├── .circleci ├── config.yml ├── continue_config.yml └── package_index.sh ├── .github └── CODEOWNERS ├── .gitignore ├── .idea └── runConfigurations │ ├── Run_helm_tests.xml │ └── Update_golden_files.xml ├── LICENSE ├── README.md ├── flux2 ├── .helmignore ├── Chart.yaml ├── README.md ├── crds │ ├── DONTDELETE.md │ ├── helm-controller.crds.yaml │ ├── image-automation-controller.crds.yaml │ ├── image-reflector-controller.crds.yaml │ ├── kustomize-controller.crds.yaml │ ├── notification-controller.crds.yaml │ └── source-controller.crds.yaml ├── templates │ ├── _helper.tpl │ ├── aggregate-clusterroles.yaml │ ├── cluster-reconciler-clusterrolebinding.yaml │ ├── cluster-reconciler-impersonator-clusterrole.yaml │ ├── cluster-reconciler-impersonator-clusterrolebinding.yaml │ ├── crd-controller-clusterrole.yaml │ ├── crd-controller-clusterrolebinding.yaml │ ├── extra-manifests.yaml │ ├── helm-controller-sa.yaml │ ├── helm-controller.yaml │ ├── image-automation-controller-sa.yaml │ ├── image-automation-controller.yaml │ ├── image-reflector-controller-sa.yaml │ ├── image-reflector-controller.yaml │ ├── kustomize-controller-sa.yaml │ ├── kustomize-controller-secret.yaml │ ├── kustomize-controller.yaml │ ├── notification-controller-ingress.yaml │ ├── notification-controller-sa.yaml │ ├── notification-controller-service.yaml │ ├── notification-controller-webhook-service.yaml │ ├── notification-controller.yaml │ ├── podmonitor.yaml │ ├── policies.yaml │ ├── source-controller-service.yaml │ ├── source-controller-serviceaccount.yaml │ ├── source-controller.yaml │ └── sync.yaml └── values.yaml ├── git-proxy ├── .helmignore ├── Chart.yaml ├── templates │ ├── _helpers.tpl │ ├── deployment.yaml │ ├── namespace.yaml │ ├── secret.yaml │ ├── service.yaml │ └── serviceaccount.yaml └── values.yaml ├── wiz-admission-controller ├── .helmignore ├── Chart.yaml ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── certmanager.yaml │ ├── cronjobmanager.yaml │ ├── deploymentauditlogs.yaml │ ├── 
deploymentenforcement.yaml │ ├── hpa.yaml │ ├── input-validations.yaml │ ├── jobuninstall.yaml │ ├── networkpolicy.yaml │ ├── opawebhook.yaml │ ├── pod-disruption-budget.yaml │ ├── proxy.yaml │ ├── secret.yaml │ ├── service.yaml │ └── serviceaccount.yaml └── values.yaml ├── wiz-broker ├── .helmignore ├── Chart.yaml ├── templates │ ├── _helpers.tpl │ ├── input-validations.yaml │ ├── secret-proxy.yaml │ ├── secrets.yaml │ ├── serviceaccount.yaml │ └── wiz-broker-deployment.yaml └── values.yaml ├── wiz-common ├── Chart.yaml └── templates │ ├── _debug.tpl │ ├── _hash.tpl │ ├── _proxy.tpl │ ├── _require_helm_version.tpl │ ├── _resources.tpl │ └── _wizApiClientVolumeMounts.tpl ├── wiz-kubernetes-connector ├── .helmignore ├── Chart.yaml ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── input-validations.yaml │ ├── job-create-connector.yaml │ ├── job-delete-connector.yaml │ ├── job-refresh-token.yaml │ ├── secret-connector.yaml │ ├── secret-proxy.yaml │ ├── secrets-wiz-api-token.yaml │ ├── service-account-cluster-reader.yaml │ ├── service-account-modify-connector.yaml │ └── service-account-token-generator.yaml └── values.yaml ├── wiz-kubernetes-integration ├── .helmignore ├── Chart.yaml ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── secret-proxy.yaml │ └── secrets-wiz-api-token.yaml └── values.yaml ├── wiz-network-analyzer ├── .helmignore ├── Chart.yaml ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── job-network-analyzer.yaml │ ├── secret-ca.yaml │ ├── secret-proxy.yaml │ ├── secrets-wiz-api-token.yaml │ └── service-account-cluster-reader.yaml └── values.yaml ├── wiz-outpost-configuration ├── .helmignore ├── Chart.yaml ├── templates │ ├── _helpers.tpl │ ├── agent.secret.yaml │ ├── azureWorkerCredentials.secret.yaml │ ├── httpProxyConfiguration.secret.yaml │ ├── networkAnalyzer.job.yaml │ ├── nodeHttpProxyConfiguration.gcp.ubuntu.yaml │ └── serviceaccount.yaml └── values.yaml ├── wiz-outpost-lite ├── .helmignore ├── Chart.yaml ├── templates │ ├── 
_helpers.tpl │ ├── credentials.secret.yaml │ ├── deployment.yaml │ ├── httpProxyConfiguration.secret.yaml │ ├── openshift.yaml │ ├── service.yaml │ └── serviceaccount.yaml └── values.yaml └── wiz-sensor ├── .helmignore ├── Chart.yaml ├── templates ├── _helpers.tpl ├── apikeysecret.yaml ├── clusterrole.yaml ├── clusterrolebinding.yaml ├── daemonset.yaml ├── diskscanconfig.yaml ├── gkeallowlistsynchronizer.yaml ├── imagepullsecret.yaml ├── openshift.yaml ├── proxysecret.yaml └── serviceaccount.yaml └── values.yaml /.circleci/config.yml: -------------------------------------------------------------------------------- 1 | version: 2.1 2 | orbs: 3 | path-filtering: circleci/path-filtering@0.1.3 4 | continuation: circleci/continuation@0.2.0 5 | 6 | executors: 7 | python: 8 | docker: 9 | - image: cimg/python:3.10 10 | 11 | setup: true 12 | 13 | parameters: 14 | run_trigger_workflow: 15 | default: true 16 | type: boolean 17 | 18 | jobs: 19 | trigger-builds: 20 | description: Continues a pipeline in the `setup` state based with static config and a set of pipeline parameters based on the changes in this push. 21 | executor: 22 | name: python 23 | parameters: 24 | base-revision: 25 | default: origin/master 26 | description: The revision to compare the current one against for the purpose of determining changed files. 27 | type: string 28 | circleci_domain: 29 | default: circleci.com 30 | description: The domain of the CircleCI installation - defaults to circleci.com. (Only necessary for CircleCI Server users) 31 | type: string 32 | config-path: 33 | default: .circleci/continue_config.yml 34 | description: The location of the config to continue the pipeline with. 35 | type: string 36 | mapping: 37 | default: "" 38 | description: Mapping of path regular expressions to pipeline parameters and values. One mapping per line, whitespace-delimited. 
39 | type: string 40 | resource_class: 41 | default: small 42 | type: string 43 | parameters-output-path: 44 | default: /tmp/pipeline-parameters.json 45 | type: string 46 | resource_class: << parameters.resource_class >> 47 | steps: 48 | - checkout 49 | - when: 50 | condition: << pipeline.parameters.run_trigger_workflow >> 51 | steps: 52 | - path-filtering/set-parameters: 53 | base-revision: << parameters.base-revision >> 54 | mapping: << parameters.mapping >> 55 | output-path: << parameters.parameters-output-path >> 56 | - when: 57 | condition: 58 | not: << pipeline.parameters.run_trigger_workflow >> 59 | steps: 60 | - run: 61 | name: Produce empty parameters.json 62 | command: echo "{}" > << parameters.parameters-output-path >> 63 | - continuation/continue: 64 | circleci_domain: << parameters.circleci_domain >> 65 | configuration_path: << parameters.config-path >> 66 | parameters: << parameters.parameters-output-path >> 67 | 68 | workflows: 69 | setup-and-trigger: 70 | jobs: 71 | - trigger-builds: 72 | name: generate config and trigger 73 | mapping: | 74 | ^flux2/.* flux2 true 75 | ^git-proxy/.* git-proxy true 76 | ^wiz-broker/.* wiz-broker true 77 | ^wiz-outpost-lite/.* wiz-outpost-lite true 78 | ^wiz-outpost-configuration/.* wiz-outpost-configuration true 79 | ^wiz-admission-controller/.* wiz-admission-controller true 80 | ^wiz-sensor/.* wiz-sensor true 81 | ^wiz-kubernetes-connector/.* wiz-kubernetes-connector true 82 | ^wiz-kubernetes-integration/.* wiz-kubernetes-integration true 83 | ^wiz-network-analyzer/.* wiz-network-analyzer true 84 | ^wiz-common/.* wiz-common true 85 | base-revision: << pipeline.git.branch >> 86 | filters: 87 | branches: 88 | ignore: 89 | - gh-pages 90 | -------------------------------------------------------------------------------- /.circleci/continue_config.yml: -------------------------------------------------------------------------------- 1 | 2 | version: 2.1 3 | 4 | parameters: 5 | flux2: 6 | default: false 7 | type: boolean 8 | 
git-proxy: 9 | default: false 10 | type: boolean 11 | wiz-broker: 12 | default: false 13 | type: boolean 14 | wiz-admission-controller: 15 | default: false 16 | type: boolean 17 | wiz-sensor: 18 | default: false 19 | type: boolean 20 | wiz-kubernetes-connector: 21 | default: false 22 | type: boolean 23 | wiz-kubernetes-integration: 24 | default: false 25 | type: boolean 26 | wiz-outpost-configuration: 27 | default: false 28 | type: boolean 29 | wiz-outpost-lite: 30 | default: false 31 | type: boolean 32 | wiz-network-analyzer: 33 | default: false 34 | type: boolean 35 | wiz-common: 36 | default: false 37 | type: boolean 38 | 39 | executors: 40 | ops: 41 | docker: 42 | - image: dtzar/helm-kubectl:3.10.2 43 | golang: 44 | docker: 45 | - image: golang:1.23 46 | 47 | commands: 48 | upload_new_chart: 49 | parameters: 50 | package: 51 | type: string 52 | steps: 53 | - run: 54 | name: Push new package << parameters.package >> 55 | command: | 56 | export PACKAGE="<< parameters.package >>" 57 | pushd ~/project/charts 58 | bash .circleci/package_index.sh 59 | popd 60 | 61 | jobs: 62 | package_and_index_charts: 63 | executor: 64 | name: ops 65 | steps: 66 | - when: 67 | condition: 68 | or: 69 | - << pipeline.parameters.flux2 >> 70 | - << pipeline.parameters.git-proxy >> 71 | - << pipeline.parameters.wiz-broker >> 72 | - << pipeline.parameters.wiz-admission-controller >> 73 | - << pipeline.parameters.wiz-sensor >> 74 | - << pipeline.parameters.wiz-kubernetes-connector >> 75 | - << pipeline.parameters.wiz-kubernetes-integration >> 76 | - << pipeline.parameters.wiz-outpost-configuration >> 77 | - << pipeline.parameters.wiz-outpost-lite >> 78 | - << pipeline.parameters.wiz-network-analyzer >> 79 | - << pipeline.parameters.wiz-common >> 80 | steps: 81 | - checkout: 82 | path: ~/project 83 | - add_ssh_keys: 84 | fingerprints: 85 | - "46:88:b6:e7:04:9e:f2:cf:cf:4f:03:09:e5:58:1b:f2" 86 | - run: 87 | name: Read-Write checkout 88 | command: | 89 | mkdir -pm0700 ~/.ssh 90 | ssh-keyscan 
github.com > ~/.ssh/known_hosts 91 | echo 'Host gitops 92 | Hostname github.com 93 | IdentityFile ~/.ssh/id_rsa_4688b6e7049ef2cfcf4f0309e5581bf2 94 | IdentitiesOnly yes' > ~/.ssh/config 95 | git clone -b master git@gitops:wiz-sec/charts.git 96 | - when: 97 | condition: << pipeline.parameters.wiz-common >> 98 | steps: 99 | - upload_new_chart: 100 | package: wiz-common 101 | - when: 102 | condition: << pipeline.parameters.flux2 >> 103 | steps: 104 | - upload_new_chart: 105 | package: flux2 106 | - when: 107 | condition: << pipeline.parameters.git-proxy >> 108 | steps: 109 | - upload_new_chart: 110 | package: git-proxy 111 | - when: 112 | condition: << pipeline.parameters.wiz-broker >> 113 | steps: 114 | - upload_new_chart: 115 | package: wiz-broker 116 | - when: 117 | condition: << pipeline.parameters.wiz-outpost-configuration >> 118 | steps: 119 | - upload_new_chart: 120 | package: wiz-outpost-configuration 121 | - when: 122 | condition: << pipeline.parameters.wiz-outpost-lite >> 123 | steps: 124 | - upload_new_chart: 125 | package: wiz-outpost-lite 126 | - when: 127 | condition: << pipeline.parameters.wiz-network-analyzer >> 128 | steps: 129 | - upload_new_chart: 130 | package: wiz-network-analyzer 131 | - when: 132 | condition: << pipeline.parameters.wiz-admission-controller >> 133 | steps: 134 | - upload_new_chart: 135 | package: wiz-admission-controller 136 | - when: 137 | condition: << pipeline.parameters.wiz-sensor >> 138 | steps: 139 | - upload_new_chart: 140 | package: wiz-sensor 141 | - when: 142 | condition: << pipeline.parameters.wiz-kubernetes-connector >> 143 | steps: 144 | - upload_new_chart: 145 | package: wiz-kubernetes-connector 146 | - when: 147 | # Should be after all dependencies charts! 148 | condition: << pipeline.parameters.wiz-kubernetes-integration >> 149 | steps: 150 | - upload_new_chart: 151 | package: wiz-kubernetes-integration 152 | - run: 153 | name: Run always 154 | command: echo "Done!" 
# Hack for empty runs 155 | 156 | workflows: 157 | validate_and_package: 158 | jobs: 159 | - package_and_index_charts: 160 | name: Package and index charts 161 | filters: 162 | branches: 163 | only: 164 | - master 165 | -------------------------------------------------------------------------------- /.circleci/package_index.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | PACKAGE_VERSION=$(helm show chart ${PACKAGE} | grep version | cut -d " " -f 2 | tr -d '[:space:]') 5 | PACKAGE_FULL_NAME="${PACKAGE}-${PACKAGE_VERSION}.tgz" 6 | git config user.email "circleci@wiz.io" 7 | git config user.name "CircleCI" 8 | 9 | ATTEMPTS=20 10 | SLEEP_INTERVAL=30 11 | 12 | for i in $(seq 1 $ATTEMPTS); do 13 | set +e 14 | # Try updating package dependencies 15 | output=$(helm dependency update $PACKAGE 2>&1) 16 | exit_code=$? 17 | set -e 18 | 19 | if echo "$output" | grep -q "can't get a valid version"; then 20 | echo "Attempt $i/$ATTEMPTS: Dependency not available yet. Retrying in $SLEEP_INTERVAL seconds..." 21 | sleep $SLEEP_INTERVAL 22 | elif [ $exit_code -eq 0 ]; then 23 | echo "Dependency update succeeded." 24 | break 25 | else 26 | echo "Error: $output" 27 | exit 1 28 | fi 29 | done 30 | 31 | if [ $i -eq $ATTEMPTS ]; then 32 | echo "Failed to update dependencies after $ATTEMPTS attempts with the following error:" 33 | echo "$output" 34 | exit 1 35 | fi 36 | 37 | # Package the chart with diffs 38 | helm package $PACKAGE 39 | 40 | # Commiting the change to master branch locally (will not push) 41 | git add . 42 | git commit -m "package" 43 | 44 | # Checking out to gh-pages and taking the packages 45 | git checkout gh-pages 46 | git checkout master $PACKAGE_FULL_NAME 47 | 48 | # Indexing and pushing 49 | helm repo index --url https://wiz-sec.github.io/charts/ . 50 | git add . 
51 | git commit -a -m "CircleCI: Upload ${PACKAGE} chart" 52 | git push -u origin gh-pages 53 | 54 | git checkout master -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # Teams can be specified as code owners as well. Teams should 2 | # be identified in the format @org/team-name. Teams must have 3 | # explicit write access to the repository. In this example, 4 | # the octocats team in the octo-org organization owns all .txt files. 5 | /wiz-admission-controller/ @wiz-sec/wiz-devops @wiz-sec/Wiz-Charts-Approvers circleci@wiz.io 6 | /wiz-broker/ @wiz-sec/wiz-devops @wiz-sec/Wiz-Charts-Approvers circleci@wiz.io 7 | /wiz-common/ @wiz-sec/wiz-devops @wiz-sec/Wiz-Charts-Approvers circleci@wiz.io 8 | /wiz-kubernetes-connector/ @wiz-sec/wiz-devops @wiz-sec/Wiz-Charts-Approvers circleci@wiz.io 9 | /.github/ @wiz-sec/wiz-devops 10 | /.circleci/ @wiz-sec/wiz-devops 11 | /.circleci/tests/ @wiz-sec/Wiz-Charts-Approvers 12 | /wiz-outpost-lite/**/* @yarinm 13 | /wiz-sensor/**/* @ariknem 14 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea/* 2 | !/.idea/runConfigurations 3 | 4 | .DS_Store -------------------------------------------------------------------------------- /.idea/runConfigurations/Run_helm_tests.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /.idea/runConfigurations/Update_golden_files.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- 
/README.md: -------------------------------------------------------------------------------- 1 | # Wiz Kubernetes Helm Charts 2 | 3 | 4 | 5 | ## Usage 6 | 7 | [Helm](https://helm.sh) must be installed to use the charts. 8 | Please refer to Helm's [documentation](https://helm.sh/docs/) to get started. 9 | 10 | Once Helm is set up properly, add the repo as follows: 11 | 12 | ```console 13 | helm repo add wiz-sec https://wiz-sec.github.io/charts 14 | ``` 15 | 16 | You can then run `helm search repo wiz-sec` to see the charts. 17 | 18 | ## Helm charts build status 19 | 20 | [![CircleCI](https://dl.circleci.com/status-badge/img/gh/wiz-sec/charts/tree/master.svg?style=shield)](https://dl.circleci.com/status-badge/img/gh/wiz-sec/charts/tree/master.svg?style=shield) 21 | -------------------------------------------------------------------------------- /flux2/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | 25 | tests/ 26 | -------------------------------------------------------------------------------- /flux2/Chart.yaml: -------------------------------------------------------------------------------- 1 | annotations: 2 | artifacthub.io/changes: | 3 | - "[Chore]: Update App Version to upstream 2.2.3" 4 | apiVersion: v2 5 | appVersion: 2.2.3 6 | description: A Helm chart for flux2 7 | name: flux2 8 | sources: 9 | - https://github.com/fluxcd-community/helm-charts 10 | type: application 11 | version: 2025.02.16 12 | -------------------------------------------------------------------------------- /flux2/crds/DONTDELETE.md: -------------------------------------------------------------------------------- 1 | # Don't delete this folder 2 | 3 | The [upstream flux chart](https://github.com/fluxcd-community/helm-charts/tree/main/charts/flux2) doesn't use a crd folder to install the CRDs, but instead installs them through regular template files. 4 | However, this chart also puts two custom resources, a GitRepository and a Kustomization. As such, these two CRDs should reside 5 | here instead of the regular template file, as it promises that they will be installed before the custom resources. 
6 | 7 | for more information see [this document](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/) 8 | -------------------------------------------------------------------------------- /flux2/templates/_helper.tpl: -------------------------------------------------------------------------------- 1 | {{- define "template.image" -}} 2 | {{- if eq (substr 0 7 .tag) "sha256:" -}} 3 | {{- printf "%s@%s" .image .tag -}} 4 | {{- else -}} 5 | {{- printf "%s:%s" .image .tag -}} 6 | {{- end -}} 7 | {{- end -}} 8 | -------------------------------------------------------------------------------- /flux2/templates/aggregate-clusterroles.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.createAggregation }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | {{- with .Values.rbac.annotations }} 6 | annotations: {{ toYaml . | nindent 4 }} 7 | {{- end }} 8 | name: flux-edit 9 | labels: 10 | rbac.authorization.k8s.io/aggregate-to-edit: "true" 11 | rbac.authorization.k8s.io/aggregate-to-admin: "true" 12 | rules: 13 | - apiGroups: 14 | - notification.toolkit.fluxcd.io 15 | - source.toolkit.fluxcd.io 16 | - helm.toolkit.fluxcd.io 17 | - image.toolkit.fluxcd.io 18 | - kustomize.toolkit.fluxcd.io 19 | resources: ["*"] 20 | verbs: 21 | - create 22 | - delete 23 | - deletecollection 24 | - patch 25 | - update 26 | --- 27 | apiVersion: rbac.authorization.k8s.io/v1 28 | kind: ClusterRole 29 | metadata: 30 | name: flux-view 31 | labels: 32 | rbac.authorization.k8s.io/aggregate-to-admin: "true" 33 | rbac.authorization.k8s.io/aggregate-to-edit: "true" 34 | rbac.authorization.k8s.io/aggregate-to-view: "true" 35 | rules: 36 | - apiGroups: 37 | - notification.toolkit.fluxcd.io 38 | - source.toolkit.fluxcd.io 39 | - helm.toolkit.fluxcd.io 40 | - image.toolkit.fluxcd.io 41 | - kustomize.toolkit.fluxcd.io 42 | resources: ["*"] 43 | verbs: 44 | - get 45 | - list 46 | - watch 47 | {{- end 
}} 48 | -------------------------------------------------------------------------------- /flux2/templates/cluster-reconciler-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create (or (not .Values.multitenancy.enabled) .Values.multitenancy.privileged) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | {{- with .Values.rbac.annotations }} 6 | annotations: {{ toYaml . | nindent 4 }} 7 | {{- end }} 8 | labels: 9 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 11 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 12 | app.kubernetes.io/part-of: flux 13 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 14 | name: cluster-reconciler 15 | roleRef: 16 | apiGroup: rbac.authorization.k8s.io 17 | kind: ClusterRole 18 | name: {{ .Values.rbac.roleRef.name }} 19 | subjects: 20 | - kind: ServiceAccount 21 | name: kustomize-controller 22 | namespace: {{ .Release.Namespace }} 23 | - kind: ServiceAccount 24 | name: helm-controller 25 | namespace: {{ .Release.Namespace }} 26 | {{- end }} -------------------------------------------------------------------------------- /flux2/templates/cluster-reconciler-impersonator-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | {{- with .Values.rbac.annotations }} 6 | annotations: {{ toYaml . 
| nindent 4 }} 7 | {{- end }} 8 | name: cluster-reconciler-impersonator 9 | labels: 10 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 11 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 12 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 13 | app.kubernetes.io/part-of: flux 14 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 15 | rules: 16 | - apiGroups: [""] 17 | resources: ["serviceaccounts"] 18 | verbs: ["impersonate"] 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /flux2/templates/cluster-reconciler-impersonator-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create .Values.multitenancy.enabled (not .Values.multitenancy.privileged) }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | {{- with .Values.rbac.annotations }} 6 | annotations: {{ toYaml . 
| nindent 4 }} 7 | {{- end }} 8 | labels: 9 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 10 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 11 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 12 | app.kubernetes.io/part-of: flux 13 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 14 | name: cluster-reconciler-impersonator 15 | roleRef: 16 | apiGroup: rbac.authorization.k8s.io 17 | kind: ClusterRole 18 | name: cluster-reconciler-impersonator 19 | subjects: 20 | - kind: ServiceAccount 21 | name: kustomize-controller 22 | namespace: {{ .Release.Namespace }} 23 | - kind: ServiceAccount 24 | name: helm-controller 25 | namespace: {{ .Release.Namespace }} 26 | {{- end }} 27 | -------------------------------------------------------------------------------- /flux2/templates/crd-controller-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | {{- with .Values.rbac.annotations }} 6 | annotations: {{ toYaml . 
| nindent 4 }} 7 | {{- end }} 8 | name: crd-controller 9 | labels: 10 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 11 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 12 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 13 | app.kubernetes.io/part-of: flux 14 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 15 | rules: 16 | - apiGroups: ['source.toolkit.fluxcd.io'] 17 | resources: ['*'] 18 | verbs: ['*'] 19 | - apiGroups: ['kustomize.toolkit.fluxcd.io'] 20 | resources: ['*'] 21 | verbs: ['*'] 22 | - apiGroups: ['helm.toolkit.fluxcd.io'] 23 | resources: ['*'] 24 | verbs: ['*'] 25 | - apiGroups: ['notification.toolkit.fluxcd.io'] 26 | resources: ['*'] 27 | verbs: ['*'] 28 | - apiGroups: ['image.toolkit.fluxcd.io'] 29 | resources: ['*'] 30 | verbs: ['*'] 31 | - apiGroups: 32 | - "" 33 | resources: 34 | - namespaces 35 | - secrets 36 | - configmaps 37 | - serviceaccounts 38 | verbs: 39 | - get 40 | - list 41 | - watch 42 | - apiGroups: 43 | - "" 44 | resources: 45 | - events 46 | verbs: 47 | - create 48 | - patch 49 | # required by leader election 50 | - apiGroups: 51 | - "" 52 | resources: 53 | - configmaps 54 | verbs: 55 | - get 56 | - list 57 | - watch 58 | - create 59 | - update 60 | - patch 61 | - delete 62 | - apiGroups: 63 | - "" 64 | resources: 65 | - configmaps/status 66 | verbs: 67 | - get 68 | - update 69 | - patch 70 | - apiGroups: 71 | - "coordination.k8s.io" 72 | resources: 73 | - leases 74 | verbs: 75 | - get 76 | - list 77 | - watch 78 | - create 79 | - update 80 | - patch 81 | - delete 82 | {{- end }} 83 | -------------------------------------------------------------------------------- /flux2/templates/crd-controller-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create }} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | {{- with .Values.rbac.annotations }} 
6 | annotations: {{ toYaml . | nindent 4 }} 7 | {{- end }} 8 | name: crd-controller 9 | labels: 10 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 11 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 12 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 13 | app.kubernetes.io/part-of: flux 14 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 15 | roleRef: 16 | apiGroup: rbac.authorization.k8s.io 17 | kind: ClusterRole 18 | name: crd-controller 19 | subjects: 20 | - kind: ServiceAccount 21 | name: kustomize-controller 22 | namespace: {{ .Release.Namespace }} 23 | - kind: ServiceAccount 24 | name: helm-controller 25 | namespace: {{ .Release.Namespace }} 26 | - kind: ServiceAccount 27 | name: source-controller 28 | namespace: {{ .Release.Namespace }} 29 | - kind: ServiceAccount 30 | name: notification-controller 31 | namespace: {{ .Release.Namespace }} 32 | - kind: ServiceAccount 33 | name: image-reflector-controller 34 | namespace: {{ .Release.Namespace }} 35 | - kind: ServiceAccount 36 | name: image-automation-controller 37 | namespace: {{ .Release.Namespace }} 38 | {{- end }} 39 | -------------------------------------------------------------------------------- /flux2/templates/extra-manifests.yaml: -------------------------------------------------------------------------------- 1 | {{ range .Values.extraObjects }} 2 | --- 3 | {{ tpl (toYaml .) 
$ }} 4 | {{ end }} 5 | -------------------------------------------------------------------------------- /flux2/templates/helm-controller-sa.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.helmController.create}} 2 | {{- if .Values.helmController.serviceAccount.create -}} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: helm-controller 8 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 10 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 11 | app.kubernetes.io/part-of: flux 12 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 13 | name: helm-controller 14 | {{- with .Values.helmController.serviceAccount.annotations }} 15 | annotations: {{ toYaml . | nindent 4 }} 16 | {{- end }} 17 | {{- end -}} 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- /flux2/templates/helm-controller.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.helmController.create}} 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | labels: 6 | app.kubernetes.io/component: helm-controller 7 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 8 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 9 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 10 | app.kubernetes.io/part-of: flux 11 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 12 | control-plane: controller 13 | {{- with .Values.helmController.labels }} 14 | {{- . 
| toYaml | nindent 4 }} 15 | {{- end }} 16 | name: helm-controller 17 | spec: 18 | {{- if kindIs "invalid" .Values.helmController.replicas }} 19 | replicas: 1 20 | {{- else }} 21 | replicas: {{ .Values.helmController.replicas }} 22 | {{- end}} 23 | selector: 24 | matchLabels: 25 | app: helm-controller 26 | template: 27 | metadata: 28 | {{- with .Values.helmController.annotations }} 29 | annotations: {{ toYaml . | nindent 8 }} 30 | {{- end }} 31 | labels: 32 | app: helm-controller 33 | {{ with .Values.helmController.labels }}{{ toYaml . | indent 8 }}{{ end }} 34 | spec: 35 | automountServiceAccountToken: {{ .Values.helmController.serviceAccount.automount }} 36 | {{- if .Values.helmController.initContainers}} 37 | initContainers: 38 | {{- toYaml .Values.helmController.initContainers | nindent 8}} 39 | {{- end}} 40 | containers: 41 | - args: 42 | {{- if .Values.multitenancy.enabled }} 43 | - --no-cross-namespace-refs=true 44 | - --default-service-account={{ .Values.multitenancy.defaultServiceAccount | default "default" }} 45 | {{- end}} 46 | {{- if .Values.notificationController.create }} 47 | - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. 48 | {{- end}} 49 | - --watch-all-namespaces={{ .Values.watchAllNamespaces }} 50 | - --log-level={{ .Values.logLevel | default "info" }} 51 | - --log-encoding=json 52 | - --enable-leader-election 53 | {{- range .Values.helmController.container.additionalArgs }} 54 | - {{ . }} 55 | {{- end}} 56 | env: 57 | - name: RUNTIME_NAMESPACE 58 | valueFrom: 59 | fieldRef: 60 | fieldPath: metadata.namespace 61 | {{- with .Values.helmController.extraEnv }} 62 | {{- toYaml . 
| nindent 8 }} 63 | {{- end }} 64 | image: {{ template "template.image" .Values.helmController }} 65 | {{- if .Values.helmController.imagePullPolicy }} 66 | imagePullPolicy: {{ .Values.helmController.imagePullPolicy }} 67 | {{- else }} 68 | imagePullPolicy: IfNotPresent 69 | {{- end }} 70 | livenessProbe: 71 | httpGet: 72 | path: /healthz 73 | port: healthz 74 | name: manager 75 | ports: 76 | - containerPort: 8080 77 | name: http-prom 78 | - containerPort: 9440 79 | name: healthz 80 | protocol: TCP 81 | readinessProbe: 82 | httpGet: 83 | path: /readyz 84 | port: healthz 85 | {{- with .Values.helmController.resources }} 86 | resources: {{ toYaml . | nindent 10 }} 87 | {{- end }} 88 | {{- if .Values.helmController.securityContext }} 89 | securityContext: {{ toYaml .Values.helmController.securityContext | nindent 10 }} 90 | {{- else }} 91 | securityContext: 92 | allowPrivilegeEscalation: false 93 | capabilities: 94 | drop: 95 | - ALL 96 | readOnlyRootFilesystem: true 97 | runAsNonRoot: true 98 | seccompProfile: 99 | type: RuntimeDefault 100 | {{- end}} 101 | volumeMounts: 102 | - mountPath: /tmp 103 | name: temp 104 | {{- if .Values.helmController.volumeMounts }} 105 | {{- toYaml .Values.helmController.volumeMounts | nindent 8 }} 106 | {{- end}} 107 | {{- if .Values.helmController.priorityClassName }} 108 | priorityClassName: {{ .Values.helmController.priorityClassName | quote }} 109 | {{- end }} 110 | {{- if .Values.helmController.podSecurityContext }} 111 | securityContext: {{ toYaml .Values.helmController.podSecurityContext | nindent 8 }} 112 | {{- end }} 113 | serviceAccountName: helm-controller 114 | {{- if .Values.imagePullSecrets }} 115 | imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }} 116 | {{- end }} 117 | terminationGracePeriodSeconds: 600 118 | volumes: 119 | - emptyDir: {} 120 | name: temp 121 | {{- if .Values.helmController.volumes }} 122 | {{- toYaml .Values.helmController.volumes | nindent 6 }} 123 | {{- end}} 124 | {{- with 
.Values.helmController.nodeSelector }} 125 | nodeSelector: {{ toYaml . | nindent 8 }} 126 | {{- end }} 127 | {{- with .Values.helmController.affinity }} 128 | affinity: {{ toYaml . | nindent 8 }} 129 | {{- end }} 130 | {{- with .Values.helmController.tolerations }} 131 | tolerations: {{ toYaml . | nindent 8 }} 132 | {{- end }} 133 | {{- end }} 134 | -------------------------------------------------------------------------------- /flux2/templates/image-automation-controller-sa.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.imageAutomationController.create }} 2 | {{- if .Values.imageAutomationController.serviceAccount.create -}} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: image-automation-controller 8 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 10 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 11 | app.kubernetes.io/part-of: flux 12 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 13 | name: image-automation-controller 14 | {{- with .Values.imageAutomationController.serviceAccount.annotations }} 15 | annotations: {{ toYaml . 
| nindent 4 }} 16 | {{- end }} 17 | {{- end -}} 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- /flux2/templates/image-automation-controller.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.imageAutomationController.create}} 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | labels: 6 | app.kubernetes.io/component: image-automation-controller 7 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 8 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 9 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 10 | app.kubernetes.io/part-of: flux 11 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 12 | control-plane: controller 13 | {{- with .Values.imageAutomationController.labels }} 14 | {{- . | toYaml | nindent 4 }} 15 | {{- end }} 16 | name: image-automation-controller 17 | spec: 18 | {{- if kindIs "invalid" .Values.imageAutomationController.replicas }} 19 | replicas: 1 20 | {{- else }} 21 | replicas: {{ .Values.imageAutomationController.replicas }} 22 | {{- end}} 23 | selector: 24 | matchLabels: 25 | app: image-automation-controller 26 | template: 27 | metadata: 28 | {{- with .Values.imageAutomationController.annotations }} 29 | annotations: {{ toYaml . | nindent 8 }} 30 | {{- end }} 31 | labels: 32 | app: image-automation-controller 33 | {{ with .Values.imageAutomationController.labels }}{{ toYaml . 
| indent 8 }}{{ end }} 34 | spec: 35 | automountServiceAccountToken: {{ .Values.imageAutomationController.serviceAccount.automount }} 36 | {{- if .Values.imageAutomationController.initContainers}} 37 | initContainers: 38 | {{- toYaml .Values.imageAutomationController.initContainers | nindent 8}} 39 | {{- end}} 40 | containers: 41 | - args: 42 | {{- if .Values.multitenancy.enabled }} 43 | - --no-cross-namespace-refs=true 44 | {{- end}} 45 | {{- if .Values.notificationController.create }} 46 | - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. 47 | {{- end}} 48 | - --watch-all-namespaces={{ .Values.watchAllNamespaces }} 49 | - --log-level={{ .Values.logLevel | default "info" }} 50 | - --log-encoding=json 51 | - --enable-leader-election 52 | {{- range .Values.imageAutomationController.container.additionalArgs }} 53 | - {{ . }} 54 | {{- end}} 55 | env: 56 | - name: RUNTIME_NAMESPACE 57 | valueFrom: 58 | fieldRef: 59 | fieldPath: metadata.namespace 60 | {{- with .Values.imageAutomationController.extraEnv }} 61 | {{- toYaml . | nindent 8 }} 62 | {{- end }} 63 | image: {{ template "template.image" .Values.imageAutomationController }} 64 | {{- if .Values.imageAutomationController.imagePullPolicy }} 65 | imagePullPolicy: {{ .Values.imageAutomationController.imagePullPolicy }} 66 | {{- else }} 67 | imagePullPolicy: IfNotPresent 68 | {{- end }} 69 | livenessProbe: 70 | httpGet: 71 | path: /healthz 72 | port: healthz 73 | name: manager 74 | ports: 75 | - containerPort: 8080 76 | name: http-prom 77 | - containerPort: 9440 78 | name: healthz 79 | protocol: TCP 80 | readinessProbe: 81 | httpGet: 82 | path: /readyz 83 | port: healthz 84 | {{- with .Values.imageAutomationController.resources }} 85 | resources: {{ toYaml . 
| nindent 10 }} 86 | {{- end }} 87 | {{- if .Values.imageAutomationController.securityContext }} 88 | securityContext: {{ toYaml .Values.imageAutomationController.securityContext | nindent 10 }} 89 | {{- else }} 90 | securityContext: 91 | allowPrivilegeEscalation: false 92 | capabilities: 93 | drop: 94 | - ALL 95 | readOnlyRootFilesystem: true 96 | runAsNonRoot: true 97 | seccompProfile: 98 | type: RuntimeDefault 99 | {{- end}} 100 | volumeMounts: 101 | - mountPath: /tmp 102 | name: temp 103 | {{- if .Values.imageAutomationController.volumeMounts }} 104 | {{- toYaml .Values.imageAutomationController.volumeMounts | nindent 8 }} 105 | {{- end}} 106 | {{- if .Values.imageAutomationController.priorityClassName }} 107 | priorityClassName: {{ .Values.imageAutomationController.priorityClassName | quote }} 108 | {{- end }} 109 | {{- if .Values.imageAutomationController.podSecurityContext }} 110 | securityContext: {{ toYaml .Values.imageAutomationController.podSecurityContext | nindent 8 }} 111 | {{- else }} 112 | securityContext: 113 | fsGroup: 1337 114 | {{- end}} 115 | serviceAccountName: image-automation-controller 116 | {{- if .Values.imagePullSecrets }} 117 | imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }} 118 | {{- end }} 119 | terminationGracePeriodSeconds: 10 120 | volumes: 121 | - emptyDir: {} 122 | name: temp 123 | {{- if .Values.imageAutomationController.volumes }} 124 | {{- toYaml .Values.imageAutomationController.volumes | nindent 6 }} 125 | {{- end}} 126 | {{- with .Values.imageAutomationController.nodeSelector }} 127 | nodeSelector: {{ toYaml . | nindent 8 }} 128 | {{- end }} 129 | {{- with .Values.imageAutomationController.affinity }} 130 | affinity: {{ toYaml . | nindent 8 }} 131 | {{- end }} 132 | {{- with .Values.imageAutomationController.tolerations }} 133 | tolerations: {{ toYaml . 
| nindent 8 }} 134 | {{- end }} 135 | {{- end }} 136 | -------------------------------------------------------------------------------- /flux2/templates/image-reflector-controller-sa.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.imageReflectionController.create }} 2 | {{- if .Values.imageReflectionController.serviceAccount.create -}} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: image-reflector-controller 8 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 10 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 11 | app.kubernetes.io/part-of: flux 12 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 13 | name: image-reflector-controller 14 | {{- with .Values.imageReflectionController.serviceAccount.annotations }} 15 | annotations: {{ toYaml . | nindent 4 }} 16 | {{- end }} 17 | {{- end -}} 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- /flux2/templates/image-reflector-controller.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.imageReflectionController.create }} 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | labels: 6 | app.kubernetes.io/component: image-reflector-controller 7 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 8 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 9 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 10 | app.kubernetes.io/part-of: flux 11 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 12 | control-plane: controller 13 | {{- with .Values.imageReflectionController.labels }} 14 | {{- . 
| toYaml | nindent 4 }} 15 | {{- end }} 16 | name: image-reflector-controller 17 | spec: 18 | {{- if kindIs "invalid" .Values.imageReflectionController.replicas }} 19 | replicas: 1 20 | {{- else }} 21 | replicas: {{ .Values.imageReflectionController.replicas }} 22 | {{- end}} 23 | selector: 24 | matchLabels: 25 | app: image-reflector-controller 26 | template: 27 | metadata: 28 | {{- with .Values.imageReflectionController.annotations }} 29 | annotations: {{ toYaml . | nindent 8 }} 30 | {{- end }} 31 | labels: 32 | app: image-reflector-controller 33 | {{ with .Values.imageReflectionController.labels }}{{ toYaml . | indent 8 }}{{ end }} 34 | spec: 35 | automountServiceAccountToken: {{ .Values.imageReflectionController.serviceAccount.automount }} 36 | {{- if .Values.imageReflectionController.initContainers}} 37 | initContainers: 38 | {{- toYaml .Values.imageReflectionController.initContainers | nindent 8}} 39 | {{- end}} 40 | containers: 41 | - args: 42 | {{- if .Values.multitenancy.enabled }} 43 | - --no-cross-namespace-refs=true 44 | {{- end}} 45 | {{- if .Values.notificationController.create }} 46 | - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. 47 | {{- end}} 48 | - --watch-all-namespaces={{ .Values.watchAllNamespaces }} 49 | - --log-level={{ .Values.logLevel | default "info" }} 50 | - --log-encoding=json 51 | - --enable-leader-election 52 | {{- range .Values.imageReflectionController.container.additionalArgs }} 53 | - {{ . }} 54 | {{- end}} 55 | env: 56 | - name: RUNTIME_NAMESPACE 57 | valueFrom: 58 | fieldRef: 59 | fieldPath: metadata.namespace 60 | {{- with .Values.imageReflectionController.extraEnv }} 61 | {{- toYaml . 
| nindent 8 }} 62 | {{- end }} 63 | image: {{ template "template.image" .Values.imageReflectionController }} 64 | {{- if .Values.imageReflectionController.imagePullPolicy }} 65 | imagePullPolicy: {{ .Values.imageReflectionController.imagePullPolicy }} 66 | {{- else }} 67 | imagePullPolicy: IfNotPresent 68 | {{- end }} 69 | livenessProbe: 70 | httpGet: 71 | path: /healthz 72 | port: healthz 73 | name: manager 74 | ports: 75 | - containerPort: 8080 76 | name: http-prom 77 | - containerPort: 9440 78 | name: healthz 79 | protocol: TCP 80 | readinessProbe: 81 | httpGet: 82 | path: /readyz 83 | port: healthz 84 | {{- with .Values.imageReflectionController.resources }} 85 | resources: {{ toYaml . | nindent 10 }} 86 | {{- end }} 87 | {{- if .Values.imageReflectionController.securityContext }} 88 | securityContext: {{ toYaml .Values.imageReflectionController.securityContext | nindent 10 }} 89 | {{- else }} 90 | securityContext: 91 | allowPrivilegeEscalation: false 92 | capabilities: 93 | drop: 94 | - ALL 95 | readOnlyRootFilesystem: true 96 | runAsNonRoot: true 97 | seccompProfile: 98 | type: RuntimeDefault 99 | {{- end}} 100 | volumeMounts: 101 | - mountPath: /tmp 102 | name: temp 103 | - mountPath: /data 104 | name: data 105 | {{- if .Values.imageReflectionController.volumeMounts }} 106 | {{- toYaml .Values.imageReflectionController.volumeMounts | nindent 8 }} 107 | {{- end}} 108 | {{- if .Values.imageReflectionController.priorityClassName }} 109 | priorityClassName: {{ .Values.imageReflectionController.priorityClassName | quote }} 110 | {{- end }} 111 | {{- if .Values.imageReflectionController.podSecurityContext }} 112 | securityContext: {{ toYaml .Values.imageReflectionController.podSecurityContext | nindent 8 }} 113 | {{- else }} 114 | securityContext: 115 | fsGroup: 1337 116 | {{- end}} 117 | serviceAccountName: image-reflector-controller 118 | {{- if .Values.imagePullSecrets }} 119 | imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }} 120 | {{- end }} 
121 | terminationGracePeriodSeconds: 10 122 | volumes: 123 | - emptyDir: {} 124 | name: temp 125 | - emptyDir: {} 126 | name: data 127 | {{- if .Values.imageReflectionController.volumes }} 128 | {{- toYaml .Values.imageReflectionController.volumes | nindent 6 }} 129 | {{- end}} 130 | {{- with .Values.imageReflectionController.nodeSelector }} 131 | nodeSelector: {{ toYaml . | nindent 8 }} 132 | {{- end }} 133 | {{- with .Values.imageReflectionController.affinity }} 134 | affinity: {{ toYaml . | nindent 8 }} 135 | {{- end }} 136 | {{- with .Values.imageReflectionController.tolerations }} 137 | tolerations: {{ toYaml . | nindent 8 }} 138 | {{- end }} 139 | {{- end }} 140 | -------------------------------------------------------------------------------- /flux2/templates/kustomize-controller-sa.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.kustomizeController.create }} 2 | {{- if .Values.kustomizeController.serviceAccount.create -}} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: kustomize-controller 8 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 10 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 11 | app.kubernetes.io/part-of: flux 12 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 13 | name: kustomize-controller 14 | {{- with .Values.kustomizeController.serviceAccount.annotations }} 15 | annotations: {{ toYaml . 
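| nindent 4 }}
  {{- end }}
{{- end -}}
{{- end -}}
-------------------------------------------------------------------------------- /flux2/templates/kustomize-controller-secret.yaml: --------------------------------------------------------------------------------
{{- /*
Opaque Secret created alongside kustomize-controller. Rendered only when
.Values.kustomizeController.secret.create is true; every entry of
.Values.kustomizeController.secret.data becomes one base64-encoded key.
*/}}
{{- if and .Values.kustomizeController.secret.create }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Values.kustomizeController.secret.name }}
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/part-of: flux
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
type: Opaque
data:
  {{- /*
  Keys are quoted so that names YAML would otherwise type-coerce (purely
  numeric keys, or words such as "on"/"yes") are always emitted as strings.
  Values are only base64-encoded here; they arrive in plaintext through chart
  values and therefore also persist wherever those values are kept (values
  files, Helm release history).
  */}}
  {{- range $key, $value := .Values.kustomizeController.secret.data }}
  {{ $key | quote }}: {{ $value | toString | b64enc | quote }}
  {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /flux2/templates/notification-controller-ingress.yaml: --------------------------------------------------------------------------------
{{- /*
Ingress in front of the webhook-receiver Service (port 80), i.e. the path by
which external systems reach notification-controller's webhook receiver.
Rendered only when both notificationController.create and
webhookReceiver.ingress.create are set. Labels and annotations come from
.Values.notificationController.webhookReceiver.ingress; annotation values are
passed through tpl, so they may themselves contain template expressions.
*/}}
{{- if and .Values.notificationController.create .Values.notificationController.webhookReceiver.ingress.create }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/part-of: flux
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    control-plane: controller
    {{- with .Values.notificationController.webhookReceiver.ingress.labels }}{{ toYaml . | nindent 4 }}{{ end }}
  {{- with .Values.notificationController.webhookReceiver.ingress.annotations }}
  annotations:
    {{- range $key, $value := . }}
    {{ $key }}: {{ tpl $value $ | quote }}
    {{- end }}
  {{- end }}
  name: webhook-receiver
spec:
  {{- if .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
  ingressClassName: {{ .Values.notificationController.webhookReceiver.ingress.ingressClassName }}
  {{- end -}}
  {{- /*
  NOTE(review): TLS is optional. With .tls left empty this Ingress publishes
  the receiver over plain HTTP; unless TLS is terminated in front of the
  ingress controller, webhook traffic reaches it in clear text.
  */}}
  {{- if .Values.notificationController.webhookReceiver.ingress.tls }}
  tls:
  {{- range .Values.notificationController.webhookReceiver.ingress.tls }}
  - hosts:
    {{- range .hosts }}
    - {{ . | quote }}
    {{- end }}
    secretName: {{ .secretName }}
  {{- end }}
  {{- end }}
  rules:
  {{- range .Values.notificationController.webhookReceiver.ingress.hosts }}
  - host: {{ .host | quote }}
    http:
      paths:
      {{- range .paths }}
      - path: {{ .path }}
        pathType: {{ .pathType }}
        backend:
          service:
            name: webhook-receiver
            port:
              number: 80
      {{- end }}
  {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /flux2/templates/notification-controller-sa.yaml: --------------------------------------------------------------------------------
{{- /*
ServiceAccount referenced by the notification-controller Deployment
(serviceAccountName: notification-controller). Skipped entirely when either
notificationController.create or its serviceAccount.create is false; an
account with this name must then already exist in the namespace.
*/}}
{{- if and .Values.notificationController.create -}}
{{- if .Values.notificationController.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: notification-controller
    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/part-of: flux
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
  name: notification-controller
  {{- with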
.Values.notificationController.serviceAccount.annotations }}
  annotations: {{ toYaml . | nindent 4 }}
  {{- end }}
{{- end -}}
{{- end -}}
-------------------------------------------------------------------------------- /flux2/templates/notification-controller-service.yaml: --------------------------------------------------------------------------------
{{- /*
ClusterIP Service "notification-controller": port 80 -> the container port
named "http" (9090 on the Deployment). This is the address the other Flux
controllers are given via --events-addr. Additional ports can be appended
through .Values.notificationController.service.ports.
*/}}
{{- if and .Values.notificationController.create }}
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/part-of: flux
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    control-plane: controller
    {{- with .Values.notificationController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
  name: notification-controller
  {{- with .Values.notificationController.service.annotations }}
  annotations: {{ toYaml . | nindent 4 }}
  {{- end }}
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  {{- if .Values.notificationController.service.ports }}
  {{- toYaml .Values.notificationController.service.ports | nindent 2 }}
  {{- end}}
  selector:
    app: notification-controller
  type: ClusterIP
{{- end }}
-------------------------------------------------------------------------------- /flux2/templates/notification-controller-webhook-service.yaml: --------------------------------------------------------------------------------
{{- /*
ClusterIP Service "webhook-receiver": port 80 -> container port 9292
("http-webhook" on the Deployment). This is the backend published by the
optional Ingress in notification-controller-ingress.yaml.
*/}}
{{- if and .Values.notificationController.create }}
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/part-of: flux
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    control-plane: controller
    {{- with .Values.notificationController.webhookReceiver.service.labels }}{{ toYaml . | nindent 4 }}{{ end }}
  name: webhook-receiver
  {{- with .Values.notificationController.webhookReceiver.service.annotations }}
  annotations: {{ toYaml . | nindent 4 }}
  {{- end }}
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 9292
  selector:
    app: notification-controller
  type: ClusterIP
{{- end }}
-------------------------------------------------------------------------------- /flux2/templates/notification-controller.yaml: --------------------------------------------------------------------------------
{{- /*
Deployment for notification-controller. The replica count falls back to 1
when .Values.notificationController.replicas is unset (kindIs "invalid" is
true for a nil value). Operator-supplied labels are merged into both the
Deployment metadata and the pod template.
*/}}
{{- if and .Values.notificationController.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: notification-controller
    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/part-of: flux
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    control-plane: controller
    {{- with .Values.notificationController.labels }}
    {{- . | toYaml | nindent 4 }}
    {{- end }}
  name: notification-controller
spec:
  {{- if kindIs "invalid" .Values.notificationController.replicas }}
  replicas: 1
  {{- else }}
  replicas: {{ .Values.notificationController.replicas }}
  {{- end}}
  selector:
    matchLabels:
      app: notification-controller
  template:
    metadata:
      {{- with .Values.notificationController.annotations }}
      annotations: {{ toYaml . | nindent 8 }}
      {{- end }}
      labels:
        app: notification-controller
{{ with .Values.notificationController.labels }}{{ toYaml .
| indent 8 }}{{ end }}
    spec:
      {{- /*
      Token automount follows .Values.notificationController.serviceAccount.automount
      verbatim; an unset value renders as an empty (null) field, so the API
      server default applies.
      */}}
      automountServiceAccountToken: {{ .Values.notificationController.serviceAccount.automount }}
      {{- if .Values.notificationController.initContainers}}
      initContainers:
        {{- toYaml .Values.notificationController.initContainers | nindent 8}}
      {{- end}}
      containers:
      - args:
        {{- /* With multitenancy enabled the controller refuses cross-namespace references. */}}
        {{- if .Values.multitenancy.enabled }}
        - --no-cross-namespace-refs=true
        {{- end}}
        - --watch-all-namespaces={{ .Values.watchAllNamespaces }}
        - --log-level={{ .Values.logLevel | default "info" }}
        - --log-encoding=json
        - --enable-leader-election
        {{- /* Free-form extra flags from values; emitted unquoted and unvalidated. */}}
        {{- range .Values.notificationController.container.additionalArgs }}
        - {{ . }}
        {{- end}}
        env:
        - name: RUNTIME_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        {{- with .Values.notificationController.extraEnv }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        image: {{ template "template.image" .Values.notificationController }}
        {{- if .Values.notificationController.imagePullPolicy }}
        imagePullPolicy: {{ .Values.notificationController.imagePullPolicy }}
        {{- else }}
        imagePullPolicy: IfNotPresent
        {{- end }}
        livenessProbe:
          httpGet:
            path: /healthz
            port: healthz
        name: manager
        {{- /*
        9090 "http"          events endpoint (Service notification-controller:80)
        9292 "http-webhook"  webhook receiver (Service webhook-receiver:80)
        8080 "http-prom"     metrics; opened cluster-wide by the allow-scraping NetworkPolicy
        9440 "healthz"       liveness/readiness probes
        */}}
        ports:
        - containerPort: 9090
          name: http
          protocol: TCP
        - containerPort: 9292
          name: http-webhook
          protocol: TCP
        - containerPort: 8080
          name: http-prom
          protocol: TCP
        - containerPort: 9440
          name: healthz
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /readyz
            port: healthz
        {{- with .Values.notificationController.resources }}
        resources: {{ toYaml .
| nindent 10 }}
        {{- end }}
        {{- /*
        Container securityContext: an operator-supplied block is used verbatim
        (it replaces, rather than merges with, the defaults below); otherwise
        the hardened defaults apply - no privilege escalation, all capabilities
        dropped, read-only root filesystem, non-root, RuntimeDefault seccomp.
        */}}
        {{- if .Values.notificationController.securityContext }}
        securityContext: {{ toYaml .Values.notificationController.securityContext | nindent 10 }}
        {{- else }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        {{- end}}
        {{- /* With the default read-only root filesystem, /tmp (emptyDir "temp") is the writable scratch path. */}}
        volumeMounts:
        - mountPath: /tmp
          name: temp
        {{- if .Values.notificationController.volumeMounts }}
        {{- toYaml .Values.notificationController.volumeMounts | nindent 8 }}
        {{- end}}
      {{- if .Values.notificationController.priorityClassName }}
      priorityClassName: {{ .Values.notificationController.priorityClassName | quote }}
      {{- end }}
      {{- /*
      Pod-level securityContext is emitted only when supplied. Like the
      helm-controller template, and unlike the image-*-controller and
      source-controller templates in this chart, there is no fsGroup default.
      */}}
      {{- if .Values.notificationController.podSecurityContext }}
      securityContext: {{ toYaml .Values.notificationController.podSecurityContext | nindent 8 }}
      {{- end }}
      serviceAccountName: notification-controller
      {{- if .Values.imagePullSecrets }}
      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }}
      {{- end }}
      terminationGracePeriodSeconds: 10
      volumes:
      - emptyDir: {}
        name: temp
      {{- if .Values.notificationController.volumes }}
      {{- toYaml .Values.notificationController.volumes | nindent 6 }}
      {{- end}}
      {{- with .Values.notificationController.nodeSelector }}
      nodeSelector: {{ toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.notificationController.affinity }}
      affinity: {{ toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.notificationController.tolerations }}
      tolerations: {{ toYaml .
| nindent 8 }}
      {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /flux2/templates/podmonitor.yaml: --------------------------------------------------------------------------------
{{- /*
PodMonitor (Prometheus Operator CRD) covering every Flux controller pod in the
release namespace, matched on the "app" label. The endpoint list is taken
verbatim from .Values.prometheus.podMonitor.podMetricsEndpoints; the
controllers expose metrics on their "http-prom" port (8080).
*/ -}}
{{ if .Values.prometheus.podMonitor.create }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: {{ .Release.Name }}
  labels:
    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/part-of: flux
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    {{- range $key, $value := .Values.prometheus.podMonitor.additionalLabels }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
spec:
  namespaceSelector:
    matchNames:
    - {{ .Release.Namespace }}
  selector:
    matchExpressions:
    - key: app
      operator: In
      values:
      - helm-controller
      - source-controller
      - kustomize-controller
      - notification-controller
      - image-automation-controller
      - image-reflector-controller
  podMetricsEndpoints:
{{ toYaml .Values.prometheus.podMonitor.podMetricsEndpoints | indent 4 }}
{{- end }}
-------------------------------------------------------------------------------- /flux2/templates/policies.yaml: --------------------------------------------------------------------------------
{{- /*
Baseline NetworkPolicies for the release namespace, all gated on
.Values.policies.create. NetworkPolicies are additive: a pod's effective
allow-list is the union of every policy that selects it.
*/}}
{{- if and .Values.policies.create}}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/part-of: flux
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
  name: allow-egress
spec:
  {{- /*
  allow-egress: selects every pod in the namespace (podSelector: {}), permits
  all egress, and admits ingress only from pods of this same namespace - a
  podSelector peer without a namespaceSelector is scoped to the policy's own
  namespace. Controller-to-controller traffic such as events posted to
  notification-controller:9090 is covered by this rule.
  */}}
  egress:
  - {}
  ingress:
  - from:
    - podSelector: {}
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/part-of: flux
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
  name: allow-scraping
spec:
  {{- /*
  allow-scraping: opens TCP/8080 (the controllers' "http-prom" metrics port)
  on every pod in the namespace to pods from any namespace.
  */}}
  ingress:
  - from:
    - namespaceSelector: {}
    ports:
    - port: 8080
      protocol: TCP
  podSelector: {}
  policyTypes:
  - Ingress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/part-of: flux
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
  name: allow-webhooks
spec:
  {{- /*
  allow-webhooks: admits traffic from any namespace to notification-controller
  pods. There is no "ports" clause, so 9090 (events), 9292 (webhook receiver),
  8080 (metrics) and 9440 (health) are all reachable cluster-wide.
  NOTE(review): if only the webhook receiver needs to be reachable from other
  namespaces, adding `ports: [{port: 9292, protocol: TCP}]` to this rule would
  narrow it; in-namespace event traffic stays allowed through allow-egress
  above. Confirm nothing outside the namespace posts to 9090 before tightening.
  */}}
  ingress:
  - from:
    - namespaceSelector: {}
  podSelector:
    matchLabels:
      app: notification-controller
  policyTypes:
  - Ingress
{{- end }}
-------------------------------------------------------------------------------- /flux2/templates/source-controller-service.yaml: --------------------------------------------------------------------------------
{{- /*
ClusterIP Service "source-controller": port 80 -> the container port named
"http". Its DNS name is what the source-controller Deployment advertises via
--storage-adv-addr. Extra ports may be appended through
.Values.sourceController.service.ports.
*/}}
{{- if .Values.sourceController.create }}
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
    app.kubernetes.io/part-of: flux
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
control-plane: controller 12 | {{- with .Values.sourceController.service.labels }}{{ toYaml . | nindent 4 }}{{ end }} 13 | name: source-controller 14 | {{- with .Values.sourceController.service.annotations }} 15 | annotations: {{ toYaml . | nindent 4 }} 16 | {{- end }} 17 | spec: 18 | ports: 19 | - name: http 20 | port: 80 21 | protocol: TCP 22 | targetPort: http 23 | {{- if .Values.sourceController.service.ports }} 24 | {{- toYaml .Values.sourceController.service.ports | nindent 2 }} 25 | {{- end}} 26 | selector: 27 | app: source-controller 28 | type: ClusterIP 29 | {{- end }} 30 | -------------------------------------------------------------------------------- /flux2/templates/source-controller-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.sourceController.create -}} 2 | {{- if .Values.sourceController.serviceAccount.create -}} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | labels: 7 | app.kubernetes.io/component: source-controller 8 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 9 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 10 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 11 | app.kubernetes.io/part-of: flux 12 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 13 | name: source-controller 14 | {{- with .Values.sourceController.serviceAccount.annotations }} 15 | annotations: {{ toYaml . 
| nindent 4 }} 16 | {{- end }} 17 | {{- end -}} 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- /flux2/templates/source-controller.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.sourceController.create }} 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | labels: 6 | app.kubernetes.io/component: source-controller 7 | app.kubernetes.io/instance: {{ .Release.Namespace | quote }} 8 | app.kubernetes.io/managed-by: {{ .Release.Service | quote }} 9 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 10 | app.kubernetes.io/part-of: flux 11 | helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} 12 | control-plane: controller 13 | {{- with .Values.sourceController.labels }} 14 | {{- . | toYaml | nindent 4 }} 15 | {{- end }} 16 | name: source-controller 17 | spec: 18 | replicas: 1 19 | selector: 20 | matchLabels: 21 | app: source-controller 22 | strategy: 23 | type: Recreate 24 | template: 25 | metadata: 26 | {{- with .Values.sourceController.annotations }} 27 | annotations: {{ toYaml . | nindent 8 }} 28 | {{- end }} 29 | labels: 30 | app: source-controller 31 | {{ with .Values.sourceController.labels }}{{ toYaml . | indent 8 }}{{ end }} 32 | spec: 33 | automountServiceAccountToken: {{ .Values.sourceController.serviceAccount.automount }} 34 | {{- if .Values.sourceController.initContainers}} 35 | initContainers: 36 | {{- toYaml .Values.sourceController.initContainers | nindent 8}} 37 | {{- end}} 38 | containers: 39 | - args: 40 | {{- if .Values.notificationController.create }} 41 | - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. 
42 | {{- end}} 43 | - --watch-all-namespaces={{ .Values.watchAllNamespaces }} 44 | - --log-level={{ .Values.logLevel | default "info" }} 45 | - --log-encoding=json 46 | - --enable-leader-election 47 | - --storage-path=/data 48 | - --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.{{ .Values.clusterDomain | default "cluster.local" }}. 49 | {{- range .Values.sourceController.container.additionalArgs }} 50 | - {{ . }} 51 | {{- end}} 52 | env: 53 | - name: RUNTIME_NAMESPACE 54 | valueFrom: 55 | fieldRef: 56 | fieldPath: metadata.namespace 57 | {{- with .Values.sourceController.extraEnv }} 58 | {{- toYaml . | nindent 8 }} 59 | {{- end }} 60 | image: {{ template "template.image" .Values.sourceController }} 61 | {{- if .Values.sourceController.imagePullPolicy }} 62 | imagePullPolicy: {{ .Values.sourceController.imagePullPolicy }} 63 | {{- else }} 64 | imagePullPolicy: IfNotPresent 65 | {{- end }} 66 | livenessProbe: 67 | httpGet: 68 | path: /healthz 69 | port: healthz 70 | name: manager 71 | ports: 72 | - containerPort: 9090 73 | name: http 74 | protocol: TCP 75 | - containerPort: 8080 76 | name: http-prom 77 | protocol: TCP 78 | - containerPort: 9440 79 | name: healthz 80 | protocol: TCP 81 | readinessProbe: 82 | httpGet: 83 | path: / 84 | port: http 85 | {{- with .Values.sourceController.resources }} 86 | resources: {{ toYaml . 
| nindent 10 }} 87 | {{- end }} {{- /* Container securityContext: the hardened defaults below (no privilege escalation, all capabilities dropped, read-only root filesystem, non-root, RuntimeDefault seccomp) are rendered only when .Values.sourceController.securityContext is unset. A user-supplied value replaces the whole block rather than merging with it, so an override should restate every setting it still wants. */ }} 88 | {{- if .Values.sourceController.securityContext }} 89 | securityContext: {{ toYaml .Values.sourceController.securityContext | nindent 10 }} 90 | {{- else }} 91 | securityContext: 92 | allowPrivilegeEscalation: false 93 | capabilities: 94 | drop: 95 | - ALL 96 | readOnlyRootFilesystem: true 97 | runAsNonRoot: true 98 | seccompProfile: 99 | type: RuntimeDefault 100 | {{- end}} 101 | volumeMounts: 102 | - mountPath: /data 103 | name: data 104 | - mountPath: /tmp 105 | name: tmp 106 | {{- if .Values.sourceController.volumeMounts }} 107 | {{- toYaml .Values.sourceController.volumeMounts | nindent 8 }} 108 | {{- end}} 109 | {{- if .Values.sourceController.priorityClassName }} 110 | priorityClassName: {{ .Values.sourceController.priorityClassName | quote }} 111 | {{- end }} {{- /* Pod securityContext: same replace-not-merge behaviour as the container block above; the default only sets fsGroup: 1337. */ }} 112 | {{- if .Values.sourceController.podSecurityContext }} 113 | securityContext: {{ toYaml .Values.sourceController.podSecurityContext | nindent 8 }} 114 | {{- else }} 115 | securityContext: 116 | fsGroup: 1337 117 | {{- end}} 118 | serviceAccountName: source-controller 119 | {{- if .Values.imagePullSecrets }} 120 | imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 6 }} 121 | {{- end }} 122 | terminationGracePeriodSeconds: 10 123 | volumes: 124 | - emptyDir: {} 125 | name: data 126 | - emptyDir: {} 127 | name: tmp 128 | {{- if .Values.sourceController.volumes }} 129 | {{- toYaml .Values.sourceController.volumes | nindent 6 }} 130 | {{- end}} 131 | {{- with .Values.sourceController.nodeSelector }} 132 | nodeSelector: {{ toYaml . | nindent 8 }} 133 | {{- end }} 134 | {{- with .Values.sourceController.affinity }} 135 | affinity: {{ toYaml . | nindent 8 }} 136 | {{- end }} 137 | {{- with .Values.sourceController.tolerations }} 138 | tolerations: {{ toYaml . 
| nindent 8 }} 139 | {{- end }} 140 | {{- end }} 141 | -------------------------------------------------------------------------------- /flux2/templates/sync.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: GitRepository 4 | metadata: 5 | name: outpost-state 6 | spec: 7 | interval: 3m0s 8 | ref: 9 | branch: {{ required "branch is required" .Values.git.branch }} 10 | url: {{ required "git.url is required" .Values.git.url }} 11 | --- 12 | apiVersion: kustomize.toolkit.fluxcd.io/v1 13 | kind: Kustomization 14 | metadata: 15 | name: outpost-state 16 | spec: 17 | interval: 10m0s 18 | path: {{ required "git.path is required" .Values.git.path }} 19 | prune: true 20 | sourceRef: 21 | kind: GitRepository 22 | name: outpost-state 23 | -------------------------------------------------------------------------------- /git-proxy/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /git-proxy/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: git-proxy 3 | description: A Helm chart for Kubernetes 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 
9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 2025.05.28 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | appVersion: 0.0.1 24 | -------------------------------------------------------------------------------- /git-proxy/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "git-proxy.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 
12 | */}} 13 | {{- define "git-proxy.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "git-proxy.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "git-proxy.labels" -}} 37 | helm.sh/chart: {{ include "git-proxy.chart" . }} 38 | {{ include "git-proxy.selectorLabels" . }} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "git-proxy.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "git-proxy.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "git-proxy.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "git-proxy.fullname" .) 
.Values.serviceAccount.name }} 59 | {{- else }} 60 | {{- default "default" .Values.serviceAccount.name }} 61 | {{- end }} 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /git-proxy/templates/namespace.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (ne .Release.Namespace "default") .Values.createNamespace }} 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | labels: 6 | app.kubernetes.io/instance: git-proxy 7 | app.kubernetes.io/version: {{ .Chart.Version }} 8 | name: {{ .Release.Namespace }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /git-proxy/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.blob.azureCreds }} 2 | {{/* Small hack for automated clusters - publish the secret for git-proxy / external secrets. Every key of .Values.blob.azureCreds is written into this Secret twice: once inside azure.json and once as its own data key (the two boolean keys excluded below). Since azureCreds can carry the service-principal client secret (see the commented keys in values.yaml), any values file that sets it must be handled with the same care as the resulting Secret. */}} 3 | apiVersion: v1 4 | kind: Secret 5 | type: Opaque 6 | metadata: 7 | name: {{ .Values.blob.azureCredsSecretName }} 8 | labels: 9 | {{- include "git-proxy.labels" . | nindent 4 }} 10 | data: 11 | azure.json: {{ .Values.blob.azureCreds | toJson | b64enc | quote }} 12 | # External Secrets needs each key as a separate entry, so the secret is referenced via env vars 13 | {{- range $k, $v := .Values.blob.azureCreds }} 14 | {{- if and (not (eq $k "useInstanceMetadata" )) (not (eq $k "useFederatedToken" ))}} 15 | {{ $k }}: {{ $v | b64enc | quote }} 16 | {{- end }} 17 | {{- end }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /git-proxy/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "git-proxy.fullname" . }} 5 | labels: 6 | {{- include "git-proxy.labels" . 
| nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: 80 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | - port: 3000 15 | targetPort: grpc 16 | protocol: TCP 17 | name: grpc 18 | selector: 19 | {{- include "git-proxy.selectorLabels" . | nindent 4 }} 20 | --- 21 | {{- if ne .Release.Name "git-proxy" }} 22 | apiVersion: v1 23 | kind: Service 24 | metadata: 25 | name: git-proxy 26 | labels: 27 | {{- include "git-proxy.labels" . | nindent 4 }} 28 | spec: 29 | type: {{ .Values.service.type }} 30 | ports: 31 | - port: 80 32 | targetPort: http 33 | protocol: TCP 34 | name: http 35 | - port: 3000 36 | targetPort: grpc 37 | protocol: TCP 38 | name: grpc 39 | selector: 40 | {{- include "git-proxy.selectorLabels" . | nindent 4 }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /git-proxy/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "git-proxy.serviceAccountName" . }} 6 | labels: 7 | {{- include "git-proxy.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.extraLabels }} 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | {{- if .Values.serviceAccount.annotations }} 12 | annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }} 13 | {{- end }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /git-proxy/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for git-proxy. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 
4 | 5 | replicaCount: 1 6 | storageService: "" # s3/gcs/blob/objectstorage/oss/wiz 7 | s3: 8 | bucketName: 9 | region: 10 | gcs: 11 | bucketName: 12 | blob: 13 | # credentials JSON containing the service principal, secret must contain azure.json key 14 | # leave empty if you're using the system assigned identity for the node 15 | # (existing in /etc/kubernetes/azure.json) 16 | azureCreds: 17 | # tenantId: 18 | # aadClientId: 19 | # aadClientSecret: 20 | # subscriptionId: 21 | # environment: 22 | # useInstanceMetadata: 23 | # useFederatedToken: 24 | azureCredsSecretName: azure-creds 25 | useAzureCredsSecret: false 26 | resourceGroupName: 27 | storageAccountName: 28 | containerName: gitops-state 29 | globalStorageAccountIP: "" 30 | storageAccountDomain: core.windows.net 31 | 32 | wiz: 33 | secretName: wiz-outpost-agent-creds 34 | env: "" 35 | outpostId: "" 36 | serviceType: "" 37 | dataCenter: "" 38 | 39 | serviceAccount: 40 | # Specifies whether a service account should be created 41 | create: false 42 | # Annotations to add to the service account 43 | annotations: {} 44 | # The name of the service account to use. 45 | # If empty, a name is generated using the fullname template 46 | name: "" 47 | 48 | objectstorage: 49 | region: 50 | namespaceName: 51 | bucketName: 52 | 53 | oss: 54 | oidcProviderARN: "" 55 | roleARN: "" 56 | region: 57 | bucketName: 58 | 59 | image: 60 | repository: public-registry.wiz.io 61 | namePrefix: wiz-git-proxy 62 | pullPolicy: Always 63 | # Overrides the image tag whose default is the chart appVersion. 64 | tag: "f50b5d3cc33ed261561fa3241899788e195ff0ba-multiarch" 65 | 66 | imagePullSecrets: [] 67 | nameOverride: "" 68 | fullnameOverride: "" 69 | 70 | podAnnotations: {} 71 | 72 | service: 73 | type: ClusterIP 74 | port: 8080 75 | grpcPort: 3000 76 | 77 | resources: 78 | {} 79 | # We usually recommend not to specify default resources and to leave this as a conscious 80 | # choice for the user. 
This also increases chances charts run on environments with little 81 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 82 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 83 | # limits: 84 | # cpu: 100m 85 | # memory: 128Mi 86 | # requests: 87 | # cpu: 100m 88 | # memory: 128Mi 89 | 90 | nodeSelector: {} 91 | 92 | tolerations: [] 93 | 94 | affinity: {} 95 | hostpathCopier: 96 | image: 97 | name: wiz-busybox 98 | tag: 1.36.0 99 | 100 | internetAccessCertificates: 101 | skipSslValidation: false 102 | 103 | extraEnv: {} 104 | 105 | httpProxyConfiguration: 106 | name: wiz-http-proxy-configuration 107 | -------------------------------------------------------------------------------- /wiz-admission-controller/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /wiz-admission-controller/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: wiz-admission-controller 3 | description: Wiz admission controller 4 | type: application 5 | # This is the chart version. This version number should be incremented each time you make changes 6 | # to the chart and its templates, including the app version. 
7 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 8 | version: 3.10.2 9 | # This is the version number of the application being deployed. This version number should be 10 | # incremented each time you make changes to the application. Versions are not expected to 11 | # follow Semantic Versioning. They should reflect the version the application is using. 12 | # It is recommended to use it with quotes. 13 | appVersion: "2.9" 14 | dependencies: 15 | - name: wiz-common 16 | version: "0.1.9" 17 | repository: https://wiz-sec.github.io/charts 18 | # repository: "file://../wiz-common" # Use this line to test the chart locally 19 | -------------------------------------------------------------------------------- /wiz-admission-controller/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | To uninstall the wiz admission controller you need to delete the Helm hook resources manually: 2 | 1. Delete validating webhook configuration - kubectl delete validatingwebhookconfiguration {{ printf "%s-%s" (include "wiz-admission-controller-enforcer.name" . ) "misconfigurations" }} 3 | 2. Delete mutating webhook configuration - kubectl delete mutatingwebhookconfiguration {{ printf "%s-%s" (include "wiz-admission-controller-enforcer.name" . ) "image-integrity" }} 4 | 5 | {{- if not .Values.webhook.secret.name }} 6 | 3. Delete certificates secret - kubectl delete -n {{ .Release.Namespace }} secret {{ include "wiz-admission-controller.secretServerCert" . | trim }} 7 | {{- end }} 8 | {{- if eq .Values.opaWebhook.failurePolicy "Fail" }} 9 | 10 | WARNING!!! 11 | opaWebhook.failurePolicy is Fail: you must delete the validatingwebhookconfiguration before uninstalling. If the webhook remains after the chart resources are gone, you cannot create resources in your cluster! 
12 | {{- end }} 13 | -------------------------------------------------------------------------------- /wiz-admission-controller/templates/certmanager.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.webhook.createSelfSignedCert }} 2 | apiVersion: cert-manager.io/v1 3 | kind: Issuer 4 | metadata: 5 | name: "selfsigned-issuer" 6 | namespace: {{ .Release.Namespace | quote }} 7 | spec: 8 | selfSigned: {} 9 | --- 10 | apiVersion: cert-manager.io/v1 11 | kind: Certificate 12 | metadata: 13 | name: {{ printf "%s-cert" (include "wiz-admission-controller.fullname" .) | quote }} 14 | namespace: {{ .Release.Namespace | quote }} 15 | spec: 16 | subject: 17 | organizations: 18 | - wizselfsigned 19 | dnsNames: 20 | - {{ printf "%s.%s" (include "wiz-admission-controller-enforcer.name" .) .Release.Namespace | quote }} 21 | - {{ printf "%s.%s.svc" (include "wiz-admission-controller-enforcer.name" .) .Release.Namespace | quote }} 22 | - {{ printf "%s.%s" ( include "wiz-kubernetes-audit-log-collector.name" .) .Release.Namespace }} 23 | - {{ printf "%s.%s.svc" ( include "wiz-kubernetes-audit-log-collector.name" .) .Release.Namespace }} 24 | duration: "87600h0m0s" # 10 years: the admission controller does not currently detect changes to the certificate and must be restarted after a renewal 25 | renewBefore: "360h0m0s" 26 | secretName: {{ include "wiz-admission-controller.secretServerCert" . | quote }} 27 | {{- if (or .Values.webhook.secret.annotations .Values.opaWebhook.secret.annotations) }} 28 | secretTemplate: 29 | annotations: 30 | {{- with .Values.webhook.secret.annotations }} 31 | {{- toYaml . | nindent 6 }} 32 | {{- end }} 33 | {{- with .Values.opaWebhook.secret.annotations }} 34 | {{- toYaml . 
| nindent 6 }} 35 | {{- end }} 36 | {{- end }} 37 | issuerRef: 38 | name: "selfsigned-issuer" 39 | kind: "Issuer" 40 | group: "cert-manager.io" 41 | {{ end }} 42 | -------------------------------------------------------------------------------- /wiz-admission-controller/templates/cronjobmanager.yaml: -------------------------------------------------------------------------------- 1 | {{ if and .Values.wizManager.enabled -}} 2 | apiVersion: batch/v1 3 | kind: CronJob 4 | metadata: 5 | name: {{ include "wiz-admission-controller-manager.name" . }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "wiz-admission-controller-manager.labels" . | nindent 4 }} 9 | spec: 10 | schedule: "{{ .Values.wizManager.schedule }}" 11 | concurrencyPolicy: Forbid # Ensures only one job instance runs at a time 12 | jobTemplate: 13 | spec: 14 | activeDeadlineSeconds: {{ .Values.wizManager.timeoutSeconds }} 15 | ttlSecondsAfterFinished: {{ .Values.wizManager.cleanupJobSeconds }} 16 | template: 17 | metadata: 18 | annotations: 19 | rollme.proxyHash: {{ include "wiz-admission-controller.proxyHash" . }} 20 | rollme.wizApiTokenHash: {{ include "wiz-admission-controller.wizApiTokenHash" . }} 21 | {{- with .Values.global.podAnnotations }} 22 | {{- toYaml . | nindent 12 }} 23 | {{- end }} 24 | {{- with .Values.podAnnotations }} 25 | {{- toYaml . | nindent 12 }} 26 | {{- end }} 27 | labels: 28 | wiz.io/component: "admission-controller-manager" 29 | {{- include "wiz-admission-controller-manager.labels" . | nindent 12 }} 30 | {{- with .Values.global.podLabels }} 31 | {{- toYaml . | nindent 12 }} 32 | {{- end }} 33 | {{- with .Values.podLabels }} 34 | {{- toYaml . | nindent 12 }} 35 | {{- end }} 36 | spec: 37 | restartPolicy: Never 38 | {{- if .Values.priorityClassName }} 39 | priorityClassName: {{ .Values.priorityClassName }} 40 | {{- end }} 41 | {{- with (coalesce .Values.global.imagePullSecrets .Values.imagePullSecrets) }} 42 | imagePullSecrets: 43 | {{- toYaml . 
| nindent 12 }} 44 | {{- end }} 45 | serviceAccountName: {{ include "wiz-admission-controller.manager.serviceAccountName" . }} 46 | securityContext: 47 | {{- if hasKey .Values.global "lowPrivilegePodSecurityPolicy" }} 48 | {{- toYaml .Values.global.lowPrivilegePodSecurityPolicy | nindent 12 }} 49 | {{- else }} 50 | {{- toYaml .Values.podSecurityContext | nindent 12 }} 51 | {{- end }} 52 | {{- if .Values.hostNetwork }} 53 | hostNetwork: true 54 | {{- end }} 55 | terminationGracePeriodSeconds: {{ .Values.global.podTerminationGracePeriodSeconds }} 56 | containers: 57 | - name: {{ .Chart.Name }}-manager 58 | securityContext: 59 | {{- if hasKey .Values.global "lowPrivilegeSecurityPolicy" }} 60 | {{- toYaml .Values.global.lowPrivilegeSecurityPolicy | nindent 16 }} 61 | {{- else }} 62 | {{- toYaml .Values.securityContext | nindent 16 }} 63 | {{- end }} 64 | image: {{ include "wiz-admission-controller.image" . }} 65 | imagePullPolicy: {{ .Values.image.pullPolicy }} 66 | command: 67 | - "/usr/bin/wiz-admission-controller" 68 | - "manager" 69 | {{- include "wiz-admission-controller.spec.common.commandArgs" . | trim | nindent 14 }} 70 | {{- include "wiz-admission-controller.wiz-admission-controller.autoUpdate.deployments.arg" . | trim | nindent 14 }} 71 | # Auto update flags 72 | - "--auto-update-enabled={{ .Values.wizManager.autoRolloutRestart.enabled }}" 73 | - "--release-namespace={{ .Release.Namespace }}" 74 | env: 75 | {{- include "wiz-admission-controller.spec.common.envVars" . | trim | nindent 14 }} 76 | - name: WIZ_DELETE_UNSEEN_ENABLED 77 | value: "true" 78 | {{- if eq (include "wiz-admission-controller.isEnforcerEnabled" . | trim | lower) "true" }} 79 | - name: WIZ_ENFORCER_DEPLOYMENT_NAME 80 | value: {{ include "wiz-admission-controller-enforcer.name" . }} 81 | {{- end -}} 82 | {{- if .Values.kubernetesAuditLogsWebhook.enabled }} 83 | - name: WIZ_KUBERNETES_AUDIT_LOG_COLLECTOR_DEPLOYMENT_NAME 84 | value: {{ include "wiz-kubernetes-audit-log-collector.name" . 
}} 85 | {{- end }} 86 | resources: 87 | {{- include "wiz-admission-controller.resources" . | trim | nindent 16 }} 88 | volumeMounts: 89 | {{- include "wiz-admission-controller.spec.common.volumeMounts" . | trim | nindent 14 }} 90 | {{- if or .Values.customVolumeMounts .Values.global.customVolumeMounts }} 91 | {{- with .Values.customVolumeMounts }} 92 | {{- toYaml . | nindent 14 }} 93 | {{- end }} 94 | {{- with .Values.global.customVolumeMounts }} 95 | {{- toYaml . | nindent 14 }} 96 | {{- end }} 97 | {{- end }} 98 | volumes: 99 | {{- include "wiz-admission-controller.spec.common.volumes" . | trim | nindent 12 }} 100 | {{- with .Values.customVolumes }} 101 | {{- toYaml . | nindent 12 }} 102 | {{- end }} 103 | {{- with .Values.global.customVolumes }} 104 | {{- toYaml . | nindent 12 }} 105 | {{- end }} 106 | {{- with (coalesce .Values.global.nodeSelector .Values.nodeSelector) }} 107 | nodeSelector: 108 | {{- toYaml . | nindent 12 }} 109 | {{- end }} 110 | {{- with (coalesce .Values.global.affinity .Values.affinity) }} 111 | affinity: 112 | {{- toYaml . | nindent 12 }} 113 | {{- end }} 114 | {{- if (or .Values.global.tolerations .Values.tolerations)}} 115 | tolerations: 116 | {{- with .Values.global.tolerations }} 117 | {{- toYaml . | nindent 12 }} 118 | {{- end }} 119 | {{- with .Values.tolerations }} 120 | {{- toYaml . | nindent 12 }} 121 | {{- end }} 122 | {{- end }} 123 | {{- end }} 124 | -------------------------------------------------------------------------------- /wiz-admission-controller/templates/hpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.hpa.enabled (eq (include "wiz-admission-controller.isEnforcerEnabled" . | trim | lower) "true") }} 2 | apiVersion: autoscaling/v2 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ include "wiz-admission-controller.wiz-hpa-enforcer.name" . 
}} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "wiz-admission-controller.wiz-admission-controller.wiz-hpa-enforcer.labels" . | nindent 4 }} 9 | spec: 10 | scaleTargetRef: 11 | apiVersion: apps/v1 12 | kind: Deployment 13 | name: {{ include "wiz-admission-controller-enforcer.name" . }} 14 | minReplicas: {{ .Values.hpa.minReplicas }} 15 | maxReplicas: {{ .Values.hpa.maxReplicas }} 16 | metrics: 17 | {{- if .Values.hpa.enableCPU }} 18 | - type: Resource 19 | resource: 20 | name: cpu 21 | target: 22 | type: Utilization 23 | averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }} 24 | {{- end }} 25 | {{- with .Values.hpa.customMetrics }} 26 | {{- toYaml . | nindent 4 }} 27 | {{- end }} 28 | behavior: {{ include "wiz-admission-controller.hpaBehavior" . | nindent 4 }} 29 | --- 30 | {{- end }} 31 | {{- if and .Values.hpa.enabled .Values.kubernetesAuditLogsWebhook.enabled }} 32 | apiVersion: autoscaling/v2 33 | kind: HorizontalPodAutoscaler 34 | metadata: 35 | name: {{ include "wiz-admission-controller.wiz-hpa-audit-logs.name" . }} 36 | namespace: {{ .Release.Namespace }} 37 | labels: 38 | {{- include "wiz-admission-controller.wiz-hpa-audit-logs.labels" . | nindent 4 }} 39 | spec: 40 | scaleTargetRef: 41 | apiVersion: apps/v1 42 | kind: Deployment 43 | name: {{ include "wiz-kubernetes-audit-log-collector.name" . }} 44 | minReplicas: {{ .Values.hpa.minReplicas }} 45 | maxReplicas: {{ .Values.hpa.maxReplicas }} 46 | metrics: 47 | {{- if .Values.hpa.enableCPU }} 48 | - type: Resource 49 | resource: 50 | name: cpu 51 | target: 52 | type: Utilization 53 | averageUtilization: {{ .Values.hpa.targetCPUUtilizationPercentage }} 54 | {{- end }} 55 | {{- with .Values.hpa.customMetrics }} 56 | {{- toYaml . | nindent 4 }} 57 | {{- end }} 58 | behavior: {{ include "wiz-admission-controller.hpaBehavior" . 
| nindent 4 }} 59 | {{- end }} 60 | -------------------------------------------------------------------------------- /wiz-admission-controller/templates/input-validations.yaml: -------------------------------------------------------------------------------- 1 | {{ include "wiz-common.requireHelm310" . }} 2 | -------------------------------------------------------------------------------- /wiz-admission-controller/templates/jobuninstall.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.wizUninstallJob.enabled -}} 2 | apiVersion: batch/v1 3 | kind: Job 4 | metadata: 5 | name: {{ include "wiz-admission-controller-uninstall.name" . }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | wiz.io/component: "admission-controller-uninstall" 9 | {{- include "wiz-admission-controller-uninstall.labels" . | nindent 4 }} 10 | annotations: 11 | "helm.sh/hook": pre-delete 12 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 13 | rollme.proxyHash: {{ include "wiz-admission-controller.proxyHash" . }} 14 | rollme.wizApiTokenHash: {{ include "wiz-admission-controller.wizApiTokenHash" . }} 15 | {{- with (.Values.wizUninstallJob.jobAnnotations) }} 16 | {{- toYaml . | nindent 4 }} 17 | {{- end }} 18 | spec: 19 | {{- if .Values.wizUninstallJob.useJobTTL }} 20 | ttlSecondsAfterFinished: 60 21 | {{- end }} 22 | manualSelector: true 23 | selector: 24 | matchLabels: 25 | {{- include "wiz-admission-controller-uninstall.selectorLabels" . | nindent 6 }} 26 | activeDeadlineSeconds: {{ .Values.wizUninstallJob.timeoutSeconds }} 27 | backoffLimit: 1 28 | template: 29 | metadata: 30 | {{- if (or .Values.global.podAnnotations .Values.podAnnotations .Values.wizUninstallJob.podAnnotations)}} 31 | annotations: 32 | {{- with .Values.global.podAnnotations }} 33 | {{- toYaml . | nindent 8 }} 34 | {{- end }} 35 | {{- with .Values.podAnnotations }} 36 | {{- toYaml . 
| nindent 8 }} 37 | {{- end }} 38 | {{- with .Values.wizUninstallJob.podAnnotations }} 39 | {{- toYaml . | nindent 8 }} 40 | {{- end }} 41 | {{- end }} 42 | labels: 43 | wiz.io/component: "admission-controller-uninstall" 44 | {{- include "wiz-admission-controller-uninstall.labels" . | nindent 8 }} 45 | {{- with .Values.global.podLabels }} 46 | {{- toYaml . | nindent 8 }} 47 | {{- end }} 48 | {{- with .Values.podLabels }} 49 | {{- toYaml . | nindent 8 }} 50 | {{- end }} 51 | spec: 52 | {{- with .Values.wizUninstallJob.podAdditionalSpec }} 53 | {{- toYaml . | nindent 8 }} 54 | {{- end }} 55 | {{- with .Values.global.imagePullSecrets }} 56 | imagePullSecrets: 57 | {{- toYaml . | nindent 8 }} 58 | {{- end }} 59 | restartPolicy: "Never" 60 | securityContext: 61 | {{- if hasKey .Values.global "lowPrivilegePodSecurityPolicy" }} 62 | {{- toYaml .Values.global.lowPrivilegePodSecurityPolicy | nindent 8 }} 63 | {{- else }} 64 | {{- toYaml .Values.podSecurityContext | nindent 8 }} 65 | {{- end }} 66 | {{- if .Values.hostNetwork }} 67 | hostNetwork: true 68 | {{- end }} 69 | volumes: 70 | {{- include "wiz-admission-controller.spec.common.volumes" . | trim | nindent 8 }} 71 | {{- with .Values.customVolumes }} 72 | {{- toYaml . | nindent 8 }} 73 | {{- end }} 74 | {{- with .Values.global.customVolumes }} 75 | {{- toYaml . | nindent 8 }} 76 | {{- end }} 77 | containers: 78 | - name: {{ .Chart.Name }}-uninstall 79 | securityContext: 80 | {{- if hasKey .Values.global "lowPrivilegeSecurityPolicy" }} 81 | {{- toYaml .Values.global.lowPrivilegeSecurityPolicy | nindent 14 }} 82 | {{- else }} 83 | {{- toYaml .Values.securityContext | nindent 14 }} 84 | {{- end }} 85 | image: {{ include "wiz-admission-controller.image" . }} 86 | imagePullPolicy: {{ .Values.image.pullPolicy }} 87 | command: 88 | - "/usr/bin/wiz-admission-controller" 89 | - "uninstall" 90 | {{- include "wiz-admission-controller.spec.common.commandArgs" . 
| trim | nindent 10 }} 91 | env: 92 | {{- include "wiz-admission-controller.spec.common.envVars" . | trim | nindent 10 }} 93 | resources: 94 | {{- include "wiz-admission-controller.resources" . | trim | nindent 12 }} 95 | volumeMounts: 96 | {{- include "wiz-admission-controller.spec.common.volumeMounts" . | trim | nindent 14 }} 97 | {{- if or .Values.customVolumeMounts .Values.global.customVolumeMounts }} 98 | {{- with .Values.customVolumeMounts }} 99 | {{- toYaml . | nindent 14 }} 100 | {{- end }} 101 | {{- with .Values.global.customVolumeMounts }} 102 | {{- toYaml . | nindent 14 }} 103 | {{- end }} 104 | {{- end }} 105 | {{- with (coalesce .Values.global.nodeSelector .Values.nodeSelector) }} 106 | nodeSelector: 107 | {{- toYaml . | nindent 8 }} 108 | {{- end }} 109 | {{- with (coalesce .Values.global.affinity .Values.affinity) }} 110 | affinity: 111 | {{- toYaml . | nindent 8 }} 112 | {{- end }} 113 | {{- if (or .Values.global.tolerations .Values.tolerations) }} 114 | tolerations: 115 | {{- with .Values.global.tolerations }} 116 | {{- toYaml . | nindent 8 }} 117 | {{- end }} 118 | {{- with .Values.tolerations }} 119 | {{- toYaml . | nindent 8 }} 120 | {{- end }} 121 | {{- end }} 122 | {{- end }} 123 | 124 | -------------------------------------------------------------------------------- /wiz-admission-controller/templates/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.networkPolicy.ingress.enabled }} 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: {{ include "wiz-admission-controller.fullname" . }}-policy 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "wiz-admission-controller.labels" . | nindent 4 }} 9 | spec: 10 | podSelector: 11 | matchLabels: 12 | {{- include "wiz-admission-controller.selectorLabels" . 
| nindent 6 }} 13 | policyTypes: 14 | - Ingress 15 | ingress: 16 | - from: 17 | - namespaceSelector: 18 | matchLabels: 19 | kubernetes.io/metadata.name: kube-system 20 | ports: 21 | - protocol: TCP 22 | port: {{ .Values.service.targetPort }} 23 | - protocol: TCP 24 | port: 8000 25 | {{- end }} 26 | -------------------------------------------------------------------------------- /wiz-admission-controller/templates/pod-disruption-budget.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.kubernetesAuditLogsWebhook.podDisruptionBudget.enabled -}} 2 | apiVersion: policy/v1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: {{ include "wiz-kubernetes-audit-log-collector.name" . }} 6 | spec: 7 | minAvailable: {{ .Values.kubernetesAuditLogsWebhook.podDisruptionBudget.minAvailable }} 8 | maxUnavailable: {{ .Values.kubernetesAuditLogsWebhook.podDisruptionBudget.maxUnavailable }} 9 | selector: 10 | matchLabels: 11 | {{- include "wiz-admission-controller.selectorLabels" . | nindent 6 }} 12 | {{- include "wiz-kubernetes-audit-log-collector.selectorLabels" . | nindent 6 }} 13 | {{- end }} 14 | {{- if or .Values.podDisruptionBudget.enabled}} 15 | --- 16 | apiVersion: policy/v1 17 | kind: PodDisruptionBudget 18 | metadata: 19 | name: {{ include "wiz-admission-controller-enforcer.name" . }} 20 | spec: 21 | minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} 22 | maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} 23 | selector: 24 | matchLabels: 25 | {{- include "wiz-admission-controller.selectorLabels" . | nindent 6 }} 26 | {{- include "wiz-admission-controller-enforcement.selectorLabels" . 
| nindent 6 }} 27 | {{- end }} -------------------------------------------------------------------------------- /wiz-admission-controller/templates/proxy.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not (empty .Values.httpProxyConfiguration.httpsProxy)) (eq .Values.httpProxyConfiguration.enabled false) }} 2 | {{- fail "Error: httpsProxy is set but httpProxyConfiguration.enabled is false. Please enable the proxy configuration or unset httpsProxy." }} 3 | {{- end }} 4 | 5 | {{- if .Values.httpProxyConfiguration.enabled }} 6 | {{- if .Values.httpProxyConfiguration.create }} 7 | {{- if hasPrefix "https://" .Values.httpProxyConfiguration.httpsProxy }} 8 | {{- if empty .Values.httpProxyConfiguration.clientCertificate }} 9 | {{- fail "Error: HTTPS proxy requires a client certificate. Please provide clientCertificate in httpProxyConfiguration." }} 10 | {{- end }} 11 | {{- else }} 12 | {{- if not (empty .Values.httpProxyConfiguration.clientCertificate) }} 13 | {{- fail "Error: Client certificate is only supported for HTTPS proxies. Please remove clientCertificate or use an HTTPS proxy." }} 14 | {{- end }} 15 | {{- end }} 16 | 17 | apiVersion: v1 18 | kind: Secret 19 | type: Opaque 20 | metadata: 21 | name: {{ include "wiz-admission-controller.proxySecretName" . | trim }} 22 | namespace: {{ .Release.Namespace | quote }} 23 | labels: 24 | {{- include "wiz-admission-controller.labels" . | nindent 4 }} 25 | {{- with .Values.httpProxyConfiguration.annotations }} 26 | annotations: 27 | {{- toYaml . 
| nindent 4 }} 28 | {{- end }} 29 | stringData: 30 | httpProxy: {{ .Values.httpProxyConfiguration.httpProxy | quote }} 31 | httpsProxy: {{ .Values.httpProxyConfiguration.httpsProxy | quote }} 32 | noProxyAddress: {{ .Values.httpProxyConfiguration.noProxyAddress | quote }} 33 | clientCertificate: {{ .Values.httpProxyConfiguration.clientCertificate | quote }} 34 | {{- end }} 35 | {{- end }} 36 | -------------------------------------------------------------------------------- /wiz-admission-controller/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq (include "wiz-admission-controller.isWizApiTokenSecretEnabled" . | trim | lower) "true" }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "wiz-admission-controller.secretApiTokenName" . | trim }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "wiz-admission-controller.labels" . | nindent 4 }} 9 | {{- with .Values.wizApiToken.secret.annotations }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | stringData: 14 | clientId: {{ required "Missing required value wizApiToken.clientId is required" .Values.wizApiToken.clientId | quote }} 15 | clientToken: {{ required "Missing required value: wizApiToken.clientToken is required" .Values.wizApiToken.clientToken | quote }} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /wiz-admission-controller/templates/service.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq (include "wiz-admission-controller.isEnforcerEnabled" . | trim | lower) "true" }} 2 | --- 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | name: {{ include "wiz-admission-controller-enforcer.name" . }} 7 | namespace: {{ .Release.Namespace | quote }} 8 | labels: 9 | {{- include "wiz-admission-controller-enforcement.labels" . 
| nindent 4 }} 10 | spec: 11 | type: {{ .Values.service.type }} 12 | ports: 13 | - port: {{ .Values.service.port }} 14 | targetPort: {{ .Values.service.targetPort }} 15 | protocol: TCP 16 | selector: 17 | {{- include "wiz-admission-controller.selectorLabels" . | nindent 4 }} 18 | {{- include "wiz-admission-controller-enforcement.selectorLabels" . | nindent 4 }} 19 | {{- end }} 20 | {{ if .Values.kubernetesAuditLogsWebhook.enabled -}} 21 | --- 22 | apiVersion: v1 23 | kind: Service 24 | metadata: 25 | name: {{ include "wiz-kubernetes-audit-log-collector.name" . }} 26 | namespace: {{ .Release.Namespace | quote }} 27 | labels: 28 | {{- include "wiz-kubernetes-audit-log-collector.labels" . | nindent 4 }} 29 | spec: 30 | type: {{ .Values.service.type }} 31 | ports: 32 | - port: {{ .Values.service.port }} 33 | targetPort: {{ .Values.service.targetPort }} 34 | protocol: TCP 35 | selector: 36 | {{- include "wiz-admission-controller.selectorLabels" . | nindent 4 }} 37 | {{- include "wiz-kubernetes-audit-log-collector.selectorLabels" . | nindent 4 }} 38 | {{- end }} 39 | -------------------------------------------------------------------------------- /wiz-admission-controller/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "wiz-admission-controller.serviceAccountName" . }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "wiz-admission-controller.labels" . | nindent 4 }} 9 | {{- with .Values.serviceAccount.annotations }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | {{- end }} 14 | --- 15 | {{ if .Values.serviceAccount.createRbac }} 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | kind: ClusterRole 18 | metadata: 19 | name: {{ printf "%s-namespace-reader" (include "wiz-admission-controller.serviceAccountName" .) 
}} 20 | namespace: {{ .Release.Namespace | quote }} 21 | labels: 22 | {{- include "wiz-admission-controller.labels" . | nindent 4 }} 23 | rules: 24 | - apiGroups: [""] 25 | resources: ["namespaces"] 26 | verbs: ["get", "list"] 27 | --- 28 | apiVersion: rbac.authorization.k8s.io/v1 29 | kind: ClusterRoleBinding 30 | metadata: 31 | name: {{ printf "%s-namespace" (include "wiz-admission-controller.serviceAccountName" .) }} 32 | namespace: {{ .Release.Namespace | quote }} 33 | labels: 34 | {{- include "wiz-admission-controller.labels" . | nindent 4 }} 35 | subjects: 36 | - kind: ServiceAccount 37 | name: {{ include "wiz-admission-controller.serviceAccountName" . }} 38 | namespace: {{ .Release.Namespace | quote }} 39 | roleRef: 40 | kind: ClusterRole 41 | name: {{ printf "%s-namespace-reader" (include "wiz-admission-controller.serviceAccountName" .) }} 42 | apiGroup: rbac.authorization.k8s.io 43 | {{ end }} 44 | 45 | {{ if and .Values.imageIntegrityWebhook.enabled .Values.imageRegistryClient.pullSecrets .Values.imageRegistryClient.createRole }} 46 | --- 47 | apiVersion: rbac.authorization.k8s.io/v1 48 | kind: Role 49 | metadata: 50 | name: {{ printf "%s-pull-secrets-reader" (include "wiz-admission-controller.serviceAccountName" .) }} 51 | namespace: {{ .Values.imageRegistryClient.secretsNamespace | quote }} 52 | labels: 53 | {{- include "wiz-admission-controller.labels" . | nindent 4 }} 54 | rules: 55 | - apiGroups: [""] 56 | resources: ["secrets"] 57 | resourceNames: {{ .Values.imageRegistryClient.pullSecrets | toJson }} 58 | verbs: ["get"] 59 | --- 60 | apiVersion: rbac.authorization.k8s.io/v1 61 | kind: RoleBinding 62 | metadata: 63 | name: {{ printf "%s-pull-secrets-reader" (include "wiz-admission-controller.serviceAccountName" .) }} 64 | namespace: {{ .Values.imageRegistryClient.secretsNamespace | quote }} 65 | labels: 66 | {{- include "wiz-admission-controller.labels" . 
| nindent 4 }} 67 | subjects: 68 | - kind: ServiceAccount 69 | name: {{ include "wiz-admission-controller.serviceAccountName" . }} 70 | namespace: {{ .Release.Namespace | quote }} 71 | roleRef: 72 | kind: Role 73 | name: {{ printf "%s-pull-secrets-reader" (include "wiz-admission-controller.serviceAccountName" .) }} 74 | apiGroup: rbac.authorization.k8s.io 75 | {{ end }} 76 | 77 | 78 | {{- if .Values.wizManager.enabled -}} 79 | {{- if .Values.wizManager.serviceAccount.create -}} 80 | --- 81 | apiVersion: v1 82 | kind: ServiceAccount 83 | metadata: 84 | name: {{ include "wiz-admission-controller.manager.serviceAccountName" . }} 85 | namespace: {{ .Release.Namespace | quote }} 86 | labels: 87 | {{- include "wiz-admission-controller.labels" . | nindent 4 }} 88 | {{- with .Values.wizManager.serviceAccount.annotations }} 89 | annotations: 90 | {{- toYaml . | nindent 4 }} 91 | {{- end }} 92 | {{- end }} 93 | 94 | {{ if .Values.wizManager.serviceAccount.createRbac }} 95 | --- 96 | apiVersion: rbac.authorization.k8s.io/v1 97 | kind: Role 98 | metadata: 99 | name: {{ printf "%s-pods-and-deployments-manager" (include "wiz-admission-controller.manager.serviceAccountName" .) }} 100 | namespace: {{ .Release.Namespace | quote }} 101 | labels: 102 | {{- include "wiz-admission-controller.labels" . | nindent 4 }} 103 | rules: 104 | - apiGroups: ["apps"] 105 | resources: ["deployments"] 106 | resourceNames: {{ include "wiz-admission-controller.autoUpdate.deployments" . }} 107 | verbs: ["get", "patch"] 108 | - apiGroups: [""] 109 | resources: ["pods"] 110 | verbs: ["get", "list"] 111 | --- 112 | apiVersion: rbac.authorization.k8s.io/v1 113 | kind: RoleBinding 114 | metadata: 115 | name: {{ printf "%s-pods-and-deployments" (include "wiz-admission-controller.manager.serviceAccountName" .) }} 116 | namespace: {{ .Release.Namespace | quote }} 117 | labels: 118 | {{- include "wiz-admission-controller.labels" . 
| nindent 4 }} 119 | subjects: 120 | - kind: ServiceAccount 121 | name: {{ include "wiz-admission-controller.manager.serviceAccountName" . }} 122 | namespace: {{ .Release.Namespace | quote }} 123 | roleRef: 124 | kind: Role 125 | name: {{ printf "%s-pods-and-deployments-manager" (include "wiz-admission-controller.manager.serviceAccountName" .) }} 126 | apiGroup: rbac.authorization.k8s.io 127 | --- 128 | apiVersion: rbac.authorization.k8s.io/v1 129 | kind: ClusterRole 130 | metadata: 131 | name: {{ printf "%s-event-creator" (include "wiz-admission-controller.manager.serviceAccountName" .) }} 132 | namespace: {{ .Release.Namespace | quote }} 133 | labels: 134 | {{- include "wiz-admission-controller.labels" . | nindent 4 }} 135 | rules: 136 | - apiGroups: [""] 137 | resources: ["events"] 138 | verbs: ["create"] 139 | --- 140 | apiVersion: rbac.authorization.k8s.io/v1 141 | kind: ClusterRoleBinding 142 | metadata: 143 | name: {{ printf "%s-event-creator" (include "wiz-admission-controller.manager.serviceAccountName" .) }} 144 | namespace: {{ .Release.Namespace | quote }} 145 | labels: 146 | {{- include "wiz-admission-controller.labels" . | nindent 4 }} 147 | roleRef: 148 | kind: ClusterRole 149 | name: {{ printf "%s-event-creator" (include "wiz-admission-controller.manager.serviceAccountName" .) }} 150 | apiGroup: rbac.authorization.k8s.io 151 | subjects: 152 | - kind: ServiceAccount 153 | name: {{ include "wiz-admission-controller.manager.serviceAccountName" . }} 154 | namespace: {{ .Release.Namespace | quote }} 155 | {{- end }} 156 | {{- end }} 157 | -------------------------------------------------------------------------------- /wiz-broker/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /wiz-broker/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: "wiz-broker" 3 | description: Wiz Broker for tunneling http traffic to Wiz backend 4 | type: application 5 | version: 2.3.11 6 | appVersion: "2.7" 7 | dependencies: 8 | - name: wiz-common 9 | version: "0.1.9" 10 | repository: https://wiz-sec.github.io/charts 11 | # repository: "file://../wiz-common" # Use this line to test the chart locally 12 | -------------------------------------------------------------------------------- /wiz-broker/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "wiz-broker.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create chart name and version as used by the chart label. 10 | */}} 11 | {{- define "wiz-broker.chart" -}} 12 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 13 | {{- end }} 14 | 15 | {{/* 16 | Deployment name. 17 | */}} 18 | {{- define "wiz-broker.deploymentName" -}} 19 | {{ printf "%s-agent" .Release.Name }} 20 | {{- end }} 21 | 22 | {{/* 23 | Service account name. 24 | */}} 25 | {{- define "wiz-broker.serviceAccountName" -}} 26 | {{ coalesce (.Values.serviceAccount.name) (printf "%s-wiz-broker-sa" .Release.Name) }} 27 | {{- end }} 28 | 29 | {{/* 30 | Common labels 31 | */}} 32 | {{- define "wiz-broker.labels" -}} 33 | helm.sh/chart: {{ include "wiz-broker.chart" . 
}} 34 | {{ include "wiz-broker.selectorLabels" . }} 35 | {{- if .Chart.AppVersion }} 36 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 37 | {{- end }} 38 | app.kubernetes.io/managed-by: {{ .Release.Service }} 39 | {{- if .Values.commonLabels }} 40 | {{- range $index, $content := .Values.commonLabels }} 41 | {{ $index }}: {{ tpl $content $ | quote }} 42 | {{- end }} 43 | {{- end }} 44 | {{- if .Values.global.commonLabels }} 45 | {{- range $index, $content := .Values.global.commonLabels }} 46 | {{ $index }}: {{ tpl $content $ | quote }} 47 | {{- end }} 48 | {{- end }} 49 | {{- end }} 50 | 51 | {{/* 52 | Selector labels 53 | */}} 54 | {{- define "wiz-broker.selectorLabels" -}} 55 | app.kubernetes.io/name: {{ include "wiz-broker.name" . }} 56 | app.kubernetes.io/instance: {{ .Release.Name }} 57 | {{- end }} 58 | 59 | {{/* 60 | Create Wiz broker properties to use 61 | */}} 62 | 63 | {{- define "wiz-broker.wizConnectorSecretData" -}} 64 | {{- if and .Values.wizConnector.createSecret (not .Values.wizConnector.autoCreated) }} 65 | ConnectorId: {{ required "A valid .Values.wizConnector.connectorId entry required!" .Values.wizConnector.connectorId | quote}} 66 | TunnelToken: {{ required "A valid .Values.wizConnector.connectorToken entry required!" .Values.wizConnector.connectorToken | quote }} 67 | TunnelDomain: {{ required "A valid .Values.wizConnector.targetDomain entry required!" .Values.wizConnector.targetDomain | quote }} 68 | TunnelServerDomain: {{ required "A valid .Values.wizConnector.tunnelServerDomain entry required!" .Values.wizConnector.tunnelServerDomain | quote }} 69 | TunnelServerPort: {{ required "A valid .Values.wizConnector.tunnelServerPort entry required!" .Values.wizConnector.tunnelServerPort | quote }} 70 | TargetIp: {{ required "A valid .Values.wizConnector.targetIp entry required!" .Values.wizConnector.targetIp | quote }} 71 | TargetPort: {{ required "A valid .Values.wizConnector.targetPort entry required!" 
.Values.wizConnector.targetPort | quote }} 72 | {{- if .Values.wizConnector.tunnelClientAllowedDomains }} 73 | TunnelClientAllowedDomains: "{{ range $index, $domain := .Values.wizConnector.tunnelClientAllowedDomains }}{{ if $index }},{{ end }}{{ $domain }}{{ end }}" 74 | {{- end }} 75 | {{- end }} 76 | {{- end }} 77 | 78 | {{/* 79 | Secrets names 80 | */}} 81 | 82 | {{- define "wiz-broker.apiTokenSecretName" -}} 83 | {{ coalesce (.Values.global.wizApiToken.secret.name) (.Values.wizApiToken.secret.name) (printf "%s-api-token" .Release.Name) }} 84 | {{- end }} 85 | 86 | {{- define "wiz-broker.caCertificateSecretName" -}} 87 | {{ coalesce (.Values.caCertificate.secretName) (printf "%s-ca-certificate" .Release.Name) }} 88 | {{- end }} 89 | 90 | {{- define "wiz-broker.mtlsSecretName" -}} 91 | {{- with .Values.mtls }} 92 | {{- if and .createSecret (not (and .certificate .privateKey)) }} 93 | {{- fail "Both client certificate and private key must be provided" }} 94 | {{- end }} 95 | {{ coalesce (.secretName) (printf "%s-mtls" $.Release.Name) }} 96 | {{- end }} 97 | {{- end }} 98 | 99 | {{- define "wiz-broker.proxySecretName" -}} 100 | {{ coalesce (.Values.global.httpProxyConfiguration.secretName) (.Values.httpProxyConfiguration.secretName) (printf "%s-proxy-configuration" .Release.Name) }} 101 | {{- end }} 102 | 103 | {{- define "wiz-broker.connectorSecretName" -}} 104 | {{ coalesce (.Values.wizConnector.secretName) (printf "%s-connector" .Release.Name) }} 105 | {{- end }} 106 | 107 | {{- define "wiz-broker.image" -}} 108 | {{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ coalesce .Values.global.image.tag .Values.image.tag | default .Chart.AppVersion }} 109 | {{- end -}} 110 | 111 | {{- define "wiz-broker.isWizApiTokenSecretEnabled" -}} 112 | {{- if and (.Values.wizApiToken.secret.create) (eq (include "wiz-common.isWizApiClientVolumeMountEnabled" (list 
.Values.wizApiToken.usePodCustomEnvironmentVariablesFile .Values.wizApiToken.wizApiTokensVolumeMount .Values.global.wizApiToken.wizApiTokensVolumeMount) | trim | lower) "true") }} 113 | true 114 | {{- else }} 115 | false 116 | {{- end }} 117 | {{- end }} 118 | 119 | {{- define "wiz-broker.isWizApiClientVolumeMountEnabled" -}} 120 | {{- if eq (include "wiz-common.isWizApiClientVolumeMountEnabled" (list .Values.wizApiToken.usePodCustomEnvironmentVariablesFile .Values.wizApiToken.wizApiTokensVolumeMount .Values.global.wizApiToken.wizApiTokensVolumeMount) | trim | lower) "true" -}} 121 | true 122 | {{- else -}} 123 | false 124 | {{- end }} 125 | {{- end }} 126 | 127 | 128 | {{- define "wiz-broker.spec.common.volumeMounts" -}} 129 | {{- if eq (include "wiz-broker.isWizApiClientVolumeMountEnabled" . | trim | lower) "true" }} 130 | - name: {{ include "wiz-common.volumes.apiClientName" . }} 131 | mountPath: /var/{{ include "wiz-common.volumes.apiClientName" . }} 132 | readOnly: true 133 | {{- end -}} 134 | {{- if or .Values.global.httpProxyConfiguration.enabled .Values.httpProxyConfiguration.enabled }} 135 | {{ include "wiz-common.proxy.volumeMount" . | trim }} 136 | {{- end -}} 137 | {{- end -}} 138 | 139 | {{- define "wiz-broker.spec.common.volumes" -}} 140 | {{- if eq (include "wiz-broker.isWizApiClientVolumeMountEnabled" . | trim | lower) "true" }} 141 | - name: {{ include "wiz-common.volumes.apiClientName" . | trim }} 142 | secret: 143 | secretName: {{ include "wiz-broker.apiTokenSecretName" . | trim }} 144 | {{- end }} 145 | {{- if or .Values.global.httpProxyConfiguration.enabled .Values.httpProxyConfiguration.enabled }} 146 | {{ include "wiz-common.proxy.volume" (list (include "wiz-broker.proxySecretName" . 
| trim )) | trim }} 147 | {{- end -}} 148 | {{- end -}} 149 | -------------------------------------------------------------------------------- /wiz-broker/templates/input-validations.yaml: -------------------------------------------------------------------------------- 1 | {{ include "wiz-common.requireHelm310" . }} 2 | -------------------------------------------------------------------------------- /wiz-broker/templates/secret-proxy.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not (empty .Values.httpProxyConfiguration.httpsProxy)) (eq .Values.httpProxyConfiguration.enabled false) }} 2 | {{- fail "Error: httpsProxy is set but httpProxyConfiguration.enabled is false. Please enable the proxy configuration or unset httpsProxy." }} 3 | {{- end }} 4 | 5 | {{- if and .Values.httpProxyConfiguration.enabled .Values.httpProxyConfiguration.create }} 6 | {{- if hasPrefix "https://" .Values.httpProxyConfiguration.httpsProxy }} 7 | {{- fail "Error: httpsProxy must start with 'http://', https or any other protocol is not supported." }} 8 | {{- end }} 9 | 10 | apiVersion: v1 11 | kind: Secret 12 | type: Opaque 13 | metadata: 14 | name: {{ include "wiz-broker.proxySecretName" . | trim }} 15 | namespace: {{ .Release.Namespace | quote }} 16 | {{ if .Values.httpProxyConfiguration.annotations }} 17 | annotations: 18 | {{- if (index .Values "wiz-broker" "enabled") }} # Secret used by per-install hook in wiz-kubernetes-connector 19 | "helm.sh/hook": pre-install,pre-upgrade 20 | "helm.sh/hook-weight": "-1" 21 | {{- end }} 22 | {{- with .Values.httpProxyConfiguration.annotations }} 23 | {{- toYaml . | nindent 4 }} 24 | {{- end }} 25 | {{- end }} 26 | labels: 27 | {{- include "wiz-broker.labels" . 
| nindent 4 }} 28 | stringData: 29 | httpProxy: {{ .Values.httpProxyConfiguration.httpProxy | quote }} 30 | httpsProxy: {{ .Values.httpProxyConfiguration.httpsProxy | quote }} 31 | noProxyAddress: {{ .Values.httpProxyConfiguration.noProxyAddress | quote }} 32 | clientCertificate: {{ .Values.httpProxyConfiguration.clientCertificate | quote }} 33 | {{- end }} 34 | -------------------------------------------------------------------------------- /wiz-broker/templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.enabled }} 2 | {{- if and .Values.wizConnector.createSecret }} 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: {{ include "wiz-broker.connectorSecretName" . | trim }} 7 | namespace: {{ .Release.Namespace | quote }} 8 | labels: 9 | {{- include "wiz-broker.labels" . | nindent 4 }} 10 | annotations: 11 | "helm.sh/hook": pre-install, pre-upgrade 12 | "helm.sh/hook-weight": "-1" 13 | {{- with .Values.wizConnector.annotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | type: Opaque 17 | data: 18 | connectorData: {{ include "wiz-broker.wizConnectorSecretData" . | fromYaml | toJson | b64enc | quote }} 19 | {{- end }} 20 | 21 | {{- if and .Values.caCertificate.enabled .Values.caCertificate.createSecret }} 22 | --- 23 | apiVersion: v1 24 | kind: Secret 25 | metadata: 26 | name: {{ include "wiz-broker.caCertificateSecretName" . | trim }} 27 | namespace: {{ .Release.Namespace | quote }} 28 | labels: 29 | {{- include "wiz-broker.labels" . | nindent 4 }} 30 | annotations: 31 | {{- with .Values.caCertificate.annotations }} 32 | {{- toYaml . | nindent 4 }} 33 | {{- end }} 34 | data: 35 | caCertificate: {{ .Values.caCertificate.pem | b64enc | quote }} 36 | {{- end }} 37 | 38 | {{- if and .Values.mtls.enabled .Values.mtls.createSecret }} 39 | --- 40 | apiVersion: v1 41 | kind: Secret 42 | metadata: 43 | name: {{ include "wiz-broker.mtlsSecretName" . 
| trim }} 44 | namespace: {{ .Release.Namespace | quote }} 45 | labels: 46 | {{- include "wiz-broker.labels" . | nindent 4 }} 47 | annotations: 48 | {{- with .Values.mtls.annotations }} 49 | {{- toYaml . | nindent 4 }} 50 | {{- end }} 51 | data: 52 | certificate: {{ .Values.mtls.certificate | b64enc | quote }} 53 | privateKey: {{ .Values.mtls.privateKey | b64enc | quote }} 54 | {{- end }} 55 | 56 | {{- if eq (include "wiz-broker.isWizApiTokenSecretEnabled" . | trim | lower) "true" }} 57 | --- 58 | apiVersion: v1 59 | kind: Secret 60 | metadata: 61 | name: {{ include "wiz-broker.apiTokenSecretName" . | trim }} 62 | namespace: {{ .Release.Namespace | quote }} 63 | labels: 64 | {{- include "wiz-broker.labels" . | nindent 4 }} 65 | annotations: 66 | {{- with .Values.wizApiToken.secret.annotations }} 67 | {{- toYaml . | nindent 4 }} 68 | {{- end }} 69 | data: 70 | clientId: {{ required "Missing required value wizApiToken.clientId is required" .Values.wizApiToken.clientId | b64enc | quote }} 71 | clientToken: {{ required "Missing required value: wizApiToken.clientToken is required" .Values.wizApiToken.clientToken | b64enc | quote }} 72 | {{- end }} 73 | {{- end }} 74 | -------------------------------------------------------------------------------- /wiz-broker/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.enabled }} 2 | {{- if .Values.serviceAccount.create }} 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ include "wiz-broker.serviceAccountName" . | trim }} 7 | namespace: {{ .Release.Namespace | quote }} 8 | labels: 9 | {{- include "wiz-broker.labels" . | nindent 4 }} 10 | {{- with .Values.serviceAccount.annotations }} 11 | annotations: 12 | {{- toYaml . 
| nindent 4 }} 13 | {{- end }} 14 | {{- end }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /wiz-common/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: wiz-common 3 | description: Common library chart for shared templates 4 | type: library 5 | version: 0.1.9 6 | -------------------------------------------------------------------------------- /wiz-common/templates/_debug.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | This function dump the value of a variable and fail the template execution. 3 | Use for debug purpose only. 4 | */}} 5 | {{- define "helpers.var_dump" -}} 6 | {{- . | mustToPrettyJson | printf "\nThe JSON output of the dumped var is: \n%s" | fail }} 7 | {{- end -}} 8 | -------------------------------------------------------------------------------- /wiz-common/templates/_hash.tpl: -------------------------------------------------------------------------------- 1 | {{- define "helpers.calculateHash" -}} 2 | {{- $list := . -}} 3 | {{- $hash := printf "%s" $list | sha256sum -}} 4 | {{- $hash := $hash | trimSuffix "\n" -}} 5 | {{- $hash -}} 6 | {{- end -}} 7 | -------------------------------------------------------------------------------- /wiz-common/templates/_proxy.tpl: -------------------------------------------------------------------------------- 1 | {{- define "wiz-common.proxy.name" -}} 2 | proxy 3 | {{- end -}} 4 | 5 | {{- define "wiz-common.proxy.dir" -}} 6 | /var/{{ include "wiz-common.proxy.name" . }} 7 | {{- end -}} 8 | 9 | {{- define "wiz-common.proxy.volume" -}} 10 | {{- $secret := index . 0 -}} 11 | - name: {{ include "wiz-common.proxy.name" . 
| trim }} 12 | secret: 13 | secretName: {{ $secret }} 14 | items: 15 | - key: httpProxy 16 | path: httpProxy 17 | - key: httpsProxy 18 | path: httpsProxy 19 | - key: noProxyAddress 20 | path: noProxy 21 | - key: clientCertificate 22 | path: clientCertificate 23 | {{- end -}} 24 | 25 | {{- define "wiz-common.proxy.volumeMount" -}} 26 | - name: {{ include "wiz-common.proxy.name" . }} 27 | mountPath: {{ include "wiz-common.proxy.dir" . }} 28 | readOnly: true 29 | {{- end -}} 30 | 31 | {{- define "wiz-common.proxy.env" -}} 32 | - name: CLI_FILES_AS_ENV_VARS 33 | value: "{{ include "wiz-common.proxy.dir" . }}/httpProxy,{{ include "wiz-common.proxy.dir" . }}/httpsProxy,{{ include "wiz-common.proxy.dir" . }}/noProxy" 34 | {{- end -}} 35 | -------------------------------------------------------------------------------- /wiz-common/templates/_require_helm_version.tpl: -------------------------------------------------------------------------------- 1 | {{- define "wiz-common.requireHelm310" -}} 2 | 3 | {{/* We don't want to use (and .Values.mockCapabilities .Values.mockCapabilities.helmVersion ...) since it breaks in old helm versions */}} 4 | {{- $helmVersion := .Capabilities.HelmVersion.Version }} 5 | {{- if .Values.mockCapabilities -}} 6 | {{- if .Values.mockCapabilities.helmVersion -}} 7 | {{- if .Values.mockCapabilities.helmVersion.version -}} 8 | {{- $helmVersion = .Values.mockCapabilities.helmVersion.version -}} 9 | {{- end -}} 10 | {{- end -}} 11 | {{- end -}} 12 | 13 | {{/* Parse the version string and reconstruct a clean version with just major.minor.patch */}} 14 | {{- $parsedVersion := semver $helmVersion }} 15 | {{- $cleanVersion := printf "%d.%d.%d" $parsedVersion.Major $parsedVersion.Minor $parsedVersion.Patch }} 16 | 17 | {{- if not (semverCompare ">=3.10.0" $cleanVersion) }} 18 | {{- printf "WARNING: This chart is intended for Helm client version 3.10.0 or higher. 
Found %s\n" $helmVersion | quote }} 19 | {{- end -}} 20 | {{- end -}} 21 | -------------------------------------------------------------------------------- /wiz-common/templates/_resources.tpl: -------------------------------------------------------------------------------- 1 | {{- define "wiz-common.renderResources" -}} 2 | {{/* 3 | This function: 4 | - Takes a list of two items: 5 | 1) The local resources object 6 | 2) The global resources object 7 | - If the local object has any "requests" or "limits", it returns them 8 | under a `resources` key. 9 | - Otherwise, it returns the global object under a `resources` key. 10 | - If neither is set, it returns an empty string. 11 | - The caller should handle final indentation using `| nindent `. 12 | */}} 13 | 14 | {{- $local := index . 0 -}} 15 | {{- $global := index . 1 -}} 16 | 17 | {{- $hasLocalResources := or (hasKey $local "limits") (hasKey $local "requests") }} 18 | {{- $hasGlobalResources := or (hasKey $global "limits") (hasKey $global "requests") }} 19 | 20 | {{- if $hasLocalResources }} 21 | resources: 22 | {{- toYaml $local | nindent 2 }} 23 | {{- else if $hasGlobalResources }} 24 | resources: 25 | {{- toYaml $global | nindent 2 }} 26 | {{- end }} 27 | {{- end }} 28 | -------------------------------------------------------------------------------- /wiz-common/templates/_wizApiClientVolumeMounts.tpl: -------------------------------------------------------------------------------- 1 | {{- define "wiz-common.volumes.apiClientName" -}} 2 | api-client 3 | {{- end -}} 4 | 5 | {{- define "wiz-common.isWizApiClientVolumeMountEnabled" -}} 6 | {{- $usePodCustomEnvironmentVariablesFile := index . 0 -}} 7 | {{- $wizApiTokensVolumeMount := index . 1 -}} 8 | {{- $globalWizApiTokensVolumeMount := index . 
2 -}} 9 | {{- if or $usePodCustomEnvironmentVariablesFile (coalesce $wizApiTokensVolumeMount $globalWizApiTokensVolumeMount "") }} 10 | false 11 | {{- else }} 12 | true 13 | {{- end }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /wiz-kubernetes-connector/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /wiz-kubernetes-connector/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: "wiz-kubernetes-connector" 3 | description: A Helm chart for connecting Kubernetes clusters to Wiz 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 
17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 3.3.14 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | # It is recommended to use it with quotes. 24 | appVersion: "2.7" 25 | 26 | dependencies: 27 | - name: wiz-broker 28 | repository: https://wiz-sec.github.io/charts 29 | # repository: "file://../wiz-broker" # Use this line to test the chart locally 30 | version: "2.3.11" 31 | condition: wiz-broker.enabled 32 | - name: wiz-common 33 | version: "0.1.9" 34 | repository: https://wiz-sec.github.io/charts 35 | # repository: "file://../wiz-common" # Use this line to test the chart locally 36 | -------------------------------------------------------------------------------- /wiz-kubernetes-connector/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{- if not .Values.autoCreateConnector.enabled }} 2 | 0. Install a service account with read permissions using .Values.clusterReader.installRbac flag 3 | 1. Get the service account connector properties by running these commands: 4 | SECRET_NAME=$(kubectl get serviceaccount "{{ .Values.clusterReader.serviceAccount.name }}" -n "{{ .Values.namespace }}" -o jsonpath="{.secrets[0].name}") 5 | echo "Service account CA certificate:" 6 | kubectl get secrets -n "{{ .Values.namespace }}" "$SECRET_NAME" -o go-template='{{ "{{" }} index .data "ca.crt" }}' 7 | echo "\nService account token:" 8 | kubectl get secrets -n "{{ .Values.namespace }}" "$SECRET_NAME" -o go-template="{{ "{{" }} .data.token | base64decode }}" 9 | 2. Create a Wiz Kubernetes connector using the web portal or the Wiz Terraform provider 10 | 3. 
Install Wiz broker deployment using .Values.broker.enabled flag 11 | {{- end }} 12 | 13 | For uninstalling the wiz kubernetes connector you need to delete helm hooks resources manually. 14 | Please run the following commands: 15 | helm uninstall {{ .Release.Name | quote }} -n {{ .Release.Namespace | quote }} 16 | {{- if "wiz-kubernetes-connector.brokerEnabled" }} 17 | {{- if (index .Values "wiz-broker" "wizConnector.createSecret") }} 18 | kubectl delete secret {{ include "wiz-kubernetes-connector.connectorSecretName" . | trim }} -n {{ .Release.Namespace | quote }} 19 | {{- end }} 20 | {{- end }} 21 | {{- if eq (include "wiz-kubernetes-connector.isWizApiTokenSecretEnabled" . | trim | lower) "true" }} 22 | kubectl delete secret {{ include "wiz-kubernetes-connector.apiTokenSecretName" . | trim }} -n {{ .Release.Namespace | quote }} 23 | {{- end }} 24 | {{- if .Values.clusterReader.installRbac }} 25 | kubectl delete secret {{ .Values.clusterReader.serviceAccount.name }}-token -n {{ .Release.Namespace | quote }} 26 | kubectl delete serviceaccount {{ .Values.clusterReader.serviceAccount.name }} -n {{ .Release.Namespace | quote }} 27 | {{- end }} 28 | {{- if .Values.autoCreateConnector.enabled }} 29 | kubectl delete serviceaccount {{ .Values.autoCreateConnector.serviceAccount.name }} -n {{ .Release.Namespace | quote }} 30 | kubectl delete role {{ .Values.autoCreateConnector.serviceAccount.name }} 31 | kubectl delete rolebinding {{ .Values.autoCreateConnector.serviceAccount.name }} 32 | {{- end }} 33 | {{- if and .Values.httpProxyConfiguration.enabled .Values.httpProxyConfiguration.create }} 34 | kubectl delete secret {{ include "wiz-kubernetes-connector.proxySecretName" . 
}} -n {{ .Release.Namespace | quote }} 35 | {{- end }} -------------------------------------------------------------------------------- /wiz-kubernetes-connector/templates/input-validations.yaml: -------------------------------------------------------------------------------- 1 | {{ include "wiz-common.requireHelm310" . }} 2 | 3 | 4 | {{- $targetIp := (index .Values "wiz-broker" "targetIp") -}} 5 | {{- $apiServerEndpoint := include "wiz-kubernetes-connector.apiServerEndpoint" . | trim -}} 6 | 7 | {{/*Ensure targetIp does not start with http:// or https://*/}} 8 | {{- if (or (hasPrefix "http://" $targetIp) (hasPrefix "https://" $targetIp)) }} 9 | {{- fail (printf "Error: 'targetIp' must not start with 'http://' or 'https://', got '%s'." $targetIp) }} 10 | {{- end }} 11 | 12 | {{- $wizBrokerEnabled := (index .Values "wiz-broker" "enabled") -}} 13 | {{- if (and $wizBrokerEnabled $targetIp $apiServerEndpoint (not (contains $targetIp $apiServerEndpoint))) }} 14 | {{- fail (printf "targetIp (%s) must be a substring of apiServerEndpoint (%s)" $targetIp $apiServerEndpoint) }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /wiz-kubernetes-connector/templates/job-delete-connector.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.autoCreateConnector.enabled }} 2 | {{- if .Values.autoCreateConnector.autoDeleteConnectorEnabled }} 3 | apiVersion: batch/v1 4 | kind: Job 5 | metadata: 6 | name: {{ include "wiz-kubernetes-connector.name" . }}-delete-connector 7 | namespace: {{ .Release.Namespace | quote }} 8 | labels: 9 | {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }} 10 | annotations: 11 | "helm.sh/hook": pre-delete 12 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 13 | rollme.proxyHash: {{ include "wiz-kubernetes-connector.proxyHash" . }} 14 | rollme.brokerHash: {{ include "wiz-kubernetes-connector.brokerHash" . 
}} 15 | {{- with (.Values.autoCreateConnector.deleteJobAnnotations) }} 16 | {{- toYaml . | nindent 4 }} 17 | {{- end }} 18 | 19 | spec: 20 | {{- if .Values.autoCreateConnector.useJobTTL }} 21 | ttlSecondsAfterFinished: 60 22 | {{- end }} 23 | manualSelector: true 24 | selector: 25 | matchLabels: 26 | {{- include "wiz-kubernetes-connector.selectorLabels" . | nindent 6 }} 27 | backoffLimit: 1 28 | template: 29 | metadata: 30 | {{- if (or .Values.global.podAnnotations .Values.podAnnotations .Values.autoCreateConnector.podAnnotations)}} 31 | annotations: 32 | {{- with .Values.global.podAnnotations }} 33 | {{- toYaml . | nindent 8 }} 34 | {{- end }} 35 | {{- with .Values.podAnnotations }} 36 | {{- toYaml . | nindent 8 }} 37 | {{- end }} 38 | {{- with .Values.autoCreateConnector.podAnnotations }} 39 | {{- toYaml . | nindent 8 }} 40 | {{- end }} 41 | {{- end }} 42 | labels: 43 | wiz.io/component: "delete-kubernetes-connector" 44 | {{/* 45 | `labels` includes `selectorLabels` 46 | */}} 47 | {{- include "wiz-kubernetes-connector.labels" . | nindent 8 }} 48 | spec: 49 | {{- with .Values.autoCreateConnector.podAdditionalSpec }} 50 | {{- toYaml . | nindent 6 }} 51 | {{- end }} 52 | {{- with .Values.global.podAdditionalSpec }} 53 | {{- toYaml . | nindent 6 }} 54 | {{- end }} 55 | {{- with .Values.global.imagePullSecrets }} 56 | imagePullSecrets: 57 | {{- toYaml . | nindent 8 }} 58 | {{- end }} 59 | serviceAccountName: {{ .Values.autoCreateConnector.serviceAccount.name }} 60 | restartPolicy: "Never" 61 | securityContext: 62 | {{- if hasKey .Values.global "lowPrivilegePodSecurityPolicy" }} 63 | {{- toYaml .Values.global.lowPrivilegePodSecurityPolicy | nindent 8 }} 64 | {{- else }} 65 | {{- toYaml .Values.global.podSecurityContext | nindent 8 }} 66 | {{- end }} 67 | volumes: 68 | {{- $volumes := include "wiz-kubernetes-connector.spec.common.volumes" . 
| trim }} 69 | {{- if $volumes -}} 70 | {{ $volumes | nindent 6 }} 71 | {{- end -}} 72 | {{- if or .Values.autoCreateConnector.customVolumes .Values.global.customVolumes}} 73 | {{ with .Values.global.customVolumes }} 74 | {{- toYaml . | nindent 6 }} 75 | {{- end }} 76 | {{ with .Values.autoCreateConnector.customVolumes }} 77 | {{- toYaml . | nindent 6 }} 78 | {{- end }} 79 | {{- end }} 80 | containers: 81 | - name: wiz-connector-delete 82 | securityContext: 83 | {{- if hasKey .Values.global "lowPrivilegeSecurityPolicy" }} 84 | {{- toYaml .Values.global.lowPrivilegeSecurityPolicy | nindent 12 }} 85 | {{- else }} 86 | {{- toYaml .Values.global.securityContext | nindent 12 }} 87 | {{- end }} 88 | image: {{ include "wiz-broker.image" . }} 89 | imagePullPolicy: {{ coalesce .Values.global.image.pullPolicy .Values.image.pullPolicy }} 90 | command: ["/bin/sh", "-c"] 91 | args: {{- include "wiz-kubernetes-connector.argsListDeleteConnector" . | nindent 12 }} 92 | env: 93 | {{- include "wiz-kubernetes-connector.spec.common.envVars" . | trim | nindent 10 }} 94 | {{- include "wiz-common.renderResources" (list .Values.resources (index .Values.global "wiz-kubernetes-connector" "resources")) | nindent 10 }} 95 | volumeMounts: 96 | {{- include "wiz-kubernetes-connector.spec.common.volumeMounts" . | trim | nindent 10 }} 97 | {{- if or .Values.autoCreateConnector.customVolumeMounts .Values.global.customVolumeMounts }} 98 | {{- with .Values.autoCreateConnector.customVolumeMounts }} 99 | {{- toYaml . | nindent 10 }} 100 | {{- end -}} 101 | {{- with .Values.global.customVolumeMounts }} 102 | {{- toYaml . | nindent 10 }} 103 | {{- end }} 104 | {{- end }} 105 | {{- with (coalesce .Values.global.nodeSelector .Values.nodeSelector) }} 106 | nodeSelector: 107 | {{- toYaml . | nindent 8 }} 108 | {{- end }} 109 | {{- with (coalesce .Values.global.affinity .Values.affinity) }} 110 | affinity: 111 | {{- toYaml . 
| nindent 8 }} 112 | {{- end }} 113 | {{- if (or .Values.global.tolerations .Values.tolerations) }} 114 | tolerations: 115 | {{- with .Values.global.tolerations }} 116 | {{- toYaml . | nindent 8 }} 117 | {{- end }} 118 | {{- with .Values.tolerations }} 119 | {{- toYaml . | nindent 8 }} 120 | {{- end }} 121 | {{- end }} 122 | {{- end }} 123 | {{- end }} 124 | -------------------------------------------------------------------------------- /wiz-kubernetes-connector/templates/job-refresh-token.yaml: -------------------------------------------------------------------------------- 1 | {{ if and .Values.refreshToken.enabled -}} 2 | {{/* We require version 1.22 and above since we rely on the TokenRequest API in k8s which was introduced as part of "Bound service account token volume mechanism" which was supported in version 1.22 3 | https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume*/}} 4 | {{- if semverCompare "<1.22-0" (include "kubeVersion" .) }} 5 | {{- fail (printf "The refresh token job requires Kubernetes cluster version 1.22 or higher. Found version: %s. To mitigate this, either update your Kubernetes cluster version or set refreshToken.enabled to false." .Capabilities.KubeVersion.Version) }} 6 | {{- end }} 7 | 8 | apiVersion: batch/v1 9 | kind: CronJob 10 | metadata: 11 | name: {{ include "wiz-kubernetes-connector.name" . }}-refresh-token 12 | namespace: {{ .Release.Namespace | quote }} 13 | labels: 14 | {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }} 15 | {{- if .Values.refreshToken.cronJobAnnotations}} 16 | annotations: 17 | {{- with (.Values.refreshToken.cronJobAnnotations) }} 18 | {{- toYaml . 
| nindent 4 }} 19 | {{- end }} 20 | {{- end }} 21 | spec: 22 | schedule: "{{ coalesce .Values.refreshToken.schedule "0 */6 * * *" }}" 23 | concurrencyPolicy: Forbid # Ensures only one job instance runs at a time 24 | jobTemplate: 25 | metadata: 26 | name: {{ include "wiz-kubernetes-connector.name" . }}-refresh-token-job 27 | namespace: {{ .Release.Namespace | quote }} 28 | labels: 29 | {{- include "wiz-kubernetes-connector.labels" . | nindent 8 }} 30 | {{- if .Values.refreshToken.jobAnnotations}} 31 | annotations: 32 | {{- with (.Values.refreshToken.jobAnnotations) }} 33 | {{- toYaml . | nindent 8 }} 34 | {{- end }} 35 | {{- end }} 36 | spec: 37 | activeDeadlineSeconds: {{ .Values.refreshToken.timeoutSeconds }} 38 | ttlSecondsAfterFinished: {{ .Values.refreshToken.cleanupJobSeconds }} 39 | template: 40 | metadata: 41 | annotations: 42 | rollme.proxyHash: {{ include "wiz-kubernetes-connector.proxyHash" . }} 43 | rollme.brokerHash: {{ include "wiz-kubernetes-connector.brokerHash" . }} 44 | rollme.wizApiTokenHash: {{ include "wiz-kubernetes-connector.wizApiTokenHash" . }} 45 | {{- with .Values.global.podAnnotations }} 46 | {{- toYaml . | nindent 12 }} 47 | {{- end }} 48 | {{- with .Values.podAnnotations }} 49 | {{- toYaml . | nindent 12 }} 50 | {{- end }} 51 | {{- with .Values.refreshToken.podAnnotations }} 52 | {{- toYaml . | nindent 12 }} 53 | {{- end }} 54 | labels: 55 | wiz.io/component: "refresh-kubernetes-connector-token" 56 | {{- include "wiz-kubernetes-connector.labels" . | nindent 12 }} 57 | spec: 58 | {{- with .Values.autoCreateConnector.podAdditionalSpec }} 59 | {{- toYaml . | nindent 10 }} 60 | {{- end }} 61 | {{- with .Values.global.podAdditionalSpec }} 62 | {{- toYaml . | nindent 10 }} 63 | {{- end }} 64 | restartPolicy: Never 65 | {{- with .Values.global.imagePullSecrets }} 66 | imagePullSecrets: 67 | {{- toYaml . 
| nindent 12 }} 68 | {{- end }} 69 | serviceAccountName: {{ .Values.refreshToken.serviceAccount.name }} 70 | securityContext: 71 | {{- if hasKey .Values.global "lowPrivilegePodSecurityPolicy" }} 72 | {{- toYaml .Values.global.lowPrivilegePodSecurityPolicy | nindent 12 }} 73 | {{- else }} 74 | {{- toYaml .Values.global.podSecurityContext | nindent 12 }} 75 | {{- end }} 76 | containers: 77 | - name: {{ .Chart.Name }}-refresh-token 78 | securityContext: 79 | {{- if hasKey .Values.global "lowPrivilegeSecurityPolicy" }} 80 | {{- toYaml .Values.global.lowPrivilegeSecurityPolicy | nindent 16 }} 81 | {{- else }} 82 | {{- toYaml .Values.global.securityContext | nindent 16 }} 83 | {{- end }} 84 | image: {{ include "wiz-broker.image" . }} 85 | imagePullPolicy: {{ coalesce .Values.global.image.pullPolicy .Values.image.pullPolicy }} 86 | command: 87 | {{- include "wiz-kubernetes-connector.entrypoint" . | nindent 16 }} 88 | args: {{- include "wiz-kubernetes-connector.argsListRefreshConnector" . | nindent 16 }} 89 | env: 90 | {{- include "wiz-kubernetes-connector.spec.common.envVars" . | trim | nindent 14 }} 91 | {{- include "wiz-common.renderResources" (list .Values.resources (index .Values.global "wiz-kubernetes-connector" "resources")) | nindent 14 }} 92 | volumeMounts: 93 | {{- include "wiz-kubernetes-connector.spec.common.volumeMounts" . | trim | nindent 14 }} 94 | {{- if or .Values.autoCreateConnector.customVolumeMounts .Values.global.customVolumeMounts }} 95 | {{- with .Values.autoCreateConnector.customVolumeMounts }} 96 | {{- toYaml . | nindent 14 }} 97 | {{- end -}} 98 | {{- with .Values.global.customVolumeMounts }} 99 | {{- toYaml . | nindent 14 }} 100 | {{- end }} 101 | {{- end }} 102 | {{- with (coalesce .Values.global.nodeSelector .Values.nodeSelector) }} 103 | nodeSelector: 104 | {{- toYaml . | nindent 12 }} 105 | {{- end }} 106 | {{- with (coalesce .Values.global.affinity .Values.affinity) }} 107 | affinity: 108 | {{- toYaml . 
| nindent 12 }} 109 | {{- end }} 110 | {{- if (or .Values.global.tolerations .Values.tolerations) }} 111 | tolerations: 112 | {{- with .Values.global.tolerations }} 113 | {{- toYaml . | nindent 12 }} 114 | {{- end }} 115 | {{- with .Values.tolerations }} 116 | {{- toYaml . | nindent 12 }} 117 | {{- end }} 118 | {{- end }} 119 | volumes: 120 | {{- $volumes := include "wiz-kubernetes-connector.spec.common.volumes" . | trim }} 121 | {{- if $volumes -}} 122 | {{ $volumes | nindent 12 }} 123 | {{- end -}} 124 | {{- end }} -------------------------------------------------------------------------------- /wiz-kubernetes-connector/templates/secret-connector.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.wizConnector.createSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "wiz-kubernetes-connector.connectorSecretName" . | trim }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }} 9 | annotations: 10 | "helm.sh/hook": pre-install, pre-upgrade 11 | "helm.sh/hook-weight": "-1" 12 | {{- with .Values.wizConnector.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | type: Opaque 16 | data: 17 | connectorData: {{ include "wiz-kubernetes-connector.wizConnectorSecretData" . | fromYaml | toJson | b64enc | quote }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /wiz-kubernetes-connector/templates/secret-proxy.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not (empty .Values.httpProxyConfiguration.httpsProxy)) (eq .Values.httpProxyConfiguration.enabled false) }} 2 | {{- fail "Error: httpsProxy is set but httpProxyConfiguration.enabled is false. Please enable the proxy configuration or unset httpsProxy." 
}} 3 | {{- end }} 4 | 5 | {{- if and .Values.httpProxyConfiguration.enabled .Values.httpProxyConfiguration.create }} 6 | {{- if hasPrefix "https://" .Values.httpProxyConfiguration.httpsProxy }} 7 | {{- fail "Error: httpsProxy must start with 'http://', https or any other protocol is not supported." }} 8 | {{- end }} 9 | apiVersion: v1 10 | kind: Secret 11 | type: Opaque 12 | metadata: 13 | name: {{ include "wiz-kubernetes-connector.proxySecretName" . | trim }} 14 | namespace: {{ .Release.Namespace | quote }} 15 | annotations: 16 | "helm.sh/hook": pre-install,pre-upgrade 17 | "helm.sh/hook-weight": "-1" 18 | {{- with .Values.httpProxyConfiguration.annotations }} 19 | {{- toYaml . | nindent 4 }} 20 | {{- end }} 21 | labels: 22 | {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }} 23 | stringData: 24 | httpProxy: {{ .Values.httpProxyConfiguration.httpProxy | quote }} 25 | httpsProxy: {{ .Values.httpProxyConfiguration.httpsProxy | quote }} 26 | noProxyAddress: {{ .Values.httpProxyConfiguration.noProxyAddress | quote }} 27 | clientCertificate: {{ .Values.httpProxyConfiguration.clientCertificate | quote }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /wiz-kubernetes-connector/templates/secrets-wiz-api-token.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq (include "wiz-kubernetes-connector.isWizApiTokenSecretEnabled" . | trim | lower) "true" }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "wiz-kubernetes-connector.apiTokenSecretName" . | trim }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }} 9 | annotations: 10 | "helm.sh/hook": pre-install, pre-upgrade 11 | "helm.sh/hook-weight": "-1" 12 | {{- with.Values.wizApiToken.secret.annotations }} 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | stringData: 16 | clientId: {{ required "Missing required value wizApiToken.clientId is required" .Values.wizApiToken.clientId | quote }} 17 | clientToken: {{ required "Missing required value: wizApiToken.clientToken is required" .Values.wizApiToken.clientToken | quote }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.clusterReader.installRbac }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.clusterReader.serviceAccount.name }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }} 9 | annotations: 10 | "helm.sh/hook": pre-install,pre-upgrade 11 | "helm.sh/hook-delete-policy": before-hook-creation 12 | {{- with .Values.clusterReader.serviceAccount.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | --- 16 | {{- if not .Values.refreshToken.enabled }} 17 | apiVersion: v1 18 | kind: Secret 19 | metadata: 20 | name: {{ .Values.clusterReader.serviceAccount.name }}-token 21 | namespace: {{ .Release.Namespace | quote }} 22 | labels: 23 | {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }} 24 | annotations: 25 | "helm.sh/hook": pre-install,pre-upgrade 26 | "helm.sh/hook-delete-policy": before-hook-creation 27 | kubernetes.io/service-account.name: {{ .Values.clusterReader.serviceAccount.name }} 28 | {{- with .Values.clusterReader.secret.annotations }} 29 | {{- toYaml . | nindent 4 }} 30 | {{- end }} 31 | type: kubernetes.io/service-account-token 32 | {{- end }} 33 | --- 34 | apiVersion: rbac.authorization.k8s.io/v1 35 | kind: ClusterRole 36 | metadata: 37 | name: {{ .Values.clusterReader.serviceAccount.name }} 38 | labels: 39 | {{- include "wiz-kubernetes-connector.labels" . 
| nindent 4 }} 40 | {{- with .Values.clusterReader.serviceAccount.rules }} 41 | rules: 42 | {{ toYaml . | indent 2 }} 43 | {{- end }} 44 | 45 | --- 46 | apiVersion: rbac.authorization.k8s.io/v1 47 | kind: ClusterRoleBinding 48 | metadata: 49 | name: {{ .Values.clusterReader.serviceAccount.name }} 50 | labels: 51 | {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }} 52 | roleRef: 53 | apiGroup: rbac.authorization.k8s.io 54 | kind: ClusterRole 55 | name: {{ .Values.clusterReader.serviceAccount.name }} 56 | subjects: 57 | - kind: ServiceAccount 58 | name: {{ .Values.clusterReader.serviceAccount.name }} 59 | namespace: {{ .Release.Namespace | quote }} 60 | {{- end }} 61 | -------------------------------------------------------------------------------- /wiz-kubernetes-connector/templates/service-account-modify-connector.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.autoCreateConnector.enabled .Values.autoCreateConnector.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.autoCreateConnector.serviceAccount.name }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }} 9 | annotations: 10 | "helm.sh/hook": pre-install,pre-upgrade,pre-delete 11 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 12 | "helm.sh/hook-weight": "-1" 13 | {{- with .Values.autoCreateConnector.serviceAccount.annotations }} 14 | {{- toYaml . | nindent 4 }} 15 | {{- end }} 16 | {{- end }} 17 | {{- if and .Values.autoCreateConnector.enabled .Values.autoCreateConnector.serviceAccount.createRbac }} 18 | --- 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: Role 21 | metadata: 22 | name: {{ .Values.autoCreateConnector.serviceAccount.name }} 23 | namespace: {{ .Release.Namespace | quote }} 24 | labels: 25 | {{- include "wiz-kubernetes-connector.labels" . 
| nindent 4 }} 26 | annotations: 27 | "helm.sh/hook": pre-install,pre-upgrade,pre-delete 28 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 29 | "helm.sh/hook-weight": "-1" 30 | {{- with .Values.autoCreateConnector.roleAnnotations }} 31 | {{- toYaml . | nindent 4 }} 32 | {{- end }} 33 | rules: 34 | - apiGroups: [""] 35 | resources: ["secrets"] 36 | resourceNames: [{{ include "wiz-kubernetes-connector.connectorSecretName" . | trim | quote }}] 37 | verbs: ["update", "get"] 38 | - apiGroups: [""] 39 | resources: ["secrets"] 40 | resourceNames: [ 41 | {{ include "wiz-kubernetes-connector.apiTokenSecretName" . | trim | quote }} 42 | {{- if not .Values.refreshToken.enabled }} 43 | {{- "," }} 44 | {{ include "wiz-kubernetes-connector.clusterReaderToken" . | quote }} 45 | {{- end }} 46 | ] 47 | verbs: ["get"] 48 | {{- if .Values.refreshToken.enabled }} 49 | - apiGroups: [""] 50 | resources: ["serviceaccounts/token"] 51 | resourceNames: ["{{ .Values.clusterReader.serviceAccount.name }}"] 52 | verbs: ["create"] 53 | {{- end }} 54 | --- 55 | apiVersion: rbac.authorization.k8s.io/v1 56 | kind: RoleBinding 57 | metadata: 58 | name: {{ .Values.autoCreateConnector.serviceAccount.name }} 59 | namespace: {{ .Release.Namespace | quote }} 60 | labels: 61 | {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }} 62 | annotations: 63 | "helm.sh/hook": pre-install,pre-upgrade,pre-delete 64 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 65 | "helm.sh/hook-weight": "-1" 66 | {{- with .Values.autoCreateConnector.roleBindingAnnotations }} 67 | {{- toYaml . 
| nindent 4 }} 68 | {{- end }} 69 | roleRef: 70 | apiGroup: rbac.authorization.k8s.io 71 | kind: Role 72 | name: {{ .Values.autoCreateConnector.serviceAccount.name }} 73 | subjects: 74 | - kind: ServiceAccount 75 | name: {{ .Values.autoCreateConnector.serviceAccount.name }} 76 | namespace: {{ .Release.Namespace | quote }} 77 | {{- end }} 78 | -------------------------------------------------------------------------------- /wiz-kubernetes-connector/templates/service-account-token-generator.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.refreshToken.installRbac .Values.refreshToken.enabled }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.refreshToken.serviceAccount.name }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }} 9 | annotations: 10 | {{- with .Values.refreshToken.serviceAccount.annotations }} 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | --- 14 | apiVersion: rbac.authorization.k8s.io/v1 15 | kind: Role 16 | metadata: 17 | name: {{ .Values.refreshToken.serviceAccount.name }} 18 | namespace: {{ .Release.Namespace | quote }} 19 | labels: 20 | {{- include "wiz-kubernetes-connector.labels" . | nindent 4 }} 21 | rules: 22 | - apiGroups: [""] 23 | resources: ["serviceaccounts/token"] 24 | resourceNames: ["{{ .Values.clusterReader.serviceAccount.name }}"] 25 | verbs: ["create"] 26 | - apiGroups: [""] 27 | resources: ["secrets"] 28 | resourceNames: [{{ include "wiz-kubernetes-connector.connectorSecretName" . | trim | quote }}] 29 | verbs: ["get"] 30 | --- 31 | apiVersion: rbac.authorization.k8s.io/v1 32 | kind: RoleBinding 33 | metadata: 34 | namespace: {{ .Release.Namespace | quote }} 35 | name: {{ .Values.refreshToken.serviceAccount.name }} 36 | labels: 37 | {{- include "wiz-kubernetes-connector.labels" . 
| nindent 4 }} 38 | roleRef: 39 | apiGroup: rbac.authorization.k8s.io 40 | kind: Role 41 | name: {{ .Values.refreshToken.serviceAccount.name }} 42 | subjects: 43 | - kind: ServiceAccount 44 | name: {{ .Values.refreshToken.serviceAccount.name }} 45 | namespace: {{ .Release.Namespace | quote }} 46 | {{- end }} 47 | -------------------------------------------------------------------------------- /wiz-kubernetes-integration/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /wiz-kubernetes-integration/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: wiz-kubernetes-integration 3 | description: A Helm chart for Kubernetes 4 | type: application 5 | version: 0.2.96 6 | appVersion: "" 7 | 8 | # Dependencies for wiz-kubernetes connector and wiz-admission-controller and wiz-sensor 9 | dependencies: 10 | - name: wiz-kubernetes-connector 11 | repository: https://wiz-sec.github.io/charts 12 | version: ">=3.1.0" 13 | condition: wiz-kubernetes-connector.enabled 14 | - name: "wiz-admission-controller" 15 | repository: https://wiz-sec.github.io/charts 16 | version: ">=3.6.0" 17 | condition: wiz-admission-controller.enabled 18 | - name: wiz-sensor 19 | repository: https://wiz-sec.github.io/charts 20 | version: ">=1.0.6816" 21 | condition: wiz-sensor.enabled 22 | 
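-------------------------------------------------------------------------------- /wiz-kubernetes-integration/templates/NOTES.txt: --------------------------------------------------------------------------------
{{- /*
Post-install notes for the umbrella chart.
When the connector sub-chart is enabled, the proxy secret (secret-proxy.yaml) and the
API-token secret (secrets-wiz-api-token.yaml) are rendered with
"helm.sh/hook: pre-install,pre-upgrade", so `helm uninstall` does not remove them and
the user has to delete them by hand. Each kubectl line below is printed only under the
same condition that renders the corresponding secret, and names that secret — the proxy
branch prints proxySecretName and the API-token branch prints secretApiTokenName.
*/}}
{{- if (index .Values "wiz-kubernetes-connector" "enabled") }}
{{- if or (and .Values.global.httpProxyConfiguration.enabled .Values.global.httpProxyConfiguration.create) .Values.global.wizApiToken.secret.create }}
Some secrets used by helm pre-install hooks.
Please delete them manually when you uninstall this chart.
{{- /* Mirrors the render condition of secret-proxy.yaml. */}}
{{- if and .Values.global.httpProxyConfiguration.enabled .Values.global.httpProxyConfiguration.create }}
kubectl delete secret {{ include "wiz-kubernetes-integration.proxySecretName" . | trim }} -n {{ .Release.Namespace | quote }}
{{- end }}
{{- /* Mirrors the render condition of secrets-wiz-api-token.yaml: no secret is created when the token is mounted from a volume. */}}
{{- if and .Values.global.wizApiToken.secret.create (not .Values.global.wizApiToken.wizApiTokensVolumeMount) (index .Values "wiz-kubernetes-connector" "enabled") }}
kubectl delete secret {{ include "wiz-kubernetes-integration.secretApiTokenName" . | trim }} -n {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}
{{- end }}
-------------------------------------------------------------------------------- /wiz-kubernetes-integration/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "wiz-kubernetes-integration.name" -}} 5 | {{- default .Chart.Name .Values.global.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 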
12 | */}} 13 | {{- define "wiz-kubernetes-integration.fullname" -}} 14 | {{- if .Values.global.fullnameOverride }} 15 | {{- .Values.global.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.global.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "wiz-kubernetes-integration.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "wiz-kubernetes-integration.labels" -}} 37 | helm.sh/chart: {{ include "wiz-kubernetes-integration.chart" . }} 38 | {{ include "wiz-kubernetes-integration.selectorLabels" . }} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Values.global.image.tag | default .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- if .Values.global.commonLabels }} 44 | {{- range $index, $content := .Values.global.commonLabels }} 45 | {{ $index }}: {{ tpl $content $ | quote }} 46 | {{- end }} 47 | {{- end }} 48 | {{- end }} 49 | 50 | {{- define "wiz-kubernetes-integration.selectorLabels" -}} 51 | app.kubernetes.io/name: {{ include "wiz-kubernetes-integration.name" . 
}} 52 | app.kubernetes.io/instance: {{ .Release.Name }} 53 | {{- end }} 54 | 55 | {{- define "wiz-kubernetes-integration.secretApiTokenName" -}} 56 | {{ coalesce (.Values.global.wizApiToken.secret.name) (printf "%s-api-token" .Release.Name) }} 57 | {{- end }} 58 | 59 | {{- define "wiz-kubernetes-integration.proxySecretName" -}} 60 | {{ coalesce (.Values.global.httpProxyConfiguration.secretName) (printf "%s-%s" .Release.Name "proxy-configuration") }} 61 | {{- end }} 62 | -------------------------------------------------------------------------------- /wiz-kubernetes-integration/templates/secret-proxy.yaml: -------------------------------------------------------------------------------- 1 | {{- if and (not (empty .Values.global.httpProxyConfiguration.httpsProxy)) (eq .Values.global.httpProxyConfiguration.enabled false) }} 2 | {{- fail "Error: httpsProxy is set but httpProxyConfiguration.enabled is false. Please enable the proxy configuration or unset httpsProxy." }} 3 | {{- end }} 4 | 5 | {{- if and .Values.global.httpProxyConfiguration.enabled .Values.global.httpProxyConfiguration.create }} 6 | {{- if hasPrefix "https://" .Values.global.httpProxyConfiguration.httpsProxy }} 7 | {{- if index .Values "wiz-kubernetes-connector" "enabled" }} 8 | {{- fail "Error: httpsProxy must start with 'http://', https or any other protocol is not supported for the Wiz Kubernetes Connector or the Wiz Broker." }} 9 | {{- end }} 10 | {{- if empty .Values.global.httpProxyConfiguration.clientCertificate }} 11 | {{- fail "Error: HTTPS proxy requires a client certificate. Please provide clientCertificate in httpProxyConfiguration." }} 12 | {{- end }} 13 | {{- else }} 14 | {{- if not (empty .Values.global.httpProxyConfiguration.clientCertificate) }} 15 | {{- fail "Error: Client certificate is only supported for HTTPS proxies. Please remove clientCertificate or use an HTTPS proxy." 
}} 16 | {{- end }} 17 | {{- end }} 18 | 19 | apiVersion: v1 20 | kind: Secret 21 | type: Opaque 22 | metadata: 23 | name: {{ include "wiz-kubernetes-integration.proxySecretName" . | trim }} 24 | namespace: {{ .Release.Namespace | quote }} 25 | {{ if or (index .Values "wiz-kubernetes-connector" "enabled") .Values.global.httpProxyConfiguration.annotations }} 26 | annotations: 27 | {{- if (index .Values "wiz-kubernetes-connector" "enabled") }} # Secret used by per-install hook in wiz-kubernetes-connector 28 | "helm.sh/hook": pre-install,pre-upgrade 29 | "helm.sh/hook-weight": "-1" 30 | {{- end }} 31 | {{- with .Values.global.httpProxyConfiguration.annotations }} 32 | {{- toYaml . | nindent 4 }} 33 | {{- end }} 34 | {{- end }} 35 | labels: 36 | {{- include "wiz-kubernetes-integration.labels" . | nindent 4 }} 37 | stringData: 38 | http_proxy: {{ .Values.global.httpProxyConfiguration.httpProxy | quote }} 39 | https_proxy: {{ .Values.global.httpProxyConfiguration.httpsProxy | quote }} 40 | no_proxy: {{ .Values.global.httpProxyConfiguration.noProxyAddress | quote }} 41 | httpProxy: {{ .Values.global.httpProxyConfiguration.httpProxy | quote }} 42 | httpsProxy: {{ .Values.global.httpProxyConfiguration.httpsProxy | quote }} 43 | noProxyAddress: {{ .Values.global.httpProxyConfiguration.noProxyAddress | quote }} 44 | caCertificate: {{ .Values.global.httpProxyConfiguration.caCertificate | quote }} 45 | clientCertificate: {{ .Values.global.httpProxyConfiguration.clientCertificate | quote }} 46 | {{- end }} 47 | -------------------------------------------------------------------------------- /wiz-kubernetes-integration/templates/secrets-wiz-api-token.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.global.wizApiToken.secret.create (not .Values.global.wizApiToken.wizApiTokensVolumeMount) }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "wiz-kubernetes-integration.secretApiTokenName" . 
| trim }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "wiz-kubernetes-integration.labels" . | nindent 4 }} 9 | annotations: 10 | {{- if (index .Values "wiz-kubernetes-connector" "enabled") }} # Secret used by per-install hook in wiz-kubernetes-connector 11 | "helm.sh/hook": pre-install,pre-upgrade 12 | "helm.sh/hook-weight": "-1" 13 | {{- end }} 14 | {{- with .Values.global.wizApiToken.secret.annotations }} 15 | {{- toYaml . | nindent 4 }} 16 | {{- end }} 17 | stringData: 18 | clientId: {{ required "Missing required value global.wizApiToken.clientId is required" .Values.global.wizApiToken.clientId | quote }} 19 | clientToken: {{ required "Missing required value: global.wizApiToken.clientToken is required" .Values.global.wizApiToken.clientToken | quote }} 20 | {{- if .Values.global.wizApiToken.clientEndpoint }} 21 | clientEndpoint: {{ .Values.global.wizApiToken.clientEndpoint | quote }} 22 | {{- end }} 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /wiz-network-analyzer/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /wiz-network-analyzer/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: "wiz-network-analyzer" 3 | description: A Helm chart for troubleshooting networking connectivity from Kubernetes clusters to Wiz 4 | 5 | type: application 6 | 7 | version: 0.1.3 8 | 9 | appVersion: "0.1" 10 | -------------------------------------------------------------------------------- /wiz-network-analyzer/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | You have successfully installed the Wiz Network Analyzer! 2 | 3 | Next steps: 4 | 1. Wait for the Job to complete 5 | kubectl wait --for=condition=complete job/{{ include "wiz-network-analyzer.name" . }} -n {{ .Release.Namespace }} 6 | 7 | 2. Collect the support package from the cluster 8 | POD_NAME=$(kubectl get pod -l app.kubernetes.io/name=wiz-network-analyzer -n {{ .Release.Namespace }}) 9 | kubectl -n {{ .Release.Namespace }} cp $POD_NAME:/support-package.zip . 10 | 11 | 3. Upload it to Wiz 12 | Follow the instructions in the support package to upload it to Wiz. 13 | 14 | 4. (Optional) access the logs 15 | POD_NAME=$(kubectl get pod -l app.kubernetes.io/name=wiz-network-analyzer -n {{ .Release.Namespace }}) 16 | kubectl -n {{ .Release.Namespace }} logs $POD_NAME > wiz-network-analyzer.log 17 | 18 | Upon completion, the Job will remain for 5 minutes to allow extracting the support package. 19 | After that, the Job will be deleted automatically.
20 | -------------------------------------------------------------------------------- /wiz-network-analyzer/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "wiz-network-analyzer.name" -}} 5 | {{- $nameOverride := coalesce .Values.global.nameOverride .Values.nameOverride }} 6 | {{- default .Chart.Name $nameOverride | trunc 63 | trimSuffix "-" }} 7 | {{- end }} 8 | 9 | {{/* 10 | Create chart name and version as used by the chart label. 11 | */}} 12 | {{- define "wiz-network-analyzer.chart" -}} 13 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 14 | {{- end }} 15 | 16 | {{/* 17 | Common labels 18 | */}} 19 | {{- define "wiz-network-analyzer.labels" -}} 20 | helm.sh/chart: {{ include "wiz-network-analyzer.chart" . }} 21 | {{ include "wiz-network-analyzer.selectorLabels" . }} 22 | {{- if .Chart.AppVersion }} 23 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 24 | {{- end }} 25 | app.kubernetes.io/managed-by: {{ .Release.Service }} 26 | {{- if .Values.commonLabels }} 27 | {{- range $index, $content := .Values.commonLabels }} 28 | {{ $index }}: {{ tpl $content $ | quote }} 29 | {{- end }} 30 | {{- end }} 31 | {{- if .Values.global.commonLabels }} 32 | {{- range $index, $content := .Values.global.commonLabels }} 33 | {{ $index }}: {{ tpl $content $ | quote }} 34 | {{- end }} 35 | {{- end }} 36 | {{- end }} 37 | 38 | {{/* 39 | Selector labels 40 | */}} 41 | {{- define "wiz-network-analyzer.selectorLabels" -}} 42 | app.kubernetes.io/name: {{ include "wiz-network-analyzer.name" . 
}} 43 | app.kubernetes.io/instance: {{ .Release.Name }} 44 | {{- end }} 45 | 46 | {{/* 47 | Create Wiz Network Analyzer properties to use 48 | */}} 49 | 50 | 51 | {{/* 52 | Secrets names 53 | */}} 54 | 55 | {{- define "wiz-network-analyzer.apiTokenSecretName" -}} 56 | {{ coalesce (.Values.global.wizApiToken.secret.name) (.Values.wizApiToken.secret.name) (printf "%s-na-api-token" .Release.Name) }} 57 | {{- end }} 58 | 59 | {{- define "wiz-network-analyzer.proxySecretName" -}} 60 | {{ coalesce (.Values.global.httpProxyConfiguration.secretName) (.Values.httpProxyConfiguration.secretName) (printf "%s-na-proxy-configuration" .Release.Name) }} 61 | {{- end }} 62 | 63 | {{- define "wiz-network-analyzer.caSecretName" -}} 64 | {{ coalesce (.Values.caCertificate.secretName) (printf "%s-na-ca" .Release.Name) }} 65 | {{- end }} 66 | 67 | {{/* 68 | Input parameters 69 | */}} 70 | {{- define "wiz-network-analyzer.apiServerEndpoint" -}} 71 | {{- $url := urlParse .Values.apiServerEndpoint}} 72 | {{- if not (and $url.host $url.scheme) }} 73 | {{- fail "Invalid URL format for .Values.apiServerEndpoint" }} 74 | {{- else }} 75 | {{ printf "%s" .Values.apiServerEndpoint }} 76 | {{- end }} 77 | {{- end }} 78 | 79 | {{/* 80 | This helper dumps the value of a variable as pretty-printed JSON and fails the template execution. 81 | Debug use only: the dump contains everything the variable holds (any secret values included), so do not leave a call in a shipped template. 82 | */}} 83 | {{- define "helpers.var_dump" -}} 84 | {{- . | mustToPrettyJson | printf "\nThe JSON output of the dumped var is: \n%s" | fail }} 85 | {{- end -}} 86 | 87 | {{- define "helpers.calculateHash" -}} 88 | {{- $list := . 
-}} 89 | {{- $hash := printf "%s" $list | sha256sum -}} 90 | {{- $hash := $hash | trimSuffix "\n" -}} 91 | {{- $hash -}} 92 | {{- end -}} 93 | 94 | {{- define "wiz-network-analyzer.wizApiTokenHash" -}} 95 | {{ include "helpers.calculateHash" (list .Values.wizApiToken.clientId .Values.wizApiToken.clientToken .Values.wizApiToken.secret.name) }} 96 | {{- end }} 97 | 98 | {{- define "wiz-network-analyzer.proxyHash" -}} 99 | {{ include "helpers.calculateHash" (list .Values.httpProxyConfiguration.httpProxy .Values.httpProxyConfiguration.httpsProxy .Values.httpProxyConfiguration.noProxyAddress .Values.httpProxyConfiguration.secretName) }} 100 | {{- end }} 101 | 102 | {{- define "wiz-network-analyzer.entrypoint" -}} 103 | {{- if .Values.istio.enabled -}} 104 | - "sh" 105 | - "-c" 106 | {{- else -}} 107 | - "wiz-network-analyzer" 108 | {{- end -}} 109 | {{- end }} 110 | 111 | {{- define "wiz-network-analyzer.argsList" -}} 112 | analyze 113 | --output 114 | /tmp 115 | {{- if .Values.outpostId }} 116 | --outpost-id 117 | "{{ .Values.outpostId }}" 118 | {{- end }} 119 | --region 120 | {{ .Values.wizRegion }} 121 | {{- if and .Values.caCertificate.enabled }} 122 | --proxy-ca-dir 123 | /usr/local/share/ca-certificates 124 | {{- end }} 125 | {{- end }} 126 | 127 | {{- define "wiz-kubernetes.pre-istio-sidecar" -}} 128 | {{- printf "sleep %d" (int (.Values.istio.sleepBeforeJobSecs | default 15)) -}} 129 | {{- end -}} 130 | 131 | {{- define "wiz-kubernetes.post-istio-sidecar" -}} 132 | {{- printf "curl --max-time 2 -s -f -XPOST http://127.0.0.1:%d/quitquitquit" (int (.Values.istio.proxySidecarPort | default 15000)) -}} 133 | {{- end -}} 134 | 135 | {{- define "wiz-network-analyzer.generateArgs" -}} 136 | {{- $args := include "wiz-network-analyzer.argsList" . | trim | splitList "\n" -}} 137 | {{- if .Values.istio.enabled -}} 138 | {{- $first := include "wiz-kubernetes.pre-istio-sidecar" . | trim -}} 139 | {{- $last := include "wiz-kubernetes.post-istio-sidecar" . 
| trim -}} 140 | {{- $argsWithIstio := printf "%s &&\nwiz-network-analyzer %s &&\n%s" $first (join " \n" $args) $last -}} 141 | - > 142 | {{- printf "%s" $argsWithIstio | nindent 2 }} 143 | {{- else -}} 144 | {{- range $arg := $args }} 145 | - {{ $arg | trim }} 146 | {{- end }} 147 | {{- end }} 148 | {{- end }} 149 | 150 | {{- define "wiz-network-analyzer.image" -}} 151 | {{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ coalesce .Values.global.image.tag .Values.image.tag | default .Chart.AppVersion }} 152 | {{- end -}} 153 | -------------------------------------------------------------------------------- /wiz-network-analyzer/templates/secret-ca.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.caCertificate.enabled .Values.caCertificate.create }} 2 | apiVersion: v1 3 | kind: Secret 4 | type: Opaque 5 | metadata: 6 | name: {{ include "wiz-network-analyzer.caSecretName" . | trim }} 7 | namespace: {{ .Release.Namespace | quote }} 8 | annotations: 9 | "helm.sh/hook": pre-install,pre-upgrade 10 | "helm.sh/hook-weight": "-1" 11 | {{- with .Values.caCertificate.annotations }} 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | labels: 15 | {{- include "wiz-network-analyzer.labels" . | nindent 4 }} 16 | stringData: 17 | ca.crt: {{ .Values.caCertificate.certificate | quote }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /wiz-network-analyzer/templates/secret-proxy.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.httpProxyConfiguration.enabled .Values.httpProxyConfiguration.create }} 2 | apiVersion: v1 3 | kind: Secret 4 | type: Opaque 5 | metadata: 6 | name: {{ include "wiz-network-analyzer.proxySecretName" . 
| trim }} 7 | namespace: {{ .Release.Namespace | quote }} 8 | annotations: 9 | "helm.sh/hook": pre-install,pre-upgrade 10 | "helm.sh/hook-weight": "-1" 11 | {{- with .Values.httpProxyConfiguration.annotations }} 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | labels: 15 | {{- include "wiz-network-analyzer.labels" . | nindent 4 }} 16 | stringData: 17 | httpsProxy: {{ .Values.httpProxyConfiguration.httpsProxy | quote }} 18 | noProxyAddress: {{ .Values.httpProxyConfiguration.noProxyAddress | quote }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /wiz-network-analyzer/templates/secrets-wiz-api-token.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.wizApiToken.secret.create }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ include "wiz-network-analyzer.apiTokenSecretName" . | trim }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "wiz-network-analyzer.labels" . | nindent 4 }} 9 | annotations: 10 | "helm.sh/hook": pre-install, pre-upgrade 11 | "helm.sh/hook-weight": "-1" 12 | {{- with.Values.wizApiToken.secret.annotations }} 13 | {{- toYaml . 
| nindent 4 }} 14 | {{- end }} 15 | stringData: 16 | clientId: {{ required "Missing required value wizApiToken.clientId is required" .Values.wizApiToken.clientId | quote }} 17 | clientToken: {{ required "Missing required value: wizApiToken.clientToken is required" .Values.wizApiToken.clientToken | quote }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /wiz-network-analyzer/templates/service-account-cluster-reader.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.clusterReader.installRbac }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Values.clusterReader.serviceAccount.name }} 6 | namespace: {{ .Release.Namespace | quote }} 7 | labels: 8 | {{- include "wiz-network-analyzer.labels" . | nindent 4 }} 9 | annotations: 10 | "helm.sh/hook": pre-install,pre-upgrade 11 | "helm.sh/hook-delete-policy": before-hook-creation 12 | {{- with .Values.clusterReader.serviceAccount.annotations }} 13 | {{- toYaml . | nindent 4 }} 14 | {{- end }} 15 | --- 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | kind: ClusterRole 18 | metadata: 19 | name: {{ .Values.clusterReader.serviceAccount.name }} 20 | labels: 21 | {{- include "wiz-network-analyzer.labels" . | nindent 4 }} 22 | {{- with .Values.clusterReader.serviceAccount.rules }} 23 | rules: 24 | {{ toYaml . | indent 2 }} 25 | {{- end }} 26 | 27 | --- 28 | apiVersion: rbac.authorization.k8s.io/v1 29 | kind: ClusterRoleBinding 30 | metadata: 31 | name: {{ .Values.clusterReader.serviceAccount.name }} 32 | labels: 33 | {{- include "wiz-network-analyzer.labels" . 
| nindent 4 }} 34 | roleRef: 35 | apiGroup: rbac.authorization.k8s.io 36 | kind: ClusterRole 37 | name: {{ .Values.clusterReader.serviceAccount.name }} 38 | subjects: 39 | - kind: ServiceAccount 40 | name: {{ .Values.clusterReader.serviceAccount.name }} 41 | namespace: {{ .Release.Namespace | quote }} 42 | {{- end }} 43 | -------------------------------------------------------------------------------- /wiz-outpost-configuration/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /wiz-outpost-configuration/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: wiz-outpost-configuration 3 | description: A Helm chart for Kubernetes 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 
17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 2025.05.21 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | appVersion: 0.0.1 24 | -------------------------------------------------------------------------------- /wiz-outpost-configuration/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "wiz-outpost-configuration.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "wiz-outpost-configuration.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "wiz-outpost-configuration.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "wiz-outpost-configuration.labels" -}} 37 | helm.sh/chart: {{ include "wiz-outpost-configuration.chart" . 
}} 38 | {{ include "wiz-outpost-configuration.selectorLabels" . }} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "wiz-outpost-configuration.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "wiz-outpost-configuration.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "wiz-outpost-configuration.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "wiz-outpost-configuration.fullname" .) .Values.serviceAccount.name }} 59 | {{- else }} 60 | {{- default "default" .Values.serviceAccount.name }} 61 | {{- end }} 62 | {{- end }} 63 | 64 | {{- define "wiz-network-analyzer.image" -}} 65 | {{ .Values.networkAnalyzer.image.registry }}/{{ .Values.networkAnalyzer.image.repository }}:{{ .Values.networkAnalyzer.image.tag | default .Chart.AppVersion }} 66 | {{- end -}} 67 | -------------------------------------------------------------------------------- /wiz-outpost-configuration/templates/agent.secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.agent.enabled }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ .Values.agentCredsSecretName }} 6 | labels: 7 | {{- include "wiz-outpost-configuration.labels" . 
| nindent 4 }} 8 | {{- if .Values.agent.annotations }} 9 | annotations: {{ toYaml .Values.agent.annotations | nindent 4 }} 10 | {{- end }} 11 | 12 | stringData: 13 | {{- if .Values.agent.clientId }} 14 | clientId: {{ required "Missing required value agent.clientId is required" .Values.agent.clientId | quote }} 15 | clientSecret: {{ required "Missing required value: agent.clientSecret is required" .Values.agent.clientSecret | quote }} 16 | {{- else }} 17 | privateKey: {{ required "Missing required value agent.privateKey" .Values.agent.privateKey | quote }} 18 | {{- end }} 19 | {{- end }} 20 | -------------------------------------------------------------------------------- /wiz-outpost-configuration/templates/azureWorkerCredentials.secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.azureWorkerCredentials }} 2 | {{/* publish the secret for git-proxy / external secrets */}} 3 | apiVersion: v1 4 | kind: Secret 5 | type: Opaque 6 | metadata: 7 | name: {{ .Values.azureWorkerCredentialsSecretName }} 8 | labels: 9 | {{- include "wiz-outpost-configuration.labels" . 
| nindent 4 }} 10 | data: 11 | azure.json: {{ .Values.azureWorkerCredentials | toJson | b64enc | quote }} 12 | # external secrets need each key separately so we reference the secret via env vars 13 | {{- range $k, $v := .Values.azureWorkerCredentials }} 14 | {{- if and (not (eq $k "useInstanceMetadata" )) (not (eq $k "useFederatedToken" ))}} 15 | {{ $k }}: {{ $v | b64enc | quote }} 16 | {{- end }} 17 | {{- end }} 18 | {{- end }} 19 | -------------------------------------------------------------------------------- /wiz-outpost-configuration/templates/httpProxyConfiguration.secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.httpProxyConfiguration.enabled }} 2 | {{- $noProxyCommaSeparatedList := join "," .Values.httpProxyConfiguration.noProxy }} 3 | {{- $noProxySpaceSeparatedList := join " " .Values.httpProxyConfiguration.noProxy }} 4 | apiVersion: v1 5 | kind: Secret 6 | type: Opaque 7 | metadata: 8 | name: {{ .Values.httpProxyConfiguration.name }} 9 | labels: 10 | {{- include "wiz-outpost-configuration.labels" . | nindent 4 }} 11 | annotations: 12 | meta.helm.sh/release-name: "{{ .Release.Name }}" 13 | meta.helm.sh/release-namespace: "{{ .Release.Namespace }}" 14 | data: 15 | {{- with .Values.httpProxyConfiguration.httpProxy }} 16 | httpProxy: {{ . | b64enc | quote }} 17 | http-proxy: {{ . | b64enc | quote }} 18 | {{- end }} 19 | {{- with .Values.httpProxyConfiguration.httpsProxy }} 20 | httpsProxy: {{ . | b64enc | quote }} 21 | https-proxy: {{ . 
| b64enc | quote }} 22 | {{- end }} 23 | {{- if .Values.httpProxyConfiguration.noProxy }} 24 | no-proxy-address: {{ $noProxySpaceSeparatedList | b64enc | quote }} 25 | no-proxy-address-cs: {{ $noProxyCommaSeparatedList | b64enc | quote }} 26 | noProxyAddress: {{ $noProxyCommaSeparatedList | b64enc | quote }} 27 | noProxyAddressSpaceSepareted: {{ $noProxySpaceSeparatedList | b64enc | quote }} 28 | {{- end }} 29 | {{- if .Values.httpProxyConfiguration.caCertificate }} 30 | caCertificate: {{ .Values.httpProxyConfiguration.caCertificate | b64enc | quote }} 31 | {{- else }} 32 | caCertificate: "" 33 | {{- end }} 34 | {{- if .Values.httpProxyConfiguration.clientCertificate }} 35 | clientCertificate: {{ .Values.httpProxyConfiguration.clientCertificate | b64enc | quote }} 36 | {{- else }} 37 | clientCertificate: "" 38 | {{- end }} 39 | {{- end }} 40 | -------------------------------------------------------------------------------- /wiz-outpost-configuration/templates/networkAnalyzer.job.yaml: -------------------------------------------------------------------------------- 1 | 2 | {{- if .Values.networkAnalyzer.enabled }} 3 | apiVersion: batch/v1 4 | kind: Job 5 | metadata: 6 | {{- if .Values.networkAnalyzer.rollingUpdate }} 7 | name: "{{ .Values.networkAnalyzer.name }}-{{ now | unixEpoch }}" 8 | {{else}} 9 | name: "{{ .Values.networkAnalyzer.name }}" 10 | {{- end }} 11 | namespace: {{ .Release.Namespace | quote }} 12 | labels: 13 | {{- include "wiz-outpost-configuration.labels" . 
| nindent 4 }} 14 | annotations: 15 | "meta.helm.sh/release-name": "{{ .Release.Name }}" 16 | "meta.helm.sh/release-namespace": "{{ .Release.Namespace }}" 17 | {{- if .Values.networkAnalyzer.failDeploymentOnFailure }} 18 | "helm.sh/hook": post-install,post-upgrade 19 | "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 20 | {{- end }} {{/* One-shot Job running `wiz-network-analyzer analyze` (restartPolicy Never, backoffLimit 0); credentials come from agentCredsSecretName and proxy settings from httpProxyConfiguration.name, both referenced in the env block below. */}} 21 | spec: 22 | backoffLimit: 0 # Fail fast if the job fails 23 | ttlSecondsAfterFinished: 30 {{/* the finished Job and its pod are garbage-collected 30s after completion, so anything written under /tmp must be collected quickly */}} 24 | manualSelector: true {{/* NOTE(review): manualSelector makes this Job adopt any pod matching the selector below, which is the shared name/instance label pair; with rollingUpdate the Job name carries an epoch suffix, so successive Jobs can share one selector — confirm that is intended. */}} 25 | selector: 26 | matchLabels: 27 | {{- include "wiz-outpost-configuration.selectorLabels" . | nindent 6 }} 28 | template: 29 | metadata: 30 | {{- with (coalesce .Values.podAnnotations) }} 31 | annotations: 32 | {{- toYaml . | nindent 8 }} 33 | {{- end }} 34 | labels: 35 | {{- include "wiz-outpost-configuration.labels" . | nindent 8 }} 36 | spec: 37 | {{- with .Values.imagePullSecrets }} 38 | imagePullSecrets: 39 | {{- toYaml . | nindent 8 }} 40 | {{- end }} 41 | serviceAccountName: {{ include "wiz-outpost-configuration.serviceAccountName" . | trim }} 42 | restartPolicy: "Never" 43 | securityContext: 44 | fsGroup: 1000 45 | supplementalGroups: 46 | - 1000 47 | containers: 48 | - name: wiz-network-analyzer 49 | securityContext: {{/* non-root, no privilege escalation, read-only root FS; the only writable path is the /tmp emptyDir mounted below */}} 50 | readOnlyRootFilesystem: true 51 | runAsNonRoot: true 52 | runAsUser: 1000 53 | runAsGroup: 1000 54 | privileged: false 55 | allowPrivilegeEscalation: false 56 | image: {{ include "wiz-network-analyzer.image" . }} 57 | imagePullPolicy: {{ .Values.networkAnalyzer.image.pullPolicy }} 58 | command: 59 | - "wiz-network-analyzer" 60 | args: 61 | - analyze 62 | - --output 63 | - /tmp 64 | {{- with .Values.networkAnalyzer.outpostId }} 65 | - --outpost-id 66 | - {{ . | quote }} 67 | {{- end }} 68 | - --region 69 | - {{ .Values.networkAnalyzer.wizRegion }} 70 | {{- with .Values.networkAnalyzer.forceHttp1 }} 71 | - --http1 72 | {{- end }} 73 | env: 74 | - name: LOG_LEVEL 75 | value: "info" 76 | {{- with .Values.networkAnalyzer.env }} 77 | - name: ENV 78 | value: {{ . 
| quote }} 79 | {{- end}} 80 | {{- with .Values.networkAnalyzer.outpostId }} 81 | - name: WIZ_OUTPOST_ID 82 | value: {{ . | quote }} 83 | {{- end }} 84 | - name: WIZ_CLIENT_ID 85 | valueFrom: 86 | secretKeyRef: 87 | name: {{ .Values.agentCredsSecretName }} 88 | key: clientId 89 | - name: WIZ_CLIENT_SECRET 90 | valueFrom: 91 | secretKeyRef: 92 | name: {{ .Values.agentCredsSecretName }} 93 | key: clientSecret {{/* NOTE(review): WIZ_CLIENT_ID/WIZ_CLIENT_SECRET are not marked optional; if the agent secret only carries privateKey (the no-clientId branch of agent.secret.yaml), the container cannot start — confirm this is intended when outpostId is unset. */}} 94 | - name: WIZ_DATA_CENTER 95 | value: {{ .Values.networkAnalyzer.dataCenter | quote }} 96 | - name: http_proxy 97 | valueFrom: 98 | secretKeyRef: 99 | name: {{ .Values.httpProxyConfiguration.name | quote }} 100 | key: "httpProxy" 101 | optional: true 102 | - name: HTTP_PROXY 103 | valueFrom: 104 | secretKeyRef: 105 | name: {{ .Values.httpProxyConfiguration.name | quote }} 106 | key: "httpProxy" 107 | optional: true 108 | - name: https_proxy 109 | valueFrom: 110 | secretKeyRef: 111 | name: {{ .Values.httpProxyConfiguration.name | quote }} 112 | key: "httpsProxy" 113 | optional: true 114 | - name: HTTPS_PROXY 115 | valueFrom: 116 | secretKeyRef: 117 | name: {{ .Values.httpProxyConfiguration.name | quote }} 118 | key: "httpsProxy" 119 | optional: true 120 | - name: no_proxy 121 | valueFrom: 122 | secretKeyRef: 123 | name: {{ .Values.httpProxyConfiguration.name | quote }} 124 | key: "noProxyAddress" 125 | optional: true 126 | - name: NO_PROXY 127 | valueFrom: 128 | secretKeyRef: 129 | name: {{ .Values.httpProxyConfiguration.name | quote }} 130 | key: "noProxyAddress" 131 | optional: true {{/* all proxy refs are optional, so the Job still schedules when the proxy secret is absent */}} 132 | - name: SSL_CERT_DIR 133 | value: "/usr/local/share/ca-certificates/:/certificates/" {{/* NOTE(review): neither SSL_CERT_DIR path has a volumeMount, and the ca-certificate volume declared under volumes is never mounted, so the caCertificate from the proxy secret does not reach the analyzer — looks like a missing mount. */}} 134 | volumeMounts: 135 | - mountPath: /tmp 136 | name: tmp-dir 137 | {{- if not .Values.networkAnalyzer.outpostId }} 138 | - name: secrets 139 | mountPath: /mnt/secrets/ 140 | readOnly: true 141 | {{- end }} 142 | resources: 143 | {{- toYaml .Values.networkAnalyzer.resources | nindent 12 }} 144 | volumes: 145 | - name: tmp-dir 146 | emptyDir: { } 147 | - name: ca-certificate {{/* NOTE(review): declared here but not referenced in volumeMounts above */}} 148 | secret: 
149 | defaultMode: 420 150 | secretName: {{ .Values.httpProxyConfiguration.name | quote }} 151 | items: 152 | - key: caCertificate 153 | path: root.crt 154 | optional: true 155 | {{- if not .Values.networkAnalyzer.outpostId }} 156 | - name: secrets 157 | projected: 158 | sources: 159 | - secret: 160 | name: {{ .Values.agentCredsSecretName }} 161 | items: 162 | - key: privateKey 163 | path: WIZ_PRIVATE_KEY 164 | {{- end}} 165 | {{- end}} 166 | -------------------------------------------------------------------------------- /wiz-outpost-configuration/templates/nodeHttpProxyConfiguration.gcp.ubuntu.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.httpProxyConfiguration.enabled (eq .Values.httpProxyConfiguration.nodeConfigurationType "gcp-ubuntu") }} 2 | {{- $noProxyList := join "," .Values.httpProxyConfiguration.noProxy }} 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: {{ .Values.httpProxyConfiguration.name }}-entrypoint 7 | labels: 8 | {{- include "wiz-outpost-configuration.labels" . 
| nindent 4 }} 9 | annotations: 10 | meta.helm.sh/release-name: "{{ .Release.Name }}" 11 | meta.helm.sh/release-namespace: "{{ .Release.Namespace }}" 12 | data: 13 | entrypoint.sh: | 14 | #!/usr/bin/env bash 15 | 16 | set -euo pipefail -x 17 | 18 | ROOT_MOUNT_DIR="${ROOT_MOUNT_DIR:-/root}" 19 | if chroot "${ROOT_MOUNT_DIR}" test -f /var/run/http-proxy-configured; then 20 | echo "Proxy already configured, skipping" 21 | exit 0 22 | fi 23 | chroot "${ROOT_MOUNT_DIR}" tee</dev/null 48 | [Service] 49 | EnvironmentFile=/etc/environment 50 | EOF 51 | 52 | {{- with .Values.httpProxyConfiguration.caCertificate }} 53 | chroot "${ROOT_MOUNT_DIR}" mkdir -p /usr/local/share/ca-certificates/extra 54 | chroot "${ROOT_MOUNT_DIR}" tee < container-registry */}} 66 | {{- $runner = $runner | kebabcase }} 67 | {{- $runnerID := get $values "runnerID" | default $runner }} 68 | 69 | {{/* Get module type based on runner name - using a variable since we can't define a template inside another template */}} 70 | {{- $moduleType := "" }} 71 | {{- if hasPrefix "rem-" $runner -}} 72 | {{- $moduleType = "remediation" }} 73 | {{- else if eq $runner "container-registry" -}} 74 | {{- $moduleType = "container-registry" }} 75 | {{- else if hasPrefix "vcs-" $runner -}} 76 | {{- $moduleType = "vcs" }} 77 | {{- else -}} 78 | {{- fail (printf "Invalid runner name: %s. Runner name must start with 'rem-', 'vcs-', or be 'container-registry'" $runner) -}} 79 | {{- end }} 80 | 81 | {{/* e.g. 
remediation-aws-rds-003 -> outpost-lite-runner-remediation 82 | container-registry -> outpost-lite-runner-container-registry 83 | */}} 84 | {{- $imageName := "" }} 85 | {{- if eq $moduleType "remediation" }} 86 | {{- $imageName = "outpost-lite-runner-remediation" }} 87 | {{- else }} 88 | {{- $imageName = dig "image" "name" (printf "outpost-lite-runner-%s" $runner) $values }} 89 | {{- end }} 90 | 91 | {{- $values = deepCopy $values }} 92 | 93 | {{/* Unify with module specific values */}} 94 | {{- $values = mergeOverwrite (deepCopy (get $.Values.modules $moduleType)) $values }} 95 | {{- $values = merge $values (dict "image" (dict "name" $imageName)) }} 96 | 97 | {{/* Unify with global values */}} 98 | {{- $values = mergeOverwrite (deepCopy (omit $.Values "runners")) $values }} 99 | 100 | {{/* Overwrite openshift values if runner set openshift to true */}} 101 | {{- if and $values.openshift }} 102 | {{- $values = merge $values $.Values.openshiftOverrides }} 103 | {{- end }} 104 | 105 | {{- if hasKey $values "containerSecurityContextOverride"}} 106 | {{- $values = set $values "containerSecurityContext" $values.containerSecurityContextOverride }} 107 | {{- end }} 108 | 109 | {{- if hasKey $values "podSecurityContextOverride"}} 110 | {{- $values = set $values "podSecurityContext" $values.podSecurityContextOverride }} 111 | {{- end }} 112 | 113 | {{/* Generate final values be used inside a "with" statement */}} 114 | {{- $values = dict "runner" $runner "runnerID" $runnerID "Values" $values -}} 115 | 116 | {{- $runnerValues = set $runnerValues $runner $values }} 117 | {{- end }} {{/* range */}} 118 | 119 | {{ $runnerValues | toJson }} 120 | {{- end }} {{/* define */}} 121 | -------------------------------------------------------------------------------- /wiz-outpost-lite/templates/credentials.secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.secret.create }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | 
name: {{ .Values.agent.secretName }} 6 | labels: 7 | {{- include "wiz-outpost-lite.labels" . | nindent 4 }} 8 | stringData: # NOTE(review): when agent.clientId is empty this Secret is still rendered (secret.create defaults to true) but carries no keys 9 | {{- if .Values.agent.clientId }}{{/* the `required` on clientId below can never fire: this guard already ensures it is non-empty; only the clientSecret check is effective */}} 10 | clientId: {{ required "Missing required value agent.clientId is required" .Values.agent.clientId | quote }} 11 | clientSecret: {{ required "Missing required value: agent.clientSecret is required" .Values.agent.clientSecret | quote }} 12 | {{- end }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /wiz-outpost-lite/templates/httpProxyConfiguration.secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.httpProxyConfiguration.enabled }} 2 | {{- $noProxyCommaSeparatedList := join "," .Values.httpProxyConfiguration.noProxy }} 3 | {{- $noProxySpaceSeparatedList := join " " .Values.httpProxyConfiguration.noProxy }}{{/* noProxy is expected to be a list (see the commented example in values.yaml); both the comma- and the space-separated form are emitted below under several key spellings */}} 4 | apiVersion: v1 5 | kind: Secret 6 | type: Opaque 7 | metadata: 8 | name: {{ .Values.httpProxyConfiguration.name }} 9 | labels: 10 | {{- include "wiz-outpost-lite.labels" . | nindent 4 }} 11 | annotations: 12 | meta.helm.sh/release-name: "{{ .Release.Name }}" 13 | meta.helm.sh/release-namespace: "{{ .Release.Namespace }}" 14 | data: # NOTE(review): proxy URLs may embed credentials (user:pass@host), which is why this is a Secret and not a ConfigMap; every value is base64-encoded via b64enc 15 | {{- with .Values.httpProxyConfiguration.httpProxy }} 16 | httpProxy: {{ . | b64enc | quote }} 17 | http-proxy: {{ . | b64enc | quote }} 18 | {{- end }} 19 | {{- with .Values.httpProxyConfiguration.httpsProxy }} 20 | httpsProxy: {{ . | b64enc | quote }} 21 | https-proxy: {{ . 
| b64enc | quote }} 22 | {{- end }} 23 | {{- if .Values.httpProxyConfiguration.noProxy }} 24 | no-proxy-address: {{ $noProxySpaceSeparatedList | b64enc | quote }} 25 | no-proxy-address-cs: {{ $noProxyCommaSeparatedList | b64enc | quote }} 26 | noProxyAddress: {{ $noProxyCommaSeparatedList | b64enc | quote }} 27 | noProxyAddressSpaceSepareted: {{ $noProxySpaceSeparatedList | b64enc | quote }} 28 | {{- end }} 29 | {{- with .Values.httpProxyConfiguration.caCertificate }} 30 | caCertificate: {{ . | b64enc | quote }} 31 | {{- end }} 32 | {{- end }} 33 | -------------------------------------------------------------------------------- /wiz-outpost-lite/templates/openshift.yaml: -------------------------------------------------------------------------------- 1 | {{- range $values := (include "wiz-outpost-lite.runners" . | fromJson) }} 2 | {{- with merge $values (omit $ "Values") }} 3 | {{- if and .Values.openshift (eq .runner "container-registry") -}} 4 | apiVersion: security.openshift.io/v1 5 | kind: SecurityContextConstraints 6 | metadata: 7 | name: {{ include "wiz-outpost-lite.fullname" . }}-scc 8 | labels: {{- include "wiz-outpost-lite.labels" . 
| nindent 4 }} 9 | allowHostDirVolumePlugin: true # required by the hostPath entry under volumes: below; NOTE(review): host mounts are the broadest grant in this SCC — confirm the container-registry runner really needs them 10 | allowPrivilegedContainer: true # pairs with openshiftOverrides.containerSecurityContext.privileged=true in values.yaml 11 | readOnlyRootFilesystem: false 12 | allowHostIPC: false 13 | allowHostNetwork: false 14 | allowHostPID: false 15 | allowHostPorts: false 16 | requiredDropCapabilities: null # nothing is forced to be dropped 17 | groups: [] 18 | priority: 0 19 | allowedCapabilities: 20 | - SYS_ADMIN # matches modules.container-registry.containerSecurityContext.capabilities.add in values.yaml 21 | fsGroup: 22 | type: RunAsAny 23 | runAsUser: 24 | type: RunAsAny 25 | seLinuxContext: 26 | type: RunAsAny 27 | supplementalGroups: 28 | type: RunAsAny 29 | seccompProfiles: 30 | - '*' # any seccomp profile is accepted, including unconfined 31 | users: # granted only to this runner's ServiceAccount (sa-<runner>, created in serviceaccount.yaml), never to a group 32 | - system:serviceaccount:{{ .Release.Namespace }}:sa-{{ .runner }} 33 | volumes: 34 | - downwardAPI 35 | - emptyDir 36 | - hostPath 37 | - secret 38 | --- 39 | {{- end }} 40 | {{- end }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /wiz-outpost-lite/templates/service.yaml: -------------------------------------------------------------------------------- 1 | {{- range $values := (include "wiz-outpost-lite.runners" . | fromJson) }} 2 | {{- with merge $values (omit $ "Values") }} 3 | {{- if and .Values.enabled .Values.service.enabled }} 4 | apiVersion: v1 5 | kind: Service 6 | metadata: 7 | name: {{ include "wiz-outpost-lite.fullname" . }} 8 | labels: 9 | {{- include "wiz-outpost-lite.labels" . | nindent 4 }} 10 | spec: 11 | type: {{ .Values.service.type }} # ClusterIP by default (values.yaml); only the metrics port is exposed 12 | ports: 13 | - port: {{ .Values.service.metricsPort }} 14 | targetPort: metrics 15 | protocol: TCP 16 | name: metrics 17 | selector: 18 | {{- include "wiz-outpost-lite.selectorLabels" . | nindent 4 }} 19 | --- 20 | {{- end }} 21 | {{- end }} 22 | {{- end }} 23 | -------------------------------------------------------------------------------- /wiz-outpost-lite/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- range $values := (include "wiz-outpost-lite.runners" . 
| fromJson) }} 2 | {{- with merge $values (omit $ "Values") }} 3 | {{- if and .Values.enabled .Values.serviceAccount.create }}{{/* serviceAccount.create is false by default and turned on per module (remediation) or through openshiftOverrides */}} 4 | apiVersion: v1 5 | kind: ServiceAccount 6 | metadata: 7 | name: sa-{{ .runner }} # NOTE(review): not prefixed with the release fullname, so two releases in one namespace would collide on this ServiceAccount; openshift.yaml's users: entry depends on this exact name 8 | namespace: {{ .Release.Namespace }} 9 | labels: 10 | {{- include "wiz-outpost-lite.labels" . | nindent 4 }} 11 | --- 12 | {{- end }} 13 | {{- end }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /wiz-outpost-lite/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for wiz-outpost-lite. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | replicaCount: 1 6 | 7 | agent: 8 | secretName: outpost-lite-agent-creds 9 | env: "" 10 | clientId: "" 11 | clientSecret: "" # NOTE(review): avoid committing this in a values file — pass it at install time (--set/--set-file), or set secret.create=false and provide a Secret named agent.secretName yourself 12 | outpostId: "" 13 | outpostRegion: partition-1 14 | 15 | secret: 16 | create: true # false skips credentials.secret.yaml entirely 17 | 18 | image: 19 | repository: wizio.azurecr.io 20 | pullPolicy: Always 21 | # Image tag. NOTE(review): the default below ("0.1-latest") is a floating tag, and with pullPolicy Always every pod start pulls whatever image is currently published under it — pin a fixed tag for reproducible, reviewable rollouts. 
22 | tag: "0.1-latest" 23 | tagSuffix: "" 24 | 25 | autoUpdate: true 26 | 27 | # If set, controls the message processing concurrency of the runner 28 | concurrency: 0 29 | 30 | imagePullSecrets: [] 31 | nameOverride: "" 32 | fullnameOverride: "" 33 | 34 | podAnnotations: {} 35 | 36 | apparmorProfile: "" 37 | 38 | resources: 39 | limits: 40 | memory: 4396M 41 | requests: 42 | memory: 1024M 43 | 44 | nodeSelector: {} 45 | 46 | tolerations: [] 47 | 48 | affinity: {} 49 | 50 | internetAccessCertificates: 51 | skipSslValidation: false # keep false — by its name this disables TLS certificate verification; for private CAs prefer httpProxyConfiguration.caCertificate below 52 | 53 | extraEnv: {} 54 | extraEnvConfigMap: "" 55 | 56 | service: 57 | type: ClusterIP 58 | enabled: true 59 | metricsPort: 9090 60 | 61 | httpProxyConfiguration: 62 | enabled: false 63 | name: wiz-http-proxy-configuration 64 | # httpProxy: replaceme 65 | # httpsProxy: replaceme 66 | # noProxy: 67 | # - replaceme 68 | # - replaceme2 69 | # caCertificate: | 70 | # --- BEGIN CERTIFICATE --- 71 | # replaceme 72 | # --- END CERTIFICATE --- 73 | 74 | terminationGracePeriodSeconds: 30 75 | 76 | # Set to true (globally, or on a specific runner) when installing on OpenShift. The openshiftOverrides below are then merged into that runner's values (see _helpers.tpl), and openshift.yaml creates a SecurityContextConstraints for the runner's ServiceAccount — currently only for the runner named "container-registry". 77 | openshift: false 78 | 79 | openshiftOverrides: 80 | serviceAccount: 81 | create: true 82 | containerSecurityContext: 83 | privileged: true # NOTE(review): applied to every runner with openshift=true, including runners that get no SCC from this chart — those would presumably be rejected by OpenShift admission unless an SCC is supplied separately 84 | 85 | serviceAccount: 86 | create: false 87 | 88 | podSecurityContext: {} 89 | containerSecurityContext: {} # a runner may set containerSecurityContextOverride / podSecurityContextOverride instead, which replace (rather than merge into) the computed context — see _helpers.tpl 90 | 91 | modules: 92 | vcs: 93 | enabled: false 94 | image: 95 | name: outpost-lite-runner-vcs 96 | apparmorProfile: unconfined 97 | containerSecurityContext: 98 | capabilities: 99 | add: 100 | - SYS_ADMIN # NOTE(review): SYS_ADMIN plus unconfined AppArmor and the spc_t SELinux type relax most kernel-level container isolation for this module; keep it disabled unless needed 101 | seLinuxOptions: 102 | type: spc_t 103 | container-registry: 104 | enabled: false 105 | apparmorProfile: unconfined 106 | containerSecurityContext: 107 | capabilities: 108 | add: 109 | - SYS_ADMIN # same posture as vcs above; on OpenShift this is the only module for which openshift.yaml emits an SCC 110 | seLinuxOptions: 111 | type: spc_t 112 | remediation: 113 | enabled: false 114 | serviceAccount: 115 | create: true 116 | podSecurityContext: 117 | runAsNonRoot: 
true 118 | runAsUser: 1000 119 | runAsGroup: 1000 120 | fsGroup: 1000 121 | containerSecurityContext: 122 | capabilities: 123 | drop: 124 | - ALL 125 | runAsNonRoot: true 126 | runAsUser: 1000 127 | runAsGroup: 1000 128 | allowPrivilegeEscalation: false 129 | privileged: false 130 | readOnlyRootFilesystem: true 131 | seLinuxOptions: 132 | type: container_t 133 | 134 | runners: 135 | vcs-event-triggered: 136 | concurrency: 4 137 | terminationGracePeriodSeconds: 300 # 5 minutes 138 | -------------------------------------------------------------------------------- /wiz-sensor/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /wiz-sensor/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: wiz-sensor 3 | description: Wiz Sensor helm chart 4 | type: application 5 | home: https://www.wiz.io/ 6 | version: 1.0.6816 7 | appVersion: 1.0.6816 -------------------------------------------------------------------------------- /wiz-sensor/templates/apikeysecret.yaml: -------------------------------------------------------------------------------- 1 | {{- $createSecret := include "wiz-sensor.createSecret" . }} 2 | {{- if eq $createSecret "true" }} 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: {{ include "wiz-sensor.secretName" . }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: {{- include "wiz-sensor.labels" . 
| nindent 4 }} 9 | {{- with (coalesce .Values.wizApiToken.annotations .Values.wizApiToken.secret.annotations) }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | type: Opaque 14 | stringData: 15 | {{- if .Values.apikey }} 16 | clientId: {{ required "A valid clientId value is required! Use --set apikey.clientId=..." .Values.apikey.clientId | quote }} 17 | clientToken: {{ required "A valid clientSecret value is required! Use --set apikey.clientSecret=..." .Values.apikey.clientSecret | quote }} 18 | {{- else }} 19 | clientId: {{ required "A valid clientId value is required! Use --set wizApiToken.clientId=..." .Values.wizApiToken.clientId | quote }} 20 | clientToken: {{ required "A valid clientToken value is required! Use --set wizApiToken.clientToken=..." .Values.wizApiToken.clientToken | quote }} 21 | {{- if (coalesce .Values.backendEnv .Values.wizApiToken.clientEndpoint) }} 22 | clientEndpoint: {{ coalesce .Values.backendEnv .Values.wizApiToken.clientEndpoint | quote }} 23 | {{- end }} 24 | {{- end }} 25 | {{- end -}} -------------------------------------------------------------------------------- /wiz-sensor/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.rbac -}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ include "wiz-sensor.fullname" . }} 6 | labels: {{- include "wiz-sensor.labels" . 
| nindent 4 }} 7 | rules: # read-only (get/list/watch) cluster-wide inventory; bound to the sensor ServiceAccount by clusterrolebinding.yaml 8 | - apiGroups: [""] 9 | resources: ["pods"] 10 | verbs: ["get", "list", "watch"] 11 | 12 | - apiGroups: ["", "apps", "batch"] 13 | resources: [ 14 | "namespaces", "nodes", "daemonsets", "replicasets", "deployments", 15 | "jobs", "cronjobs", "statefulsets", "replicationcontrollers", "serviceaccounts", 16 | "nodes/proxy" 17 | ] 18 | verbs: ["get", "list", "watch"] # NOTE(review): "nodes/proxy" is the kubelet proxy subresource — even with only "get" the SA can reach every node's kubelet read endpoints (pod specs, container logs) through the API server, so keep these verbs read-only and treat this SA's token as cluster-sensitive 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /wiz-sensor/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.rbac -}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ include "wiz-sensor.fullname" . }} 6 | labels: {{- include "wiz-sensor.labels" . | nindent 4 }} 7 | subjects: 8 | - kind: ServiceAccount 9 | name: {{ include "wiz-sensor.serviceAccountName" . }} 10 | namespace: {{ .Release.Namespace }} 11 | roleRef: 12 | kind: ClusterRole 13 | name: {{ include "wiz-sensor.fullname" . }} 14 | apiGroup: rbac.authorization.k8s.io 15 | {{- end -}} 16 | -------------------------------------------------------------------------------- /wiz-sensor/templates/diskscanconfig.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.diskScan.enabled }} 2 | 3 | apiVersion: v1 4 | kind: ConfigMap 5 | 6 | metadata: 7 | name: {{ include "wiz-sensor.diskScanConfigName" . }} 8 | labels: {{- include "wiz-sensor.labels" . 
| nindent 4 }} 9 | namespace: {{ .Release.Namespace }} 10 | 11 | data: 12 | config: | 13 | {{ coalesce .Values.diskScan.config "" | toJson }} 14 | {{- end -}} 15 | -------------------------------------------------------------------------------- /wiz-sensor/templates/gkeallowlistsynchronizer.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.gkeAutopilotUseAllowlist }} 2 | apiVersion: auto.gke.io/v1 3 | kind: AllowlistSynchronizer 4 | metadata: 5 | name: wiz-sensor-allowlist-synchronizer 6 | annotations: 7 | helm.sh/hook: "pre-install,pre-upgrade" 8 | spec: 9 | allowlistPaths: 10 | - "Wiz/wiz-sensor/v1/*" 11 | {{- end }} -------------------------------------------------------------------------------- /wiz-sensor/templates/imagepullsecret.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.imagePullSecret.required .Values.imagePullSecret.create -}} 2 | apiVersion: v1 3 | kind: Secret 4 | type: kubernetes.io/dockerconfigjson 5 | metadata: 6 | name: {{ include "wiz-sensor.imagePullSecretName" . }} 7 | labels: {{- include "wiz-sensor.labels" . | nindent 4 }} 8 | namespace: {{ .Release.Namespace }} 9 | data: 10 | .dockerconfigjson: {{ template "wiz-sensor.imagePullSecretValue" . }} 11 | {{- end -}} 12 | -------------------------------------------------------------------------------- /wiz-sensor/templates/openshift.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.openshift -}} 2 | apiVersion: security.openshift.io/v1 3 | kind: SecurityContextConstraints 4 | metadata: 5 | name: {{ include "wiz-sensor.fullname" . }}-scc 6 | labels: {{- include "wiz-sensor.labels" . 
| nindent 4 }} 7 | allowHostDirVolumePlugin: true # node-level sensor: host namespaces (IPC/network/PID/ports) and hostPath volumes are all opened in this SCC 8 | allowPrivilegedContainer: true 9 | allowHostIPC: true 10 | allowHostNetwork: true 11 | allowHostPID: true 12 | allowHostPorts: true 13 | allowedCapabilities: 14 | - SYS_ADMIN # for kernels <5.8 (CAP_BPF and CAP_PERFMON) 15 | - SYS_CHROOT # setns (file hash) 16 | - SYS_RESOURCE # eBPF 17 | - SYS_RAWIO # file hashing 18 | - DAC_OVERRIDE # file hashing 19 | - DAC_READ_SEARCH # file hashing 20 | - NET_ADMIN # network events 21 | - NET_RAW # network events 22 | - IPC_LOCK # eBPF 23 | - FOWNER # file hashing 24 | - SYS_PTRACE # eBPF 25 | - KILL # forensics 26 | - SYSLOG # syslog 27 | - CHOWN # Access filesystem with overlayFS. 28 | - SETPCAP # Drop capabilities when not needed. 29 | requiredDropCapabilities: null # nothing is forced to be dropped; the list above is additive and each entry names its use 30 | fsGroup: 31 | type: RunAsAny 32 | groups: [] 33 | priority: 0 34 | readOnlyRootFilesystem: true # stricter than the outpost-lite SCC, which leaves this false 35 | runAsUser: 36 | type: RunAsAny 37 | seLinuxContext: 38 | type: RunAsAny 39 | supplementalGroups: 40 | type: RunAsAny 41 | seccompProfiles: 42 | - "*" # any seccomp profile is accepted, including unconfined 43 | users: # granted only to the sensor ServiceAccount, never to a group 44 | - system:serviceaccount:{{ .Release.Namespace }}:{{ include "wiz-sensor.serviceAccountName" . }} 45 | volumes: 46 | - downwardAPI 47 | - emptyDir 48 | - hostPath 49 | - secret 50 | {{- end }} 51 | -------------------------------------------------------------------------------- /wiz-sensor/templates/proxysecret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.httpProxyConfiguration.enabled }} 2 | {{- if .Values.httpProxyConfiguration.create }} 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: {{ include "wiz-sensor.proxySecretName" . }} 7 | namespace: {{ .Release.Namespace }} 8 | labels: {{- include "wiz-sensor.labels" . | nindent 4 }} 9 | {{- with .Values.httpProxyConfiguration.annotations }} 10 | annotations: 11 | {{- toYaml . 
| nindent 4 }} 12 | {{- end }} 13 | type: Opaque 14 | stringData: # all three keys are always emitted — unlike wiz-outpost-lite's proxy Secret there is no with-guard. NOTE(review): quote appears to render an unset value as nothing (YAML null) rather than ""; confirm the sensor tolerates that when only httpsProxy is set 15 | httpsProxy: {{ .Values.httpProxyConfiguration.httpsProxy | quote }} 16 | caCertificate: {{ .Values.httpProxyConfiguration.caCertificate | quote }} # CA to trust for the proxy (presumably PEM — verify against the sensor docs) 17 | clientCertificate: {{ .Values.httpProxyConfiguration.clientCertificate | quote }} # NOTE(review): if this bundles a private key, prefer create=false and manage the Secret outside the chart so the key never sits in values files 18 | {{- end -}} 19 | {{- end -}} -------------------------------------------------------------------------------- /wiz-sensor/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "wiz-sensor.serviceAccountName" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: {{- include "wiz-sensor.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | --------------------------------------------------------------------------------