From d270bf02961abd9db87327e5df4460b255e5733e Mon Sep 17 00:00:00 2001
From: Samuel Beaulieu
Date: Thu, 5 Sep 2024 15:46:44 -0700
Subject: [PATCH 1/8] feat(lacework-agent) Optionally create clusterAgent templated resources
When using clusterAgent.enable make optional creating the rbac resources by setting clusterAgent.createRoleBinding: to create the ClusterRoleBinding clusterAgent.createRole: to create the ClusterRole clusterAgent.createServiceAccount: to create the ServiceAccount
---
 lacework-agent/templates/cluster-role-binding.yaml | 2 +-
 lacework-agent/templates/cluster-role.yaml | 2 +-
 lacework-agent/templates/service-account.yaml | 2 +-
 lacework-agent/values.yaml | 3 +++
 4 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/lacework-agent/templates/cluster-role-binding.yaml b/lacework-agent/templates/cluster-role-binding.yaml
index d253d22..a526e9b 100644
--- a/lacework-agent/templates/cluster-role-binding.yaml
+++ b/lacework-agent/templates/cluster-role-binding.yaml
@@ -1,4 +1,4 @@
-{{- if (.Values.clusterAgent).enable -}}
+{{- if (and (.Values.clusterAgent).enable (.Values.clusterAgent).createRoleBinding) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 # This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
 kind: ClusterRoleBinding
diff --git a/lacework-agent/templates/cluster-role.yaml b/lacework-agent/templates/cluster-role.yaml
index 73fd6ce..b17008a 100644
--- a/lacework-agent/templates/cluster-role.yaml
+++ b/lacework-agent/templates/cluster-role.yaml
@@ -1,4 +1,4 @@
-{{- if (.Values.clusterAgent).enable -}}
+{{- if (and (.Values.clusterAgent).enable (.Values.clusterAgent).createRole) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/lacework-agent/templates/service-account.yaml b/lacework-agent/templates/service-account.yaml
index da9f1a4..8befaab 100644
--- a/lacework-agent/templates/service-account.yaml
+++ b/lacework-agent/templates/service-account.yaml
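Review bot: The new guard on the first line makes the ClusterRoleBinding independent of `createRole` and `createServiceAccount`, so a user who flips only one of the three flags can get a binding whose roleRef or subject (both outside this hunk) names a ClusterRole or ServiceAccount the chart no longer creates, and the mismatch surfaces only as an RBAC denial at runtime rather than at install. The template should say what an externally managed resource must look like, since nothing else in the hunk does. The context comment about a "manager" group reading secrets is the example text from the Kubernetes RBAC docs and does not describe this resource; replace it with `# Binds the cluster collector ServiceAccount to its ClusterRole; rendered only when clusterAgent.enable and clusterAgent.createRoleBinding are both true. If createRole or createServiceAccount is false, the externally managed resource must use the name referenced below.`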
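Review bot: Nothing in cluster-role.yaml tells an operator who sets `clusterAgent.createRole: false` which rules the cluster collector needs, so a bring-your-own ClusterRole is likely to end up either over-privileged or missing verbs; the rules block is outside this hunk. Add a comment above the guard such as `# Rendered only when clusterAgent.createRole is true. An externally managed ClusterRole must carry the rules below, under the name the ClusterRoleBinding references.`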
@@ -1,4 +1,4 @@
-{{- if (.Values.clusterAgent).enable -}}
+{{- if (and (.Values.clusterAgent).enable (.Values.clusterAgent).createServiceAccount) -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/lacework-agent/values.yaml b/lacework-agent/values.yaml
index a254c3c..cf7462c 100644
--- a/lacework-agent/values.yaml
+++ b/lacework-agent/values.yaml
@@ -38,6 +38,9 @@ clusterAgent:
 # https://docs.lacework.net/onboarding/restricted/configure-agent-behavior-in-configjson-file#proxyurl-propert
 proxyUrl:
 hostNetworkAccess: false
+ createRoleBinding: true
+ createRole: true
+ createServiceAccount: true
 image:
 registry: docker.io
 repository: lacework/k8scollector
From 4abd0e3b7b730b9e3c352aa3e98a8654af74c109 Mon Sep 17 00:00:00 2001
From: Samuel Beaulieu
Date: Tue, 24 Sep 2024 20:51:05 -0700
Subject: [PATCH 2/8] adding charts directory
---
 charts/.here | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 charts/.here
diff --git a/charts/.here b/charts/.here
new file mode 100644
index 0000000..e69de29
From 114c7ebc10468e21aa064b6767afc2b35b8b0201 Mon Sep 17 00:00:00 2001
From: Samuel Beaulieu
Date: Tue, 24 Sep 2024 20:53:42 -0700
Subject: [PATCH 3/8] adding github action for main branch
---
 .github/workflows/release.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..e784b56
--- /dev/null
+++ b/.github/workflows/release.yml
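Review bot: With `createServiceAccount: false` the cluster collector workload still needs a serviceAccountName that exists in the release namespace, and this hunk does not show whether the pod spec uses a fixed name or a value, so a user who brings their own ServiceAccount has no visible contract to meet. Add a comment above the guard such as `# Rendered only when clusterAgent.createServiceAccount is true. When false, a ServiceAccount with the name used by the cluster collector pod spec must already exist in the release namespace.` and, if that name is hard-coded in the deployment template, consider exposing it as a value so externally managed RBAC is not tied to the chart's naming.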
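Review bot: The three new defaults in values.yaml carry no comment, unlike the neighbouring `proxyUrl` entry that links to its documentation, so a reader cannot tell from values.yaml that these flags only take effect when `clusterAgent.enable` is true or what they must provide themselves when one is false. Add above the group `# RBAC resources for the cluster collector. Set a flag to false to manage that resource outside the chart; its name must match what the templates reference. Ignored unless clusterAgent.enable is true.`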
@@ -0,0 +1,27 @@
+name: Release Charts
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ release:
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Configure Git
+ run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+ - name: Run chart-releaser
+ uses: helm/chart-releaser-action@v1.6.0
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
From b73255c7aae639a38076ac0dce2e23f1cad167b5 Mon Sep 17 00:00:00 2001
From: Samuel Beaulieu
Date: Tue, 24 Sep 2024 20:56:59 -0700
Subject: [PATCH 4/8] remove charts dir
---
 charts/.here | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 charts/.here
diff --git a/charts/.here b/charts/.here
deleted file mode 100644
index e69de29..0000000
From a1af3a1990378818d7022a184498427e714c59f1 Mon Sep 17 00:00:00 2001
From: Samuel Beaulieu
Date: Tue, 24 Sep 2024 21:00:22 -0700
Subject: [PATCH 5/8] set the chart dir to build as lacework-agent and increase to version 7.5 to see if it'll publish
---
 .github/workflows/release.yml | 2 ++
 lacework-agent/Chart.yaml | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e784b56..adf7848 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,5 +23,7 @@ jobs:
 
 - name: Run chart-releaser
 uses: helm/chart-releaser-action@v1.6.0
+ with:
+ charts_dir: lacework-agent
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/lacework-agent/Chart.yaml b/lacework-agent/Chart.yaml
index 89f5d71..3d2b1ee 100644
--- a/lacework-agent/Chart.yaml
+++ b/lacework-agent/Chart.yaml
@@ -14,4 +14,4 @@ maintainers:
 - email: info@lacework.net
 name: lacework-support
 name: lacework-agent
-version: 7.0.0
+version: 7.5.0
From 2c3e6b004afc66215c99d60d4159d78e98cc5d72 Mon Sep 17 00:00:00 2001
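Review bot: Both `uses:` lines reference mutable tags (`actions/checkout@v4`, `helm/chart-releaser-action@v1.6.0`) while the job holds `contents: write` and hands `GITHUB_TOKEN` to the releaser, so a retagged or compromised upstream release could push commits, tags and releases into this repository on the next push to main. Pin each action to a full commit SHA with the version recorded in a trailing comment, e.g. `uses: helm/chart-releaser-action@<commit-sha> # v1.6.0`, and let Dependabot or Renovate move the pins. Two pushes to main in quick succession also run this job concurrently and can race on the branch chart-releaser writes its index to; a workflow-level `concurrency: { group: release, cancel-in-progress: false }` serializes them. The job-scoped `permissions:` block is the right shape and should stay that narrow.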
From: Samuel
Date: Tue, 24 Sep 2024 21:03:48 -0700
Subject: [PATCH 6/8] Update release.yml
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index adf7848..c7396ce 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,6 +24,6 @@ jobs:
 - name: Run chart-releaser
 uses: helm/chart-releaser-action@v1.6.0
 with:
- charts_dir: lacework-agent
+ charts_dir: "/"
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
From b0b27b0e9bf537263882475d55fdfa9b72dca687 Mon Sep 17 00:00:00 2001
From: Samuel
Date: Tue, 24 Sep 2024 21:04:57 -0700
Subject: [PATCH 7/8] Update release.yml
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c7396ce..0f11c21 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,6 +24,6 @@ jobs:
 - name: Run chart-releaser
 uses: helm/chart-releaser-action@v1.6.0
 with:
- charts_dir: "/"
+ charts_dir: "./"
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
From 96c9ee93758a0d3521ae77d9d22f5b905053d486 Mon Sep 17 00:00:00 2001
From: Samuel Beaulieu
Date: Wed, 25 Sep 2024 10:02:37 -0700
Subject: [PATCH 8/8] the new parameters were not in the schema so the update failed
---
 lacework-agent/values.schema.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/lacework-agent/values.schema.json b/lacework-agent/values.schema.json
index a10c654..59bc1d1 100644
--- a/lacework-agent/values.schema.json
+++ b/lacework-agent/values.schema.json
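Review bot: `charts_dir: "./"` makes chart-releaser treat every top-level directory containing a Chart.yaml as a chart to package and publish on each push to main, which is broader than the single `lacework-agent` chart this series is releasing, so any chart directory added later is published automatically without review of the workflow. The three consecutive edits to this value (`lacework-agent`, `"/"`, `"./"`) suggest the input's meaning — the parent of chart directories, not the chart itself — was found by trial; record it so the next editor does not repeat the loop: `charts_dir: "./"  # parent directory of chart folders (not the chart dir); every subdir with a Chart.yaml is released`.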
@@ -242,6 +242,18 @@
 "hostNetworkAccess": {
 "type": "boolean",
 "description": "Enable host network access to the cluster collector pod"
+ },
+ "createRoleBinding": {
+ "type": "boolean",
+ "description": "Enable creation of the role binding"
+ },
+ "createRole": {
+ "type": "boolean",
+ "description": "Enable creation of the role"
+ },
+ "createServiceAccount": {
+ "type": "boolean",
+ "description": "Enable creation of the service account"
 }
 },
 "additionalProperties": false
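Review bot: The three new descriptions say "role", "role binding" and "service account", but the templates these flags gate render a cluster-scoped ClusterRole and ClusterRoleBinding, so the schema text understates the privilege scope a user is opting into and gives no hint what to supply when a flag is false. Make them precise, e.g. `"description": "Create the ClusterRole for the cluster collector; set false to manage it outside the chart under the same name"` and `"description": "Create the ClusterRoleBinding for the cluster collector; set false to manage it outside the chart"`. Adding `"default": true` to each would let schema-driven docs show the value without reading values.yaml, if the rest of the schema follows that convention (not visible here).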