

*2.18.0: auto-detect EKS + k3s, linux amd64 node selector, more* (#113)
- Auto-detection: added k3s (Rancher) and improved for EKS.
- Add containerRuntimeSocket helm parameter for runtime socket path.
- Run pods only on Linux amd64 nodes - default node selector updated.
- Fix helm install warning when setting environment variables for a pod.
chkp-rigor authored Jan 9, 2023
1 parent 515b30b commit e57ac1b
Showing 7 changed files with 217 additions and 137 deletions.
11 changes: 9 additions & 2 deletions checkpoint/cloudguard/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 2.17.0
appVersion: 2.18.0
description: A Helm chart for Check Point CloudGuard Workload Security
home: https://portal.checkpoint.com
icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
Expand All @@ -18,6 +18,13 @@ keywords:
- registry scan
- acr
- ecr
- gcr
- gar
- harbor
- jfrog artifactory
- ecs
- tanzu
- k3s
- openshift
name: cloudguard
version: 2.17.0
version: 2.18.0
74 changes: 38 additions & 36 deletions checkpoint/cloudguard/README.md


33 changes: 25 additions & 8 deletions checkpoint/cloudguard/defaults.yaml
Expand Up @@ -90,7 +90,9 @@ inventory:

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
tolerations: []
affinity: {}
podAnnotations:
Expand Down Expand Up @@ -153,7 +155,9 @@ addons:

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
tolerations:
- operator: Exists
affinity: {}
Expand Down Expand Up @@ -186,7 +190,9 @@ addons:

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
tolerations: []
affinity: {}
podAnnotations:
Expand Down Expand Up @@ -215,7 +221,9 @@ addons:

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: { }
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
tolerations: [ ]
affinity: { }
podAnnotations:
Expand Down Expand Up @@ -252,7 +260,9 @@ addons:

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
tolerations:
- operator: Exists
affinity: {}
Expand Down Expand Up @@ -285,7 +295,9 @@ addons:

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
affinity: {}
tolerations: []
podAnnotations:
Expand Down Expand Up @@ -317,7 +329,9 @@ addons:

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
tolerations: []
affinity: {}
podAnnotations:
Expand Down Expand Up @@ -387,6 +401,7 @@ addons:
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
tolerations:
- operator: Exists
affinity: {}
Expand Down Expand Up @@ -418,7 +433,9 @@ addons:

## Configuration options for nodeSelector, tolerations and affinity for pod
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
tolerations: []
affinity: {}
podAnnotations:
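Review bot: The new `kubernetes.io/arch: amd64` key, introduced in the first hunk (the `inventory` stanza) and repeated in every later `nodeSelector`, silently excludes arm64 nodes, and for the stanzas that tolerate everything (`- operator: Exists`), which look like node-level agents, that leaves such nodes without the agent and without any error surfacing; the comment above the selector should say so. Suggested line under the existing `## ref:` comment in each stanza: `## Defaults pin pods to Linux amd64 nodes; override nodeSelector (e.g. drop the arch key) on clusters with arm64 nodes once a multi-arch image is available`. Whether the published images are amd64-only is not visible in this diff, so the wording should be confirmed against the image manifests. The stanza at hunk `-387,6 +401,7` already carried `kubernetes.io/os: linux`, so the os key is now uniform across all nine stanzas and only the arch key is new there.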
84 changes: 46 additions & 38 deletions checkpoint/cloudguard/templates/_helpers.tpl
Expand Up @@ -163,7 +163,6 @@ imagePullSecrets:
- name: AUTO_UPGRADE_ENABLED
value: "true"
{{- end -}}
{{- template "user.defined.env" . -}}

{{- if .Values.proxy }}
- name: HTTPS_PROXY
Expand Down Expand Up @@ -411,45 +410,47 @@ key: {{ $cert.Key | b64enc }}
{{- end -}}

{{- define "get.platform" -}}
{{- if (include "is.helm.template.command" .) -}}
{{- include "validate.platform" . -}}
{{- lower .Values.platform -}}
{{- else if has "config.openshift.io/v1" .Capabilities.APIVersions -}}
openshift
{{- else if has "security.openshift.io/v1" .Capabilities.APIVersions -}}
openshift.v3
{{- else if has "nsx.vmware.com/v1" .Capabilities.APIVersions -}}
tanzu
{{- else -}}
{{- $nodes := lookup "v1" "Node" "" "" -}}
{{- if (include "is.helm.template.command" .) -}}
{{- include "validate.platform" . -}}
{{- lower .Values.platform -}}
{{- else if has "config.openshift.io/v1" .Capabilities.APIVersions -}}
{{- printf "openshift" -}}
{{- else if has "security.openshift.io/v1" .Capabilities.APIVersions -}}
{{- printf "openshift.v3" -}}
{{- else if has "nsx.vmware.com/v1" .Capabilities.APIVersions -}}
{{- printf "tanzu" -}}
{{- else -}}
{{- $nodes := lookup "v1" "Node" "" "" -}}
{{/*
nodeInfo.osImage example values:
- "Bottlerocket OS 1.7.2 (aws-k8s-1.21)"
- "Container-Optimized OS from Google"
nodeInfo.osImage example values:
- "Bottlerocket OS 1.7.2 (aws-k8s-1.21)"
- "Container-Optimized OS from Google"
*/}}
{{- $firstNode := (first $nodes.items) -}}
{{- $osImage := $firstNode.status.nodeInfo.osImage }}
{{- if contains "Bottlerocket" $osImage -}}
eks.bottlerocket
{{- else if hasKey $firstNode.metadata.labels "eks.amazonaws.com/nodegroup" -}}
eks
{{- else -}}
{{- include "validate.platform" . -}}
{{- lower .Values.platform -}}
{{- end -}}
{{- end -}}
{{- $firstNode := (first $nodes.items) -}}
{{- $osImage := $firstNode.status.nodeInfo.osImage }}
{{- if contains "Bottlerocket" $osImage -}}
{{- printf "eks.bottlerocket" -}}
{{- else if hasKey $firstNode.metadata.annotations "k3s.io/hostname" -}}
{{- printf "k3s" -}}
{{- else if or (hasKey $firstNode.metadata.labels "eks.amazonaws.com/nodegroup") (hasKey $firstNode.metadata.labels "alpha.eksctl.io/nodegroup-name") -}}
{{- printf "eks" -}}
{{- else -}}
{{- include "validate.platform" . -}}
{{- lower .Values.platform -}}
{{- end -}}
{{- end -}}
{{- end -}}


{{/*
if registry is not quay do not enable auto upgrade
*/}}
{{- define "get.autoUpgrade" -}}
{{- if ne .Values.imageRegistry.url "quay.io" -}}
{{- printf "false" -}}
{{- else -}}
{{- printf (.Values.autoUpgrade | toString) -}}
{{- end -}}
{{- if ne .Values.imageRegistry.url "quay.io" -}}
{{- printf "false" -}}
{{- else -}}
{{- printf (.Values.autoUpgrade | toString) -}}
{{- end -}}
{{- end -}}


Expand All @@ -465,13 +466,20 @@ true
{{- end -}}

{{- define "containerd.sock.path" -}}
{{- if eq (include "get.platform" .) "eks.bottlerocket" -}}
/run/dockershim.sock
{{- else if eq (include "get.platform" .) "k3s" -}}
/run/k3s/containerd/containerd.sock
{{- else -}}
/run/containerd/containerd.sock
{{- end -}}
{{- if .Values.containerRuntimeSocket -}}
{{/* container runtime socket path validation: should contain '/run/' substring and end with '.sock' */}}
{{- if or (not (contains "/run" .Values.containerRuntimeSocket)) (not (hasSuffix ".sock" .Values.containerRuntimeSocket)) -}}
{{- $err := printf "\n\nERROR: Invalid container runtime socket path: '%s' (should contain '/run' substring and end with '.sock'.)" .Values.containerRuntimeSocket -}}
{{- fail $err -}}
{{- end -}}
{{ printf (.Values.containerRuntimeSocket | toString) }}
{{- else if eq (include "get.platform" .) "eks.bottlerocket" -}}
{{- printf "/run/dockershim.sock" -}}
{{- else if eq (include "get.platform" .) "k3s" -}}
{{- printf "/run/k3s/containerd/containerd.sock" -}}
{{- else -}}
{{- printf "/run/containerd/containerd.sock" -}}
{{- end -}}
{{- end -}}

{{- define "validate.platform" -}}
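Review bot: In `containerd.sock.path`, `{{ printf (.Values.containerRuntimeSocket | toString) }}` hands the operator-supplied value to printf as the format string and is the only branch without `-` trim markers, so a path containing `%` is mangled and the surrounding newline is emitted into callers such as the psp `pathPrefix`; emit it as data, trimmed: `{{- .Values.containerRuntimeSocket -}}`. The validation one line earlier is also looser than its comment and error text claim: it requires `/run` anywhere and a `.sock` suffix but not an absolute path, so a relative value still passes and ends up in a hostPath allow-list. Presumably `contains` rather than `hasPrefix` is deliberate so that paths like the tanzu `/var/vcap/sys/run/...` one are accepted, so the minimal tightening is `{{- if or (not (hasPrefix "/" .Values.containerRuntimeSocket)) (not (contains "/run/" .Values.containerRuntimeSocket)) (not (hasSuffix ".sock" .Values.containerRuntimeSocket)) -}}`, matching the `'/run/'` wording the comment already uses. The error message's "should contain '/run' substring" should then be updated to match.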
Expand Up @@ -35,8 +35,20 @@ spec:
- 'hostPath'
- 'emptyDir'
allowedHostPaths:
{{- if eq $config.containerRuntime "docker" }}
{{- if eq (include "get.platform" $config) "tanzu" }}
- pathPrefix: /var/vcap/sys/run/docker/docker.sock
{{- else }}
- pathPrefix: /var/run/docker.sock
{{- end }}
readOnly: true
{{- else if eq $config.containerRuntime "containerd" }}
- pathPrefix: {{ include "containerd.sock.path" $config }}
readOnly: true
{{- else if eq $config.containerRuntime "cri-o" }}
- pathPrefix: /run/crio/crio.sock
readOnly: true
{{- end }}
- pathPrefix: /boot
readOnly: true
- pathPrefix: /lib/modules
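Review bot: `- pathPrefix: {{ include "containerd.sock.path" $config }}` splices the helper's output unquoted, and now that the helper can return the operator-supplied `containerRuntimeSocket` verbatim, a value carrying trailing whitespace, a `#` or a `: ` changes the YAML shape of the allow-list instead of being rejected; `- pathPrefix: {{ include "containerd.sock.path" $config | quote }}` keeps it a single string whatever the helper emits. Note also that `allowedHostPaths` entries are prefix matches, so `/run/crio/crio.sock` also admits any host path that starts with that string — acceptable here, but a comment such as `# pathPrefix is a prefix match; keep each entry as specific as the runtime allows` would make the intent explicit. The enclosing `spec` block starts and ends outside this hunk.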
Binary file added repository/cloudguard-2.18.0.tgz
