NAME
+            value: {{ include "wiz-broker.deploymentName" . }}
+          {{- if or .Values.global.istio.enabled .Values.istio.enabled }}
+          - name: WIZ_ISTIO_PROXY_ENABLED
+            value: "true"
+          - name: WIZ_ISTIO_PROXY_PORT
+            value: {{ coalesce .Values.global.istio.proxySidecarPort .Values.istio.proxySidecarPort | quote }}
+          {{- end }}
+          - name: WIZ_CHART_VERSION
+            value: "{{ .Chart.Version }}"
+          {{- if .Values.global.useHATunnel }}
+          - name: WIZ_USE_HATUNNEL
+            value: "1"
+          - name: WIZ_BROKER_HEARTBEAT_DISABLE_CLUSTER_ID
+            value: "1"
+          - name: WIZ_AUTO_ROLLOUT_ROLE
+            value: {{ ternary "true" "false" .Values.autoRolloutUpdate | quote }}
+          - name: WIZ_HEALTH_PORT
+            value: {{ .Values.healthPort | quote }}
+          {{- if .Values.connectorType }}
+          - name: CONNECTOR_TYPE
+            value: {{ .Values.connectorType | quote }}
+          {{- end }}
+          {{- if gt (int .Values.healthPort) 0 }}
+          readinessProbe:
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 3
+            httpGet:
+              port: {{ .Values.healthPort }}
+              path: /ready
+          livenessProbe:
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 90 # 15 minutes
+            httpGet:
+              port: {{ .Values.healthPort }}
+              path: /live
+          ports:
+            - containerPort: {{ .Values.healthPort }}
+              name: health
+          {{- end }}
+          {{- end }}
           {{- include "wiz-common.renderResources" (list .Values.resources (index .Values.global "wiz-kubernetes-connector" "resources")) | nindent 10 -}}
       {{- with (coalesce .Values.global.nodeSelector .Values.nodeSelector) }}
       nodeSelector:

wiz-broker/values.yaml

@@ -24,6 +24,13 @@ serviceAccount:
   # The name of the service account to use.
   name: ""
 
+# enable the restart rollout rbac policy
+autoRolloutUpdate: true
+
+healthPort: 30000
+
+connectorType: ""
+
 podCustomEnvironmentVariablesFile: ""
 
 podCustomEnvironmentVariables: []
@@ -153,6 +160,21 @@ resources: {}
   #   cpu: 100m
 #   memory: 128Mi
 
+# Set this to true if you are using Istio in sidecar mode.
+# When Istio uses sidecars, there are 2 issues when deploying Wiz:
+# 1) The creation and deletion Jobs never complete (due to istio-proxy sidecar)
+# 2) There is a race condition and possible network connectivity failures
+#    when contacting the Wiz backend.
+#
+# When either of this happens, either the installation, upgrade or uninstallation
+# of the charts fail.
+# Setting this to true ensures that the istio-proxy gets a graceful shutdown
+# and mitigates the networking race condition by sleeping before the Job starts.
+# Learn more:
+# https://istio.io/latest/blog/2023/native-sidecars/
+istio:
+  enabled: false
+  proxySidecarPort: 15000
 
 global:
   # Set the log level. Can be one of "debug", "info", "warn", or "error".
@@ -223,6 +245,24 @@ global:
     create: false # Secret created by wiz-broker.
     secretName: "" # The name of the proxy Secret.
 
+  # Set this to true if you are using Istio in sidecar mode.
+  # When Istio uses sidecars, there are 2 issues when deploying Wiz:
+  # 1) The creation and deletion Jobs never complete (due to istio-proxy sidecar)
+  # 2) There is a race condition and possible network connectivity failures
+  #    when contacting the Wiz backend.
+  #
+  # When either of this happens, either the installation, upgrade or uninstallation
+  # of the charts fail.
+  # Setting this to true ensures that the istio-proxy gets a graceful shutdown
+  # and mitigates the networking race condition by sleeping before the Job starts.
+  # Learn more:
+  # https://istio.io/latest/blog/2023/native-sidecars/
+  istio:
+    enabled: false
+    proxySidecarPort: 0
+
+  useHATunnel: false
+
   wiz-kubernetes-connector:
     resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious

wiz-kubernetes-connector/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 3.4.1
+version: 3.4.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -27,7 +27,7 @@ dependencies:
   - name: wiz-broker
     repository: https://wiz-sec.github.io/charts
 #    repository: "file://../wiz-broker" # Use this line to test the chart locally
-    version: "2.4.1"
+    version: "2.4.2"
     condition: wiz-broker.enabled
   - name: wiz-common
     version: "0.1.9"

wiz-kubernetes-connector/templates/_helpers.tpl

@@ -119,12 +119,7 @@ Input parameters
 {{- end }}
 
 {{- define "wiz-kubernetes-connector.entrypoint" -}}
-{{- if .Values.autoCreateConnector.istio.enabled -}}
-- "sh"
-- "-c"
-{{- else -}}
 - "wiz-broker"
-{{- end -}}
 {{- end }}
 
 {{- define "wiz-kubernetes-connector.argsListCreateConnector" -}}
@@ -172,27 +167,11 @@ create-kubernetes-connector
 --wait={{ and (include "wiz-kubernetes-connector.brokerEnabled" . | trim) .Values.autoCreateConnector.waitUntilInitialized }}
 {{- end }}
 
-{{- define "wiz-kubernetes.pre-istio-sidecar" -}}
-{{- printf "sleep %d" (int (.Values.autoCreateConnector.istio.sleepBeforeJobSecs | default 15)) -}}
-{{- end -}}
-
-{{- define "wiz-kubernetes.post-istio-sidecar" -}}
-{{- printf "curl --max-time 2 -s -f -XPOST http://127.0.0.1:%d/quitquitquit" (int (.Values.autoCreateConnector.istio.proxySidecarPort | default 15000)) -}}
-{{- end -}}
-
 {{- define "wiz-kubernetes-connector.generateArgsCreate" -}}
 {{- $args := include "wiz-kubernetes-connector.argsListCreateConnector" . | splitList "\n" -}}
-{{- if .Values.autoCreateConnector.istio.enabled -}}
-{{- $first := include "wiz-kubernetes.pre-istio-sidecar" . -}}
-{{- $last := include "wiz-kubernetes.post-istio-sidecar" . -}}
-{{- $argsWithIstio := printf "%s &&\nwiz-broker %s &&\n%s" $first (join " \n" $args) $last -}}
-  - >
-    {{- printf "%s" $argsWithIstio | nindent 2 }}
-{{- else -}}
 {{- range $arg := $args }}
 - {{ $arg }}
 {{- end }}
-{{- end -}}
 {{- end }}
 
 {{- define "wiz-kubernetes-connector.generate-args-list-delete" -}}
@@ -201,21 +180,13 @@ delete-kubernetes-connector
 {{ .Release.Namespace | quote }}
 --input-secret-name
 {{ include "wiz-kubernetes-connector.connectorSecretName" . | trim | quote }}
-|| true
 {{- end }}
 
 {{- define "wiz-kubernetes-connector.argsListDeleteConnector" -}}
 {{- $args := include "wiz-kubernetes-connector.generate-args-list-delete" . | splitList "\n" -}}
-{{- $output := "kuku" }}
-{{- if .Values.autoCreateConnector.istio.enabled -}}
-{{- $first := include "wiz-kubernetes.pre-istio-sidecar" . -}}
-{{- $last := include "wiz-kubernetes.post-istio-sidecar" . -}}
-{{- $output = printf "%s &&\nwiz-broker %s &&\n%s" $first (join " \n" $args) $last -}}
-{{- else -}}
-{{- $output = printf "wiz-broker %s" (join " \n" $args) -}}
-{{- end -}}
-  - >
-    {{- printf "%s" $output | nindent 2 }}
+{{- range $arg := $args }}
+- {{ $arg }}
+{{- end }}
 {{- end }}
 
 {{- define "wiz-kubernetes-connector.generate-args-list-refresh" -}}
@@ -232,17 +203,9 @@ refresh-token
 
 {{- define "wiz-kubernetes-connector.argsListRefreshConnector" -}}
 {{- $args := include "wiz-kubernetes-connector.generate-args-list-refresh" . | splitList "\n" -}}
-{{- if .Values.autoCreateConnector.istio.enabled -}}
-{{- $first := include "wiz-kubernetes.pre-istio-sidecar" . -}}
-{{- $last := include "wiz-kubernetes.post-istio-sidecar" . -}}
-{{- $argsWithIstio := printf "%s &&\nwiz-broker %s &&\n%s" $first (join " \n" $args) $last -}}
-  - >
-    {{- printf "%s" $argsWithIstio | nindent 2 }}
-{{- else -}}
 {{- range $arg := $args }}
 - {{ $arg }}
 {{- end }}
-{{- end -}}
 {{- end }}
 
 {{- define "wiz-broker.image" -}}
@@ -329,4 +292,16 @@ false
 {{- end }}
 - name: WIZ_ENV
   value: {{ coalesce .Values.global.wizApiToken.clientEndpoint .Values.wizApiToken.clientEndpoint | quote }}
+{{- if (or .Values.global.istio.enabled .Values.autoCreateConnector.istio.enabled) }}
+- name: WIZ_ISTIO_PROXY_ENABLED
+  value: "true"
+- name: WIZ_ISTIO_PROXY_PORT
+  value: {{ coalesce .Values.global.istio.proxySidecarPort .Values.autoCreateConnector.istio.proxySidecarPort | quote }}
+{{- end }}
+{{- if .Values.global.useHATunnel }}
+- name: WIZ_USE_HATUNNEL
+  value: "1"
+- name: WIZ_BROKER_HEARTBEAT_DISABLE_CLUSTER_ID
+  value: "1"
+{{- end }}
 {{- end }}

wiz-kubernetes-connector/templates/job-delete-connector.yaml

@@ -87,7 +87,8 @@ spec:
             {{- end }}
           image: {{ include "wiz-broker.image" . }}
           imagePullPolicy: {{ coalesce .Values.global.image.pullPolicy .Values.image.pullPolicy }}
-          command: ["/bin/sh", "-c"]
+          command:
+            {{- include "wiz-kubernetes-connector.entrypoint" . | nindent 12 }}
           args: {{- include "wiz-kubernetes-connector.argsListDeleteConnector" . | nindent 12 }}
           env:
           {{- include "wiz-kubernetes-connector.spec.common.envVars" . | trim | nindent 10 }}

wiz-kubernetes-connector/values.yaml

@@ -99,7 +99,6 @@ autoCreateConnector:
   # https://istio.io/latest/blog/2023/native-sidecars/
   istio:
     enabled: false
-    sleepBeforeJobSecs: 15
     proxySidecarPort: 15000
 
 wizApiToken:
@@ -170,6 +169,9 @@ wiz-broker:
     # The name of the service account to use.
     name: "wiz-broker"
 
+  # enable the restart rollout rbac policy
+  autoRolloutUpdate: true
+
   # API token should be read from an environment file, which is specified in podCustomEnvironmentVariablesFile
   # The file must contain the following lines:
   # WIZ_CLIENT_ID=<wiz service account id>
@@ -333,6 +335,24 @@ global:
     create: false # Secret created by wiz-kubernetes-connector.
     secretName: "" # The name of the proxy Secret.
 
+  # Set this to true if you are using Istio in sidecar mode.
+  # When Istio uses sidecars, there are 2 issues when deploying Wiz:
+  # 1) The creation and deletion Jobs never complete (due to istio-proxy sidecar)
+  # 2) There is a race condition and possible network connectivity failures
+  #    when contacting the Wiz backend.
+  #
+  # When either of this happens, either the installation, upgrade or uninstallation
+  # of the charts fail.
+  # Setting this to true ensures that the istio-proxy gets a graceful shutdown
+  # and mitigates the networking race condition by sleeping before the Job starts.
+  # Learn more:
+  # https://istio.io/latest/blog/2023/native-sidecars/
+  istio:
+    enabled: false
+    proxySidecarPort: 0
+
+  useHATunnel: false
+
   wiz-kubernetes-connector:
     resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious

wiz-kubernetes-integration/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: wiz-kubernetes-integration
 description: A Helm chart for Kubernetes
 type: application
-version: 0.2.110
+version: 0.2.111
 appVersion: ""
 #    Dependencies for wiz-kubernetes connector and wiz-admission-controller and wiz-sensor
 dependencies: