Merge branch '9-enable-configuration' into 'main'

Enable customization via values.yaml

See merge request platform-one/big-bang/apps/security-tools/twistlock!61

CHANGELOG.md

@@ -3,6 +3,10 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
+## [0.9.0-bb.2] - 2022-07-04
+### Updated
+- Make Twistlock more customization via values.yaml
+
 ## [0.9.0-bb.1] - 2022-06-28
 ### Updated
 - Updated bb base image to 2.0.0

README.md

 # twistlock
 
-![Version: 0.9.0-bb.1](https://img.shields.io/badge/Version-0.9.0--bb.1-informational?style=flat-square) ![AppVersion: 22.06.179](https://img.shields.io/badge/AppVersion-22.06.179-informational?style=flat-square)
+![Version: 0.9.0-bb.2](https://img.shields.io/badge/Version-0.9.0--bb.2-informational?style=flat-square) ![AppVersion: 22.06.179](https://img.shields.io/badge/AppVersion-22.06.179-informational?style=flat-square)
 
 ## Learn More
 * [Application Overview](docs/overview.md)
@@ -43,13 +43,22 @@ helm install twistlock chart/
 | networkPolicies.controlPlaneCidr | string | `"0.0.0.0/0"` | Control Plane CIDR to allow init job communication to the Kubernetes API.  Use `kubectl get endpoints kubernetes` to get the CIDR range needed for your cluster |
 | networkPolicies.nodeCidr | string | `nil` | Node CIDR to allow defender to communicate with console.  Defaults to allowing "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10" networks. use `kubectl get nodes -owide` and review the `INTERNAL-IP` column to derive CIDR range. Must be an IP CIDR range (x.x.x.x/x - ideally a /16 or /24 to include multiple IPs) |
 | imagePullSecrets | list | `[]` | Defines the secrets to use when pulling the container images NOTE: Only first entry in the list will be used for Defender deployment |
+| selinuxLabel | string | `"disable"` | Run Twistlock Console and Defender with a dedicated SELinux label. See https://docs.docker.com/engine/reference/run/#security-configuration |
+| systemd | object | `{"enabled":false}` | systemd configuration |
+| systemd.enabled | bool | `false` | option to install Twistlock as systemd service. true or false |
+| console.dataRecovery | bool | `true` | Enables or Disables data recovery. Values: true or false. |
 | console.image.repository | string | `"registry1.dso.mil/ironbank/twistlock/console/console"` | Full image name for console |
 | console.image.tag | string | `"22.06.179"` | Full image tag for console |
 | console.image.imagePullPolicy | string | `"IfNotPresent"` | Pull policy for console image |
+| console.ports.managementHttp | int | `8081` | Enables the management HTTP listener. |
+| console.ports.managementHttps | int | `8083` | Enables the management HTTPS listener. |
+| console.ports.communication | int | `8084` | Sets the port for communication between the Defender(s) and the Console |
 | console.persistence.size | string | `"100Gi"` | Size of Twistlock PVC |
 | console.persistence.accessMode | string | `"ReadWriteOnce"` | Access mode for Twistlock PVC |
 | console.syslogAuditIntegration | object | `{"enabled":false}` | Enable syslog audit feature When integrating with BigBang, make sure to include an exception to Gatekeeper and/or Kyverno for Volume Types. |
+| console.disableCgroupLimits | bool | `false` | Controls console container's resource constraints. Set to "true" to run without limits. See https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources |
 | console.license | string | `""` | The license key to use.  If not specified, the license must be installed manually. |
+| console.runAsRoot | bool | `false` | Run Twistlock Console processes as root (default false, twistlock user account). Values: true or false |
 | console.credentials | object | `{"password":"change_this_password","username":"admin"}` | Required if init is enabled.  Admin account to use for configuration through API.  Will create account if Twistlock is a new install.  Otherwise, an existing account needs to be provided. |
 | console.credentials.username | string | `"admin"` | Username of account |
 | console.credentials.password | string | `"change_this_password"` | Password of account |
@@ -61,7 +70,7 @@ helm install twistlock chart/
 | console.options.network.host | bool | `true` | Toggle network monitoring of hosts |
 | console.options.logging | bool | `true` | Toggle logging Prisma Cloud events to standard output |
 | console.options.telemetry | bool | `false` | Toggle sending product usage data to Palo Alto Networks |
-| defender | object | `{"clusterName":"","collectLabels":true,"cri":true,"dockerSocket":"","enabled":true,"image":{"repository":"registry1.dso.mil/ironbank/twistlock/defender/defender","tag":"22.06.179"},"monitorServiceAccounts":true,"privileged":false,"proxy":{},"selinux":true,"uniqueHostName":false}` | Configuration of Twistlock's container defenders.  This requires `init.enabled`=`true`, valid credentials, and a valid license. |
+| defender | object | `{"certCn":"","clusterName":"","collectLabels":true,"cri":true,"dockerListenerType":"","dockerSocket":"","enabled":true,"image":{"repository":"registry1.dso.mil/ironbank/twistlock/defender/defender","tag":"22.06.179"},"monitorServiceAccounts":true,"privileged":false,"proxy":{},"selinux":true,"uniqueHostName":false}` | Configuration of Twistlock's container defenders.  This requires `init.enabled`=`true`, valid credentials, and a valid license. |
 | defender.image | object | `{"repository":"registry1.dso.mil/ironbank/twistlock/defender/defender","tag":"22.06.179"}` | Image for Twistlock defender.  Leave blank to use twistlock official repo. |
 | defender.image.repository | string | `"registry1.dso.mil/ironbank/twistlock/defender/defender"` | Repository and path for defender image |
 | defender.image.tag | string | `"22.06.179"` | Image tag for defender |
@@ -69,6 +78,7 @@ helm install twistlock chart/
 | defender.collectLabels | bool | `true` | Collect Deployment and Namespace labels |
 | defender.cri | bool | `true` | Use Container Runtime Interface (CRI) instead of Docker |
 | defender.dockerSocket | string | `""` | Path to Docker socket.  Leave blank to use /var/run/docker.sock |
+| defender.dockerListenerType | string | `""` | Sets the type of the Docker listener (TCP or NONE) |
 | defender.monitorServiceAccounts | bool | `true` | Monitor service accounts |
 | defender.privileged | bool | `false` | Run as privileged.  If `selinux` is `true`, this automatically gets set to `false` |
 | defender.proxy | object | `{}` | Proxy settings |

chart/Chart.yaml

 apiVersion: v2
 name: twistlock
-version: 0.9.0-bb.1
+version: 0.9.0-bb.2
 appVersion: 22.06.179
 dependencies:
   - name: gluon

chart/templates/bigbang/consolePeerAuthentication.yaml

@@ -12,6 +12,6 @@ spec:
     matchLabels:
       {{- include "twistlock-console.selector" . | nindent 8 }}
   portLevelMtls:
-    "8084":
+    "{{ .Values.console.ports.communication }}":
       mode: PERMISSIVE
 {{- end }}
\ No newline at end of file

chart/templates/console/configmap.yaml

@@ -27,12 +27,12 @@ data:
     # The system that you use to configure Twistlock must be able to connect to the Twistlock Console on these ports
     # To enable the HTTP listener, set the value of MANAGEMENT_PORT_HTTP (e.g. MANAGEMENT_PORT_HTTP=8081)
     # Accessing Console over plain, unencrypted HTTP isn't recommended, as sensitive information can be exposed
-    MANAGEMENT_PORT_HTTP=${MANAGEMENT_PORT_HTTP:-8081}
-    MANAGEMENT_PORT_HTTPS=8083
+    MANAGEMENT_PORT_HTTP={{ .Values.console.ports.managementHttp }}
+    MANAGEMENT_PORT_HTTPS={{ .Values.console.ports.managementHttps }}
 
     ##### Inter-system communication port #####
     # Sets the port for communication between the Defender(s) and the Console
-    COMMUNICATION_PORT=8084
+    COMMUNICATION_PORT={{ .Values.console.ports.communication }}
 
     ##### Certificate common names (optional) #####
     # Determines how to construct the CN in the Console's certificate
@@ -41,7 +41,7 @@ data:
     # Determines how to construct the CN in the Defenders' certificates
     # Each Defender authenticates to the Console with this certificate and each cert must have a unique CN
     # These values should not be modified unless instructed to by Twistlock Support
-    DEFENDER_CN=${DEFENDER_CN:-}
+    DEFENDER_CN={{ default "" .Values.defender.certCn }}
 
     #############################################
     #     Twistlock system configuration
@@ -51,7 +51,7 @@ data:
     # Daily, weekly, and monthly snapshots are retained
     # The exported configuration can be stored on durable storage or backed up remotely with other tools
     # Sets data recovery state (enabled or disabled)
-    DATA_RECOVERY_ENABLED=true
+    DATA_RECOVERY_ENABLED={{ .Values.console.dataRecovery }}
     # Sets the directory to which Twistlock data is exported
     DATA_RECOVERY_VOLUME=/var/lib/twistlock-backup
 
@@ -65,35 +65,35 @@ data:
 
     ##### Docker socket #####
     # Sets the location of the Docker socket file
-    DOCKER_SOCKET=${DOCKER_SOCKET:-/var/run/docker.sock}
+    DOCKER_SOCKET={{ default "/var/run/docker.sock" .Values.defender.dockerSocket }}
     # Sets the type of the Docker listener (TCP or NONE)
-    DEFENDER_LISTENER_TYPE=${DEFENDER_LISTENER_TYPE:-NONE}
+    DEFENDER_LISTENER_TYPE={{ default "NONE" .Values.defender.dockerListenerType }}
 
     #### systemd configuration ####
     # Installs Twistlock as systemd service
-    SYSTEMD_ENABLED=${SYSTEMD_ENABLED:-false}
+    SYSTEMD_ENABLED={{ .Values.systemd.enabled }}
 
     #### userid configuration ####
     # Run Twistlock Console processes as root (default, twistlock user account)
     # Typically used to run Console on standard (tcp/443) privileged port for TLS
-    RUN_CONSOLE_AS_ROOT=${RUN_CONSOLE_AS_ROOT:-false}
+    RUN_CONSOLE_AS_ROOT={{ .Values.console.runAsRoot }}
 
     #### SELinux configuration ####
     # If SELinux is enabled in dockerd, enable running Twistlock Console and Defender with a dedicated SELinux label
     # See https://docs.docker.com/engine/reference/run/#security-configuration
-    SELINUX_LABEL=disable
+    SELINUX_LABEL={{ .Values.selinuxLabel }}
 
     #### Console cgroup limits ####
     # Controls console container's resource constraints. Set to "true" to run without limits.
     # See https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources
-    DISABLE_CONSOLE_CGROUP_LIMITS=false
+    DISABLE_CONSOLE_CGROUP_LIMITS={{ .Values.console.disableCgroupLimits }}
 
     #############################################
     #      Twistlock repository configuration
     #############################################
     # Sets the version tag of the Twistlock containers
     # Do not modify unless instructed to by Twistlock Support
-    DOCKER_TWISTLOCK_TAG=_22_01_880
+    DOCKER_TWISTLOCK_TAG=_{{ regexReplaceAll "\\." .Values.console.image.tag "_" }}
 metadata:
   name: {{ template "twistlock.name" . }}-console
   namespace: {{ .Release.Namespace }}

chart/templates/console/deployment.yaml

@@ -46,11 +46,11 @@ spec:
           {{- toYaml .Values.resources | nindent 10 }}
         ports:
         - name: mgmt-https
-          containerPort: 8083
+          containerPort: {{ .Values.console.ports.managementHttps }}
         - name: communication
-          containerPort: 8084
+          containerPort: {{ .Values.console.ports.communication }}
         - name: mgmt-http
-          containerPort: 8081
+          containerPort: {{ .Values.console.ports.managementHttp }}
         env:
         - name: HIGH_AVAILABILITY_ENABLED
           value: "false"
@@ -58,14 +58,6 @@ spec:
           value: /data/config/twistlock.cfg
         - name: LOG_PROD
           value: "true"
-        - name: DATA_RECOVERY_ENABLED
-          value: "true"
-        - name: COMMUNICATION_PORT
-          value: "8084"
-        - name: MANAGEMENT_PORT_HTTPS
-          value: "8083"
-        - name: MANAGEMENT_PORT_HTTP
-          value: "8081"
         securityContext:
           readOnlyRootFilesystem: true
         volumeMounts:

chart/templates/console/service.yaml

@@ -7,9 +7,9 @@ metadata:
 spec:
   ports:
   - name: tcp-communication-port
-    port: 8084
+    port: {{ .Values.console.ports.communication }}
   - name: http-management-port-https
-    port: 8083
+    port: {{ .Values.console.ports.managementHttps }}
   - name: http-mgmt-http
-    port: 8081
+    port: {{ .Values.console.ports.managementHttp }}
   selector: {{- include "twistlock-console.selector" . | nindent 4 }}
\ No newline at end of file

chart/templates/console/virtualservice.yaml

@@ -25,6 +25,6 @@ spec:
   - route:
     - destination:
         port:
-          number: 8081
+          number: {{ .Values.console.ports.managementHttp }}
         host: {{ template "twistlock-console.name" . }}.{{ .Release.Namespace }}.svc.cluster.local
 {{- end }}
\ No newline at end of file

chart/templates/init/secret-console.yaml

@@ -6,7 +6,7 @@ metadata:
   labels: {{- include "twistlock-init.labels" . | nindent 4 }}
 stringData:
   TWISTLOCK_CONSOLE_SERVICE: {{ template "twistlock-console.name" . }}
-  TWISTLOCK_CONSOLE_SERVICE_PORT_HTTP_MGMT_HTTP: "8081"
+  TWISTLOCK_CONSOLE_SERVICE_PORT_HTTP_MGMT_HTTP: "{{ .Values.console.ports.managementHttp }}"
   {{- if .Values.console.license }}
   TWISTLOCK_LICENSE: {{ .Values.console.license }}
   {{- end }}

chart/templates/networkpolicies/allow-defender-to-console.yaml

@@ -22,5 +22,5 @@ spec:
       {{- end }}
   {{- end }}
       ports:
-      - port: 8084
+      - port: {{ .Values.console.ports.communication }}
 {{- end }}

chart/templates/networkpolicies/ingress-istio-ingressgateway.yml

@@ -19,8 +19,8 @@ spec:
           matchLabels:
             {{- toYaml .Values.networkPolicies.ingressLabels | nindent 12}}
       ports:
-      - port: 8081 #Default UI console Port
+      - port: {{ .Values.console.ports.managementHttp }} #Default UI console Port
         protocol: TCP
-      - port: 8083 #TLS configured UI console Port
+      - port: {{ .Values.console.ports.managementHttps }} #TLS configured UI console Port
         protocol: TCP
 {{- end }}

chart/templates/networkpolicies/ingress-monitoring.yml

@@ -15,7 +15,7 @@ spec:
           matchLabels:
             app: prometheus
       ports:
-      - port: 8081
+      - port: {{ .Values.console.ports.managementHttp }}
   podSelector:
     matchLabels: {{- include "twistlock-console.selector" . | nindent 6 }}
   policyTypes:

chart/values.yaml

@@ -45,7 +45,17 @@ networkPolicies:
 # NOTE: Only first entry in the list will be used for Defender deployment
 imagePullSecrets: []
 
+# -- Run Twistlock Console and Defender with a dedicated SELinux label. See https://docs.docker.com/engine/reference/run/#security-configuration
+selinuxLabel: disable
+
+# -- systemd configuration
+systemd:  
+  # -- option to install Twistlock as systemd service. true or false
+  enabled: false
+
 console:
+  # -- Enables or Disables data recovery. Values: true or false.
+  dataRecovery: true
   image:
     # -- Full image name for console
     repository: registry1.dso.mil/ironbank/twistlock/console/console
@@ -53,20 +63,35 @@ console:
     tag: 22.06.179
     # -- Pull policy for console image
     imagePullPolicy: IfNotPresent
+  ports:
+    # -- Enables the management HTTP listener.
+    managementHttp: 8081
+    # -- Enables the management HTTPS listener.
+    managementHttps: 8083
+    # -- Sets the port for communication between the Defender(s) and the Console
+    communication: 8084
 
   persistence:
     # -- Size of Twistlock PVC
     size: 100Gi
     # -- Access mode for Twistlock PVC
     accessMode: ReadWriteOnce
+
   # -- Enable syslog audit feature
   # When integrating with BigBang, make sure to include an exception to Gatekeeper and/or Kyverno for Volume Types.
   syslogAuditIntegration:
     enabled: false
 
+  # -- Controls console container's resource constraints. Set to "true" to run without limits.
+  # See https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources
+  disableCgroupLimits: false
+
   # -- The license key to use.  If not specified, the license must be installed manually.
   license: ""
 
+  # -- Run Twistlock Console processes as root (default false, twistlock user account). Values: true or false
+  runAsRoot: false
+
   # -- Required if init is enabled.  Admin account to use for configuration through API.  Will create account if Twistlock is a new install.  Otherwise, an existing account needs to be provided.
   credentials:
     # -- Username of account
@@ -111,6 +136,8 @@ defender:
     repository: registry1.dso.mil/ironbank/twistlock/defender/defender
     # -- Image tag for defender
     tag: 22.06.179
+  # This value should not be modified unless instructed to by Twistlock Support
+  certCn: ""
   # -- Name of cluster
   clusterName: ""
   # -- Collect Deployment and Namespace labels
@@ -119,6 +146,10 @@ defender:
   cri: true
   # -- Path to Docker socket.  Leave blank to use /var/run/docker.sock
   dockerSocket: ""
+  
+  # -- Sets the type of the Docker listener (TCP or NONE)
+  dockerListenerType: ""
+
   # -- Monitor service accounts
   monitorServiceAccounts: true
   # -- Run as privileged.  If `selinux` is `true`, this automatically gets set to `false`
@@ -129,8 +160,10 @@ defender:
     # ca: "" # CA certificate to trust (optional)
     # username: "" # Proxy username (optional)
     # password: "" # Proxy password (optional)
+
   # -- Deploy with SELinux Policy
   selinux: true
+
   # -- Assign globally unique names to hosts
   uniqueHostName: false