diff --git a/charts/admission-controller/Chart.yaml b/charts/admission-controller/Chart.yaml
index 02e916961..87dd59c50 100644
--- a/charts/admission-controller/Chart.yaml
+++ b/charts/admission-controller/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: admission-controller
description: Sysdig Admission Controller using Sysdig Secure inline image scanner
type: application
-version: 0.16.3
+version: 0.17.0
appVersion: 3.9.46
home: https://sysdiglabs.github.io/admission-controller/
icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md
index 0870ecec4..7ea746c58 100644
--- a/charts/admission-controller/README.md
+++ b/charts/admission-controller/README.md
@@ -176,6 +176,10 @@ The following table lists the configurable parameters of the `admission-controll
| webhook.denyOnError | Deny request when an error happened evaluating request. | false
|
| webhook.dryRun | Dry Run request | false
|
| webhook.logLevel | Specifies the log level. The valid values are error, info, debug, trace. | info
|
+| webhook.ssl.certManager.enabled | Whether to use cert-manager for certificate management | false
|
+| webhook.ssl.certManager.issuer.group | The group of the existing issuer to use. | cert-manager.io
|
+| webhook.ssl.certManager.issuer.kind | The kind of the existing issuer to use. | ClusterIssuer
|
+| webhook.ssl.certManager.issuer.name | The name of the existing (Cluster)Issuer to use. Required if using cert-manager. | ""
|
| webhook.ssl.reuseTLSSecret | Reuse existing TLS Secret during chart upgrade. | false
|
| webhook.ssl.ca.cert | Used for outbound connections, such as Secure backend and proxy.
Used also for inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded x509 certificate authority. | ""
|
| webhook.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | []
|
diff --git a/charts/admission-controller/templates/_helpers.tpl b/charts/admission-controller/templates/_helpers.tpl
index 0bf82ddb3..159f51a35 100644
--- a/charts/admission-controller/templates/_helpers.tpl
+++ b/charts/admission-controller/templates/_helpers.tpl
@@ -411,7 +411,9 @@ webhooks:
name: {{ include "admissionController.webhook.fullname" . }}
path: /validate
port: {{ .Values.webhook.v2.service.port }}
- caBundle: {{ .Cert }}
+ {{- with .Cert }}
+ caBundle: {{ . }}
+ {{- end }}
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
@@ -453,7 +455,9 @@ webhooks:
name: {{ include "admissionController.webhook.fullname" . }}
path: /allow-pod
port: {{ .Values.webhook.service.port }}
- caBundle: {{ .Cert }}
+ {{- with .Cert }}
+ caBundle: {{ . }}
+ {{- end }}
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
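Review bot: Wrapping `caBundle` in `{{- with .Cert }}` makes an empty certificate silently render a webhook entry with no trust anchor, which is only desirable when cert-manager's cainjector is going to fill it in; in the non-cert-manager path an empty `.Cert` would register the webhook without a CA, and whether the API server then fails open or closed depends on the failurePolicy rendered elsewhere in this template, outside the hunk. Since `.Values` is reachable in this context (`.Values.webhook.service.port` on the line above), the omission can be tied to the feature instead of to emptiness by replacing the closing `{{- end }}` with `{{- else }}{{- if not .Values.webhook.ssl.certManager.enabled }}{{ fail "webhook caBundle is empty and cert-manager is disabled" }}{{- end }}{{- end }}`. The same `with .Cert` change appears in the /validate and /k8s-audit hunks of this file and should be treated the same way. The `webhooks:` entry this belongs to continues outside the hunk.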
@@ -476,7 +480,9 @@ webhooks:
name: {{ include "admissionController.webhook.fullname" . }}
path: /k8s-audit
port: {{ .Values.webhook.service.port }}
- caBundle: {{ .Cert }}
+ {{- with .Cert }}
+ caBundle: {{ . }}
+ {{- end }}
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
diff --git a/charts/admission-controller/templates/webhook/admissionregistration.yaml b/charts/admission-controller/templates/webhook/admissionregistration.yaml
index 13e68f2a2..e100966c2 100644
--- a/charts/admission-controller/templates/webhook/admissionregistration.yaml
+++ b/charts/admission-controller/templates/webhook/admissionregistration.yaml
@@ -1,3 +1,19 @@
+{{- if .Values.webhook.ssl.certManager.enabled }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: {{ include "admissionController.namespace" . }}/{{ include "admissionController.webhook.fullname" . }}
+ helm.sh/hook: "post-install, post-upgrade"
+ meta.helm.sh/release-name: {{ .Release.Name }}
+ meta.helm.sh/release-namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/managed-by: Helm
+ name: {{ include "admissionController.webhook.fullname" . }}
+ namespace: {{ include "admissionController.namespace" . }}
+{{- include "admissionController.webhookTemplate" . }}
+{{- else }}
{{/*
We need to put all resources that need certificate or CA Bundle together,
so the template is executed just once
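Review bot: Rendering the cert-manager variant with `helm.sh/hook: "post-install, post-upgrade"` takes the ValidatingWebhookConfiguration out of the release's managed objects: Helm does not remove hook resources on `helm uninstall` and no `helm.sh/hook-delete-policy` is set, so the webhook registration would outlive the Service it points at, and whether admissions are then rejected or ignored depends on the failurePolicy produced by `admissionController.webhookTemplate`, which is not visible in this hunk. The hand-written `meta.helm.sh/release-name`/`meta.helm.sh/release-namespace` annotations and `app.kubernetes.io/managed-by: Helm` label presumably exist so a later non-hook render can adopt the object; that intent and the uninstall consequence are not stated anywhere. Suggest a template comment above the `if`, e.g. `{{/* cert-manager path: created as a post-install/post-upgrade hook so cainjector can populate caBundle after the Certificate exists; hook resources are not deleted by helm uninstall */}}`. The `{{- else }}` branch opened on the last added line is closed in the second hunk of this file.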
@@ -38,3 +54,4 @@ data:
tls.crt: {{ $certList._0 }}
tls.key: {{ $certList._1 }}
ca.crt: {{ $certList._2 }}
+{{- end }}
diff --git a/charts/admission-controller/templates/webhook/certificate.yaml b/charts/admission-controller/templates/webhook/certificate.yaml
new file mode 100644
index 000000000..e891a1f5a
--- /dev/null
+++ b/charts/admission-controller/templates/webhook/certificate.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.webhook.ssl.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ labels:
+ {{- include "admissionController.webhook.labels" . | nindent 4 }}
+ name: {{ include "admissionController.webhook.fullname" . }}
+ namespace: {{ include "admissionController.namespace" . }}
+spec:
+ dnsNames:
+ - {{ include "admissionController.webhook.fullname" . }}
+ - {{ include "admissionController.webhook.fullname" . }}.{{ include "admissionController.namespace" . }}.svc
+ issuerRef:
+ {{- with .Values.webhook.ssl.certManager.issuer.group }}
+ group: {{ . }}
+ {{- end }}
+ {{- with .Values.webhook.ssl.certManager.issuer.kind }}
+ kind: {{ . }}
+ {{- end }}
+ {{- with .Values.webhook.ssl.certManager.issuer.name }}
+ name: {{ . }}
+ {{- end }}
+ secretName: {{ include "admissionController.webhook.fullname" . }}-tls
+{{- end }}
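Review bot: `issuerRef.name` is only emitted inside `{{- with .Values.webhook.ssl.certManager.issuer.name }}`, so with the default `""` from values.yaml the chart renders a Certificate with no issuer name and the mistake surfaces only when cert-manager rejects the object, not at template time. The values comment already calls the field required, so enforce it here: `name: {{ required "webhook.ssl.certManager.issuer.name must be set when webhook.ssl.certManager.enabled is true" .Values.webhook.ssl.certManager.issuer.name }}` in place of the `with` block. The `dnsNames` of `<name>` and `<name>.<ns>.svc` match how the API server dials a service-backed webhook, but nothing in this diff shows the webhook server consuming the `<name>-tls` Secret from `secretName`; if the Deployment still mounts the chart-generated secret, the served certificate will not chain to the CA that `inject-ca-from` installs, so confirm against the deployment template.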
diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml
index b099ce2d9..ede2fc2b3 100644
--- a/charts/admission-controller/values.yaml
+++ b/charts/admission-controller/values.yaml
@@ -300,6 +300,14 @@ webhook:
logLevel: info
ssl:
+ certManager:
+ # Use cert-manager for certificate management
+ enabled: false
+ issuer:
+ group: cert-manager.io
+ kind: ClusterIssuer
+ # Required if webhook.ssl.certManager.enabled is true
+ name: ""
# Reuse existing TLS Secret during chart upgrade.
reuseTLSSecret: false
ca:
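Review bot: The `enabled` comment says only that cert-manager is used; what changes for the operator — where the webhook CA comes from and that the chart-generated certificate path is bypassed — is not stated. Suggest replacing it with `# When true, a cert-manager Certificate is created for the webhook and the` / `# ValidatingWebhookConfiguration caBundle is injected by cert-manager (cert-manager.io/inject-ca-from)` / `# instead of being generated by the chart; the issuer must produce a ca.crt in the resulting Secret.` The `kind` default could likewise note that a namespaced `Issuer` is also accepted, matching the README row added in this commit. The enclosing `ssl:` mapping continues outside the hunk.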
diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml
index dbfb0037c..019960d56 100644
--- a/charts/sysdig-deploy/Chart.yaml
+++ b/charts/sysdig-deploy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: sysdig-deploy
description: A chart with various Sysdig components for Kubernetes
type: application
-version: 1.56.11
+version: 1.57.0
maintainers:
- name: AlbertoBarba
email: alberto.barba@sysdig.com
@@ -20,7 +20,7 @@ dependencies:
- name: admission-controller
# repository: https://charts.sysdig.com
repository: file://../admission-controller
- version: ~0.16.3
+ version: ~0.17.0
alias: admissionController
condition: admissionController.enabled
- name: agent