diff --git a/assets/kasten/k10-6.5.1301.tgz b/assets/kasten/k10-6.5.1301.tgz new file mode 100644 index 000000000..6a914df22 Binary files /dev/null and b/assets/kasten/k10-6.5.1301.tgz differ diff --git a/assets/speedscale/speedscale-operator-2.1.320.tgz b/assets/speedscale/speedscale-operator-2.1.320.tgz new file mode 100644 index 000000000..cbf1c731a Binary files /dev/null and b/assets/speedscale/speedscale-operator-2.1.320.tgz differ diff --git a/charts/kasten/k10/Chart.lock b/charts/kasten/k10/Chart.lock index 3dd4bf512..96fc2e846 100644 --- a/charts/kasten/k10/Chart.lock +++ b/charts/kasten/k10/Chart.lock @@ -6,4 +6,4 @@ dependencies: repository: "" version: 25.18.0 digest: sha256:e35117c8aba9f6bde24ae45b5e05b0342b03029dfb2676236c389572cc502066 -generated: "2024-04-20T03:47:20.475656567Z" +generated: "2024-05-03T18:14:59.697223332Z" diff --git a/charts/kasten/k10/Chart.yaml b/charts/kasten/k10/Chart.yaml index 4a7a91418..8a3c48c42 100644 --- a/charts/kasten/k10/Chart.yaml +++ b/charts/kasten/k10/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: k10 apiVersion: v2 -appVersion: 6.5.12 +appVersion: 6.5.13 dependencies: - condition: grafana.enabled name: grafana @@ -21,4 +21,4 @@ maintainers: - email: contact@kasten.io name: kastenIO name: k10 -version: 6.5.1201 +version: 6.5.1301 diff --git a/charts/kasten/k10/README.md b/charts/kasten/k10/README.md index f03e250cc..bd93317d0 100644 --- a/charts/kasten/k10/README.md +++ b/charts/kasten/k10/README.md 
@@ -59,6 +59,7 @@ Parameter | Description | Default `license` | License string obtained from Kasten | `None` `rbac.create` | Whether to enable RBAC with a specific cluster role and binding for K10 | `true` `scc.create` | Whether to create a SecurityContextConstraints for K10 ServiceAccounts | `false` +`scc.priority` | Sets the SecurityContextConstraints priority | `15` `services.dashboardbff.hostNetwork` | Whether the dashboardbff pods may use the node network | `false` `services.executor.hostNetwork` | Whether the executor pods may use the node network | `false` `services.executor.workerCount` | Specifies count of running executor workers | 8 @@ -103,6 +104,7 @@ Parameter | Description | Default `secrets.awsAccessKeyId` | AWS access key ID (required for AWS deployment) | `None` `secrets.awsSecretAccessKey` | AWS access key secret | `None` `secrets.awsIamRole` | ARN of the AWS IAM role assumed by K10 to perform any AWS operation. | `None` +`secrets.awsClientSecretName` | The secret that contains AWS access key ID, AWS access key secret and AWS IAM role for AWS | `None` `secrets.googleApiKey` | Non-default base64 encoded GCP Service Account key | `None` `secrets.googleProjectId` | Sets Google Project ID other than the one used in the GCP Service Account | `None` `secrets.azureTenantId` | Azure tenant ID (required for Azure deployment) | `None` 
@@ -118,6 +120,7 @@ Parameter | Description | Default `secrets.vsphereEndpoint` | vSphere endpoint for login | `None` `secrets.vsphereUsername` | vSphere username for login | `None` `secrets.vspherePassword` | vSphere password for login | `None` +`secrets.vsphereClientSecretName` | The secret that contains vSphere username, vSphere password and vSphere endpoint | `None` `secrets.dockerConfig` | Set base64 encoded docker config to use for image pull operations. Alternative to the ``secrets.dockerConfigPath`` | `None` `secrets.dockerConfigPath` | Use ``--set-file secrets.dockerConfigPath=path_to_docker_config.yaml`` to specify docker config for image pull. Will be overwritten if ``secrets.dockerConfig`` is set | `None` `cacertconfigmap.name` | Name of the ConfigMap that contains a certificate for a trusted root certificate authority | `None` diff --git a/charts/kasten/k10/templates/_definitions.tpl b/charts/kasten/k10/templates/_definitions.tpl index 5016b775e..023848d72 100644 --- a/charts/kasten/k10/templates/_definitions.tpl +++ b/charts/kasten/k10/templates/_definitions.tpl @@ -35,8 +35,8 @@ crypto: dashboardbff: - vbrintegrationapi state: -- admin - events +- admin {{- end -}} {{- define "k10.aggregatedAPIs" -}}actions apps repositories vault{{- end -}} {{- define "k10.configAPIs" -}}config{{- end -}} diff --git a/charts/kasten/k10/templates/_helpers.tpl b/charts/kasten/k10/templates/_helpers.tpl index 6e9a0c6a7..2e4a59114 100644 --- a/charts/kasten/k10/templates/_helpers.tpl +++ b/charts/kasten/k10/templates/_helpers.tpl 
@@ -118,11 +118,7 @@ {{- /* FIPS */ -}} {{- $fips := .Values.fips | default dict -}} {{- if $fips.enabled -}} - {{- $internal_capabilities = append $internal_capabilities "fips" -}} - - {{- if not $fips.allowNonFIPSImports -}} - {{- $internal_capabilities = append $internal_capabilities "fips.strict.migrations" -}} - {{- end -}} + {{- $internal_capabilities = append $internal_capabilities "fips.strict" -}} {{- end -}} {{- concat $internal_capabilities (.Values.capabilities | default list) | join " " -}} @@ -467,6 +463,12 @@ Check if AWS creds are specified {{- end -}} {{- end -}} +{{- define "check.awsSecretName" -}} +{{- if .Values.secrets.awsClientSecretName -}} +{{- print true -}} +{{- end -}} +{{- end -}} + {{/* Check if Azure MSI with Default ID is specified */}} @@ -602,14 +604,29 @@ Check if Google creds are specified {{- end -}} {{- end -}} +{{- define "check.googleCredsSecret" -}} +{{- if .Values.secrets.googleClientSecretName -}} + {{- print true -}} +{{- end -}} +{{- end -}} + +{{- define "check.googleCredsOrSecret" -}} +{{- if or (eq (include "check.googlecreds" .) "true") (eq (include "check.googleCredsSecret" .) "true")}} + {{- print true -}} +{{- end -}} +{{- end -}} + {{/* -Check if Google Project ID is specified +Check if Google Project ID is not set without Google API Key */}} {{- define "check.googleproject" -}} {{- if .Values.secrets.googleProjectId -}} {{- if not .Values.secrets.googleApiKey -}} - {{- fail "secrets.googleApiKey field is required when using secrets.googleProjectId" -}} + {{- print false -}} + {{- else -}} + {{- print true -}} {{- end -}} +{{- else -}} {{- print true -}} {{- end -}} {{- end -}} @@ -638,6 +655,12 @@ Check if Vsphere creds are specified {{- end -}} {{- end -}} +{{- define "check.vsphereClientSecret" -}} +{{- if .Values.secrets.vsphereClientSecretName -}} +{{- print true -}} +{{- end -}} +{{- end -}} + {{/* Check if Vault token secret creds are specified */}} 
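Review bot: `fips.allowNonFIPSImports` is no longer read anywhere in this helper after the change, so a values file that still sets it renders without any signal that the flag has stopped doing anything. If the option has been retired, say so at the place it used to be consumed, e.g. `{{- if hasKey $fips "allowNonFIPSImports" -}}{{- fail "fips.allowNonFIPSImports is no longer supported: FIPS deployments are always strict" -}}{{- end -}}` right after the `$fips.enabled` test. Whether values.schema.json still declares the key is not visible in this diff; if it does, that entry should go as well. The enclosing define (apparently `k10.capabilities`, judging by the `K10_CAPABILITIES` consumer elsewhere in the diff) starts outside the hunk.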
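Review bot: `check.googleproject` still requires `secrets.googleApiKey` whenever `secrets.googleProjectId` is set, so an inline project ID combined with `secrets.googleClientSecretName` is rejected by the `fail` in _k10_container.tpl even though credentials are present in the referenced Secret. In that mode the project ID is read from the Secret's `google-project-id` key and the inline value is never consulted, so the helper should either accept the Secret as satisfying the check, `{{- if not (or .Values.secrets.googleApiKey .Values.secrets.googleClientSecretName) -}}`, or the failure message raised by the caller should tell the user that `googleProjectId` is ignored when a client secret is used. The rewritten header comment `Check if Google Project ID is not set without Google API Key` also no longer says that the helper now prints `true`/`false` and leaves failing to the caller; one sentence stating that contract would save the next reader a search.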
@@ -1158,6 +1181,55 @@ running in the same cluster. {{- end -}} {{- end -}} +{{/* Fail if FIPS is enabled and Grafana is turned on */}} +{{- define "k10.fail.fipsGrafana" -}} + {{- if and ((.Values.fips | default dict).enabled) (.Values.grafana.enabled) -}} + {{- fail "fips.enabled and grafana.enabled cannot both be enabled at the same time" -}} + {{- end -}} +{{- end -}} + +{{/* Fail if FIPS is enabled and Prometheus is turned on */}} +{{- define "k10.fail.fipsPrometheus" -}} + {{- if and ((.Values.fips | default dict).enabled) (.Values.prometheus.server.enabled) -}} + {{- fail "fips.enabled and prometheus.server.enabled cannot both be enabled at the same time" -}} + {{- end -}} +{{- end -}} + +{{/* Fail if FIPS is enabled and Multicluster is turned on */}} +{{- define "k10.fail.fipsMulticluster" -}} + {{- if and ((.Values.fips | default dict).enabled) (.Values.multicluster.enabled) -}} + {{- fail "fips.enabled and multicluster.enabled cannot both be enabled at the same time" -}} + {{- end -}} +{{- end -}} + +{{/* Fail if FIPS is enabled and PDF reporting is turned on */}} +{{- define "k10.fail.fipsPDFReports" -}} + {{- if and ((.Values.fips | default dict).enabled) (.Values.reporting.pdfReports) -}} + {{- fail "fips.enabled and reporting.pdfReports cannot both be enabled at the same time" -}} + {{- end -}} +{{- end -}} + +{{/* Fail if FIPS is enabled and next gen gateway is turned off */}} +{{- define "k10.fail.fipsGatewayNextGen" -}} + {{- if and ((.Values.fips | default dict).enabled) (not .Values.gateway.next_gen) -}} + {{- fail "gateway.next_gen must be enabled if fips.enabled=true" -}} + {{- end -}} +{{- end -}} + +{{/* Fail if FIPS is enabled and auth.ldap is turned on */}} +{{- define "k10.fail.fipsDexAuthLDAP" -}} + {{- if and ((.Values.fips | default dict).enabled) (.Values.auth.ldap.enabled) -}} + {{- fail "fips.enabled and auth.ldap.enabled cannot both be enabled at the same time" -}} + {{- end -}} +{{- end -}} + +{{/* Fail if FIPS is enabled and 
auth.openshift is turned on */}} +{{- define "k10.fail.fipsDexAuthOpenshift" -}} + {{- if and ((.Values.fips | default dict).enabled) (.Values.auth.openshift.enabled) -}} + {{- fail "fips.enabled and auth.openshift.enabled cannot both be enabled at the same time" -}} + {{- end -}} +{{- end -}} + {{/* Check to see whether SIEM logging is enabled */}} {{- define "k10.siemEnabled" -}} {{- if or .Values.siem.logging.cluster.enabled .Values.siem.logging.cloud.awsS3.enabled -}} @@ -1188,3 +1260,14 @@ running in the same cluster. {{- $serviceAccount := required "auth.openshift.serviceAccount field is required" .Values.auth.openshift.serviceAccount -}} {{ printf "%s-k10-secret" $serviceAccount | quote }} {{- end -}} + +{{/* +Returns the required environment variables to enforce FIPS mode using +the Microsoft Go toolchain and Red Hat's OpenSSL. +*/}} +{{- define "k10.enforceFIPSEnvironmentVariables" }} +- name: GOFIPS + value: "1" +- name: OPENSSL_FORCE_FIPS_MODE + value: "1" +{{- end }} diff --git a/charts/kasten/k10/templates/_k10_container.tpl b/charts/kasten/k10/templates/_k10_container.tpl index f41d33cc5..0895015f2 100644 --- a/charts/kasten/k10/templates/_k10_container.tpl +++ b/charts/kasten/k10/templates/_k10_container.tpl 
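Review bot: The header comment on `k10.enforceFIPSEnvironmentVariables` says what the two variables are for but not what happens when the image underneath is not FIPS-capable, which is the failure mode an operator will actually hit. As far as I know, `GOFIPS=1` makes a Microsoft Go binary refuse to start if it cannot enable its FIPS backend, and `OPENSSL_FORCE_FIPS_MODE=1` likewise hard-fails a non-FIPS OpenSSL build, so a pod pointed at a non-FIPS image crashes at startup rather than silently running non-FIPS crypto; that fail-closed behaviour is what you want, but it deserves a sentence such as `Both variables are fail-closed: a container whose image cannot enter FIPS mode exits at startup instead of falling back to non-FIPS crypto.` It would also help to note that only containers whose templates include this helper are covered, since every other container runs without enforcement.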
@@ -94,16 +94,27 @@ stating that types are not same for the equality check - name: {{ include "k10.disabledServicesEnvVar" . }} value: {{ include "get.disabledServices" . | quote }} {{- end -}} -{{- if eq (include "check.googlecreds" .) "true" }} - - name: GOOGLE_APPLICATION_CREDENTIALS - value: "/var/run/secrets/kasten.io/kasten-gke-sa.json" +{{- if not (eq (include "check.googleproject" . ) "true") -}} + {{- fail "secrets.googleApiKey field is required when using secrets.googleProjectId" -}} +{{- end -}} +{{- $gkeSecret := default "google-secret" .Values.secrets.googleClientSecretName }} +{{- $gkeProjectId := "kasten-gke-project" }} +{{- $gkeApiKey := "/var/run/secrets/kasten.io/kasten-gke-sa.json"}} +{{- if eq (include "check.googleCredsSecret" .) "true" }} + {{- $gkeProjectId = "google-project-id" }} + {{- $gkeApiKey = "/var/run/secrets/kasten.io/google-api-key" }} {{- end }} -{{- if eq (include "check.googleproject" .) "true" }} +{{- if eq (include "check.googleCredsOrSecret" .) "true" }} + - name: GOOGLE_APPLICATION_CREDENTIALS + value: {{ $gkeApiKey }} +{{- end }} +{{- if eq (include "check.googleCredsOrSecret" .) "true" }} - name: projectID valueFrom: secretKeyRef: - name: google-secret - key: kasten-gke-project + name: {{ $gkeSecret }} + key: {{ $gkeProjectId }} + optional: true {{- end }} {{- if or (eq (include "check.azuresecret" .) "true") (eq (include "check.azurecreds" .) "true" ) }} {{- if eq (include "check.azuresecret" .) "true" }} 
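Review bot: When `secrets.googleClientSecretName` is set, the key names `google-api-key` and `google-project-id` become a contract with the user's Secret, but nothing in the hunk checks that the Secret carries them, unlike the `lookup`-based validation the same file adds for the AWS Secret. If `google-api-key` is absent, `GOOGLE_APPLICATION_CREDENTIALS` points at a file the `service-account` mount never creates, so the pod starts and fails at its first GCP call instead of at render time. A parallel check ahead of the env block would close the gap: `{{- $gSecret := lookup "v1" "Secret" .Release.Namespace .Values.secrets.googleClientSecretName }}{{- if and $gSecret (not (index $gSecret.data "google-api-key")) }}{{ fail "Provided Google secret must contain a google-api-key key" }}{{- end }}`. The expected key names should also be stated in the schema description for `googleClientSecretName`, which currently only says to supply a Secret.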
@@ -190,24 +201,44 @@ stating that types are not same for the equality check value: "{{ .Values.azure.useDefaultMSI }}" {{- end }} {{- end }} -{{- if eq (include "check.awscreds" .) "true" }} + +{{- /* +There are 3 valid states of the secret provided by customer: +1. Only role set +2. Both aws_access_key_id and aws_secret_access_key are set +3. All of role, aws_access_key_id and aws_secret_access_key are set. +*/}} +{{- if eq (include "check.awsSecretName" .) "true" }} + {{- $customerSecret := (lookup "v1" "Secret" .Release.Namespace .Values.secrets.awsClientSecretName )}} + {{- if $customerSecret }} + {{- if and (not $customerSecret.data.role) (not $customerSecret.data.aws_access_key_id) (not $customerSecret.data.aws_secret_access_key) }} + {{ fail "Provided secret must contain at least AWS IAM Role or AWS access key ID together with AWS secret access key"}} + {{- end }} + {{- if not (or (and $customerSecret.data.aws_access_key_id $customerSecret.data.aws_secret_access_key) (and (not $customerSecret.data.aws_access_key_id) (not $customerSecret.data.aws_secret_access_key))) }} + {{ fail "Provided secret lacks aws_access_key_id or aws_secret_access_key" }} + {{- end }} + {{- end }} +{{- end }} +{{- if list "dashboardbff" "executor" "garbagecollector" "controllermanager" "metering" "kanister" | has $service}} +{{- $awsSecretName := default "aws-creds" .Values.secrets.awsClientSecretName }} - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef: - name: aws-creds + name: {{ $awsSecretName }} key: aws_access_key_id + optional: true - name: AWS_SECRET_ACCESS_KEY valueFrom: secretKeyRef: - name: aws-creds + name: {{ $awsSecretName }} key: aws_secret_access_key -{{- if .Values.secrets.awsIamRole }} + optional: true - name: K10_AWS_IAM_ROLE valueFrom: secretKeyRef: - name: aws-creds + name: {{ $awsSecretName }} key: role -{{- end }} + optional: true {{- end }} {{- if list "controllermanager" "executor" "catalog" | has $service}} {{- if eq (include "check.gwifenabled" .) 
"true"}} @@ -242,21 +273,22 @@ stating that types are not same for the equality check {{- end }} {{- end }} {{- end }} -{{- if eq (include "check.vspherecreds" .) "true" }} +{{- if or (eq (include "check.vspherecreds" .) "true") (eq (include "check.vsphereClientSecret" .) "true") }} +{{- $vsphereSecretName := default "vsphere-creds" .Values.secrets.vsphereClientSecretName }} - name: VSPHERE_ENDPOINT valueFrom: secretKeyRef: - name: vsphere-creds + name: {{ $vsphereSecretName }} key: vsphere_endpoint - name: VSPHERE_USERNAME valueFrom: secretKeyRef: - name: vsphere-creds + name: {{ $vsphereSecretName }} key: vsphere_username - name: VSPHERE_PASSWORD valueFrom: secretKeyRef: - name: vsphere-creds + name: {{ $vsphereSecretName }} key: vsphere_password {{- end }} - name: VERSION @@ -270,6 +302,9 @@ stating that types are not same for the equality check configMapKeyRef: name: k10-config key: clustername +{{- end }} +{{- if (.Values.fips | default dict).enabled }} + {{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }} {{- end }} {{- with $capabilities := include "k10.capabilities" . }} - name: K10_CAPABILITIES @@ -730,7 +765,7 @@ stating that types are not same for the equality check value: {{ .Values.multicluster.primary.ingressURL | quote }} {{- end }} {{- end -}} -{{- if or $.stateful (or (eq (include "check.googlecreds" .) "true") (eq $service "auth" "logging")) }} +{{- if or $.stateful (or (eq (include "check.googleCredsOrSecret" .) "true") (eq $service "auth" "logging")) }} volumeMounts: {{- else if or (or (eq (include "basicauth.check" .) "true") (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true"))) .Values.features }} volumeMounts: @@ -777,7 +812,7 @@ stating that types are not same for the equality check readOnly: true {{- end }} {{- end }} -{{- if eq (include "check.googlecreds" .) "true" }} +{{- if eq (include "check.googleCredsOrSecret" .) "true"}} - name: service-account mountPath: "/var/run/secrets/kasten.io" {{- end }} 
@@ -812,6 +847,10 @@ stating that types are not same for the equality check image: {{ include "get.kanisterToolsImage" .}} imagePullPolicy: {{ .Values.kanisterToolsImage.pullPolicy }} {{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "kanister-sidecar" | include "k10.resource.request" | indent 8}} +{{- if (.Values.fips | default dict).enabled }} + env: + {{- include "k10.enforceFIPSEnvironmentVariables" . | nindent 10 }} +{{- end }} volumeMounts: - name: {{ $service }}-persistent-storage mountPath: {{ .Values.global.persistence.mountPath | quote }} @@ -831,6 +870,10 @@ stating that types are not same for the equality check image: {{ include "get.dexImage" . }} {{- if .Values.auth.ldap.enabled }} command: ["/usr/local/bin/dex", "serve", "/dex-config/config.yaml"] +{{- if (.Values.fips | default dict).enabled }} + env: + {{- include "k10.enforceFIPSEnvironmentVariables" . | nindent 10 }} +{{- end }} {{- else if .Values.auth.openshift.enabled }} {{- /* In the case of OpenShift, a template config is used instead of a plain config for Dex. @@ -852,6 +895,9 @@ stating that types are not same for the equality check {{- else }} value: {{ .Values.auth.openshift.clientSecret }} {{- end }} +{{- if (.Values.fips | default dict).enabled }} + {{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }} +{{- end }} {{- end }} ports: - name: http diff --git a/charts/kasten/k10/templates/_k10_image_tag.tpl b/charts/kasten/k10/templates/_k10_image_tag.tpl index 7d7eb0082..c0c4d5772 100644 --- a/charts/kasten/k10/templates/_k10_image_tag.tpl +++ b/charts/kasten/k10/templates/_k10_image_tag.tpl @@ -1 +1 @@ -{{- define "k10.imageTag" -}}6.5.12{{- end -}} \ No newline at end of file +{{- define "k10.imageTag" -}}6.5.13{{- end -}} \ No newline at end of file diff --git a/charts/kasten/k10/templates/_k10_metering.tpl b/charts/kasten/k10/templates/_k10_metering.tpl index 4ddc870ff..860b4373e 100644 --- a/charts/kasten/k10/templates/_k10_metering.tpl 
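Review bot: The FIPS `env:` blocks added inside the `auth.ldap.enabled` and `auth.openshift.enabled` branches of the dex container can never render, because secure_deployment.tpl in this same diff fails the release whenever `fips.enabled` is combined with either option. That leaves dead template code that will lead the next reader to believe FIPS-mode Dex with LDAP or OpenShift is supported. Either drop the two blocks, or if FIPS Dex is actually meant to work, drop `k10.fail.fipsDexAuthLDAP` and `k10.fail.fipsDexAuthOpenshift` instead; whichever is chosen, a comment at the branch such as `{{/* FIPS env is intentionally not set here: fips.enabled with LDAP/OpenShift auth is rejected in secure_deployment.tpl */}}` would record the decision.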
+++ b/charts/kasten/k10/templates/_k10_metering.tpl @@ -181,6 +181,9 @@ spec: configMapKeyRef: name: k10-config key: clustername +{{- end }} +{{- if (.Values.fips | default dict).enabled }} + {{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }} {{- end }} {{- with $capabilities := include "k10.capabilities" . }} - name: K10_CAPABILITIES diff --git a/charts/kasten/k10/templates/_k10_template.tpl b/charts/kasten/k10/templates/_k10_template.tpl index 052dd8e0c..235eb3ddf 100644 --- a/charts/kasten/k10/templates/_k10_template.tpl +++ b/charts/kasten/k10/templates/_k10_template.tpl @@ -164,10 +164,11 @@ spec: persistentVolumeClaim: claimName: {{ $statefulContainer }}-pv-claim {{- end }} -{{- if eq (include "check.googlecreds" .) "true" }} +{{- if eq (include "check.googleCredsOrSecret" .) "true" }} +{{- $gkeSecret := default "google-secret" .Values.secrets.googleClientSecretName }} - name: service-account secret: - secretName: google-secret + secretName: {{ $gkeSecret }} {{- end }} {{- if and (list "controllermanager" "executor" "catalog" | has $pod) (eq (include "check.projectSAToken" .) "true")}} - name: bound-sa-token diff --git a/charts/kasten/k10/templates/gateway.yaml b/charts/kasten/k10/templates/gateway.yaml index 4d26109a5..616c4140e 100644 --- a/charts/kasten/k10/templates/gateway.yaml +++ b/charts/kasten/k10/templates/gateway.yaml @@ -150,6 +150,9 @@ spec: configMapKeyRef: name: k10-config key: version +{{- if (.Values.fips | default dict).enabled }} + {{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }} +{{- end }} {{- with $capabilities := include "k10.capabilities" . }} - name: K10_CAPABILITIES value: {{ $capabilities | quote }} diff --git a/charts/kasten/k10/templates/ironbank.tpl b/charts/kasten/k10/templates/ironbank.tpl deleted file mode 100644 index 1dd7ba1cf..000000000 --- a/charts/kasten/k10/templates/ironbank.tpl +++ /dev/null 
@@ -1,8 +0,0 @@ -{{/* -This file is used to fail the helm deployment if certain values are set which are -not compatible with an Ironbank deployment. -*/}} -{{- include "k10.fail.ironbankGrafana" . -}} -{{- include "k10.fail.ironbankPdfReports" . -}} -{{- include "k10.fail.ironbankPrometheus" . -}} -{{- include "k10.fail.ironbankRHMarketplace" . -}} diff --git a/charts/kasten/k10/templates/k10-scc.yaml b/charts/kasten/k10/templates/k10-scc.yaml index 221f8e965..12a449f6f 100644 --- a/charts/kasten/k10/templates/k10-scc.yaml +++ b/charts/kasten/k10/templates/k10-scc.yaml @@ -22,7 +22,7 @@ defaultAddCapabilities: - DAC_OVERRIDE fsGroup: type: RunAsAny -priority: 15 +priority: {{ .Values.scc.priority }} readOnlyRootFilesystem: false requiredDropCapabilities: - ALL diff --git a/charts/kasten/k10/templates/rbac.yaml b/charts/kasten/k10/templates/rbac.yaml index 155e08136..9755907fa 100644 --- a/charts/kasten/k10/templates/rbac.yaml +++ b/charts/kasten/k10/templates/rbac.yaml @@ -94,7 +94,11 @@ rules: resources: - configmaps verbs: + - create + - delete - get + - list + - update - apiGroups: - "batch" resources: diff --git a/charts/kasten/k10/templates/secrets.yaml b/charts/kasten/k10/templates/secrets.yaml index 9eda4b87e..85a3275d6 100644 --- a/charts/kasten/k10/templates/secrets.yaml +++ b/charts/kasten/k10/templates/secrets.yaml @@ -1,7 +1,7 @@ {{- include "enforce.singlecloudcreds" . -}} {{- include "enforce.singleazurecreds" . -}} {{- include "check.validateImagePullSecrets" . -}} -{{- if eq (include "check.awscreds" . ) "true" }} +{{- if and (eq (include "check.awscreds" . ) "true") (not (eq (include "check.awsSecretName" . ) "true")) }} apiVersion: v1 kind: Secret metadata: 
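Review bot: The README/schema text for `scc.priority`, `Sets the SecurityContextConstraints priority`, gives no hint that this value decides which SCC OpenShift admits K10 pods under: the admission controller picks the highest-priority SCC a ServiceAccount may use, so raising it makes this SCC, which in the visible lines keeps `DAC_OVERRIDE` in `defaultAddCapabilities` and `readOnlyRootFilesystem: false`, win over `restricted` for every K10 ServiceAccount, while lowering it can cause a more restrictive SCC to be chosen and the pods to be rejected. Suggest `Priority of the K10 SCC; OpenShift selects the highest-priority SCC a ServiceAccount may use, so this value decides whether K10's SCC takes precedence over the cluster's restricted SCCs` in both the README row and the schema description. If negative values are not meaningful for this field, a `minimum: 0` in the schema would keep them out of the rendered object.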
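Review bot: The widened `configmaps` rule gains `create`, `delete`, `list` and `update` on top of `get`, turning a read-only grant into full write access, and nothing in the hunk says which component needs it or why. The kind of the enclosing object (Role vs ClusterRole) and any `resourceNames` are outside the hunk, so if this is a ClusterRole the grant is cluster-wide. A comment naming the consumer, e.g. `# needed by <service> to manage <configmap name>` above the `configmaps` resource, plus a `resourceNames:` restriction if the set of ConfigMaps written is fixed, would keep the least-privilege story auditable. The enclosing rules list starts and ends outside the hunk.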
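Review bot: The new condition silently discards inline AWS credentials when `secrets.awsClientSecretName` is also set: `check.awscreds` is true, the chart-managed `aws-creds` Secret is skipped, and the pods read the user's Secret, so a values file carrying both `awsAccessKeyId` and `awsClientSecretName` has one of them ignored with no message. The same pattern is applied to the Google and vSphere Secrets further down in this file. Failing when both forms are supplied would surface the misconfiguration at render time, e.g. `{{- if and (eq (include "check.awscreds" .) "true") (eq (include "check.awsSecretName" .) "true") }}{{ fail "secrets.awsClientSecretName cannot be combined with secrets.awsAccessKeyId/awsSecretAccessKey/awsIamRole" }}{{- end }}` next to the `enforce.singlecloudcreds` include; whether that helper already knows about the new `*ClientSecretName` values is not visible here.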
@@ -30,7 +30,7 @@ type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: {{ or .Values.secrets.dockerConfig ( .Values.secrets.dockerConfigPath | b64enc ) }} {{- end }} -{{- if eq (include "check.googlecreds" .) "true" }} +{{- if and (eq (include "check.googlecreds" .) "true") ( not (eq (include "check.googleCredsSecret" .) "true")) }} --- apiVersion: v1 kind: Secret @@ -73,7 +73,7 @@ data: azure_ad_resource_id: {{ default "" .Values.secrets.azureADResourceID | b64enc | quote }} azure_cloud_env_id: {{ default "" .Values.secrets.azureCloudEnvID | b64enc | quote }} {{- end }} -{{- if eq (include "check.vspherecreds" .) "true" }} +{{- if and (eq (include "check.vspherecreds" .) "true") (not (eq (include "check.vsphereClientSecret" . ) "true")) }} --- apiVersion: v1 kind: Secret diff --git a/charts/kasten/k10/templates/secure_deployment.tpl b/charts/kasten/k10/templates/secure_deployment.tpl new file mode 100644 index 000000000..73ef0e679 --- /dev/null +++ b/charts/kasten/k10/templates/secure_deployment.tpl @@ -0,0 +1,23 @@ +{{/* +This file is used to fail the helm deployment if certain values are set which are +not compatible with a secure deployment. + +A secure deployment is defined as one of the following: +- Iron Bank +- FIPS +*/}} + +{{/* Iron Bank */}} +{{- include "k10.fail.ironbankGrafana" . -}} +{{- include "k10.fail.ironbankPdfReports" . -}} +{{- include "k10.fail.ironbankPrometheus" . -}} +{{- include "k10.fail.ironbankRHMarketplace" . -}} + +{{/* FIPS */}} +{{- include "k10.fail.fipsGrafana" . -}} +{{- include "k10.fail.fipsPrometheus" . -}} +{{- include "k10.fail.fipsMulticluster" . -}} +{{- include "k10.fail.fipsPDFReports" . -}} +{{- include "k10.fail.fipsGatewayNextGen" . -}} +{{- include "k10.fail.fipsDexAuthLDAP" . -}} +{{- include "k10.fail.fipsDexAuthOpenshift" . -}} diff --git a/charts/kasten/k10/values.schema.json b/charts/kasten/k10/values.schema.json index b3d07f464..3b851c69e 100644 --- a/charts/kasten/k10/values.schema.json 
+++ b/charts/kasten/k10/values.schema.json @@ -44,6 +44,12 @@ "default": false, "title": "Create K10 SSC", "description": "Whether to create a SecurityContextConstraints for K10 ServiceAccounts" + }, + "priority": { + "type": "integer", + "default": 15, + "title": "SCC priority", + "description": "Sets the SecurityContextConstraints priority" } } }, @@ -1002,6 +1008,12 @@ "title": "AWS IAM Role", "description": "ARN of the AWS IAM role assumed by K10 to perform any AWS operation" }, + "awsClientSecretName": { + "type": "string", + "default": "", + "title": "Secret with AWS credentials and/or IAM Role", + "description": "Specify a Secret directly instead of having to provide awsAccessKeyId, awsSecretAccessKey and awsIamRole" + }, "googleApiKey": { "type": "string", "default": "", @@ -1014,6 +1026,12 @@ "title": "Google Project ID", "description": "Set Google Project ID other than the one in the GCP Service Account" }, + "googleClientSecretName": { + "type": "string", + "default": "", + "title": "Secret with Google credentials", + "description": "Specify a Secret directly instead of having to provide googleApiKey and googleProjectId" + }, "tlsSecret": { "type": "string", "default": "", @@ -1121,6 +1139,12 @@ "default": "", "title": "vSphere password", "description": "vSphere password for login" + }, + "vsphereClientSecretName": { + "type": "string", + "default": "", + "title": "Secret with vSphere credentials", + "description": "Specify a Secret directly instead of having to provide vsphereUsername, vspherePassword and vspherePassword" } } }, diff --git a/charts/kasten/k10/values.yaml b/charts/kasten/k10/values.yaml index 66e90c53d..925b8d518 100644 --- a/charts/kasten/k10/values.yaml +++ b/charts/kasten/k10/values.yaml @@ -13,6 +13,7 @@ serviceAccount: scc: create: false + priority: 15 networkPolicy: create: true 
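Review bot: The `awsClientSecretName` description says to "Specify a Secret directly" but not what the Secret must contain, while the container template in this diff hard-codes the keys `aws_access_key_id`, `aws_secret_access_key` and `role` and fails the render when the wrong combination is present. A user building the Secret from the schema alone cannot discover those names. Suggest `Name of an existing Secret holding AWS credentials under the keys aws_access_key_id and aws_secret_access_key and/or an IAM role ARN under the key role; replaces awsAccessKeyId, awsSecretAccessKey and awsIamRole`.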
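Review bot: The `vsphereClientSecretName` description lists `vspherePassword` twice and never mentions the endpoint; the README row for the same option says endpoint, username and password, so the second `vspherePassword` should read `vsphereEndpoint`. The description should also name the keys the container template reads, `vsphere_endpoint`, `vsphere_username` and `vsphere_password`; those `secretKeyRef`s are not marked optional, so a Secret missing any of them leaves the pod in CreateContainerConfigError. Suggest `Name of an existing Secret with keys vsphere_endpoint, vsphere_username and vsphere_password; replaces vsphereEndpoint, vsphereUsername and vspherePassword`.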
@@ -203,8 +204,10 @@ secrets: awsAccessKeyId: '' awsSecretAccessKey: '' awsIamRole: '' + awsClientSecretName: '' googleApiKey: '' googleProjectId: '' + googleClientSecretName: '' dockerConfig: '' dockerConfigPath: '' azureTenantId: '' @@ -223,6 +226,7 @@ secrets: vsphereEndpoint: '' vsphereUsername: '' vspherePassword: '' + vsphereClientSecretName: '' metering: reportingKey: "" #[base64-encoded key] diff --git a/charts/speedscale/speedscale-operator/Chart.yaml b/charts/speedscale/speedscale-operator/Chart.yaml index 3e1c9143e..3ee2d5730 100644 --- a/charts/speedscale/speedscale-operator/Chart.yaml +++ b/charts/speedscale/speedscale-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: speedscale-operator apiVersion: v1 -appVersion: 2.1.313 +appVersion: 2.1.320 description: Stress test your APIs with real world scenarios. Collect and replay traffic without scripting. home: https://speedscale.com @@ -24,4 +24,4 @@ maintainers: - email: support@speedscale.com name: Speedscale Support name: speedscale-operator -version: 2.1.313 +version: 2.1.320 diff --git a/charts/speedscale/speedscale-operator/values.yaml b/charts/speedscale/speedscale-operator/values.yaml index 636363244..34374434f 100644 --- a/charts/speedscale/speedscale-operator/values.yaml +++ b/charts/speedscale/speedscale-operator/values.yaml @@ -20,7 +20,7 @@ clusterName: "my-cluster" # Speedscale components image settings. image: registry: gcr.io/speedscale - tag: v2.1.313 + tag: v2.1.320 pullPolicy: Always # Log level for Speedscale components. diff --git a/index.yaml b/index.yaml index 8693cc622..6ceb0a994 100644 --- a/index.yaml +++ b/index.yaml 
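Review bot: `googleClientSecretName` is added here and in values.schema.json, but the README table in this diff gains rows only for `secrets.awsClientSecretName` and `secrets.vsphereClientSecretName`, so the Google variant is undocumented for chart users. A row next to `secrets.googleProjectId` would complete the set, along the lines of `secrets.googleClientSecretName | The secret that contains the GCP Service Account key under key google-api-key and optionally the project ID under key google-project-id | None`. The key names come from _k10_container.tpl in this diff.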
@@ -29745,6 +29745,34 @@ entries: - assets/trilio/k8s-triliovault-operator-v2.0.200.tgz version: v2.0.200 k10: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: k10 + apiVersion: v2 + appVersion: 6.5.13 + created: "2024-05-04T00:52:28.271815838Z" + dependencies: + - condition: grafana.enabled + name: grafana + repository: file://./charts/grafana + version: 7.3.2 + - condition: prometheus.server.enabled + name: prometheus + repository: file://./charts/prometheus + version: 25.18.0 + description: Kasten’s K10 Data Management Platform + digest: 2507b1c0b00fe153b6c6f31a8f0146300908d97d428b6dafead2c8bc756f2cc1 + home: https://kasten.io/ + icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png + maintainers: + - email: contact@kasten.io + name: kastenIO + name: k10 + urls: + - assets/kasten/k10-6.5.1301.tgz + version: 6.5.1301 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: K10 
@@ -49882,6 +49910,37 @@ entries: - assets/shipa/shipa-1.4.0.tgz version: 1.4.0 speedscale-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator + apiVersion: v1 + appVersion: 2.1.320 + created: "2024-05-04T00:52:30.78129258Z" + description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. + digest: f705993719557e7cdb62d4b525b683db63e9c42d5686ec9d5fbccf6d660227f4 + home: https://speedscale.com + icon: https://raw.githubusercontent.com/speedscale/assets/main/logo/gold_logo_only.png + keywords: + - speedscale + - test + - testing + - regression + - reliability + - load + - replay + - network + - traffic + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@speedscale.com + name: Speedscale Support + name: speedscale-operator + urls: + - assets/speedscale/speedscale-operator-2.1.320.tgz + version: 2.1.320 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Speedscale Operator