CheckPointSW · chkp-rigor · Dec 3, 2023 · Dec 3, 2023
diff --git a/checkpoint/cloudguard/Chart.yaml b/checkpoint/cloudguard/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 2.24.3
+appVersion: 2.25.0
 description: A Helm chart for Check Point CloudGuard Workload Security
 home: https://portal.checkpoint.com
 icon: https://www.checkpoint.com/wp-content/uploads/icon-cloudguard-nav.png
@@ -32,4 +32,4 @@ keywords:
 - gke
 - autopilot
 name: cloudguard
-version: 2.24.3
+version: 2.25.0
diff --git a/checkpoint/cloudguard/README.md b/checkpoint/cloudguard/README.md
@@ -140,7 +140,7 @@ The following table list the configurable parameters of this chart and their def
 | `seccompProfile`                                           | Computer Security facility profile. (to be used in kubernetes 1.19 and up) | `RuntimeDefault`                                |
 | `podAnnotations.seccomp`                                   | Computer Security facility profile. (to be used in kubernetes below 1.19) | `runtime/default`                                |
 | `podAnnotations.apparmor`                                  | Apparmor Linux kernel security module profile.                  | `{}`                                             |
-| `autoUpgrade`                                              | Enable auto-upgrade (true or false). 'major.minor' tags will be set for images rather than 'major.minor.patch'" | `false`    |
+| `autoUpgrade`                                              | Enable auto-upgrade (preserve, true or false). 'major.minor' tags will be set for images rather than 'major.minor.patch'" | `preserve`    |
 | `podAnnotations.custom`                                    | Custom Pod annotations (for all agent Pods)                     | `{}`                                             |
 | `priorityClassName`                                        | Specifies custom priorityClassName                              | ``                                               |
 | `daemonSetStrategy.rollingUpdate.maxUnavailable`           | Maximum unavailable daemonset pods during a rolling update                 | `50%`                                            |

diff --git a/checkpoint/cloudguard/defaults.yaml b/checkpoint/cloudguard/defaults.yaml
@@ -56,7 +56,7 @@ platform: kubernetes # kubernetes, openshift, openshift.v3, tanzu, eks, eks.bott
 seccompProfile:
   type: RuntimeDefault
 
-autoUpgrade: false # true or false
+autoUpgrade: preserve # true, false or preserve
 
 daemonSetStrategy:
   rollingUpdate:
@@ -111,7 +111,7 @@ addons:
       priorityClassName: "system-node-critical"
       ## Specify image and tag
       image: checkpoint/consec-imagescan-daemon
-      tag: 2.25.0
+      tag: 2.27.0
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""
@@ -133,7 +133,7 @@ addons:
       shim:
         ## Specify image and tag
         image: checkpoint/consec-imagescan-shim
-        tag: 2.25.0
+        tag: 2.27.0
 
         ## Configure resource requests and limits
         ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
@@ -169,7 +169,7 @@ addons:
     engine:
       ## Specify image and tag
       image: checkpoint/consec-imagescan-engine
-      tag: 2.25.0
+      tag: 2.27.0
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""
@@ -202,7 +202,7 @@ addons:
     list:
       ## Specify image and tag
       image: checkpoint/consec-imagescan-engine
-      tag: 2.25.0
+      tag: 2.27.0
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""
@@ -309,7 +309,7 @@ addons:
     enforcer:
       ## Specify image and tag
       image: checkpoint/consec-admission-enforcer
-      tag: 2.9.0
+      tag: 2.10.0
 
       ## Specify existing service account name ("" to create)
       serviceAccountName: ""

diff --git a/checkpoint/cloudguard/templates/_helpers.tpl b/checkpoint/cloudguard/templates/_helpers.tpl
@@ -67,7 +67,7 @@
 {{-     if or .Values.debugImages .featureConfig.debugImages .agentConfig.debugImages $containerConfig.debugImage }}
 {{-         $tag = printf "%s-debug" $containerConfig.tag }}
 {{-     end }}
-{{-     if and (eq (include "get.autoUpgrade" .) "true") (regexMatch "^\\d+.\\d+.\\d+$" $tag) (ne .agentConfig.image "checkpoint/consec-runtime-probe") -}}
+{{-     if and (eq (include "get.autoUpgrade" .) "true") (regexMatch "^\\d+.\\d+.\\d+$" $tag) (ne $containerConfig.image "checkpoint/consec-runtime-probe") (ne $containerConfig.image "checkpoint/consec-runtime-cos-compat") -}}
 {{-         $tag = regexFind "\\d+.\\d+" $tag }}
 {{-     end -}}
 {{-     $image := printf "%s/%s:%s" .Values.imageRegistry.url $containerConfig.image $tag }}
@@ -179,10 +179,8 @@ imagePullSecrets:
       fieldPath: spec.nodeName
 - name: PLATFORM
   value: {{ .platform }}
-{{- if eq (include "get.autoUpgrade" .) "true" }}
 - name: AUTO_UPGRADE_ENABLED
-  value: "true"
-{{- end -}}
+  value: {{ (include "get.autoUpgrade" .) | quote }}
 {{- if .Values.proxy }}
 - name: HTTPS_PROXY
   value: "{{ .Values.proxy }}"
@@ -343,16 +341,50 @@ takes a context (such as $config, .Values or (dict "containerRuntime" $container
 {{-   end -}}
 {{- end -}}
 
+{{- define "inventory.resource.name" -}}
+    {{- $inventoryConfig := fromYaml (include "inventory.agent.config" .) -}}
+    {{ template "agent.resource.name" $inventoryConfig }}
+{{- end }}
 
 {{/*
-if registry is not quay do not enable auto upgrade
+If the registry is not "quay" do not enable automatic upgrades.
+If a user manually defines a value, that choice takes precedence.
+If a user opts for the default "preserve" option:
+	If there was no prior deployment, automatic upgrades are enabled.
+	If there was a previous deployment, we examine the value that deployment had and apply it.
+	If there was no previous value, automatic upgrades are enabled.
+	note: In the case of Helm templates, we won't have knowledge of the previous value, and unless a value is provided, "autoUpgrade" will default to "true"
  */}}
 {{- define "get.autoUpgrade" -}}
-{{-   if ne .Values.imageRegistry.url "quay.io" -}}
-{{-     printf "false" -}}
-{{-   else -}}
-{{-     printf (.Values.autoUpgrade | toString) -}}
-{{-   end -}}
+{{-     if ne .Values.imageRegistry.url "quay.io" -}}
+{{-         printf "false" -}}
+{{-     else -}}
+{{-         if eq (.Values.autoUpgrade | toString) "true" -}}
+{{-             printf "true" -}}
+{{-         else -}}
+{{-             if eq (.Values.autoUpgrade | toString) "false" -}}
+{{-                 printf "false" -}}
+{{-             else -}}
+{{/*            preserve */}}
+{{-                 $inventoryDeploymentName := trim (include "inventory.resource.name" .) -}}
+{{-                 $inventoryDeployment := lookup "apps/v1" "Deployment" .Release.Namespace $inventoryDeploymentName -}}
+{{-                 if not $inventoryDeployment -}}
+{{-                     printf "true" -}}
+{{-                 else -}}
+{{-                     $isAutoUpgradeEnv := true -}}
+{{-                     $firstContainer := first $inventoryDeployment.spec.template.spec.containers -}}
+{{-                     range $index, $env := $firstContainer.env -}}
+{{-                         if eq $env.name "AUTO_UPGRADE_ENABLED"}}
+{{-                             if eq $env.value "false" -}}
+{{-                                 $isAutoUpgradeEnv = false -}}
+{{-                             end -}}
+{{-                         end -}}
+{{-                     end -}}
+{{-                     printf ($isAutoUpgradeEnv | toString) -}}
+{{-                 end -}}
+{{-             end -}}
+{{-         end -}}
+{{-     end -}}
 {{- end -}}
 
 

diff --git a/checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml b/checkpoint/cloudguard/templates/admission/enforcer/deployment.yaml
@@ -1,4 +1,6 @@
 {{- $config := fromYaml (include "admission.enforcer.config" .) -}}
+{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
+{{- $_ := set $config "Files" .Files -}}
 {{ if $config.featureConfig.enabled }}
 apiVersion: apps/v1
 kind: Deployment

diff --git a/checkpoint/cloudguard/templates/admission/policy/deployment.yaml b/checkpoint/cloudguard/templates/admission/policy/deployment.yaml
@@ -1,4 +1,6 @@
 {{- $config := fromYaml (include "admission.policy.config" .) -}}
+{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
+{{- $_ := set $config "Files" .Files -}}
 {{- if $config.featureConfig.enabled -}}
 apiVersion: apps/v1
 kind: Deployment

diff --git a/checkpoint/cloudguard/templates/flowlogs/daemon/daemonset.yaml b/checkpoint/cloudguard/templates/flowlogs/daemon/daemonset.yaml
@@ -1,6 +1,8 @@
 {{- $configs := fromYaml (include "flowlogs.daemon.config.multiple" .) -}}
 {{- range $_, $config := $configs -}}
 {{- $config = $config | fromYaml -}}
+{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
+{{- $_ := set $config "Files" $.Files -}}
 {{- if $config.featureConfig.enabled -}}
 apiVersion: apps/v1
 kind: DaemonSet

diff --git a/checkpoint/cloudguard/templates/imagescan/daemon/daemonset.yaml b/checkpoint/cloudguard/templates/imagescan/daemon/daemonset.yaml
@@ -1,6 +1,8 @@
 {{- $configs := fromYaml (include "imagescan.daemon.config.multiple" .) -}}
 {{- range $_, $config := $configs -}}
 {{- $config = $config | fromYaml -}}
+{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
+{{- $_ := set $config "Files" $.Files -}}
 {{- if $config.featureConfig.enabled -}}
 apiVersion: apps/v1
 kind: DaemonSet

diff --git a/checkpoint/cloudguard/templates/imagescan/engine/deployment.yaml b/checkpoint/cloudguard/templates/imagescan/engine/deployment.yaml
@@ -53,12 +53,14 @@ spec:
           value: {{ include "name.prefix" $config }}
         - name: CLOUDGUARD_REGION
           value: {{ include "dome9.subdomain" $config | default "us" }}
+        - name: CP_RUNTIME
+          value: {{ $config.containerRuntime }}
 {{- if eq $config.containerRuntime "cri-o" }}
 {{- if $config.featureConfig.mountPodman }}
-        - name: USE_PODMAN_EXPORT
+        - name: CP_USE_PODMAN_EXPORT
           value: "both"
 {{- else }}
-        - name: USE_PODMAN_EXPORT
+        - name: CP_USE_PODMAN_EXPORT
           value: "false"
 {{- end }}
 {{- end }}

diff --git a/checkpoint/cloudguard/templates/inventory/agent/deployment.yaml b/checkpoint/cloudguard/templates/inventory/agent/deployment.yaml
@@ -1,4 +1,6 @@
 {{- $config := fromYaml (include "inventory.agent.config" .) -}}
+{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
+{{- $_ := set $config "Files" .Files -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

diff --git a/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml b/checkpoint/cloudguard/templates/runtime/daemon/daemonset.yaml
@@ -1,6 +1,8 @@
 {{- $configs := fromYaml (include "runtime.daemon.config.multiple" .) -}}
 {{- range $_, $config := $configs -}}
 {{- $config = $config | fromYaml -}}
+{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
+{{- $_ := set $config "Files" $.Files -}}
 {{- if $config.featureConfig.enabled -}}
 apiVersion: apps/v1
 kind: DaemonSet

diff --git a/checkpoint/cloudguard/templates/runtime/policy/deployment.yaml b/checkpoint/cloudguard/templates/runtime/policy/deployment.yaml
@@ -1,4 +1,6 @@
 {{- $config := fromYaml (include "runtime.policy.config" .) }}
+{{- /* Make ".Files" of the chart accessible and properly formatted when accessed via $config' */ -}}
+{{- $_ := set $config "Files" .Files -}}
 {{- if $config.featureConfig.enabled -}}
 apiVersion: apps/v1
 kind: Deployment

diff --git a/repository/cloudguard-2.25.0.tgz b/repository/cloudguard-2.25.0.tgz