Merge remote-tracking branch 'origin/main' into dependabot/go_modules…

…/tests/github.com/docker/docker-25.0.6incompatible
otterize · Oct 22, 2024 · 0fd89ec · 0fd89ec
2 parents f367ded + 772ea14
commit 0fd89ec
Show file tree

Hide file tree

Showing 22 changed files with 232 additions and 425 deletions.
diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml
@@ -105,6 +105,10 @@ jobs:
           helm install otterize ./otterize-kubernetes -n otterize-system --wait --create-namespace $OPERATOR_FLAGS $TELEMETRY_FLAG
 
   test-postgresql-integration:
+    permissions:
+      id-token: write
+      contents: read
+      checks: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -123,7 +127,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22.1
+          go-version: 1.23.1
           cache-dependency-path: tests/go.sum
 
       - name: Install go-junit-report
@@ -196,6 +200,10 @@ jobs:
         if: always() && github.event.pull_request.user.login != 'dependabot[bot]'
 
   test-mysql-integration:
+    permissions:
+      id-token: write
+      contents: read
+      checks: write
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -214,7 +222,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22.1
+          go-version: 1.23.1
           cache-dependency-path: tests/go.sum
 
       - name: Install go-junit-report
@@ -332,7 +340,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22.1
+          go-version: 1.23.1
           cache-dependency-path: tests/go.sum
 
       - name: Install go-junit-report

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -24,7 +24,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22.1
+          go-version: 1.23.1
           cache-dependency-path: tests/go.sum
 
       - name: go vet
@@ -42,7 +42,7 @@ jobs:
         uses: golangci/golangci-lint-action@v3
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: v1.55.2
+          version: v1.61.0
 
           # Optional: working directory, useful for monorepos
           working-directory: tests

diff --git a/credentials-operator/Chart.yaml b/credentials-operator/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: credentials-operator
 description: credentials-operator
 type: application
-version: 3.0.8
-appVersion: v3.0.4
+version: 3.0.13
+appVersion: v3.0.8
 home: https://github.com/otterize/credentials-operator
 sources:
   - https://github.com/otterize/credentials-operator
diff --git a/credentials-operator/templates/credentials-operator-webhook-service.yaml b/credentials-operator/templates/credentials-operator-webhook-service.yaml
@@ -23,4 +23,34 @@ spec:
     targetPort: 9443
   selector:
     app: credentials-operator
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-access-to-credentials-operator-webhook-and-metrics
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- with .Values.global.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/version: {{ .Chart.Version }}
+  annotations:
+    {{- with .Values.global.commonAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/version: {{ .Chart.Version }}
+spec:
+  podSelector:
+    matchLabels:
+      app: intents-operator
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 443
+        - protocol: TCP
+          port: 9443
+        - protocol: TCP
+          port: 8443
 {{ end }}
diff --git a/intents-operator/Chart.yaml b/intents-operator/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: intents-operator
 description: Otterize intents operator
 type: application
-version: 3.0.35
-appVersion: v2.0.20
+version: 3.0.43
+appVersion: v2.0.25
 home: https://github.com/otterize/intents-operator
 sources:
   - https://github.com/otterize/intents-operator
diff --git a/intents-operator/README.md b/intents-operator/README.md
diff --git a/intents-operator/templates/intents-operator-controller-manager-metrics-service.yaml b/intents-operator/templates/intents-operator-controller-manager-metrics-service.yaml
@@ -22,3 +22,29 @@ spec:
     targetPort: 2112
   selector:
     app: intents-operator
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-access-to-intents-operator-metrics-server
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- with .Values.global.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/version: {{ .Chart.Version }}
+  annotations:
+    {{- with .Values.global.commonAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/version: {{ .Chart.Version }}
+spec:
+  podSelector:
+    matchLabels:
+      app: intents-operator
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 2112
diff --git a/intents-operator/templates/intents-operator-deployment.yaml b/intents-operator/templates/intents-operator-deployment.yaml
@@ -200,7 +200,11 @@ spec:
             value: "false"
           {{- end }}
           {{- if eq true .Values.operator.enableEgressNetworkPolicyCreation }}
-          - name: OTTERIZE_EXP_ENABLE_EGRESS_NETWORK_POLICIES
+          - name: OTTERIZE_ENABLE_EGRESS_NETWORK_POLICIES
+            value: "true"
+          {{- end }}
+          {{- if eq true .Values.operator.separateNetpolsForIngressAndEgress }}
+          - name: OTTERIZE_SEPARATE_NETPOLS_FOR_INGRESS_AND_EGRESS
             value: "true"
           {{- end }}
           {{- if .Values.global.aws.rolesAnywhere.enabled }}

diff --git a/intents-operator/templates/validation-webhook-service.yaml b/intents-operator/templates/validation-webhook-service.yaml
@@ -20,3 +20,31 @@ spec:
       targetPort: 9443
   selector:
     app: intents-operator
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-access-to-intents-operator-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- with .Values.global.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/version: {{ .Chart.Version }}
+  annotations:
+    {{- with .Values.global.commonAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/version: {{ .Chart.Version }}
+spec:
+  podSelector:
+    matchLabels:
+      app: intents-operator
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 443
+        - protocol: TCP
+          port: 9443
diff --git a/intents-operator/values.yaml b/intents-operator/values.yaml
@@ -50,7 +50,13 @@ operator:
   allowExternalTraffic: ifBlockedByOtterize
   enableIstioPolicyCreation: true
   enableDatabasePolicyCreation: true
+
+  # If set to true, the operator will create network policies for egress traffic.
   enableEgressNetworkPolicyCreation: false
+
+  # If set to true, the operator will create separate network policies for ingress and egress traffic.
+  # (Only available with enableEgressNetworkPolicyCreation set to true)
+  separateNetpolsForIngressAndEgress: false
   ingressControllerAWSALBExempt: false
   extraEnvVars:
 

diff --git a/network-mapper/Chart.yaml b/network-mapper/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 name: network-mapper
 type: application
-version: 2.0.21
-appVersion: v2.0.7
+version: 2.0.26
+appVersion: v2.0.11
 home: https://github.com/otterize/network-mapper
 sources:
   - https://github.com/otterize/network-mapper
diff --git a/network-mapper/README.md b/network-mapper/README.md
@@ -93,14 +93,14 @@ Deployed only when `aws.visibility.enabled` is set to `true`.
 
 ## Cloud parameters
 
-| Key                                                        | Description                                                                                                                                                                                  | Default  |
-|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
-| `global.otterizeCloud.credentials.clientId`                | Client ID for connecting to Otterize Cloud.                                                                                                                                                  | `(none)` |
-| `global.otterizeCloud.credentials.clientSecret`            | Client secret for connecting to Otterize Cloud.                                                                                                                                              | `(none)` |
-| `global.otterizeCloud.credentials.secretKeyRef.secretName` | If specified, the name of a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret.                                                            | `(none)` |
-| `global.otterizeCloud.credentials.secretKeyRef.secretKey`  | If specified, the key for the clientSecret in a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret.                                        | `(none)` |
-| `global.otterizeCloud.apiAddress`                          | Overrides Otterize Cloud default API address.                                                                                                                                                | `(none)` |
-| `global.otterizeCloud.apiExtraCAPEMSecret`                 | The name of a secret containing a single `CA.pem` file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment. | `(none)` |
+| Key                                                              | Description                                                                                                                                                                                  | Default  |
+|------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
+| `global.otterizeCloud.credentials.clientId`                      | Client ID for connecting to Otterize Cloud.                                                                                                                                                  | `(none)` |
+| `global.otterizeCloud.credentials.clientSecret`                  | Client secret for connecting to Otterize Cloud.                                                                                                                                              | `(none)` |
+| `global.otterizeCloud.credentials.clientSecretKeyRef.secretName` | If specified, the name of a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret.                                                            | `(none)` |
+| `global.otterizeCloud.credentials.clientSecretKeyRef.secretKey`  | If specified, the key for the clientSecret in a pre-created Kubernetes Secret to be used instead of creating a secret with the value of clientSecret.                                        | `(none)` |
+| `global.otterizeCloud.apiAddress`                                | Overrides Otterize Cloud default API address.                                                                                                                                                | `(none)` |
+| `global.otterizeCloud.apiExtraCAPEMSecret`                       | The name of a secret containing a single `CA.pem` file for an extra root CA used to connect to Otterize Cloud. The secret should be placed in the same namespace as the Otterize deployment. | `(none)` |
 
 ## Global parameters
 

diff --git a/network-mapper/templates/sniffer-daemonset.yaml b/network-mapper/templates/sniffer-daemonset.yaml
@@ -110,6 +110,10 @@ spec:
           - name: OTTERIZE_CLIENT_ID
             value: "{{ .Values.global.otterizeCloud.credentials.clientId }}"
           {{- end }}
+          {{- if eq true .Values.sniffer.useExtendedProcfsResolution }}
+          - name: OTTERIZE_USE_EXTENDED_PROCFS_RESOLUTION
+            value: "true"
+          {{- end }}
         livenessProbe:
           httpGet:
             path: /healthz

diff --git a/network-mapper/values.yaml b/network-mapper/values.yaml
@@ -72,6 +72,7 @@ sniffer:
   # requests:
   #   cpu: 100m
   #   memory: 128Mi
+  useExtendedProcfsResolution: false
 
 kafkawatcher:
   enable: false # enable/disable entire installation of the kafka-watcher

diff --git a/otterize-kubernetes/Chart.yaml b/otterize-kubernetes/Chart.yaml
@@ -3,7 +3,7 @@ name: otterize-kubernetes
 description: |
   This chart contains the Otterize credentials-operator, SPIRE (server+agent), the Otterize intents operator, and the Otterize network mapper.
 type: application
-version: 4.0.34
+version: 4.0.54
 home: https://github.com/otterize/helm-charts
 kubeVersion: ">=1.19.0-0"
 dependencies: