Merge branch 'main' into gmudumbai/sdo-2649-k8s-optimizer

# Conflicts:
#	README.md
#	charts/cloudhealth-collector/Chart.yaml
#	charts/cloudhealth-collector/templates/clusterrole.yaml
#	charts/cloudhealth-collector/templates/secrets.yaml

Author: gm-cht

CODEOWNERS

@@ -1 +1 @@
-* @CloudHealth/team-cheapsk8s @Cloudhealth/team-sudo
+* @Cloudhealth/team-sudo

README.md

@@ -25,18 +25,18 @@ Use the helm chart to deploy the CloudHealth Collector into each [Kubernetes](ht
 
 ## Installing the Collector Chart
 
-To install the chart with the release name `cloudhealth-collector` in the `default` namespace, run the following commands:
+To install the chart with the release name `cloudhealth-collector` in a particular namespace `<target_namespace>` (create if it does not exist), run the following commands:
 
 ```console
 $ helm repo add cloudhealth https://cloudhealth.github.io/helm/
-$ helm install cloudhealth-collector --set apiToken=<Unique Customer API Token>,clusterName=<Cluster Name>,chtEndpointPrefix=<Cloudhealth Endpoint Prefix> cloudhealth/cloudhealth-collector
+$ helm install cloudhealth-collector -n <target_namespace> --create-namespace --set apiToken=<Unique Customer API Token>,clusterName=<Cluster Name>,chtEndpointPrefix=<Cloudhealth Endpoint Prefix> cloudhealth/cloudhealth-collector --debug
 ```
 
-To install the chart with the release name `cloudhealth-collector` in a specified namespace `<target_namespace>`, run the following commands:
+To install the chart with the release name `cloudhealth-collector` in `default` namespace, run the following command:
 
 ```console
 $ helm repo add cloudhealth https://cloudhealth.github.io/helm/
-$ helm install cloudhealth-collector -n <target_namespace> --set apiToken=<Unique Customer API Token>,clusterName=<Cluster Name>,chtEndpointPrefix=<Cloudhealth Endpoint Prefix> cloudhealth/cloudhealth-collector
+$ helm install cloudhealth-collector --set apiToken=<Unique Customer API Token>,clusterName=<Cluster Name>,chtEndpointPrefix=<Cloudhealth Endpoint Prefix> cloudhealth/cloudhealth-collector
 ```
 
 The `apiToken` is required for `cloudhealth-collector` to work and should be either set while running helm install command as in the example above or in a secret object with the following data structure:

charts/cloudhealth-collector/Chart.yaml

@@ -5,8 +5,8 @@ apiVersion: v2
 name: cloudhealth-collector
 description: A Helm chart for CloudHealth's Kubernetes Collector and Optimizer Agent
 type: application
-version: 5.9.0-beta
-appVersion: "5.4.0"
+version: 5.9.1-beta
+appVersion: "7.0.0"
 dependencies:
   - name: k8s-optimization
     repository: oci://projects.registry.vmware.com/kubernetes-optimization

charts/cloudhealth-collector/templates/clusterrole.yaml

@@ -11,7 +11,7 @@ metadata:
     {{- include "cloudhealth-collector.labels" . | nindent 4 }}
 rules:
 - apiGroups: [""]
-  resources: ["pods", "nodes", "namespaces", "services", "resourcequotas", "limitranges"]
+  resources: ["pods", "nodes", "namespaces", "services", "resourcequotas", "limitranges", "persistentvolumes", "persistentvolumeclaims"]
   verbs: ["get", "list"]
 - apiGroups: ["metrics.k8s.io"]
   resources: ["pods", "nodes"]
@@ -22,6 +22,9 @@ rules:
 - apiGroups: ["batch"]
   resources: ["cronjobs", "jobs"]
   verbs: ["get", "list"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["get", "list"]
 {{- if .Values.optimizer.enabled }}
 - apiGroups: ["cloudhealth.containers.com"]
   resources: ["rz-recommendation-settings"]

charts/cloudhealth-collector/templates/deployment.yaml

@@ -32,6 +32,26 @@ spec:
       securityContext: {{- toYaml . | nindent 8 }}
       {{- end }}
       priorityClassName: {{ .Values.priorityClassName }}
+      {{- if .Values.proxy.sslCert }}
+      initContainers:
+        - name: "{{ .Chart.Name }}-pem-to-truststore"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          env:
+            - name: ca_bundle
+              value: {{ .Values.proxy.caBundlePath }}
+            - name: truststore_jks
+              value: {{ .Values.proxy.truststorePath }}
+            - name: truststore_pwd
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "cloudhealth-collector.secretName" . }}
+                  key: certPassword    
+          command: ['/bin/bash']
+          args: ['-c', "csplit -z -f crt- $ca_bundle '/-----BEGIN CERTIFICATE-----/' '{*}' && for file in crt-*; do keytool -import -noprompt -keystore $truststore_jks -file $file -storepass $truststore_pwd -alias service-$file; done"]
+          volumeMounts:
+            - name: truststore-volume
+              mountPath: /etc/ssl/certs 
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default "latest" }}"
@@ -69,6 +89,10 @@ spec:
               value: {{ .Values.collectionIntervalSecs | quote }}
             - name: CHT_JVM_MEM
               value: {{ .Values.jvmMemory }}
+            {{- if .Values.proxy.sslCert }}
+            - name: JAVA_OPTS
+              value: {{ .Values.proxy.params }}
+            {{- end }}
             {{- range .Values.customEnvVars}}
             - name: {{ .name }}
               value: {{ .value }}
@@ -101,4 +125,8 @@ spec:
       volumes:
         - name: tmpfs
           emptyDir: {}
+        {{- if .Values.proxy.sslCert }}
+        - name: truststore-volume
+          emptyDir: {}
+        {{- end }}
       {{- end }}

charts/cloudhealth-collector/templates/secrets.yaml

@@ -13,6 +13,9 @@ metadata:
 type: Opaque
 data:
   apiToken:  {{ .Values.apiToken | b64enc | quote }}
+  {{- if .Values.proxy.sslCert }}
+  certPassword:  {{ .Values.proxy.certPassword | quote }}
+  {{- end }}
   {{- if .Values.optimizer.enabled }}
   chapiKey:  {{ .Values.optimizer.chapiKey | b64enc | quote }}
   {{- end }}

charts/cloudhealth-collector/values.yaml

@@ -27,7 +27,7 @@ jvmMemory: "-Xmx891M"
 
 image:
   repository: cloudhealth/container-collector
-  tag: "1423"
+  tag: "1458"
 
 imagePullSecrets: []
 nameOverride: ""
@@ -64,6 +64,14 @@ containerSecurityContext:
   capabilities: 
     drop: [all]
 
+proxy:
+  sslCert: false
+  #-Dhttps.proxyHost=$PROXY_SERVER -Dhttps.proxyPort=$PROXY_PORT -Dhttps.nonProxyHosts=kubernetes.default.svc -Djavax.net.ssl.trustStore=/etc/ssl/certs/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit
+  params: ""
+  certPassword: ""
+  caBundlePath: "/etc/ssl/certs/bundle.pem"
+  truststorePath: "/etc/ssl/certs/truststore.jks"
+
 resources:
   limits:
     cpu: 1000m

cloudhealth-collector-image-docs/CHANGELOG.md

@@ -5,11 +5,39 @@ All notable changes for each upgraded tag of the CloudHealth Container Collector
 The agent has been verified against:
 
 [Kubernetes Versions ≥ 1.12](https://kubernetes.io/releases/)</br>
-[Kubernetes Versions ≤ 1.26](https://kubernetes.io/releases/)</br>
+[Kubernetes Versions ≤ 1.29](https://kubernetes.io/releases/)</br>
 [OC Version ≥ 4.1](https://docs.openshift.com/container-platform)
 
 All versions before June 20, 2022 have been deprecated.
 
+## [1458] - 2024-03-11
+
+### Added
+
+* PersistentVolumes, PersistentVolumeClaims, Ingress and Service collected to prepare for comprehensive Kubernetes Cost Calculation
+
+### Security
+
+* Vulnerabilities patched:
+  * [CVE-2023-0767](https://avd.aquasec.com/nvd/cve-2023-0767)
+  * [CVE-2023-3320](https://avd.aquasec.com/nvd/cve-2023-3320)
+  * [CVE-2023-4641](https://avd.aquasec.com/nvd/cve-2023-4641)
+  * [CVE-2023-5981](https://avd.aquasec.com/nvd/cve-2023-5981)
+  * [CVE-2023-6246](https://avd.aquasec.com/nvd/cve-2023-6246)
+  * [CVE-2023-6779](https://avd.aquasec.com/nvd/cve-2023-6779)
+  * [CVE-2023-6780](https://avd.aquasec.com/nvd/cve-2023-6780)
+  * [CVE-2023-7104](https://avd.aquasec.com/nvd/cve-2023-7104)
+  * [CVE-2023-29383](https://avd.aquasec.com/nvd/cve-2023-29383)
+  * [CVE-2023-33201](https://avd.aquasec.com/nvd/cve-2023-33201)
+  * [CVE-2023-33202](https://avd.aquasec.com/nvd/cve-2023-33202)
+  * [CVE-2023-48795](https://avd.aquasec.com/nvd/cve-2023-48795)
+  * [CVE-2023-52425](https://avd.aquasec.com/nvd/cve-2023-52425)
+  * [CVE-2023-52426](https://avd.aquasec.com/nvd/cve-2023-52426)
+  * [CVE-2024-0553](https://avd.aquasec.com/nvd/cve-2024-0553)
+  * [CVE-2024-0567](https://avd.aquasec.com/nvd/cve-2024-0567)
+  * [CVE-2024-0727](https://avd.aquasec.com/nvd/cve-2024-0727)
+  * [CVE-2024-22365](https://avd.aquasec.com/nvd/cve-2024-22365)
+
 ## [1423] - 2023-12-14
 
 ### Added