fix argoCD and provide application yaml

Signed-off-by: Matthias Bertschy <[email protected]>

ArgoCDApplication.yaml

@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kubescape
+spec:
+  destination:
+    name: ''
+    namespace: kubescape
+    server: 'https://kubernetes.default.svc' # change to your server
+  source:
+    path: charts/kubescape-operator
+    repoURL: 'https://github.com/kubescape/helm-charts'
+    targetRevision: argo
+    helm:
+      valueFiles:
+        - values.yaml
+      parameters:
+        - name: account
+          value: '9e6c0c2c-6bd0-4919-815b-55030de7c9a0' # add account ID
+        - name: clusterName
+          value: 'kind-kind' # add cluster name
+        - name: server
+          value: 'api.armosec.io'
+  project: default
+  syncPolicy:
+    syncOptions:
+      - PruneLast=true
+      - CreateNamespace=true
+      - RespectIgnoreDifferences=true
+  ignoreDifferences:
+    - group: core
+      kind: ConfigMap
+      name: ks-cloud-config
+      namespace: kubescape
+      jsonPointers:
+        - /data
+        - /metadata

charts/kubescape-operator/templates/configs/cloudapi-configmap.yaml

@@ -7,6 +7,14 @@ metadata:
   labels:
     app: {{ .Values.global.cloudConfig }}
     tier: {{ .Values.global.namespaceTier }}
+  {{- if $components.serviceDiscovery.enabled }}
+  annotations:
+    "argocd.argoproj.io/sync-options": Delete=false
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": before-hook-creation
+    "helm.sh/resource-policy": keep
+  {{- end }}
 data:
   {{- if $components.serviceDiscovery.enabled }}
   metrics: '{{ .Values.serviceDiscovery.metrics }}'

charts/kubescape-operator/templates/gateway/deployment.yaml

@@ -44,16 +44,6 @@ spec:
       securityContext:
         runAsUser: 65532
         fsGroup: 65532
-      {{- if $components.serviceDiscovery.enabled }}
-      initContainers:
-      - name: wait-for-cloud-config
-        image: "{{ .Values.serviceDiscovery.configMapCheck.image.repository }}:{{ .Values.serviceDiscovery.configMapCheck.image.tag }}"
-        imagePullPolicy: {{ .Values.serviceDiscovery.configMapCheck.image.pullPolicy }}
-        command: ["/bin/sh", "-c"]
-        args:
-          - |
-            while true; do result=$(kubectl get configmap "{{ .Values.global.cloudConfig }}" -n "{{ .Values.ksNamespace }}" -o jsonpath='{.data.services}'); if [ -z "$result" ]; then sleep 5; else sleep 5 && break; fi; done
-      {{- end }}
       containers:
         - name: {{ .Values.gateway.name }}
           image: "{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag }}"
@@ -154,13 +144,7 @@ spec:
 {{- if .Values.gateway.volumes }}
 {{ toYaml .Values.gateway.volumes | indent 8 }}
 {{- end }}
-      # service discovery init container
-      {{- if $components.serviceDiscovery.enabled }}
-      serviceAccountName: {{ .Values.gateway.name }}
-      automountServiceAccountToken: true
-      {{- else }}
       automountServiceAccountToken: false
-      {{- end }}
       {{- with .Values.gateway.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/kubescape-operator/templates/kollector/statefulset.yaml

@@ -37,16 +37,6 @@ spec:
       imagePullSecrets:
       - name: {{ toYaml .Values.imagePullSecrets }}
       {{- end }}
-      {{- if $components.serviceDiscovery.enabled }}
-      initContainers:
-      - name: wait-for-cloud-config
-        image: "{{ .Values.serviceDiscovery.configMapCheck.image.repository }}:{{ .Values.serviceDiscovery.configMapCheck.image.tag }}"
-        imagePullPolicy: {{ .Values.serviceDiscovery.configMapCheck.image.pullPolicy }}
-        command: ["/bin/sh", "-c"]
-        args:
-          - |
-            while true; do result=$(kubectl get configmap "{{ .Values.global.cloudConfig }}" -n "{{ .Values.ksNamespace }}" -o jsonpath='{.data.services}'); if [ -z "$result" ]; then sleep 5; else sleep 5 && break; fi; done
-      {{- end }}
       containers:
         - name: {{ .Values.kollector.name }}
           image: "{{ .Values.kollector.image.repository }}:{{ .Values.kollector.image.tag }}"

charts/kubescape-operator/templates/kubescape/deployment.yaml

@@ -54,16 +54,6 @@ spec:
       securityContext:
         runAsUser: 65532
         fsGroup: 65532
-      {{- if $components.serviceDiscovery.enabled }}
-      initContainers:
-      - name: wait-for-cloud-config
-        image: "{{ .Values.serviceDiscovery.configMapCheck.image.repository }}:{{ .Values.serviceDiscovery.configMapCheck.image.tag }}"
-        imagePullPolicy: {{ .Values.serviceDiscovery.configMapCheck.image.pullPolicy }}
-        command: ["/bin/sh", "-c"]
-        args:
-          - |
-            while true; do result=$(kubectl get configmap "{{ .Values.global.cloudConfig }}" -n "{{ .Values.ksNamespace }}" -o jsonpath='{.data.services}'); if [ -z "$result" ]; then sleep 5; else sleep 5 && break; fi; done
-      {{- end }}
       containers:
       - name: kubescape
         image: "{{ .Values.kubescape.image.repository }}:{{ .Values.kubescape.image.tag }}"

charts/kubescape-operator/templates/kubevuln/deployment.yaml

@@ -43,16 +43,6 @@ spec:
       securityContext:
         runAsUser: 65532
         fsGroup: 65532
-      {{- if $components.serviceDiscovery.enabled }}
-      initContainers:
-      - name: wait-for-cloud-config
-        image: "{{ .Values.serviceDiscovery.configMapCheck.image.repository }}:{{ .Values.serviceDiscovery.configMapCheck.image.tag }}"
-        imagePullPolicy: {{ .Values.serviceDiscovery.configMapCheck.image.pullPolicy }}
-        command: ["/bin/sh", "-c"]
-        args:
-          - |
-            while true; do result=$(kubectl get configmap "{{ .Values.global.cloudConfig }}" -n "{{ .Values.ksNamespace }}" -o jsonpath='{.data.services}'); if [ -z "$result" ]; then sleep 5; else sleep 5 && break; fi; done
-      {{- end }}
       containers:
         - name: {{ .Values.kubevuln.name }}
           image: "{{ .Values.kubevuln.image.repository }}:{{ .Values.kubevuln.image.tag }}"

charts/kubescape-operator/templates/operator/deployment.yaml

@@ -46,38 +46,6 @@ spec:
       securityContext:
         runAsUser: 65532
         fsGroup: 65532
-      {{- if $components.serviceDiscovery.enabled }}
-      initContainers:
-        - name: {{ .Values.serviceDiscovery.urlDiscovery.name }}
-          image: "{{ .Values.serviceDiscovery.urlDiscovery.image.repository }}:{{ .Values.serviceDiscovery.urlDiscovery.image.tag }}"
-          imagePullPolicy: {{ .Values.serviceDiscovery.urlDiscovery.image.pullPolicy }}
-          env:
-          {{- if ne .Values.global.httpsProxy "" }}
-            - name: HTTPS_PROXY
-              value: "{{ .Values.global.httpsProxy }}"
-            - name : no_proxy
-              value: "{{ $no_proxy_envar_list }}"
-          {{- end }}
-          args:
-            - -method=get
-            - -scheme=https
-            - -host={{ .Values.server }}
-            - -path=api/v1/servicediscovery
-            - -path-output=/data/services.json
-          volumeMounts:
-          - name: tmp-dir
-            mountPath: /data
-        - name: {{ .Values.serviceDiscovery.configMapUpdate.name }}
-          image: "{{ .Values.serviceDiscovery.configMapUpdate.image.repository }}:{{ .Values.serviceDiscovery.configMapUpdate.image.tag }}"
-          imagePullPolicy: {{ .Values.serviceDiscovery.configMapUpdate.image.pullPolicy }}
-          command: ["/bin/sh", "-c"]
-          args:
-            - |
-              kubectl create configmap {{ .Values.global.cloudConfig }} --from-literal=metrics=$(jq -r '.response.metrics' /data/services.json) --from-file=services=/data/services.json -n {{ .Values.ksNamespace }} --dry-run=client -o yaml | kubectl apply -f -
-          volumeMounts:
-          - name: tmp-dir
-            mountPath: /data
-      {{- end }}
       containers:
         - name: {{ .Values.operator.name }}
           image: "{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag }}"

charts/kubescape-operator/templates/otel-collector/deployment.yaml

@@ -41,16 +41,6 @@ spec:
       imagePullSecrets:
       - name: {{ toYaml .Values.imagePullSecrets }}
       {{- end }}
-      {{- if $components.serviceDiscovery.enabled }}
-      initContainers:
-      - name: wait-for-cloud-config
-        image: "{{ .Values.serviceDiscovery.configMapCheck.image.repository }}:{{ .Values.serviceDiscovery.configMapCheck.image.tag }}"
-        imagePullPolicy: {{ .Values.serviceDiscovery.configMapCheck.image.pullPolicy }}
-        command: ["/bin/sh", "-c"]
-        args:
-          - |
-            while true; do result=$(kubectl get configmap "{{ .Values.global.cloudConfig }}" -n "{{ .Values.ksNamespace }}" -o jsonpath='{.data.metrics}'); if [ -z "$result" ]; then sleep 5; else sleep 5 && break; fi; done
-      {{- end }}
       containers:
       - name: {{ .Values.otelCollector.name }}
         image: "{{ .Values.otelCollector.image.repository }}:{{ .Values.otelCollector.image.tag }}"
@@ -65,7 +55,7 @@ spec:
             protocol: TCP
         env:
         - name: CLOUD_OTEL_COLLECTOR_URL
-          valueFrom: 
+          valueFrom:
             configMapKeyRef:
               name: {{ .Values.global.cloudConfig }}
               key: metrics
@@ -113,13 +103,7 @@ spec:
 {{- if .Values.otelCollector.volumes }}
 {{ toYaml .Values.otelCollector.volumes | indent 6 }}
 {{- end }}
-      # service discovery init container
-      {{- if $components.serviceDiscovery.enabled }}
-      serviceAccountName: {{ .Values.otelCollector.name }}
-      automountServiceAccountToken: true
-      {{- else }}
       serviceAccountName: default
-      {{- end}}
       {{- with .Values.otelCollector.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}