Helm 2.32.0: ARM64 support, credentials update improvement #152

- ARM64 support: ARM64 support is now available for all agents, except Runtime Protection blade and Shiftleft environment - ECS scanner: supporting customer certificates for Container Registries scan from ECS via CG_REG_CA_CERTIFICATE environment variable - Labels Unification: standardized labeling across all components - Agents restart on credential change: all agents will be restarted when credentials or cluster ID is updated - Telemetry Enhancements Agents versions: - Inventory 1.15.0 - Image Assurance 2.36.0 - Admission Control: Enforcer 2.13.0, Policy 1.9.0 - Runtime Policy 1.9.0 - Flow Logs (Intelligence) 0.15.0
CheckPointSW · Sep 19, 2024 · 8e060f6 · 8e060f6
1 parent a566514
commit 8e060f6
Show file tree

Hide file tree

Showing 16 changed files with 156 additions and 91 deletions.
diff --git a/checkpoint/cloudguard/Chart.yaml b/checkpoint/cloudguard/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 2.31.0
+appVersion: 2.32.0
 description: A Helm chart for Check Point CloudGuard Workload Security
 home: https://portal.checkpoint.com
 icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
@@ -35,4 +35,4 @@ keywords:
 - gke
 - autopilot
 name: cloudguard
-version: 2.31.0
+version: 2.32.0
diff --git a/checkpoint/cloudguard/defaults.yaml b/checkpoint/cloudguard/defaults.yaml
@@ -69,7 +69,7 @@ inventory:
 
     ## Specify image and tag
     image: checkpoint/consec-inventory-agent
-    tag: 1.14.0
+    tag: 1.15.0
 
     ## Specify existing service account name ("" to create)
     serviceAccountName: ""
@@ -112,7 +112,7 @@ addons:
       priorityClassName: "system-node-critical"
       ## Specify image and tag
       image: checkpoint/consec-imagescan-daemon
-      tag: 2.30.0
+      tag: 2.36.0
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""
@@ -134,7 +134,7 @@ addons:
       shim:
         ## Specify image and tag
         image: checkpoint/consec-imagescan-shim
-        tag: 2.30.0
+        tag: 2.36.0
 
         ## Configure resource requests and limits
         ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
@@ -159,7 +159,6 @@ addons:
       ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
       nodeSelector:
         kubernetes.io/os: linux
-        kubernetes.io/arch: amd64
       tolerations:
       - operator: Exists
       affinity: {}
@@ -170,7 +169,7 @@ addons:
     engine:
       ## Specify image and tag
       image: checkpoint/consec-imagescan-engine
-      tag: 2.30.0
+      tag: 2.36.0
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""
@@ -194,7 +193,6 @@ addons:
       ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
       nodeSelector:
         kubernetes.io/os: linux
-        kubernetes.io/arch: amd64
       tolerations: []
       affinity: {}
       podAnnotations:
@@ -203,7 +201,7 @@ addons:
     list:
       ## Specify image and tag
       image: checkpoint/consec-imagescan-engine
-      tag: 2.30.0
+      tag: 2.36.0
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""
@@ -225,7 +223,6 @@ addons:
       ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
       nodeSelector:
         kubernetes.io/os: linux
-        kubernetes.io/arch: amd64
       tolerations: [ ]
       affinity: { }
       podAnnotations:
@@ -260,7 +257,6 @@ addons:
       ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
       nodeSelector:
         kubernetes.io/os: linux
-        kubernetes.io/arch: amd64
       tolerations:
       - operator: Exists
       affinity: {}
@@ -276,7 +272,7 @@ addons:
       priorityClassName: "system-node-critical"
       ## Specify image and tag
       image: checkpoint/consec-flowlogs-daemon
-      tag: 0.14.0
+      tag: 0.15.0
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""
@@ -316,7 +312,7 @@ addons:
     policy:
       ## Specify image and tag
       image: checkpoint/consec-admission-policy
-      tag: 1.8.0
+      tag: 1.9.0
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""
@@ -346,7 +342,7 @@ addons:
     enforcer:
       ## Specify image and tag
       image: checkpoint/consec-admission-enforcer
-      tag: 2.12.0
+      tag: 2.13.0
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""
@@ -452,7 +448,7 @@ addons:
 
       ## Specify custom image ("" to use default)
       image: checkpoint/consec-runtime-policy
-      tag: 1.8.0
+      tag: 1.9.0
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""

diff --git a/checkpoint/cloudguard/templates/_helpers.tpl b/checkpoint/cloudguard/templates/_helpers.tpl
@@ -74,8 +74,10 @@
 {{-     default $image $containerConfig.fullImage }}
 {{- end -}}
 
-{{- /* Labels commonly used in our k8s resources */ -}}
-{{- define "common.labels" -}}
+{{- /* Labels commonly used in our selectors - don't use anywhere else
+usage: `{{- include "common.selector.labels" $config -}}`
+*/ -}}
+{{- define "common.selector.labels" -}}
 app.kubernetes.io/name: {{ include "agent.resource.name" . }}
 app.kubernetes.io/instance: {{ include "name.prefix" . }}
 {{- end -}}
@@ -86,11 +88,13 @@ helm.sh/chart: {{ printf "%s-%s" .Chart.name .Chart.version | replace "+" "_" |
 app.kubernetes.io/managed-by: {{ $.Release.Service }}
 app.kubernetes.io/version: {{ $.Chart.appVersion }}
 app.created.by.template: {{ (include "is.helm.template.command" .) | quote }}
-{{ template "common.labels" . }}
+{{ include "common.selector.labels" . }}
 {{- end -}}
 
 {{- /* Pod annotations commonly used in agents */ -}}
 {{- define "common.pod.annotations" -}}
+{{- /* workloads would restart upon some configurations change */ -}}
+{{- include "annotations.sha256" . -}}
 {{- /* Openshift does not allow seccomp - So we don't add seccomp in openshift case */ -}}
 {{- /* From k8s 1.19 and up we use the seccomp in securityContext so no need for it here, in case of template we don't know the version so we fall back to annotation */ -}}
 {{- if and (not (contains "openshift" .platform)) (semverCompare "<1.19-0" .Capabilities.KubeVersion.Version) }}
@@ -567,3 +571,18 @@ usage:
 {{- define "supported.containerRuntimes" -}}
 docker containerd cri-o
 {{- end -}}
+
+{{- /* value for annotations to change so resources are triggered again
+usage: 
+{{- include "annotations.sha256" $config -}}`
+*/ -}}
+{{- define "annotations.sha256" -}}
+{{- if not (hasKey .Values "sha256annotations") -}}
+{{- $sha256AnnotationsDict := dict -}}
+{{- $_ := set $sha256AnnotationsDict "checksum/config" (include  (print .Template.BasePath "/cg-config.yaml") .  | sha256sum | trunc 63) -}}
+{{- $_ := set $sha256AnnotationsDict "checksum/cgsecret" (include  (print .Template.BasePath "/cg-creds-secret.yaml") .  | sha256sum | trunc 63) -}}
+{{- $_ := set $sha256AnnotationsDict "checksum/regsecret" (include  (print .Template.BasePath "/registry-creds-secret.yaml") .  | sha256sum | trunc 63) -}}
+{{- $_ := set .Values "sha256annotations" $sha256AnnotationsDict -}}
+{{- end -}}
+{{- .Values.sha256annotations | toYaml -}}
+{{- end -}}
diff --git a/checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml b/checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml
@@ -13,15 +13,15 @@ spec:
   replicas: {{ $config.agentConfig.replicaCount }}
   selector:
     matchLabels:
-{{ include "common.labels" $config | indent 6 }}
+{{ include "common.selector.labels" $config | indent 6 }}
   template:
     metadata:
       annotations:
 {{ include "common.pod.annotations" $config | indent 8 }}
         # adding it so workload will be restarted to be updated with a certificate that was re-generated
         timestamp: {{ now | quote }}
       labels:
-{{ include "common.labels" $config | indent 8 }}
+{{ include "common.labels.with.chart" $config | indent 8 }}
     spec:
       # the affinity definition should be BEFORE include "common.pod.properties" .since in case the
       #user will add his own "affinity" we want to take his definition

diff --git a/checkpoint/cloudguard/templates/admission/enforcer/service.yaml b/checkpoint/cloudguard/templates/admission/enforcer/service.yaml
@@ -13,5 +13,5 @@ spec:
       port: 443
       targetPort: 8443
   selector:
-{{ include "common.labels" $config | indent 4 }}
+{{ include "common.selector.labels" $config | indent 4 }}
 {{ end }}
diff --git a/checkpoint/cloudguard/templates/admission/policy/deployment.yaml b/checkpoint/cloudguard/templates/admission/policy/deployment.yaml
@@ -12,14 +12,14 @@ metadata:
 spec:
   selector:
     matchLabels:
-{{ include "common.labels" $config | indent 6 }}
+{{ include "common.selector.labels" $config | indent 6 }}
   replicas: 1
   template:
     metadata:
       annotations:
 {{ include "common.pod.annotations" $config | indent 8 }}
       labels:
-{{ include "common.labels" $config | indent 8 }}
+{{ include "common.labels.with.chart" $config | indent 8 }}
     spec:
       affinity:
 {{ include "common.node.affinity.multiarch" $config | indent 8 }}

diff --git a/checkpoint/cloudguard/templates/flowlogs/daemon/daemonset.yaml b/checkpoint/cloudguard/templates/flowlogs/daemon/daemonset.yaml
@@ -14,14 +14,14 @@ metadata:
 spec:
   selector:
     matchLabels:
-{{ include "common.labels" $config | indent 6 }}
+{{ include "common.selector.labels" $config | indent 6 }}
 {{ include "daemonset.updateStrategy" $config | indent 2}}
   template:
     metadata:
       annotations:
 {{ include "common.pod.annotations" $config | indent 8 }}
       labels:
-{{ include "common.labels" $config | indent 8 }}
+{{ include "common.labels.with.chart" $config | indent 8 }}
     spec:
 {{ include "common.pod.properties" $config | indent 6 }}
       hostNetwork: true

diff --git a/checkpoint/cloudguard/templates/imagescan/armon/daemonset.yaml b/checkpoint/cloudguard/templates/imagescan/armon/daemonset.yaml
@@ -12,15 +12,17 @@ metadata:
 spec:
   selector:
     matchLabels:
-{{ include "common.labels" $config | indent 6 }}
+{{ include "common.selector.labels" $config | indent 6 }}
 {{ include "daemonset.updateStrategy" $config | indent 2}}
   template:
     metadata:
       annotations:
 {{ include "common.pod.annotations" $config | indent 8 }}
       labels:
-{{ include "common.labels" $config | indent 8 }}
+{{ include "common.labels.with.chart" $config | indent 8 }}
     spec:
+      affinity:
+{{ include "common.node.affinity.multiarch" $config | indent 8 }}
 {{ include "common.pod.properties" $config | indent 6 }}
       containers:
       - name: {{ $config.agentName }}

diff --git a/checkpoint/cloudguard/templates/imagescan/daemon/daemonset.yaml b/checkpoint/cloudguard/templates/imagescan/daemon/daemonset.yaml
@@ -14,7 +14,7 @@ metadata:
 spec:
   selector:
     matchLabels:
-{{ include "common.labels" $config | indent 6 }}
+{{ include "common.selector.labels" $config | indent 6 }}
 {{ include "daemonset.updateStrategy" $config | indent 2}}
   template:
     metadata:
@@ -23,8 +23,10 @@ spec:
         # adding it so workload will be restarted to be updated with certificates that were re-generated
         timestamp: {{ now | quote }}
       labels:
-{{ include "common.labels" $config | indent 8 }}
+{{ include "common.labels.with.chart" $config | indent 8 }}
     spec:
+      affinity:
+{{ include "common.node.affinity.multiarch" $config | indent 8 }}
 {{ include "common.pod.properties" $config | indent 6 }}
       containers:
       # Main container

diff --git a/checkpoint/cloudguard/templates/imagescan/engine/deployment.yaml b/checkpoint/cloudguard/templates/imagescan/engine/deployment.yaml
@@ -12,7 +12,7 @@ metadata:
 spec:
   selector:
     matchLabels:
-{{ include "common.labels" $config | indent 6 }}
+{{ include "common.selector.labels" $config | indent 6 }}
   replicas: {{ $config.agentConfig.replicaCount }}
   template:
     metadata:
@@ -21,8 +21,10 @@ spec:
         # adding it so workload will be restarted to be updated with certificates that were re-generated
         timestamp: {{ now | quote }}
       labels:
-{{ include "common.labels" $config | indent 8 }}
+{{ include "common.labels.with.chart" $config | indent 8 }}
     spec:
+      affinity:
+{{ include "common.node.affinity.multiarch" $config | indent 8 }}
 {{ include "common.pod.properties" $config | indent 6 }}
       containers:
       # Main container

diff --git a/checkpoint/cloudguard/templates/imagescan/list/deployment.yaml b/checkpoint/cloudguard/templates/imagescan/list/deployment.yaml
@@ -13,7 +13,7 @@ metadata:
 spec:
   selector:
     matchLabels:
-{{ include "common.labels" $config | indent 6 }}
+{{ include "common.selector.labels" $config | indent 6 }}
       imagescan-agent-type: list
   replicas: 1
   template:
@@ -23,9 +23,11 @@ spec:
         # adding it so workload will be restarted to be updated with certificates that were re-generated
         timestamp: {{ now | quote }}
       labels:
-{{ include "common.labels" $config | indent 8 }}
+{{ include "common.labels.with.chart" $config | indent 8 }}
         imagescan-agent-type: list
     spec:
+      affinity:
+{{ include "common.node.affinity.multiarch" $config | indent 8 }}
 {{ include "common.pod.properties" $config | indent 6 }}
       containers:
       # Main container

diff --git a/checkpoint/cloudguard/templates/inventory/agent/deployment.yaml b/checkpoint/cloudguard/templates/inventory/agent/deployment.yaml
@@ -12,13 +12,13 @@ spec:
   replicas: {{ $config.agentConfig.replicaCount }}
   selector:
     matchLabels:
-{{ include "common.labels" $config | indent 6 }}
+{{ include "common.selector.labels" $config | indent 6 }}
   template:
     metadata:
       annotations:
 {{ include "common.pod.annotations" $config | indent 8 }}
       labels:
-{{ include "common.labels" $config | indent 8 }}
+{{ include "common.labels.with.chart" $config | indent 8 }}
     spec:
       affinity:
 {{ include "common.node.affinity.multiarch" $config | indent 8 }}

diff --git a/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml b/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml
@@ -14,15 +14,15 @@ metadata:
 spec:
   selector:
     matchLabels:
-{{ include "common.labels" $config | indent 6 }}
+{{ include "common.selector.labels" $config | indent 6 }}
 {{ include "daemonset.updateStrategy" $config | indent 2}}
   template:
     metadata:
       annotations:
 {{ include "common.pod.annotations" $config | indent 8 }}
         container.apparmor.security.beta.kubernetes.io/daemon: unconfined
       labels:
-{{ include "common.labels" $config | indent 8 }}
+{{ include "common.labels.with.chart" $config | indent 8 }}
     spec:
 {{ include "common.pod.properties" $config | indent 6 }}
       hostNetwork: true  # needed for DNS request listener

diff --git a/checkpoint/cloudguard/templates/runtime/policy/deployment.yaml b/checkpoint/cloudguard/templates/runtime/policy/deployment.yaml
@@ -12,14 +12,14 @@ metadata:
 spec:
   selector:
     matchLabels:
-{{ include "common.labels" $config | indent 6 }}
+{{ include "common.selector.labels" $config | indent 6 }}
   replicas: 1
   template:
     metadata:
       annotations:
 {{ include "common.pod.annotations" $config | indent 8 }} 
       labels:
-{{ include "common.labels" $config | indent 8 }}
+{{ include "common.labels.with.chart" $config | indent 8 }}
     spec:
       affinity:
 {{ include "common.node.affinity.multiarch" $config | indent 8 }}

diff --git a/repository/cloudguard-2.32.0.tgz b/repository/cloudguard-2.32.0.tgz