fix exporter templates

Signed-off-by: Matthias Bertschy <[email protected]>
kubescape · Dec 28, 2023 · 465452d · 465452d
1 parent 7bc392f
commit 465452d
Show file tree

Hide file tree

Showing 10 changed files with 230 additions and 92 deletions.
diff --git a/charts/kubescape-operator/templates/_helpers.tpl b/charts/kubescape-operator/templates/_helpers.tpl
@@ -58,11 +58,11 @@ serviceDiscovery:
   enabled: {{ $configurations.submit }}
 storage:
   enabled: true
+prometheusExporter:
+  enabled: {{ eq .Values.capabilities.prometheusExporter "enable" }}
 cloudSecret:
   create: {{ $configurations.createCloudSecret }}
   name: {{ if $configurations.createCloudSecret }}"cloud-secret"{{ else }}{{ .Values.credentials.cloudSecret }}{{ end }}
 synchronizer:
   enabled: {{ or (and $configurations.submit (eq .Values.capabilities.networkPolicyService "enable")) (and $configurations.submit (eq .Values.capabilities.runtimeObservability "enable")) }}
-prometheusExporter:
-  enabled: false
 {{- end -}}
diff --git a/charts/kubescape-operator/templates/prometheus-exporter/clusterrole.yaml b/charts/kubescape-operator/templates/prometheus-exporter/clusterrole.yaml
@@ -6,9 +6,6 @@ metadata:
   name: {{ .Values.prometheusExporter.name }}
 rules:
   - apiGroups: ["spdx.softwarecomposition.kubescape.io"]
-    resources: ["vulnerabilitymanifests", "vulnerabilitymanifestsummaries","openvulnerabilityexchangecontainers"]
+    resources: ["configurationscansummaries", "vulnerabilitysummaries"]
     verbs: ["get", "watch", "list"]
-  - apiGroups: ["spdx.softwarecomposition.kubescape.io"]
-    resources: ["sbomspdxv2p3filtereds"]
-    verbs: ["get", "watch", "list"]
-{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/prometheus-exporter/clusterrolebinding.yaml b/charts/kubescape-operator/templates/prometheus-exporter/clusterrolebinding.yaml
@@ -4,12 +4,12 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ .Values.prometheusExporter.name }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ .Values.prometheusExporter.name }}
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.prometheusExporter.name }}
   namespace: {{ .Values.ksNamespace }}
-{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.prometheusExporter.name }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/prometheus-exporter/deployment.yaml b/charts/kubescape-operator/templates/prometheus-exporter/deployment.yaml
@@ -10,23 +10,23 @@ metadata:
     app.kubernetes.io/name: {{ .Values.prometheusExporter.name }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app: {{ .Values.prometheusExporter.name }}
-    tier: {{ .Values.global.namespaceTier}}
+    tier: {{ .Values.global.namespaceTier }}
 spec:
   replicas: {{ .Values.prometheusExporter.replicaCount }}
   revisionHistoryLimit: 2
-  strategy: 
+  strategy:
     type: Recreate
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ .Values.prometheusExporter.name }}
       app.kubernetes.io/instance: {{ .Release.Name }}
-      tier: {{ .Values.global.namespaceTier}}
+      tier: {{ .Values.global.namespaceTier }}
   template:
     metadata:
       labels:
         app.kubernetes.io/name: {{ .Values.prometheusExporter.name }}
         app.kubernetes.io/instance: {{ .Release.Name }}
-        tier: {{ .Values.global.namespaceTier}}
+        tier: {{ .Values.global.namespaceTier }}
         app: {{ .Values.prometheusExporter.name }}
     spec:
       {{- if .Values.imagePullSecrets }}
@@ -40,26 +40,24 @@ spec:
         - name: {{ .Values.prometheusExporter.name }}
           image: {{ .Values.prometheusExporter.image.repository }}:{{ .Values.prometheusExporter.image.tag }}
           imagePullPolicy: {{ .Values.prometheusExporter.image.pullPolicy }}
-          securityContext: 
+          securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
             runAsNonRoot: true
           ports:
-            - name: metrics
-              containerPort: {{ .Values.prometheusExporter.service.port }}
-              protocol: TCP
+          - name: metrics
+            containerPort: {{ .Values.prometheusExporter.service.port }}
+            protocol: TCP
           livenessProbe:
-            httpGet:
-              path: /v1/liveness
+            tcpSocket:
               port: {{ .Values.prometheusExporter.service.port }}
             initialDelaySeconds: 3
             periodSeconds: 3
           readinessProbe:
-            httpGet:
-              path: /v1/readiness
+            tcpSocket:
               port: {{ .Values.prometheusExporter.service.port }}
-          resources: 
-{{ toYaml .Values.prometheusExporter.resources | indent 10 }}   
+          resources:
+{{ toYaml .Values.prometheusExporter.resources | indent 12 }}
           env:
             - name: GOMEMLIMIT
               value: "{{ .Values.prometheusExporter.resources.requests.memory }}B"
@@ -68,40 +66,46 @@ spec:
             - name: KS_LOGGER_NAME
               value: "{{ .Values.logger.name }}"
           volumeMounts:
-            - name: {{ .Values.global.clusterConfig }}
-              mountPath: ~/.kube/config
+            - name: {{ .Values.global.cloudConfig }}
+              mountPath: /etc/config
               readOnly: true
+{{- if .Values.volumeMounts }}
+{{ toYaml .Values.volumeMounts | indent 12 }}
+{{- end }}
+{{- if .Values.kubevuln.volumeMounts }}
+{{ toYaml .Values.kubevuln.volumeMounts | indent 12 }}
+{{- end }}
       volumes:
-          - name: {{ .Values.global.clusterConfig }}
-            configMap:
-              name: {{ .Values.global.clusterConfig }}
-              items:
-              - key: "config"
-                path: "config"
+        - name: {{ .Values.global.cloudConfig }}
+          configMap:
+            name: {{ .Values.global.cloudConfig }}
+            items:
+            - key: "clusterData"
+              path: "clusterData.json"
 {{- if .Values.volumes }}
-{{ toYaml .Values.volumes | indent 10 }}
+{{ toYaml .Values.volumes | indent 8 }}
 {{- end }}
 {{- if .Values.prometheusExporter.volumes }}
-{{ toYaml .Values.prometheusExporter.volumes | indent 10 }}
+{{ toYaml .Values.prometheusExporter.volumes | indent 8 }}
 {{- end }}
       serviceAccountName: {{ .Values.prometheusExporter.name }}
       automountServiceAccountToken: true
       nodeSelector:
       {{- if .Values.prometheusExporter.nodeSelector }}
-      {{- toYaml .Values.prometheusExporter.nodeSelector | nindent 6 }}
+      {{- toYaml .Values.prometheusExporter.nodeSelector | nindent 8 }}
       {{- else if .Values.customScheduling.nodeSelector }}
-      {{- toYaml .Values.customScheduling.nodeSelector | nindent 6 }}
+      {{- toYaml .Values.customScheduling.nodeSelector | nindent 8 }}
       {{- end }}
       affinity:
       {{- if .Values.prometheusExporter.affinity }}
-      {{- toYaml .Values.prometheusExporter.affinity | nindent 6 }}
+      {{- toYaml .Values.prometheusExporter.affinity | nindent 8 }}
       {{- else if .Values.customScheduling.affinity }}
-      {{- toYaml .Values.customScheduling.affinity | nindent 6 }}
+      {{- toYaml .Values.customScheduling.affinity | nindent 8 }}
       {{- end }}
       tolerations:
       {{- if .Values.prometheusExporter.tolerations }}
-      {{- toYaml .Values.prometheusExporter.tolerations | nindent 6 }}
+      {{- toYaml .Values.prometheusExporter.tolerations | nindent 8 }}
       {{- else if .Values.customScheduling.tolerations }}
-      {{- toYaml .Values.customScheduling.tolerations | nindent 6 }}
+      {{- toYaml .Values.customScheduling.tolerations | nindent 8 }}
       {{- end }}
-{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/prometheus-exporter/networkpolicy.yaml b/charts/kubescape-operator/templates/prometheus-exporter/networkpolicy.yaml
@@ -16,24 +16,8 @@ spec:
       tier: {{ .Values.global.namespaceTier }}
   policyTypes:
     - Ingress
-  {{- if .Values.global.networkPolicy.createEgressRules }}
-    - Egress
-  egress:
-      # - eventReceiverHttpUrl ({{ .Values.eventReceiverHttpUrl }}/k8s/sysreport)
-      # - Grype's update-url (https://toolbox-data.anchore.io/grype/databases/listing.json)
-      # - All container registries
-    - ports:
-        - port: 443
-          protocol: TCP
-  {{- end }}
   ingress:
-    - from:
-        - podSelector:
-            matchLabels:
-              app.kubernetes.io/instance: kubescape
-              app.kubernetes.io/name: operator
-              tier: ks-control-plane
-      ports:
+    - ports:
         - port: {{ .Values.prometheusExporter.service.port }}
           protocol: TCP
-{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/prometheus-exporter/service.yaml b/charts/kubescape-operator/templates/prometheus-exporter/service.yaml
@@ -1,6 +1,5 @@
 {{- $components := fromYaml (include "components" .) }}
 {{- if $components.prometheusExporter.enabled }}
-{{- $no_proxy_envar_list := (include "no_proxy_envar_list" .) -}}
 apiVersion: v1
 kind: Service
 metadata:
@@ -16,4 +15,4 @@ spec:
       protocol: {{ .Values.prometheusExporter.service.protocol }}
   selector:
     app: {{ .Values.prometheusExporter.name }}
-{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/prometheus-exporter/serviceaccount.yaml b/charts/kubescape-operator/templates/prometheus-exporter/serviceaccount.yaml
@@ -1,6 +1,5 @@
 {{- $components := fromYaml (include "components" .) }}
 {{- if $components.prometheusExporter.enabled }}
-{{- $no_proxy_envar_list := (include "no_proxy_envar_list" .) -}}
 kind: ServiceAccount
 apiVersion: v1
 metadata:
@@ -16,4 +15,4 @@ metadata:
   name: {{ .Values.prometheusExporter.name }}
   namespace: {{ .Values.ksNamespace }}
 automountServiceAccountToken: false
-{{- end }}
+{{- end }}