From efc9d51d28c2849483f9c42b367803cb02bd3f6e Mon Sep 17 00:00:00 2001
From: Katie Hooley
Date: Wed, 31 Jan 2024 11:51:39 -0500
Subject: [PATCH 1/4] update codeowners to just sudo (#112)

---
 CODEOWNERS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CODEOWNERS b/CODEOWNERS
index 9af94ec..2144184 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1 +1 @@
-* @CloudHealth/team-cheapsk8s @Cloudhealth/team-sudo
+* @Cloudhealth/team-sudo

From 279d1186ec0cd4fe6df05a1f4a87994e9cd6c2c6 Mon Sep 17 00:00:00 2001
From: Govind Mudumbai <87672958+gm-cht@users.noreply.github.com>
Date: Mon, 26 Feb 2024 20:28:18 -0500
Subject: [PATCH 2/4] [SDO-2806] Support proxy on CH Agent (#113)

* Add Truststore support
* Make secret optional
* Update chart minor version
* Better Name for initContainer
* Make Truststore password same as cert
---
 charts/cloudhealth-collector/Chart.yaml | 2 +-
 .../templates/deployment.yaml | 28 +++++++++++++++++++
 .../templates/secrets.yaml | 3 ++
 charts/cloudhealth-collector/values.yaml | 8 ++++++
 4 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/charts/cloudhealth-collector/Chart.yaml b/charts/cloudhealth-collector/Chart.yaml
index 7e31278..f0e1baf 100644
--- a/charts/cloudhealth-collector/Chart.yaml
+++ b/charts/cloudhealth-collector/Chart.yaml
@@ -5,7 +5,7 @@ apiVersion: v2
 name: cloudhealth-collector
 description: A Helm chart for CloudHealth's Kubernetes Collector Agent
 type: application
-version: 4.4.1
+version: 4.5.0
 appVersion: "5.2.0"
 home: https://cloudhealth.vmware.com/
 icon: https://d1fto35gcfffzn.cloudfront.net/images/Tanzu-Logomark.svg
diff --git a/charts/cloudhealth-collector/templates/deployment.yaml b/charts/cloudhealth-collector/templates/deployment.yaml
index 528c72f..cb15d6e 100644
--- a/charts/cloudhealth-collector/templates/deployment.yaml
+++ b/charts/cloudhealth-collector/templates/deployment.yaml
@@ -32,6 +32,26 @@ spec:
 securityContext: {{- toYaml . | nindent 8 }}
 {{- end }}
 priorityClassName: {{ .Values.priorityClassName }}
+ {{- if .Values.proxy.sslCert }}
+ initContainers:
+ - name: "{{ .Chart.Name }}-pem-to-truststore"
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ env:
+ - name: ca_bundle
+ value: {{ .Values.proxy.caBundlePath }}
+ - name: truststore_jks
+ value: {{ .Values.proxy.truststorePath }}
+ - name: truststore_pwd
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "cloudhealth-collector.secretName" . }}
+ key: certPassword
+ command: ['/bin/bash']
+ args: ['-c', "csplit -z -f crt- $ca_bundle '/-----BEGIN CERTIFICATE-----/' '{*}' && for file in crt-*; do keytool -import -noprompt -keystore $truststore_jks -file $file -storepass $truststore_pwd -alias service-$file; done"]
+ volumeMounts:
+ - name: truststore-volume
+ mountPath: /etc/ssl/certs
+ {{- end }}
 containers:
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -69,6 +89,10 @@ spec:
 value: {{ .Values.collectionIntervalSecs | quote }}
 - name: CHT_JVM_MEM
 value: {{ .Values.jvmMemory }}
+ {{- if .Values.proxy.sslCert }}
+ - name: JAVA_OPTS
+ value: {{ .Values.proxy.params }}
+ {{- end }}
 {{- range .Values.customEnvVars}}
 - name: {{ .name }}
 value: {{ .value }}
@@ -101,4 +125,8 @@ spec:
 volumes:
 - name: tmpfs
 emptyDir: {}
+ {{- if .Values.proxy.sslCert }}
+ - name: truststore-volume
+ emptyDir: {}
+ {{- end }}
 {{- end }}
diff --git a/charts/cloudhealth-collector/templates/secrets.yaml b/charts/cloudhealth-collector/templates/secrets.yaml
index aa003d8..9d2a832 100644
--- a/charts/cloudhealth-collector/templates/secrets.yaml
+++ b/charts/cloudhealth-collector/templates/secrets.yaml
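Review bot: The `args` line passes the truststore password to keytool as a command-line argument (`-storepass $truststore_pwd`), so after shell expansion it sits in keytool's argv, readable through the process list or `/proc/<pid>/cmdline` by anything sharing the pod's PID namespace or a node-level debugger; keytool's `-storepass:env truststore_pwd` form reads it from the environment instead and keeps it out of argv. The same one-liner runs the imports in a `for` loop without `set -e`, so a failing `keytool -import` for one certificate does not fail the init container (the loop's status is that of its last command) and the collector starts with a partial truststore. The `value: {{ .Values.proxy.caBundlePath }}` and `truststorePath` lines inject unquoted templated scalars; `| quote` would guard them against empty or YAML-special values. Nothing in this hunk mounts the PEM bundle at `caBundlePath` into the init container or `truststore-volume` into the main container — presumably handled elsewhere — but the `emptyDir` mounted at `/etc/ssl/certs` shadows the image's own CA directory for that container, which deserves a comment.
```yaml
          command: ['/bin/bash', '-c']
          args:
            - |
              set -euo pipefail
              csplit -z -f crt- "$ca_bundle" '/-----BEGIN CERTIFICATE-----/' '{*}'
              for file in crt-*; do
                keytool -import -noprompt -keystore "$truststore_jks" -file "$file" \
                  -storepass:env truststore_pwd -alias "service-$file"
              done
          # … unchanged: volumeMounts …
```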
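Review bot: `value: {{ .Values.proxy.params }}` lands the full JVM option string in the pod spec in clear text, and the example in values.yaml includes `-Djavax.net.ssl.trustStorePassword=...`, so the same password the init container reads from the chart's Secret would also be readable by anyone allowed to `get pods` or `get deployments`. Kubernetes expands `$(VAR)` references to env entries defined earlier in the same container, so the password can be injected once through a `secretKeyRef` env var (for example `TRUSTSTORE_PWD`) and referenced from `JAVA_OPTS` as `-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PWD)`; the `$PROXY_SERVER`-style references in the values example are not expanded by Kubernetes at all unless the image's entrypoint passes them through a shell, which this chart cannot verify. The value should also be rendered with `| quote`, as the `collectionIntervalSecs` line at the top of this hunk is, since a params string containing `: ` or ` #` would otherwise break the rendered YAML. The enclosing env list starts before this hunk.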
@@ -13,4 +13,7 @@ metadata:
 type: Opaque
 data:
 apiToken: {{ .Values.apiToken | b64enc | quote }}
+ {{- if .Values.proxy.sslCert }}
+ certPassword: {{ .Values.proxy.certPassword | quote }}
+ {{- end }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/cloudhealth-collector/values.yaml b/charts/cloudhealth-collector/values.yaml
index 646f313..0b4d2bc 100644
--- a/charts/cloudhealth-collector/values.yaml
+++ b/charts/cloudhealth-collector/values.yaml
@@ -65,6 +65,14 @@ containerSecurityContext: {
 capabilities: {drop: [all]}
 }
+proxy:
+ sslCert: false
+ #-Dhttps.proxyHost=$PROXY_SERVER -Dhttps.proxyPort=$PROXY_PORT -Dhttps.nonProxyHosts=kubernetes.default.svc -Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit
+ params: ""
+ certPassword: ""
+ caBundlePath: "/etc/ssl/certs/bundle.pem"
+ truststorePath: "/etc/ssl/certs/truststore.jks"
+
 resources:
 limits:
 cpu: 1000m

From b935d3448e44548bc8201be7537c58279ba925ff Mon Sep 17 00:00:00 2001
From: Govind Mudumbai <87672958+gm-cht@users.noreply.github.com>
Date: Fri, 8 Mar 2024 10:19:49 -0500
Subject: [PATCH 3/4] Add Permissions for New Resources (#116)

---
 charts/cloudhealth-collector/Chart.yaml | 4 ++--
 charts/cloudhealth-collector/templates/clusterrole.yaml | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/charts/cloudhealth-collector/Chart.yaml b/charts/cloudhealth-collector/Chart.yaml
index f0e1baf..ed1250d 100644
--- a/charts/cloudhealth-collector/Chart.yaml
+++ b/charts/cloudhealth-collector/Chart.yaml
@@ -5,8 +5,8 @@ apiVersion: v2
 name: cloudhealth-collector
 description: A Helm chart for CloudHealth's Kubernetes Collector Agent
 type: application
-version: 4.5.0
-appVersion: "5.2.0"
+version: 4.6.0
+appVersion: "6.0.0"
 home: https://cloudhealth.vmware.com/
 icon: https://d1fto35gcfffzn.cloudfront.net/images/Tanzu-Logomark.svg
 sources:
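Review bot: `certPassword: {{ .Values.proxy.certPassword | quote }}` goes under `data:` without `b64enc`, unlike the `apiToken` line directly above it; Secret `data` values must be base64, so the API server rejects a plain password on apply, and a password that happens to be valid base64 is silently decoded into a different byte string than the one the init container's `secretKeyRef` then hands to keytool. Change it to `certPassword: {{ .Values.proxy.certPassword | b64enc | quote }}` (or move it to a `stringData:` section, which takes the plain value). The enclosing template starts before this hunk.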
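Review bot: `certPassword: ""` is the default although the init container wired up in this series reads that key from the Secret whenever `sslCert` is true, and keytool rejects keystore passwords shorter than six characters, so the empty default fails at pod start rather than at render time; a comment here stating the constraint — `# required when sslCert is true; keytool needs at least 6 characters` — or a `required` call in the template would surface it earlier. The example in the commented-out `params` line carries `-Djavax.net.ssl.trustStorePassword=changeit`, which invites users to put the real password into a committed values file; it would be safer for the example to reference a Secret-backed env var and note that `certPassword` is the single source of that value. The comment also needs a space after `#` (`# -Dhttps.proxyHost=...`) to satisfy yamllint's `comments` rule.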
diff --git a/charts/cloudhealth-collector/templates/clusterrole.yaml b/charts/cloudhealth-collector/templates/clusterrole.yaml
index 7880aa5..ab57d95 100644
--- a/charts/cloudhealth-collector/templates/clusterrole.yaml
+++ b/charts/cloudhealth-collector/templates/clusterrole.yaml
@@ -11,7 +11,7 @@ metadata:
 {{- include "cloudhealth-collector.labels" . | nindent 4 }}
 rules:
 - apiGroups: [""]
- resources: ["pods", "nodes", "namespaces", "services", "resourcequotas", "limitranges"]
+ resources: ["pods", "nodes", "namespaces", "services", "resourcequotas", "limitranges", "persistentvolumes", "persistentvolumeclaims"]
 verbs: ["get", "list"]
 - apiGroups: ["metrics.k8s.io"]
 resources: ["pods", "nodes"]
@@ -22,3 +22,6 @@ rules:
 - apiGroups: ["batch"]
 resources: ["cronjobs", "jobs"]
 verbs: ["get", "list"]
+- apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list"]

From 8b53c9c2b971933ef038e1f6ec9cbcfdec91906d Mon Sep 17 00:00:00 2001
From: Govind Mudumbai <87672958+gm-cht@users.noreply.github.com>
Date: Mon, 11 Mar 2024 10:56:04 -0400
Subject: [PATCH 4/4] [ENG-50657] Upgrade for Security Vulnerabilities (#117)

* Update Helm chart with latest image
* Format CVEs
* Fix Sorting of CVEs
* Update Upper version of kubernetes tested
* Improve ReadMe
---
 README.md | 8 ++---
 charts/cloudhealth-collector/Chart.yaml | 4 +--
 charts/cloudhealth-collector/values.yaml | 2 +-
 cloudhealth-collector-image-docs/CHANGELOG.md | 30 ++++++++++++++++++-
 4 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 7cb643f..6f2bd37 100644
--- a/README.md
+++ b/README.md
@@ -25,18 +25,18 @@ Use the helm chart to deploy the CloudHealth Collector into each [Kubernetes](ht
 ## Installing the Chart
-To install the chart with the release name `cloudhealth-collector`, run the following command:
+To install the chart with the release name `cloudhealth-collector` in a particular namespace `` (create if it does not exist), run the following commands:
 ```console
 $ helm repo add cloudhealth https://cloudhealth.github.io/helm/
-$ helm install cloudhealth-collector --set apiToken=,clusterName=,chtEndpointPrefix= cloudhealth/cloudhealth-collector
+$ helm install cloudhealth-collector -n --create-namespace --set apiToken=,clusterName=,chtEndpointPrefix= cloudhealth/cloudhealth-collector --debug
 ```
-To install the chart with the release name `cloudhealth-collector` in a particular namespace ``, run the following commands:
+To install the chart with the release name `cloudhealth-collector` in `default` namespace, run the following command:
 ```console
 $ helm repo add cloudhealth https://cloudhealth.github.io/helm/
-$ helm install cloudhealth-collector -n --set apiToken=,clusterName=,chtEndpointPrefix= cloudhealth/cloudhealth-collector
+$ helm install cloudhealth-collector --set apiToken=,clusterName=,chtEndpointPrefix= cloudhealth/cloudhealth-collector
 ```
 The `apiToken` is required for `cloudhealth-collector` to work and should be either set while running helm install command as in the example above or in a secret object with the following data structure:
diff --git a/charts/cloudhealth-collector/Chart.yaml b/charts/cloudhealth-collector/Chart.yaml
index ed1250d..b4f8a0b 100644
--- a/charts/cloudhealth-collector/Chart.yaml
+++ b/charts/cloudhealth-collector/Chart.yaml
@@ -5,8 +5,8 @@ apiVersion: v2
 name: cloudhealth-collector
 description: A Helm chart for CloudHealth's Kubernetes Collector Agent
 type: application
-version: 4.6.0
-appVersion: "6.0.0"
+version: 4.6.1
+appVersion: "7.0.0"
 home: https://cloudhealth.vmware.com/
 icon: https://d1fto35gcfffzn.cloudfront.net/images/Tanzu-Logomark.svg
 sources:
diff --git a/charts/cloudhealth-collector/values.yaml b/charts/cloudhealth-collector/values.yaml
index 0b4d2bc..29d1fb6 100644
--- a/charts/cloudhealth-collector/values.yaml
+++ b/charts/cloudhealth-collector/values.yaml
@@ -27,7 +27,7 @@ jvmMemory: "-Xmx891M"
 image:
 repository: cloudhealth/container-collector
- tag: "1423"
+ tag: "1458"
 imagePullSecrets: []
 nameOverride: ""
diff --git a/cloudhealth-collector-image-docs/CHANGELOG.md b/cloudhealth-collector-image-docs/CHANGELOG.md
index 91d5443..e84815b 100644
--- a/cloudhealth-collector-image-docs/CHANGELOG.md
+++ b/cloudhealth-collector-image-docs/CHANGELOG.md
@@ -5,11 +5,39 @@ All notable changes for each upgraded tag of the CloudHealth Container Collector
 The agent has been verified against:
 [Kubernetes Versions ≥ 1.12](https://kubernetes.io/releases/)
-[Kubernetes Versions ≤ 1.26](https://kubernetes.io/releases/)
+[Kubernetes Versions ≤ 1.29](https://kubernetes.io/releases/)
 [OC Version ≥ 4.1](https://docs.openshift.com/container-platform)
 All versions before June 20, 2022 have been deprecated.
+## [1458] - 2024-03-11
+
+### Added
+
+* PersistentVolumes, PersistentVolumeClaims, Ingress and Service collected to prepare for comprehensive Kubernetes Cost Calculation
+
+### Security
+
+* Vulnerabilities patched:
+ * [CVE-2023-0767](https://avd.aquasec.com/nvd/cve-2023-0767)
+ * [CVE-2023-3320](https://avd.aquasec.com/nvd/cve-2023-3320)
+ * [CVE-2023-4641](https://avd.aquasec.com/nvd/cve-2023-4641)
+ * [CVE-2023-5981](https://avd.aquasec.com/nvd/cve-2023-5981)
+ * [CVE-2023-6246](https://avd.aquasec.com/nvd/cve-2023-6246)
+ * [CVE-2023-6779](https://avd.aquasec.com/nvd/cve-2023-6779)
+ * [CVE-2023-6780](https://avd.aquasec.com/nvd/cve-2023-6780)
+ * [CVE-2023-7104](https://avd.aquasec.com/nvd/cve-2023-7104)
+ * [CVE-2023-29383](https://avd.aquasec.com/nvd/cve-2023-29383)
+ * [CVE-2023-33201](https://avd.aquasec.com/nvd/cve-2023-33201)
+ * [CVE-2023-33202](https://avd.aquasec.com/nvd/cve-2023-33202)
+ * [CVE-2023-48795](https://avd.aquasec.com/nvd/cve-2023-48795)
+ * [CVE-2023-52425](https://avd.aquasec.com/nvd/cve-2023-52425)
+ * [CVE-2023-52426](https://avd.aquasec.com/nvd/cve-2023-52426)
+ * [CVE-2024-0553](https://avd.aquasec.com/nvd/cve-2024-0553)
+ * [CVE-2024-0567](https://avd.aquasec.com/nvd/cve-2024-0567)
+ * [CVE-2024-0727](https://avd.aquasec.com/nvd/cve-2024-0727)
+ * [CVE-2024-22365](https://avd.aquasec.com/nvd/cve-2024-22365)
+
 ## [1423] - 2023-12-14
 ### Added