2.4.0: IA memory limit, telemetry fix, update references to CP (#62)

IA: change memory limit for imagescan-engine to be max image size + 500MB
telemetry: AC and RP fix agent version

checkpoint/cloudguard/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
-appVersion: 2.3.5
-version: 2.3.5
+appVersion: 2.4.0
+version: 2.4.0
 description: A Helm chart for Check Point CloudGuard Workload Security
 name: cloudguard
 keywords:
@@ -15,8 +15,5 @@ keywords:
 - threat intelligence
 - admission control
 - runtime protection
-home: https://secure.dome9.com/v2/
-icon: https://secure.dome9.com/v2/assets/images/dome9/d9-logo-white.svg
-maintainers:
-- name: Check Point
-  email: [email protected]
+home: https://portal.checkpoint.com
+icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png

checkpoint/cloudguard/README.md

@@ -2,7 +2,7 @@
 
 ## Introduction
 
-This chart deploys the agents required by [Check Point CloudGuard](https://secure.dome9.com/) to provide Inventory Management, Posture Management, Image Assurance, Visibility, Threat Intelligence, Runtime Protection, Admission Control, and Monitoring capabilities. 
+This chart deploys the agents required by [Check Point CloudGuard](https://portal.checkpoint.com/) to provide Inventory Management, Posture Management, Image Assurance, Visibility, Threat Intelligence, Runtime Protection, Admission Control, and Monitoring capabilities.
 
 Note: notice that some of the above capabilities require enrollment in the Early Availability program (contact a Check Point representative for more details).
 
@@ -73,7 +73,7 @@ This command removes all the Kubernetes components associated with the chart and
 
 ## Configuration
 
-In order to get the [Check Point CloudGuard](https://secure.dome9.com/) Cluster ID & credentials, you must first complete the Kubernetes Cluster onboarding process in [Check Point CloudGuard](https://secure.dome9.com/) website.
+In order to get the [Check Point CloudGuard](https://portal.checkpoint.com/) Cluster ID & credentials, you must first complete the Kubernetes Cluster onboarding process in [Check Point CloudGuard](https://portal.checkpoint.com/) website.
 
 Refer to [values.yaml](values.yaml) for the full run-down on defaults. These are a mixture of Kubernetes and CloudGuard directives that map to environment variables.
 
@@ -91,7 +91,18 @@ $ helm install my-release checkpoint/cloudguard -f values.yaml
 
 > **Tip**: You can use the default [values.yaml](values.yaml)
 
-The following tables list the configurable parameters of this chart and their default values.
+**Maximal image size for Image Assurance**
+
+For Image Assurance feature the default maximal image size to scan is 2GB, and the relevant imageScan-engine pod memory limit is 2.5GB. In order to configure a different maximal image size, *addons.imageScan.maxImageSizeMb* parameter should be set with the maximal image size in MB. Pay attention, using this flag defines also the memory limit of imagescan-engine pod to this value + 500MB. E.g., to scan images of size of up to 3000MB, helm install command should be appended with:
+```bash
+     --set addons.imageScan.maxImageSizeMb=3000
+```
+
+It will define memory limit for *imagescan-engine* pod to be 3.5GB.
+
+## Configurable parameters
+
+The following table list the configurable parameters of this chart and their default values.
 
 | Parameter                                                  | Description                                                     | Default                                          |
 | ---------------------------------------------------------- | --------------------------------------------------------------- | ------------------------------------------------ |
@@ -119,7 +130,7 @@ The following tables list the configurable parameters of this chart and their de
 | `inventory.agent.tolerations`                              | List of node taints to tolerate for Inventory agent             | `[]`                                             |
 | `inventory.agent.affinity`                                 | Affinity settings for Inventory agent                           | `{}`                                             |
 | `addons.imageScan.enabled`                                 | Specifies whether the Image Scan addon should be installed      | `false`                                          |
-| `addons.imageScan.maxImageSizeMb`                          | Specifies in MiBytes maximal image size to be scanned, imageScan.engine main container memory limit will be a double of it | ``                                               |
+| `addons.imageScan.maxImageSizeMb`                          | Specifies in MiBytes maximal image size to scan, its value + 500MB will be imageScan.engine main container memory limit | ``                                               |
 | `addons.imageScan.daemon.image`                            | Specify image for the agent                                     | `checkpoint/consec-imagescan-daemon`             |
 | `addons.imageScan.daemon.tag`                              | Specify image tag for the agent                                 |`0.4.2`                                           |
 | `addons.imageScan.daemon.serviceAccountName`               | Specify custom Service Account for the agent                    | ``                                               |

checkpoint/cloudguard/defaults.yaml

@@ -168,7 +168,7 @@ addons:
           memory: 500Mi
         limits:
           cpu: 1000m
-          memory: 4000Mi
+          memory: 2500Mi
 
       ## Configuration options for nodeSelector, tolerations and affinity for pod
       ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/

checkpoint/cloudguard/templates/NOTES.txt

@@ -1 +1 @@
-For further actions please visit https://secure.dome9.com/
+For further actions please visit https://portal.checkpoint.com/

checkpoint/cloudguard/templates/admission/enforcer/configmap-fluentbit.yaml

@@ -15,7 +15,7 @@
         Uri                         ${CP_KUBERNETES_ADMISSION_CONTROLLER_ALERTS_URI}
         storage.total_limit_size    100M
         Retry_Limit                 False         
-{{ include "fluentbit-http-output-param.conf" $config | indent 8 }}
+{{ include "fluentbit-http-output-param.conf" $params | indent 8 }}
 
 
 {{- end -}}

checkpoint/cloudguard/templates/imagescan/engine/_helpers.tpl

@@ -22,10 +22,10 @@ resources:
   limits:
     cpu: {{ .agentConfig.resources.limits.cpu }}
 {{- if .featureConfig.maxImageSizeMb }}
-{{- /*the memory consumption of imagescan engine is up to 2x the largest image size it is configured to scan*/}}
-    memory: {{ mul 2 .featureConfig.maxImageSizeMb }}Mi
+{{- /* the memory consumption of imagescan engine is the largest image size it is configured to scan + 500Mi */}}
+    memory: {{ add 500 .featureConfig.maxImageSizeMb }}Mi
 {{- else }}
     memory: {{ .agentConfig.resources.limits.memory }}
 {{- end }}
 {{- end -}}
-{{- end }}
+{{- end }}

checkpoint/cloudguard/templates/runtime/daemon/configmap-fluentbit.yaml

@@ -39,20 +39,20 @@ data:
         Uri                         ${CP_KUBERNETES_RUNTIME_ALERT_URI}
         storage.total_limit_size    100M
         Retry_Limit                 False        
-{{ include "fluentbit-http-output-param.conf" $config | indent 8 }}
+{{ include "fluentbit-http-output-param.conf" $params | indent 8 }}
 
     [OUTPUT]
         Match                       rp-profiling
         Uri                         ${CP_KUBERNETES_RUNTIME_PROFILING_URI}
         storage.total_limit_size    100M  
         Retry_Limit                 False
-{{ include "fluentbit-http-output-param.conf" $config | indent 8 }}
+{{ include "fluentbit-http-output-param.conf" $params | indent 8 }}
 
     [OUTPUT]
         Match                       rp-telemetry
         Uri                         ${CP_KUBERNETES_RUNTIME_TELEMETRY_URI}
         Retry_Limit                 3
-{{ include "fluentbit-http-output-param.conf" $config | indent 8 }}
+{{ include "fluentbit-http-output-param.conf" $params | indent 8 }}
 
 
 {{- end -}}

repository/index.yaml

@@ -1,9 +1,32 @@
 apiVersion: v1
 entries:
   cloudguard:
+  - apiVersion: v2
+    appVersion: 2.4.0
+    created: "2021-07-20T20:01:45.113496+03:00"
+    description: A Helm chart for Check Point CloudGuard Workload Security
+    digest: 766b3224138ad56b9825e52aa1c3a1d14d9fb37e0aa2ce4a962bb5846fb4eb44
+    home: https://portal.checkpoint.com
+    icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
+    keywords:
+    - check point
+    - cloudguard
+    - workload security
+    - inventory
+    - posture management
+    - vulnerability assessment
+    - image assurance
+    - flow logs
+    - threat intelligence
+    - admission control
+    - runtime protection
+    name: cloudguard
+    urls:
+    - https://raw.githubusercontent.com/CheckPointSW/charts/master/repository/cloudguard-2.4.0.tgz
+    version: 2.4.0
   - apiVersion: v2
     appVersion: 2.3.5
-    created: "2021-06-29T22:24:22.6768164+03:00"
+    created: "2021-07-20T20:01:45.1094665+03:00"
     description: A Helm chart for Check Point CloudGuard Workload Security
     digest: 47195d99813fa84d1ff3b552dabc067183f354d4353a3c55bea8b4bf053750af
     home: https://secure.dome9.com/v2/
@@ -29,7 +52,7 @@ entries:
     version: 2.3.5
   - apiVersion: v2
     appVersion: 2.3.3
-    created: "2021-06-29T22:24:22.6759118+03:00"
+    created: "2021-07-20T20:01:45.1074977+03:00"
     description: A Helm chart for Check Point CloudGuard Workload Security
     digest: 7e8ecac90cc603f7e83507358b67647ebffbee078ce5c79e2d25bad4be69d78a
     home: https://secure.dome9.com/v2/
@@ -55,7 +78,7 @@ entries:
     version: 2.3.3
   - apiVersion: v2
     appVersion: 2.3.2
-    created: "2021-06-29T22:24:22.6746594+03:00"
+    created: "2021-07-20T20:01:45.1054945+03:00"
     description: A Helm chart for Check Point CloudGuard Workload Security
     digest: 81a7be75584877e4373be4fd2ef1dd11d111cc4d9964007c40ea610dc652a4d1
     home: https://secure.dome9.com/v2/
@@ -81,7 +104,7 @@ entries:
     version: 2.3.2
   - apiVersion: v2
     appVersion: 2.3.1
-    created: "2021-06-29T22:24:22.6684768+03:00"
+    created: "2021-07-20T20:01:45.104465+03:00"
     description: A Helm chart for Check Point CloudGuard Workload Security
     digest: 91fbc7b612a6cf21abe69e40ac3b8459cb8eb46ebe4245a1c583b99515c9e5a4
     home: https://secure.dome9.com/v2/
@@ -107,7 +130,7 @@ entries:
     version: 2.3.1
   - apiVersion: v2
     appVersion: 2.3.0
-    created: "2021-06-29T22:24:22.6676082+03:00"
+    created: "2021-07-20T20:01:45.1034935+03:00"
     description: A Helm chart for Check Point CloudGuard Workload Security
     digest: 8be89cebf15b52831dab2c86495f61c1e11d8054a37d5dedb33cbedd5f18dcef
     home: https://secure.dome9.com/v2/
@@ -134,7 +157,7 @@ entries:
   cp-resource-management:
   - apiVersion: v1
     appVersion: 1.11.0
-    created: "2021-06-29T22:24:22.6892768+03:00"
+    created: "2021-07-20T20:01:45.1204997+03:00"
     description: A Helm chart for CloudGuard Workload Security
     digest: 194ba8d8578b0691900d3af3e51e71b5b9a679b9e8e250b9e07559638f1f5bf1
     home: https://secure.dome9.com/v2/
@@ -155,7 +178,7 @@ entries:
     version: 1.11.0
   - apiVersion: v1
     appVersion: v1.1.0
-    created: "2021-06-29T22:24:22.68893+03:00"
+    created: "2021-07-20T20:01:45.1194935+03:00"
     description: A Helm chart for CloudGuard Workload Security
     digest: a0010f440f43895e2ed1268555663451b0185d3ad1147f7dfad2d5d6026065f4
     home: https://secure.dome9.com/v2/
@@ -176,7 +199,7 @@ entries:
     version: 1.09.3
   - apiVersion: v1
     appVersion: v1.1.0
-    created: "2021-06-29T22:24:22.6886019+03:00"
+    created: "2021-07-20T20:01:45.1184949+03:00"
     description: A Helm chart for CloudGuard Workload Security
     digest: 123efdfe387e20ee7b97d537eb85d950c15bcc6814933fdb4ee9214067b4c27b
     home: https://secure.dome9.com/v2/
@@ -197,7 +220,7 @@ entries:
     version: 1.09.2
   - apiVersion: v1
     appVersion: v1.1.0
-    created: "2021-06-29T22:24:22.6882584+03:00"
+    created: "2021-07-20T20:01:45.1184949+03:00"
     description: A Helm chart for CloudGuard Workload Security
     digest: 71b7b5c3928d7fc6e1c2625651311763710a50ccb970860da7f0de85c93b58ed
     home: https://secure.dome9.com/v2/
@@ -219,7 +242,7 @@ entries:
     version: 1.09.1
   - apiVersion: v1
     appVersion: v1.1.0
-    created: "2021-06-29T22:24:22.6878332+03:00"
+    created: "2021-07-20T20:01:45.1174949+03:00"
     description: A Helm chart for CloudGuard Workload Security
     digest: 5e976c6fb56ed34ea76a60c71bce292a6769f885d0ddb80464b532a03c9c4b29
     home: https://secure.dome9.com/v2/
@@ -241,7 +264,7 @@ entries:
     version: 1.09.0
   - apiVersion: v1
     appVersion: v1.1.0
-    created: "2021-06-29T22:24:22.6873531+03:00"
+    created: "2021-07-20T20:01:45.1164935+03:00"
     description: A Helm chart for CloudGuard Workload Security
     digest: 5e616877265d618bfd075fd1df8a58b9b929c0332cc61f6a28ac64f676566503
     home: https://secure.dome9.com/v2/
@@ -263,7 +286,7 @@ entries:
     version: 1.07.1
   - apiVersion: v1
     appVersion: v1.1.0
-    created: "2021-06-29T22:24:22.6869268+03:00"
+    created: "2021-07-20T20:01:45.1164935+03:00"
     description: A Helm chart for CloudGuard Workload Security
     digest: 8920c6606a6038ee4ed0b1e201fc28ea094b8a0d564b262435273907d7e65e82
     home: https://secure.dome9.com/v2/
@@ -285,7 +308,7 @@ entries:
     version: 1.07.0
   - apiVersion: v1
     appVersion: v1.1.0
-    created: "2021-06-29T22:24:22.6864859+03:00"
+    created: "2021-07-20T20:01:45.1154649+03:00"
     description: A Helm chart for Dome9 inventory uploader
     digest: bebb6e83ed371d2501879219a72540a2e7f45518f32ede0c64f7109b5b443033
     home: https://secure.dome9.com/v2/
@@ -304,7 +327,7 @@ entries:
     version: "1.06"
   - apiVersion: v1
     appVersion: v1.1.0
-    created: "2021-06-29T22:24:22.6861565+03:00"
+    created: "2021-07-20T20:01:45.1144938+03:00"
     description: A Helm chart for Dome9 inventory uploader
     digest: ebaf4da8a836f017cb4cbd0012b063e293e3ae805ebddb92ce49d666fe328cf4
     home: https://secure.dome9.com/v2/
@@ -323,7 +346,7 @@ entries:
     version: "1.05"
   - apiVersion: v1
     appVersion: v1.1.0
-    created: "2021-06-29T22:24:22.6840387+03:00"
+    created: "2021-07-20T20:01:45.1144938+03:00"
     description: A Helm chart for Dome9 inventory uploader
     digest: 54fa558ffa87cd41617ce2422b643680ff975ae4e76252dd9dc0a6bde483af38
     home: https://secure.dome9.com/v2/
@@ -342,7 +365,7 @@ entries:
     version: "1.03"
   - apiVersion: v1
     appVersion: "1.01"
-    created: "2021-06-29T22:24:22.6777088+03:00"
+    created: "2021-07-20T20:01:45.113496+03:00"
     description: A Helm chart for Dome9 inventory uploader
     digest: c2514f34c7d80d704d13e7233f660ad55cd56895f671ad68128affe47ada14a5
     home: https://secure.dome9.com/v2/
@@ -361,7 +384,7 @@ entries:
     version: "1.02"
   - apiVersion: v1
     appVersion: "1"
-    created: "2021-06-29T22:24:22.6895956+03:00"
+    created: "2021-07-20T20:01:45.1204997+03:00"
     description: A Helm chart for Dome9 inventory uploader
     digest: ee75a01ae09e8ceec83cda0d16621198ebb2139b87c323966e65ba6ca65024f0
     home: https://secure.dome9.com/v2/
@@ -378,4 +401,4 @@ entries:
     urls:
     - https://raw.githubusercontent.com/CheckPointSW/charts/master/repository/cp-resource-management-1.tgz
     version: "1"
-generated: "2021-06-29T22:24:22.6660677+03:00"
+generated: "2021-07-20T20:01:45.1014978+03:00"