cilium · lambdanis · Nov 30, 2023 · Nov 29, 2023 · Nov 29, 2023 · Nov 29, 2023
@@ -53,8 +53,10 @@ To use [the values available](#values), with `helm install` or `helm upgrade`, u
 | imagePullSecrets | list | `[]` |  |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
+| podLabels | object | `{}` |  |
 | podLabelsOverride | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
+| priorityClassName | string | `""` |  |
 | selectorLabelsOverride | object | `{}` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
@@ -64,9 +66,9 @@ To use [the values available](#values), with `helm install` or `helm upgrade`, u
 | tetragon.btf | string | `""` |  |
 | tetragon.commandOverride | list | `[]` |  |
 | tetragon.enableK8sAPI | bool | `true` |  |
-| tetragon.enableMsgHandlingLatency | bool | `false` |  |
-| tetragon.enablePolicyFilter | bool | `true` |  |
-| tetragon.enablePolicyFilterDebug | bool | `false` |  |
+| tetragon.enableMsgHandlingLatency | bool | `false` | Enable latency monitoring in message handling |
+| tetragon.enablePolicyFilter | bool | `true` | Enable policy filter. This is required for K8s namespace and pod-label filtering. |
+| tetragon.enablePolicyFilterDebug | bool | `false` | Enable policy filter debug messages. |
 | tetragon.enableProcessCred | bool | `false` |  |
 | tetragon.enableProcessNs | bool | `false` |  |
 | tetragon.enabled | bool | `true` |  |
@@ -95,12 +97,12 @@ To use [the values available](#values), with `helm install` or `helm upgrade`, u
 | tetragon.prometheus.enabled | bool | `true` | Whether to enable exposing Tetragon metrics. |
 | tetragon.prometheus.metricsLabelFilter | string | `"namespace,workload,pod,binary"` | The labels to include with supporting metrics. The possible values are "namespace", "workload", "pod" and "binary". |
 | tetragon.prometheus.port | int | `2112` | The port at which to expose metrics. |
-| tetragon.prometheus.serviceMonitor.enabled | bool | `false` | Whether to create a 'ServiceMonitor' resource targeting the 'tetragon' pods. |
+| tetragon.prometheus.serviceMonitor.enabled | bool | `false` | Whether to create a 'ServiceMonitor' resource targeting the tetragon pods. |
 | tetragon.prometheus.serviceMonitor.labelsOverride | object | `{}` | The set of labels to place on the 'ServiceMonitor' resource. |
 | tetragon.prometheus.serviceMonitor.scrapeInterval | string | `"10s"` | Interval at which metrics should be scraped. If not specified, Prometheus' global scrape interval is used. |
 | tetragon.resources | object | `{}` |  |
 | tetragon.securityContext.privileged | bool | `true` |  |
-| tetragonOperator.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","suffix":"","tag":"v1.0.0"}` | tetragon-operator image. |
+| tetragonOperator.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","tag":"v1.0.0"}` | tetragon-operator image. |
 | tetragonOperator.podInfo.enabled | bool | `false` | Enables the PodInfo CRD and the controller that reconciles PodInfo custom resources. |
 | tetragonOperator.skipCRDCreation | bool | `false` |  |
 | tolerations[0].operator | string | `"Exists"` |  |

@@ -4,6 +4,7 @@
 .DS_Store
 # Common VCS dirs
 .git/
+.github/
 .gitignore
 .bzr/
 .bzrignore

@@ -1,18 +1,7 @@
 apiVersion: v2
 name: tetragon
 description: Helm chart for Tetragon
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
 version: 1.0.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

@@ -36,8 +36,10 @@ Helm chart for Tetragon
 | imagePullSecrets | list | `[]` |  |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
+| podLabels | object | `{}` |  |
 | podLabelsOverride | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
+| priorityClassName | string | `""` |  |
 | selectorLabelsOverride | object | `{}` |  |
 | serviceAccount.annotations | object | `{}` |  |
 | serviceAccount.create | bool | `true` |  |
@@ -47,9 +49,9 @@ Helm chart for Tetragon
 | tetragon.btf | string | `""` |  |
 | tetragon.commandOverride | list | `[]` |  |
 | tetragon.enableK8sAPI | bool | `true` |  |
-| tetragon.enableMsgHandlingLatency | bool | `false` |  |
-| tetragon.enablePolicyFilter | bool | `true` |  |
-| tetragon.enablePolicyFilterDebug | bool | `false` |  |
+| tetragon.enableMsgHandlingLatency | bool | `false` | Enable latency monitoring in message handling |
+| tetragon.enablePolicyFilter | bool | `true` | Enable policy filter. This is required for K8s namespace and pod-label filtering. |
+| tetragon.enablePolicyFilterDebug | bool | `false` | Enable policy filter debug messages. |
 | tetragon.enableProcessCred | bool | `false` |  |
 | tetragon.enableProcessNs | bool | `false` |  |
 | tetragon.enabled | bool | `true` |  |
@@ -78,12 +80,12 @@ Helm chart for Tetragon
 | tetragon.prometheus.enabled | bool | `true` | Whether to enable exposing Tetragon metrics. |
 | tetragon.prometheus.metricsLabelFilter | string | `"namespace,workload,pod,binary"` | The labels to include with supporting metrics. The possible values are "namespace", "workload", "pod" and "binary". |
 | tetragon.prometheus.port | int | `2112` | The port at which to expose metrics. |
-| tetragon.prometheus.serviceMonitor.enabled | bool | `false` | Whether to create a 'ServiceMonitor' resource targeting the 'tetragon' pods. |
+| tetragon.prometheus.serviceMonitor.enabled | bool | `false` | Whether to create a 'ServiceMonitor' resource targeting the tetragon pods. |
 | tetragon.prometheus.serviceMonitor.labelsOverride | object | `{}` | The set of labels to place on the 'ServiceMonitor' resource. |
 | tetragon.prometheus.serviceMonitor.scrapeInterval | string | `"10s"` | Interval at which metrics should be scraped. If not specified, Prometheus' global scrape interval is used. |
 | tetragon.resources | object | `{}` |  |
 | tetragon.securityContext.privileged | bool | `true` |  |
-| tetragonOperator.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","suffix":"","tag":"v1.0.0"}` | tetragon-operator image. |
+| tetragonOperator.image | object | `{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","tag":"v1.0.0"}` | tetragon-operator image. |
 | tetragonOperator.podInfo.enabled | bool | `false` | Enables the PodInfo CRD and the controller that reconciles PodInfo custom resources. |
 | tetragonOperator.skipCRDCreation | bool | `false` |  |
 | tolerations[0].operator | string | `"Exists"` |  |

@@ -2,6 +2,7 @@
 - name: {{include "container.export.stdout.name" .}}
   image: "{{ if .Values.export.stdout.image.override }}{{ .Values.export.stdout.image.override }}{{ else }}{{ .Values.export.stdout.image.repository }}:{{ .Values.export.stdout.image.tag }}{{ end }}"
   imagePullPolicy: {{ .Values.imagePullPolicy }}
+  terminationMessagePolicy: FallbackToLogsOnError
   env: {{- toYaml .Values.export.stdout.extraEnv | nindent 4 }}
   securityContext:
     {{- toYaml .Values.export.securityContext | nindent 4 }}

@@ -4,6 +4,7 @@
     {{- toYaml .Values.tetragon.securityContext | nindent 4 }}
   image: "{{ if .Values.tetragon.image.override }}{{ .Values.tetragon.image.override }}{{ else }}{{ .Values.tetragon.image.repository }}:{{ .Values.tetragon.image.tag | default .Chart.AppVersion }}{{ end }}"
   imagePullPolicy: {{ .Values.imagePullPolicy }}
+  terminationMessagePolicy: FallbackToLogsOnError
 {{- with .Values.tetragon.commandOverride }}
   command:
   {{- toYaml . | nindent 2 }}

@@ -14,11 +14,17 @@ Common labels
 {{- define "tetragon.labels" -}}
 helm.sh/chart: {{ include "tetragon.chart" . }}
 {{ include "tetragon.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{- define "tetragon-operator.labels" -}}
 helm.sh/chart: {{ include "tetragon-operator.chart" . }}
 {{ include "tetragon-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 

@@ -18,6 +18,7 @@ rules:
   - apiGroups:
       - cilium.io
     resources:
+      - podinfo
       - tracingpolicies
       - tracingpoliciesnamespaced
     verbs:

@@ -34,7 +34,13 @@ spec:
       {{- else }}
         {{- include "tetragon.labels" . | nindent 8 }}
       {{- end }}
+      {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
     spec:
+      {{- with .Values.priorityClassName }}
+      priorityClassName: "{{ . }}"
+      {{- end }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}

@@ -22,7 +22,7 @@ spec:
         args:
           - serve
           - --config-dir=/etc/tetragon/operator.conf.d/
-        image: "{{ if .Values.tetragonOperator.image.override }}{{ .Values.tetragonOperator.image.override }}{{ else }}{{ .Values.tetragonOperator.image.repository }}{{ .Values.tetragonOperator.image.suffix }}:{{ .Values.tetragonOperator.image.tag }}{{ end }}"
+        image: "{{ if .Values.tetragonOperator.image.override }}{{ .Values.tetragonOperator.image.override }}{{ else }}{{ .Values.tetragonOperator.image.repository }}:{{ .Values.tetragonOperator.image.tag }}{{ end }}"
         imagePullPolicy: {{ .Values.tetragonOperator.image.pullPolicy }}
         volumeMounts:
           - mountPath: /etc/tetragon/operator.conf.d/

@@ -9,7 +9,7 @@ metadata:
     {{- else }}
     {{- include "tetragon.labels" . | nindent 4 }}
     {{- end }}
-  name: tetragon
+  name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
 spec:
   endpoints:

@@ -1,5 +1,6 @@
 enabled: true
 imagePullPolicy: IfNotPresent
+priorityClassName: ""
 imagePullSecrets: []
 serviceAccount:
   create: true
@@ -16,6 +17,7 @@ extraConfigmapMounts: []
 daemonSetAnnotations: {}
 extraVolumes: []
 updateStrategy: {}
+podLabels: {}
 daemonSetLabelsOverride: {}
 selectorLabelsOverride: {}
 podLabelsOverride: {}
@@ -33,7 +35,7 @@ serviceLabelsOverride: {}
 #
 # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
 dnsPolicy: Default
-# exportDirectory specifies directory to put Hubble and FGS JSON export files.
+# exportDirectory specifies directory to put Tetragon JSON export files.
 exportDirectory: "/var/run/cilium/tetragon"
 # exportFileRotationInterval specifies file creation interval for hubble-export-s3.
 exportFileCreationInterval: "120s"
@@ -59,12 +61,12 @@ tetragon:
   extraVolumeMounts: []
   securityContext:
     privileged: true
-  # Tetragon puts processes in an LRU cache. The cache is used to find ancestors for subsequently exec'ed
-  # processes.
+  # Tetragon puts processes in an LRU cache. The cache is used to find ancestors
+  # for subsequently exec'ed processes.
   processCacheSize: 65536
   # JSON export filename. Set it to an empty string to disable JSON export altogether.
   exportFilename: tetragon.log
-  # JSON export file permissions as a string
+  # JSON export file permissions as a string. Set it to "600" to restrict access to owner.
   exportFilePerm: "600"
   # Size in megabytes at which to rotate JSON export files.
   exportFileMaxSizeMB: 10
@@ -130,7 +132,7 @@ tetragon:
     # The possible values are "namespace", "workload", "pod" and "binary".
     metricsLabelFilter: "namespace,workload,pod,binary"
     serviceMonitor:
-      # -- Whether to create a 'ServiceMonitor' resource targeting the 'tetragon' pods.
+      # -- Whether to create a 'ServiceMonitor' resource targeting the tetragon pods.
       enabled: false
       # -- The set of labels to place on the 'ServiceMonitor' resource.
       labelsOverride: {}
@@ -146,11 +148,11 @@ tetragon:
     address: "localhost"
     # -- The port at which to expose gops.
     port: 8118
-  # Enable policy filter. This is required for K8s namespace filtering and pod label filters.
+  # -- Enable policy filter. This is required for K8s namespace and pod-label filtering.
   enablePolicyFilter: True
-  # Enable policy filter debug messages.
+  # -- Enable policy filter debug messages.
   enablePolicyFilterDebug: false
-  # Enable latency monitoring in message handling
+  # -- Enable latency monitoring in message handling
   enableMsgHandlingLatency: false
   # -- Location of the host proc filesystem in the runtime environment. If the runtime runs in the
   # host, the path is /proc. Exceptions to this are environments like kind, where the runtime itself
@@ -162,8 +164,6 @@ tetragonOperator:
     override: ~
     repository: quay.io/cilium/tetragon-operator
     tag: v1.0.0
-    # tetragon-operator image-digest
-    suffix: ""
     pullPolicy: IfNotPresent
   # Skip CRD creation.
   skipCRDCreation: false