Helm chart update: AutoPilotHelmFix-rc

checkpoint/cloudguard/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 2.22.0
+appVersion: 2.23.0
 description: A Helm chart for Check Point CloudGuard Workload Security
 home: https://portal.checkpoint.com
 icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
@@ -31,4 +31,4 @@ keywords:
 - gke
 - autopilot
 name: cloudguard
-version: 2.22.0
+version: 2.23.0

checkpoint/cloudguard/README.md

@@ -136,7 +136,7 @@ The following table list the configurable parameters of this chart and their def
 | `proxy`                                                    | Proxy settings (e.g. http://my-proxy.com:8080)                  | `{}`                                             |
 | `containerRuntime`                                         | Container runtime (docker/containerd/cri-o) overriding auto-detection | ``                                         |
 | `containerRuntimeSocket`                                   | Container runtime socket path overriding auto-detection         | ``                                               |
-| `platform`                                                 | Kubernetes platform (kubernetes/tanzu/openshift/openshift.v3/eks/eks.bottlerocket/gke.cos/gke.autopilot/k3s) overriding auto-detection | `kubernetes`                                |
+| `platform`                                                 | Kubernetes platform (kubernetes/tanzu/openshift/openshift.v3/eks/eks.bottlerocket/gke.cos/gke.autopilot/k3s/kubernetes.coreos) overriding auto-detection | `kubernetes`                                |
 | `seccompProfile`                                           | Computer Security facility profile. (to be used in kubernetes 1.19 and up) | `RuntimeDefault`                                |
 | `podAnnotations.seccomp`                                   | Computer Security facility profile. (to be used in kubernetes below 1.19) | `runtime/default`                                |
 | `podAnnotations.apparmor`                                  | Apparmor Linux kernel security module profile.                  | `{}`                                             |

checkpoint/cloudguard/defaults.yaml

@@ -240,7 +240,7 @@ addons:
       priorityClassName: "system-node-critical"
       ## Specify image and tag
       image: checkpoint/consec-flowlogs-daemon
-      tag: 0.9.0
+      tag: 0.10.0
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""
@@ -354,7 +354,7 @@ addons:
       ## Main container settings
       ## Specify image and tag
       image: checkpoint/consec-runtime-daemon
-      tag: 1.8.8
+      tag: 1.11.0
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""
@@ -376,7 +376,7 @@ addons:
       probe:
         ## Specify image and tag
         image: checkpoint/consec-runtime-probe
-        tag: 0.30.2-cp-5
+        tag: 0.30.2-cp-6
 
         ## Configure resource requests and limits
         ## ref: http://kubernetes.io/docs/user-guide/compute-resources/

checkpoint/cloudguard/templates/_helpers.tpl

@@ -53,7 +53,7 @@
 {{-     if or .Values.debugImages .featureConfig.debugImages .agentConfig.debugImages }}
 {{-         $tag = printf "%s-debug" .agentConfig.tag }}
 {{-     end }}
-{{-     if and (eq (include "get.autoUpgrade" .) "true") (regexMatch "^\\d+.\\d+.\\d+$" $tag) (ne .agentConfig.image "checkpoint/consec-runtime-daemon") -}}
+{{-     if and (eq (include "get.autoUpgrade" .) "true") (regexMatch "^\\d+.\\d+.\\d+$" $tag) -}}
 {{-         $tag = regexFind "\\d+.\\d+" $tag }}
 {{-     end -}}
 {{-     $image := printf "%s/%s:%s" .Values.imageRegistry.url .agentConfig.image $tag }}
@@ -175,8 +175,11 @@ imagePullSecrets:
       fieldPath: spec.nodeName
 - name: PLATFORM
   value: {{ .platform }}
+{{- /* having this in autopilot made some issues */ -}}
+{{- if and (eq .platform "gke.autopilot") (contains "daemon" .agentName) | not }}
 - name: CONTAINER_RUNTIME
   value: {{ .containerRuntime }}
+{{- end }}
 {{- if eq (include "get.autoUpgrade" .) "true" }}
 - name: AUTO_UPGRADE_ENABLED
   value: "true"
@@ -303,7 +306,8 @@ takes a context (such as $config, .Values or (dict "containerRuntime" $container
 {{- end -}}
 
 {{- define "get.platform" -}}
-{{-   if (include "is.helm.template.command" .) -}}
+{{- /* use platform value if it's a helm template command or when the provided value is not the default kubernetes */ -}}
+{{-   if or (include "is.helm.template.command" .) (and .Values.platform (ne .Values.platform "kubernetes")) -}}
 {{-     include "validate.platform" .Values -}}
 {{-     lower .Values.platform -}}
 {{-   else if has "config.openshift.io/v1" .Capabilities.APIVersions -}}
@@ -327,6 +331,8 @@ takes a context (such as $config, .Values or (dict "containerRuntime" $container
 {{-       printf "eks.bottlerocket" -}}
 {{-     else if contains "Container-Optimized" $osImage -}}
 {{-       printf "gke.cos" -}}
+{{-     else if contains "Fedora CoreOS" $osImage -}}
+{{-       printf "kubernetes.coreos" -}}
 {{-     else if hasKey $firstNode.metadata.annotations "k3s.io/hostname"  -}}
 {{-       printf "k3s" -}}
 {{-     else if or (hasKey $firstNode.metadata.labels "eks.amazonaws.com/nodegroup") (hasKey $firstNode.metadata.labels "alpha.eksctl.io/nodegroup-name")  -}}
@@ -351,10 +357,10 @@ if registry is not quay do not enable auto upgrade
 {{- end -}}
 
 
-{{/*
+{{- /*
   use to know if we run from template (which mean wo have no connection to the cluster and cannot check Capabilities/nodes etc.)
   if there is no namespace probably we are running template
-*/}}
+*/ -}}
 {{- define "is.helm.template.command" -}}
 {{- $namespace := lookup "v1" "Namespace" "" "" -}}
 {{- if eq (len $namespace) 0 -}}
@@ -382,7 +388,7 @@ true
 {{- /* validate platform is one of the allowed values. 
 takes a context (such as $config or .Values) that has a .platform field */ -}}
 {{- define "validate.platform" -}}
-{{- $allowedPlatforms := list "kubernetes" "tanzu" "openshift" "openshift.v3" "eks" "eks.bottlerocket" "gke.cos" "gke.autopilot" "k3s" -}}
+{{- $allowedPlatforms := list "kubernetes" "tanzu" "openshift" "openshift.v3" "eks" "eks.bottlerocket" "gke.cos" "gke.autopilot" "k3s" "kubernetes.coreos" -}}
 {{- if has (.platform | lower) $allowedPlatforms -}}
 {{- else -}}
 {{- $err := printf "\n\nERROR: Invalid platform: %s (should be one of: %s)" .platform $allowedPlatforms -}}

checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
 {{ include "common.pod.properties" $config | indent 6 }}
       hostNetwork: true  # needed for DNS request listener
-      {{- if or $config.featureConfig.enableFileReputation (eq $config.platform "eks.bottlerocket") }}
+      {{- if or $config.featureConfig.enableFileReputation (or (eq $config.platform "kubernetes.coreos") (eq $config.platform "eks.bottlerocket")) }}
       hostPID: true
       {{- end }}
       initContainers:
@@ -40,6 +40,9 @@ spec:
         command: [ "/bin/sh", "-c", "--" ]
         securityContext:
           privileged: true
+          {{- if (eq $config.platform "kubernetes.coreos") }}
+          runAsUser: 0
+          {{- end }}
         args: [ "nsenter --mount=/proc/1/ns/mnt -- mount --make-shared /var/lib/containers/storage/overlay" ]
       {{- end }}
       # probe (sysdig)
@@ -57,6 +60,10 @@ spec:
           value: "/sysdig"
         - name: SYSDIG_BPF_PROBE
           value: ""
+        {{- if (eq $config.platform "kubernetes.coreos") }}
+        - name: FCOS_AUTO_KERNEL_HEADERS
+          value: "1"
+        {{- end }}
         {{- if eq "eks" $config.platform }}
         - name: AMAZON_AUTO_KERNEL_HEADERS
           value: "1"
@@ -72,7 +79,7 @@ spec:
         {{- end }}
 {{ include "common.env" $config | indent 8 }}
         securityContext:
-        {{- if eq $config.platform "eks.bottlerocket" }}
+        {{- if or (eq $config.platform "eks.bottlerocket") (eq $config.platform "kubernetes.coreos") }}
           privileged: true
           runAsUser: 0
         {{- else if or (not $config.featureConfig.BPF) (contains "openshift" $config.platform) }}
@@ -100,7 +107,7 @@ spec:
         - name: host-dev-vol
           mountPath: /host/dev
         {{- end }}
-        {{- if eq "eks" $config.platform }}
+        {{- if or (eq $config.platform "kubernetes.coreos") (eq "eks" $config.platform) }}
         - name: host-root-vol
           mountPath: /host/root
         {{- end }}
@@ -151,7 +158,7 @@ spec:
         - name: SBA_USE_DOME9_FORWARDER
           value: "1"
         - name: SBA_FORWARDER_AGENT_VERSION
-          value: {{ $config.agentConfig.tag }}
+          value: {{ $config.agentConfig.tag | quote }}
         - name: TELEMETRY_VERSION
           value: {{ $config.Values.telemetryVersion }}
         - name: CP_KUBERNETES_DOME9_URL
@@ -182,6 +189,9 @@ spec:
         securityContext:
         {{- if or (not $config.featureConfig.BPF) (contains "openshift" $config.platform) }}
           privileged: true
+        {{- else if (eq $config.platform "kubernetes.coreos") }}
+          privileged: true
+          runAsUser: 0
         {{- else }}
           runAsUser: 0
           {{- if and ($config.featureConfig.enableFileReputation) (eq $config.platform "eks.bottlerocket") }}
@@ -358,7 +368,7 @@ spec:
       - name: crashdumps-vol
         emptyDir: 
           sizeLimit: 200Ki
-      {{- if eq "eks" $config.platform }}
+      {{- if or (eq $config.platform "kubernetes.coreos") (eq "eks" $config.platform) }}
       - name: host-root-vol
         hostPath:
           path: /