alcideio · rotemjac · Jul 4, 2021 · Jul 5, 2021 · Jul 8, 2021 · assafShapira
diff --git a/deploy/charts/kaudit/templates/config.yaml b/deploy/charts/kaudit/templates/config.yaml
@@ -13,17 +13,20 @@ data:
   audit-source: |
     audit-env: {{ .Values.k8sAuditEnvironment | quote }}    # Audit Logs Source - one of: k8s, gke, aks, eks, s3
     cluster: {{ .Values.clusterName | quote }}              # Name of cluster. For GKE - the GKE cluster name, otherwise - user provided unique name.
+
     project: {{ .Values.gke.projectId | quote  }}                           # GKE-project (for GKE)
     pubsub-subscription-id: {{ .Values.gke.pubsubSubscriptionId | quote  }} # GKE PubSub subscription ID (only if consuming audit logs via PubSub instead of StackDriver)
+
     event-hub-name: {{ .Values.aks.eventHubName | quote  }}                 # Azure EventHubName name (for AKS). If using a non-default ConsumerGroup ($Default), configure it in 'consumer-group-name'.
     consumer-group-name: {{ .Values.aks.consumerGroupName | quote  }}       # Azure ConsumerGroup name (for AKS), if using a non-default ConsumerGroup (i.e. \$Default).
+
     stream-name: {{ .Values.aws.kinesisStreamName | quote  }}         # AWS Kinesis stream name (for EKS)
     region: {{ .Values.aws.region | quote  }}                         # AWS Kinesis stream region (for EKS and S3)
     access-key-id: {{ .Values.aws.accessKeyId | quote  }}             # AWS Kinesis stream credentials (for EKS and S3)
-    assumed-role: ""                                                  # AWS role (ARN) that can be assumed using STS, instead of access-key-id & awsSecretAccessKey (for EKS and S3)    
+    assumed-role: {{ .Values.aws.serviceAccountRoleArn }}             # AWS role (ARN) that can be assumed using STS, instead of access-key-id & awsSecretAccessKey (for EKS and S3)
     bucket-name: {{ .Values.aws.s3BucketName | quote  }}              # AWS S3 bucket name (for S3)
     resource-key-prefix: {{ .Values.aws.s3ResourceKeyPrefix | quote  }} # AWS S3 logs resources keys prefix (for S3)
-    #s3-custom-scheme: ""                            # AWS S3 custom scheme, use value "kaudit" when files generated by kAudit (for S3)    
+    #s3-custom-scheme: ""                                               # AWS S3 custom scheme, use value "kaudit" when files generated by kAudit (for S3)
 
 ---
 apiVersion: v1

diff --git a/deploy/charts/kaudit/templates/kaudit.yaml b/deploy/charts/kaudit/templates/kaudit.yaml
@@ -72,6 +72,11 @@ spec:
       - name: cert-volume
         secret:
           secretName: kaudit-{{ .Values.clusterName }}-certs
+      {{ if eq .Values.license.enabled true}}
+      - name: entitlement-volume
+        secret:
+          secretName: kaudit-entitlement
+      {{- end }}
       - name: config-volume
         configMap:
             name: kaudit-{{ .Values.clusterName }}
@@ -176,6 +181,11 @@ spec:
           mountPath: /kaudit/integration          
         - name: data-volume
           mountPath: /data
+        {{ if eq .Values.license.enabled true}}
+        - name: entitlement-volume
+          mountPath: /kaudit/entitlement
+          readOnly: true
+        {{- end }}
         ports:
           - containerPort: 8443
             protocol: TCP

diff --git a/deploy/charts/kaudit/templates/secret.yaml b/deploy/charts/kaudit/templates/secret.yaml
@@ -172,3 +172,20 @@ webhooks:
   # admission failure handling: Fail to reject API request on error/failure, Ignore to allow it
   failurePolicy: Ignore
 {{- end }}
+
+{{ if eq .Values.license.enabled true}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kaudit-entitlement
+  namespace: {{ .Values.namespace }}
+  labels:
+    app: kaudit
+type: Opaque
+data:
+  # Alcide customer ID
+  customer-id: {{ .Values.license.customerId | b64enc | quote }}
+  # Alcide entitlement
+  entitlement: {{ .Values.license.entitlement | b64enc | quote }}
+{{- end }}
diff --git a/deploy/charts/kaudit/templates/service_account.yaml b/deploy/charts/kaudit/templates/service_account.yaml
@@ -7,3 +7,7 @@ metadata:
   labels:
     app: kaudit
     app-name: kaudit-{{ .Values.clusterName }}
+  {{ if .Values.aws.serviceAccountRoleArn }}
+  annotations:
+    eks.amazonaws.com/role-arn: "{{ .Values.aws.serviceAccountRoleArn }}"
+  {{ end }}
diff --git a/deploy/charts/kaudit/templates/testing_values/only_one_provider_is_used.yaml b/deploy/charts/kaudit/templates/testing_values/only_one_provider_is_used.yaml
@@ -0,0 +1,21 @@
+{{ $aksIsEnabled := (eq .Values.aks.enabled  true) }}
+{{ $gkeIsEnabled := (eq .Values.gke.enabled  true) }}
+{{ $eksIsEnabled := (eq .Values.aws.enabled  true) }}
+{{ $aksIsUsed    := and (eq .Values.k8sAuditEnvironment "aks") (eq $aksIsEnabled  true) }}
+{{ $gkeIsUsed    := and (eq .Values.k8sAuditEnvironment "gke") (eq $gkeIsEnabled  true) }}
+{{ $eksIsUsed    := and (eq .Values.k8sAuditEnvironment "eks") (eq $eksIsEnabled  true) }}
+{{ $s3IsUsed     := and (eq .Values.k8sAuditEnvironment "s3")   (eq .Values.aws.enabled  true) }}
+
+{{ $enabledCount := add ($aksIsEnabled | int) ($gkeIsEnabled | int) ($eksIsUsed | int)   }}
+# Debug: Number of cloud provers being used: {{ $enabledCount | toString |  printf "%q"}}
+{{ if gt $enabledCount 1  }}
+  {{ fail "Only one cloud provider can be used!" }}
+{{ else if eq $enabledCount 1 }}
+  {{ if eq .Values.k8sAuditEnvironment "k8s" }}
+  {{ fail "k8sAuditEnvironment of 'k8s' can't ne used with a cloud provider enabled!" }}
+  {{ end }}
+{{ else }}
+  {{ if not (eq .Values.k8sAuditEnvironment "k8s") }}
+  {{ fail "You have to setup at least one cloud provider as enabled or k8 as the k8sAuditEnvironment!" }}
+  {{ end }}
+{{ end }}
diff --git a/deploy/charts/kaudit/values.schema.json b/deploy/charts/kaudit/values.schema.json
@@ -0,0 +1,165 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema",
+  "required": [
+    "namespace",
+    "clusterName",
+    "image",
+    "tls",
+    "k8sAuditEnvironment",
+    "kauditPolicyFile",
+    "kauditIntegrationsFile",
+    "runOptions",
+    "ingress",
+    "storage",
+    "resources",
+    "aks",
+    "gke",
+    "aws",
+    "k8s",
+    "license"
+  ],
+  "properties": {
+    "image": {
+      "required": [
+        "source","kaudit", "pullPolicy", "pullSecretToken"
+      ],
+      "properties": {
+        "Sales": {
+          "type": "string"
+        },
+        "kaudit": {
+          "type": "string"
+        },
+        "pullPolicy": {
+          "type": "string"
+        },
+        "pullSecretToken": {
+          "type": "string"
+        }
+      }
+    },
+    "tls": {
+      "required": [
+        "mode","selfSigned"
+      ],
+      "properties": {
+        "mode": {
+          "type": "string",
+          "enum": ["self-signed" , "external"]
+        },
+        "selfSigned": {
+          "type": "object"
+        }
+      }
+    },
+    "storage": {
+      "required": [
+        "size"
+      ],
+      "properties": {
+        "className": {
+          "type": "string"
+        },
+        "size": {
+          "type": "string"
+        }
+      }
+    },
+    "resources": {
+      "required": [
+        "javaXmX",
+        "memoryRequest",
+        "cpuRequest",
+        "memoryLimit",
+        "cpuLimit"
+      ],
+      "properties": {
+        "javaXmX": {
+          "type": "string"
+        },
+        "memoryRequest": {
+          "type": "string"
+        },
+        "cpuRequest": {
+          "type": "string"
+        },
+        "memoryLimit": {
+          "type": "string"
+        },
+        "cpuLimit": {
+          "type": "string"
+        }
+      }
+    },
+    "aks": {
+      "type": "object",
+      "required": [
+        "enabled"
+      ],
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      }
+    },
+    "gke": {
+      "type": "object",
+      "required": [
+        "enabled"
+      ],
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      }
+    },
+    "aws": {
+      "type": "object",
+      "required": [
+        "enabled",
+        "kinesisStreamName",
+        "region"
+      ],
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        },
+        "kinesisStreamName": {
+          "type": "string"
+        },
+        "region": {
+          "type": "string"
+        }
+      }
+    },
+    "k8s": {
+      "type": "object",
+      "required": [
+        "mode"
+      ],
+      "properties": {
+        "mode": {
+          "type": "string",
+          "enum": ["webhook" , "auditsink"]
+        }
+      }
+    },
+    "license" : {
+      "type": "object",
+      "required": [
+        "enabled", "customerId", "entitlement"
+      ],
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        },
+        "customerId": {
+          "type": "string"
+        },
+        "entitlement": {
+          "type": "string"
+        }
+      }
+    }
+  }
+}
diff --git a/deploy/charts/kaudit/values.yaml b/deploy/charts/kaudit/values.yaml
@@ -1,10 +1,10 @@
-namespace: alcide-kaudit
-clusterName: mycluster
+namespace: kaudit
+clusterName: my-cluster
 image:
   source: Sales
-  kaudit: "gcr.io/dcvisor-162009/alcide/dcvisor/kaudit:latest"
+  kaudit: "gcr.io/dcvisor-162009/alcide/dcvisor/kaudit-testing:license-test"
   pullPolicy: Always #Always for :latest or no tag, IfNotPresent for other tags
-  pullSecretToken: GetYourTokenFromAlcide
+  pullSecretToken:
 
 tls:
   # self-signed | external
@@ -17,7 +17,7 @@ tls:
     alternativeNames: [] #["kaudit.yourdomain.io"]
 
 
-k8sAuditEnvironment:  k8s # Audit Logs Source - one of: k8s, gke, aks, eks, s3
+k8sAuditEnvironment:  eks # Audit Logs Source - one of: k8s, gke, aks, eks, s3
 
 # Customise Alcide kAudit Policy
 kauditPolicyFile: kaudit-policy/default-policy.yaml
@@ -57,7 +57,7 @@ ingress:
 #  AKS: "managed-premium" or default
 #  "local-storage" (a configured StorageClass, see above, as well as related toleration/affinity configuration below)
 storage:
-  className:
+  className: ""
   size: 100Gi
 
 resources:
@@ -70,26 +70,33 @@ resources:
 
 # Azure
 aks:
+  enabled : false
   eventHubName: ""              # Azure EventHubName name (for AKS). If using a non-default ConsumerGroup ($Default), configure it in 'consumer-group-name'.
   eventHubconnectionString: ""  # Azure EventHub connection string (for AKS)
   consumerGroupName: ""         # Azure EventHubName ConsumerGroup name (for AKS), if using a non-default ConsumerGroup (i.e. \$Default).
 
 # GCP
 gke:
+  enabled : false
   projectId: ""                 # GKE-project (for GKE)
   pubsubSubscriptionId: ""      # GKE PubSub subscription ID (only if consuming audit logs via PubSub instead of StackDriver)
   token: ""
   storageType: "pd-ssd"  # Or pd-standard
 
 # EKS or S3
 aws:
+  enabled : true
   kinesisStreamName: ""  # AWS Kinesis stream name (for EKS)
-  region: ""             # AWS Kinesis stream region (for EKS and S3)
+  region:            ""          # AWS Kinesis stream region (for EKS and S3)
+
   accessKeyId: ""        # AWS Kinesis stream credentials (for EKS and S3)
   secretAccessKey: ""
+  serviceAccountRoleArn: "" # Can be used instead of (accessKeyId + secretAccessKey)
+
   s3BucketName: ""       # AWS S3 bucket name (for S3)
   s3ResourceKeyPrefix: "" # AWS S3 logs resources keys prefix (for S3)
 
+
 k8s:
   # webhook or auditsink
   mode: "auditsink"
@@ -98,7 +105,7 @@ alcide:
   token:
 
 prometheus:
-  token:  
+  token:
 
 #
 # Vault 
@@ -132,4 +139,11 @@ vault:
   mode: "none" # none | vault | agent-inject
   # For "vault" mode this parameter is required
   vaultServer: "http://vault.demo:8200" 
-  image: "vault:1.3.2"
+  image: "vault:1.3.2"
+
+
+license:
+  enabled : true
+  customerId : ""
+  entitlement: ""
+