feat(base-cluster/tetragon): add tetragon (#1056)

Ref.: #1046
teutonet · Aug 23, 2024 · 9be7543 · 9be7543
1 parent b343ce2
commit 9be7543
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 0 deletions.
diff --git a/charts/base-cluster/templates/tetragon/tetragon.yaml b/charts/base-cluster/templates/tetragon/tetragon.yaml
@@ -0,0 +1,48 @@
+{{- if .Values.tetragon.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: tetragon
+  namespace: kube-system
+  labels: {{- include "common.labels.standard" $ | nindent 4 }}
+    app.kubernetes.io/component: tetragon
+spec:
+  chart:
+    spec: {{- include "base-cluster.helm.chartSpec" (dict "repo" "tetragon" "chart" "tetragon" "context" $) | nindent 6 }}
+  interval: 5m
+  driftDetection:
+    mode: enabled
+  {{- if .Values.monitoring.prometheus.enabled }}
+  dependsOn:
+    - name: kube-prometheus-stack
+      namespace: monitoring
+  {{- end }}
+  values:
+    export:
+      {{- if .Values.global.imageRegistry }}
+      stdout:
+        image:
+          repository: {{ printf "%s/cilium/hubble-export-stdout" .Values.global.imageRegistry }}
+      {{- end }}
+      securityContext:
+        capabilities:
+          drop:
+            - ALL
+    crds:
+      installMethod: helm
+    tetragonOperator:
+      enabled: false
+    tetragon:
+      {{- if .Values.global.imageRegistry }}
+      image:
+        repository: {{ printf "%s/cilium/tetragon" .Values.global.imageRegistry }}
+      {{- end }}
+      enableProcessCred: true
+      enableProcessNs: true
+      {{- if .Values.monitoring.prometheus.enabled }}
+      prometheus:
+        serviceMonitor:
+          enabled: true
+          labelsOverride: {{- toYaml .Values.monitoring.labels | nindent 12 }}
+      {{- end }}
+  {{- end }}
diff --git a/charts/base-cluster/values.schema.json b/charts/base-cluster/values.schema.json
@@ -549,6 +549,15 @@
       },
       "additionalProperties": false
     },
+    "tetragon": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean"
+        }
+      },
+      "additionalProperties": false
+    },
     "monitoring": {
       "type": "object",
       "properties": {

diff --git a/charts/base-cluster/values.yaml b/charts/base-cluster/values.yaml
@@ -141,6 +141,10 @@ global:
         kyverno: 3.x.x
         kyverno-policies: 3.x.x
       condition: "{{ .Values.kyverno.enabled }}"
+    tetragon:
+      url: https://helm.cilium.io
+      charts:
+        tetragon: 1.x.x
     cetic:
       url: https://cetic.github.io/helm-charts
       charts:
@@ -457,3 +461,6 @@ backup:
 
 kube-janitor:
   enabled: false
+
+tetragon:
+  enabled: false