v1.1.11 helm updates for supporting hostNetwork + dnsPolicy

Author: cs-pvyas

helm-charts/falcon-image-analyzer/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.10
+version: 1.1.11
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm-charts/falcon-image-analyzer/README.md

@@ -340,6 +340,17 @@ for e.g.  a docker-registry secret can be created as below
 ```
 use the above secret as `"my-app-ns:regcred,my-app-ns:regcred2"`
 
+### PROXY Usage
+If a customer us using proxy settings . Please make sure to add the registry domains ```myreg.some.com``` in the ```NO_PROXY```.
+This is so that the IAR can connect to the registries without proxy and authenticate if needed using secrets provided or download the public free images.
+
+***Note that some registries domains also have other urls based on the auth challange that is sent by the registry service. Please make sure to add those as well to ```NO_PROXY```
+for e.g. for gitlab registries there exists the 
+- registry domain ```my-reg.gitlab.com``` 
+- and the other ```www.gitlab.com```
+
+- The above is very registry provider specific. One needs to ensure nothing ie being blocked by Proxy 
+
 ### Pod Eviction
 If for some reason pod evivictions are observed in the Cluster due to exceeding ephemeral storage
 please set the `priorityClassName`  to `system-node-critical` or `system-cluster-critical` in `config-values.yaml` and update.

helm-charts/falcon-image-analyzer/templates/daemonset.yaml

@@ -104,4 +104,10 @@ spec:
       {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName }}
       {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      dnsPolicy: {{ default "ClusterFirstWithHostNet" .Values.dnsPolicy }}
+      {{- else if .Values.dnsPolicy}}
+      dnsPolicy: {{ .Values.dnsPolicy }}
+      {{- end }}
  {{- end }}

helm-charts/falcon-image-analyzer/templates/deployment.yaml

@@ -115,4 +115,10 @@ spec:
       {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName }}
       {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      dnsPolicy: {{ default "ClusterFirstWithHostNet" .Values.dnsPolicy }}
+      {{- else if .Values.dnsPolicy}}
+      dnsPolicy: {{ .Values.dnsPolicy }}
+      {{- end }}
 {{- end }}

helm-charts/falcon-image-analyzer/values.yaml

@@ -112,6 +112,15 @@ exclusions:
   #    registry: "index.docker.io,my.private.registry,localhost,localhost:1234"
   registry: ""
 
+
+# set this to true will bypass the kubernetes network and use the node/host network. This is needed in some
+# setups where proxy rules are strict and if we IAR to make calls especially for private registry/auth via the host.
+# NOTE That setting this to true will also set the dnsPolicy: "ClusterFirstWithHostNet"
+hostNetwork: false
+
+# Define ImageAnalyzer POD DNS Policy, defaults to "ClusterFirstWithHostNet" when hostNetwork = true
+dnsPolicy:
+
 # Use this param to provide the comma separated registry secrets of the form namsepace1:secretname1,namespace:secret2
 # each secret should be of type docker-registry for each of the private registry that is used.
 # for e.g.  a docker-registry secret can be created as below