Merge remote-tracking branch 'origin/main' into APL-940

Author: svcAPLBot

.github/templates/wiz-admission-control.yaml

@@ -0,0 +1,14 @@
+wizApiToken:
+  clientId: "__WIZ_CLIENT_ID__"
+  clientToken: "__WIZ_CLIENT_TOKEN__"
+  clientEndpoint: ""
+wiz-kubernetes-connector:
+  enabled: true
+autoCreateConnector:
+  connectorName: "<connectorName>"
+webhook:
+  clusterExternalId: "<clusterExternalId>"
+wiz-admission-controller:
+  enabled: true
+kubernetesAuditLogsWebhook:
+  enabled: true

.github/templates/wiz-kubernetes-integration.yaml

@@ -0,0 +1,30 @@
+global:
+  wizApiToken:
+    clientId: "__WIZ_CLIENT_ID__"
+    clientToken: "__WIZ_CLIENT_TOKEN__"
+    clientEndpoint: ""
+
+wiz-kubernetes-connector:
+  enabled: true
+  autoCreateConnector:
+    connectorName: "<connectorName>"
+    clusterExternalId: "<clusterExternalId>"
+  wiz-broker:
+    enabled: true
+
+wiz-sensor:
+  enabled: true
+  imagePullSecret:
+    create: false
+    name: "sensor-image-pull"
+
+wiz-admission-controller:
+  enabled: true
+  kubernetesAuditLogsWebhook:
+    enabled: true
+  opaWebhook:
+    enabled: true
+  imageIntegrityWebhook:
+    enabled: false
+    policies:
+      - my-image-trust-policy

.github/workflows/integration.yml

@@ -253,6 +253,48 @@ jobs:
             sleep 10
           done
           echo LINODE_CLUSTER_CONTEXT=`kubectl config current-context` >> $GITHUB_ENV
+      - name: Set up Wiz
+        if: ${{ inputs.install_profile != 'no-apl' }}
+        run: |
+
+          # Use cluster information from environment variables
+          CLUSTER_NAME="${{ env.LINODE_CLUSTER_NAME }}"
+          CLUSTER_ID="${{ env.LINODE_CLUSTER_ID }}"
+
+          echo "Setting up Wiz for cluster: $CLUSTER_NAME (ID: $CLUSTER_ID)"
+
+          # Create YAML configuration files from templates
+          KUB_INTEGRATION_PATH="./${CLUSTER_NAME}_kub_integration.yaml"
+          ADMISSION_PATH="./${CLUSTER_NAME}_admission_control.yaml"
+
+          sed "s/__WIZ_CLIENT_ID__/${{ secrets.WIZ_CLIENT_ID }}/g; s/__WIZ_CLIENT_TOKEN__/${{ secrets.WIZ_CLIENT_TOKEN }}/g; s/<connectorName>/${CLUSTER_NAME}/g; s/<clusterExternalId>/${CLUSTER_ID}/g" .github/templates/wiz-kubernetes-integration.yaml > "$KUB_INTEGRATION_PATH"
+          sed "s/__WIZ_CLIENT_ID__/${{ secrets.WIZ_CLIENT_ID }}/g; s/__WIZ_CLIENT_TOKEN__/${{ secrets.WIZ_CLIENT_TOKEN }}/g; s/<connectorName>/${CLUSTER_NAME}/g; s/<clusterExternalId>/${CLUSTER_ID}/g" .github/templates/wiz-admission-control.yaml > "$ADMISSION_PATH"
+
+          # Verify cluster connectivity
+          echo "Verifying cluster connectivity..."
+          kubectl get nodes
+
+          # Add Helm repo for Wiz
+          helm repo add wiz-sec https://charts.wiz.io/
+          helm repo update
+
+          # Create namespace if not exists
+          kubectl create namespace wiz --dry-run=client -o yaml | kubectl apply -f -
+
+          # Set release name
+          RELEASE_NAME="wiz-${CLUSTER_NAME//_/-}"
+          RELEASE_NAME="${RELEASE_NAME,,}"  # Convert to lowercase
+          NAMESPACE="wiz"
+
+          # Install Wiz components
+          echo "🚀 Installing Wiz Kubernetes Integration..."
+          helm install "$RELEASE_NAME" wiz-sec/wiz-kubernetes-integration --values "$KUB_INTEGRATION_PATH" -n "$NAMESPACE"
+
+          echo "🚀 Installing Wiz Admission Controller..."
+          helm install wiz-lke-ac wiz-sec/wiz-admission-controller --values "$ADMISSION_PATH" -n "$NAMESPACE" --wait
+
+          echo "✅ Wiz deployment for cluster $CLUSTER_NAME completed."
+
       - name: Create image pull secret on test cluster
         if: ${{ inputs.install_profile != 'no-apl' }}
         run: |

.values/.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+indent_style = space
+indent_size = 2
+
+[*.md]
+trim_trailing_whitespace = false
+
+[env/**.{yaml,yaml.dec}]
+indent_size = 4

src/cmd/apply-as-apps.ts

@@ -92,27 +92,24 @@ const getArgocdAppManifest = (release: HelmRelease, values: Record<string, any>,
 const setFinalizers = async (name: string) => {
   d.info(`Setting finalizers for ${name}`)
   const resPatch =
-    await $`kubectl -n argocd patch application ${name} -p '{"metadata": {"finalizers": ["resources-finalizer.argocd.argoproj.io"]}}' --type merge`
+    await $`kubectl -n argocd patch applications.argoproj.io ${name} -p '{"metadata": {"finalizers": ["resources-finalizer.argocd.argoproj.io"]}}' --type merge`
   if (resPatch.exitCode !== 0) {
     throw new Error(`Failed to set finalizers for ${name}: ${resPatch.stderr}`)
   }
 }
 
 const getFinalizers = async (name: string): Promise<string[]> => {
-  const res = await $`kubectl -n argocd get application ${name} -o jsonpath='{.metadata.finalizers}'`
+  const res = await $`kubectl -n argocd get applications.argoproj.io ${name} -o jsonpath='{.metadata.finalizers}'`
   return res.stdout ? JSON.parse(res.stdout) : []
 }
 
-const removeApplication = async (release: HelmRelease): Promise<void> => {
-  const name = getAppName(release)
-  if (!(await isResourcePresent('application', name, 'argocd'))) return
-
+const removeApplication = async (name: string): Promise<void> => {
   try {
     const finalizers = await getFinalizers(name)
     if (!finalizers.includes('resources-finalizer.argocd.argoproj.io')) {
       await setFinalizers(name)
     }
-    const resDelete = await $`kubectl -n argocd delete application ${name}`
+    const resDelete = await $`kubectl -n argocd delete applications.argoproj.io ${name}`
     d.info(resDelete.stdout.toString().trim())
   } catch (e) {
     d.error(`Failed to delete application ${name}: ${e.message}`)
@@ -149,6 +146,11 @@ async function patchArgocdResources(release: HelmRelease, values: Record<string,
   }
 }
 
+const getApplications = async (): Promise<string[]> => {
+  const res = await $`kubectl get application.argoproj.io -n argocd -oname`
+  return res.stdout.split('\n')
+}
+
 const writeApplicationManifest = async (release: HelmRelease, otomiVersion: string): Promise<void> => {
   const appName = `${release.namespace}-${release.name}`
   const applicationPath = `${appsDir}/${appName}.yaml`
@@ -186,6 +188,7 @@ export const applyAsApps = async (argv: HelmArguments): Promise<void> => {
   const errors: Array<any> = []
   // Generate JSON object with all helmfile releases defined in helmfile.d
   const releases: [] = JSON.parse(res.stdout.toString())
+  const currentApplications = await getApplications()
   await Promise.allSettled(
     releases.map(async (release: HelmRelease) => {
       try {
@@ -197,7 +200,11 @@ export const applyAsApps = async (argv: HelmArguments): Promise<void> => {
 
         if (release.installed) await writeApplicationManifest(release, otomiVersion)
         else {
-          await removeApplication(release)
+          const appName = getAppName(release)
+          const resourceName = `application.argoproj.io/${appName}`
+          if (currentApplications.includes(resourceName)) {
+            await removeApplication(appName)
+          }
         }
       } catch (e) {
         errors.push(e)

src/cmd/bootstrap.ts

@@ -256,7 +256,7 @@ export const copyBasicFiles = async (
 
   // force copy all these
   await Promise.allSettled(
-    ['.gitignore', '.prettierrc.yml', 'README.md'].map(async (val) =>
+    ['.editorconfig', '.gitignore', '.prettierrc.yml', 'README.md'].map(async (val) =>
       deps.copyFile(`${rootDir}/.values/${val}`, `${ENV_DIR}/${val}`),
     ),
   )

src/server.ts

@@ -8,6 +8,7 @@ import { hfValues } from './common/hf'
 import { setValuesFile, unsetValuesFile } from './common/repo'
 import { loadYaml, rootDir } from './common/utils'
 import { objectToYaml } from './common/values'
+import { copyFile } from 'fs/promises'
 
 const d = terminal('server')
 const app = express()
@@ -42,6 +43,8 @@ app.get('/prepare', async (req: Request, res: Response): Promise<void> => {
   const { envDir, files } = req.query as QueryParams
   try {
     d.log('Request to prepare values repo on', envDir)
+    const file = '.editorconfig'
+    await copyFile(`${rootDir}/.values/${file}`, `${envDir}/${file}`)
     await bootstrapSops(envDir)
     await setValuesFile(envDir)
     // Encrypt ensures that a brand new secret file is encrypted in place