wiz-sec · ofirc-wiz · Nov 17, 2024
diff --git a/wiz-admission-controller/templates/_helpers.tpl b/wiz-admission-controller/templates/_helpers.tpl
@@ -401,11 +401,3 @@ Clean the list of deployments for the auto-update flag, removing quotes and brac
 - name: WIZ_CHART_VERSION
   value: "{{ .Chart.Version}}"
 {{- end -}}
-
-{{- define "wiz-admission-controller.image" -}}
-{{- if .Values.global.isFedRamp -}}
-publicregistryfedrampwizio.azurecr.us/wiz-app/wiz-admission-controller-fips:{{ .Values.image.tag | default .Chart.AppVersion }}
-{{- else -}}
-{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
-{{- end -}}
-{{- end -}}
diff --git a/wiz-admission-controller/templates/deploymentauditlogs.yaml b/wiz-admission-controller/templates/deploymentauditlogs.yaml
@@ -58,7 +58,7 @@ spec:
             {{- else }}
             {{- toYaml .Values.securityContext | nindent 12 }}
             {{- end }}
-          image: {{ include "wiz-admission-controller.image" . }}
+          image: "{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
           - containerPort: {{ .Values.service.targetPort }}

diff --git a/wiz-admission-controller/templates/deploymentenforcement.yaml b/wiz-admission-controller/templates/deploymentenforcement.yaml
@@ -58,7 +58,7 @@ spec:
             {{- else }}
             {{- toYaml .Values.securityContext | nindent 12 }}
             {{- end }}
-          image: {{ include "wiz-admission-controller.image" . }}
+          image: "{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
           - containerPort: {{ .Values.service.targetPort }}

diff --git a/wiz-admission-controller/values.yaml b/wiz-admission-controller/values.yaml
@@ -10,8 +10,7 @@ commonLabels: {} # Labels applied on all the resources (not used for selection)
 wizApiToken:
   clientId: "" # Client ID of the Wiz Service Account.
   clientToken: "" # Client secret of the Wiz Service Account.
-  clientEndpoint: "" # Defaults to commercial.
-                     # If `global.isFedRamp` is `true`, this field gets automatically set to `fedramp`.
+  clientEndpoint: "" # Set to 'gov' or 'fedramp' for gov/fedramp tenants only, otherwise leave blank.
 
   secret:
     # Should a Secret be created by the chart or not.
@@ -54,11 +53,12 @@ podDisruptionBudget:
 
 image:
   registry: wiziopublic.azurecr.io/wiz-app
+  # Use this if you are deploying on federal environments with FIPS endpoints.
+  # repository: wiz-admission-controller-fips
   repository: wiz-admission-controller
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
   tag: ""
-
 imagePullSecrets: [] # Secrets for container image registry keys as described in https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod
 
 priorityClassName: ""
@@ -487,8 +487,7 @@ global:
   wizApiToken:
     clientId: "" 
     clientToken: ""
-    clientEndpoint: "" # Defaults to commercial.
-                       # If `global.isFedRamp` is `true`, this field gets automatically set to `fedramp`.
+    clientEndpoint: "" # Wiz endpoint to connect to (required for gov tenants).
 
     secret:
       # The name of the Wiz Service Account Secret.
@@ -555,6 +554,3 @@ global:
   #
   # lowPrivilegePodSecurityPolicy: {}
   # lowPrivilegeSecurityPolicy: {}
-
-  # Set to true to use FedRamp endpoints and FIPS-compliant images.
-  isFedRamp: false
diff --git a/wiz-broker/templates/_helpers.tpl b/wiz-broker/templates/_helpers.tpl
@@ -103,11 +103,3 @@ Secrets names
 {{- define "wiz-broker.connectorSecretName" -}}
 {{ coalesce (.Values.wizConnector.secretName) (printf "%s-connector" .Release.Name) }}
 {{- end }}
-
-{{- define "wiz-broker.image" -}}
-{{- if .Values.global.isFedRamp -}}
-publicregistryfedrampwizio.azurecr.us/wiz-app/wiz-broker-fips:{{ .Values.image.tag | default .Chart.AppVersion }}
-{{- else -}}
-{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ coalesce .Values.global.image.tag .Values.image.tag | default .Chart.AppVersion }}
-{{- end -}}
-{{- end -}}
diff --git a/wiz-broker/templates/wiz-broker-deployment.yaml b/wiz-broker/templates/wiz-broker-deployment.yaml
@@ -77,7 +77,7 @@ spec:
             {{- else }}
             {{- toYaml .Values.global.securityContext | nindent 12 }}
             {{- end }}
-          image: {{ include "wiz-broker.image" . }}
+          image: "{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ coalesce .Values.global.image.tag .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ coalesce .Values.global.image.pullPolicy .Values.image.pullPolicy }}
           volumeMounts:
           - name: connector-data

diff --git a/wiz-broker/values.yaml b/wiz-broker/values.yaml
@@ -9,6 +9,8 @@ commonLabels: {} # Labels applied on all the resources (not used for selection)
 
 image:
   registry: wiziopublic.azurecr.io/wiz-app
+  # Use this if you are deploying on federal environments with FIPS endpoints.
+  # repository: wiz-broker-fips
   repository: wiz-broker
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
@@ -69,8 +71,7 @@ wizConnector:
 wizApiToken:
   clientId: "" # Client ID of the Wiz Service Account.
   clientToken: "" # Client secret of the Wiz Service Account.
-  clientEndpoint: "" # Defaults to commercial.
-                     # If `global.isFedRamp` is `true`, this field gets automatically set to `fedramp`.
+  clientEndpoint: "" # Set to 'gov' or 'fedramp' for gov/fedramp tenants only, otherwise leave blank.
 
   secret:
     # Should a Secret be created by the chart or not.
@@ -115,6 +116,8 @@ global:
 
   image:
     registry: wiziopublic.azurecr.io/wiz-app
+    # Use this if you are deploying on federal environments with FIPS endpoints.
+    # repository: wiz-broker-fips
     repository: wiz-broker
     pullPolicy: Always  # Always pull the image on every deployment
     # Overrides the image tag whose default is the chart appVersion.
@@ -148,15 +151,11 @@ global:
     runAsUser: 1000
 
   wizApiToken:
-    clientEndpoint: "" # Defaults to commercial.
-                       # If `global.isFedRamp` is `true`, this field gets automatically set to `fedramp`.
+    clientEndpoint: "" # Wiz endpoint to connect to (required for gov tenants).
     secret:
       name: "" # Override with parent secret name
 
   httpProxyConfiguration:
     enabled: false # Should the components use a proxy.
     create: false # Secret created by wiz-broker.
     secretName: "" # The name of the proxy Secret.
-
-  # Set to true to use FedRamp endpoints and FIPS-compliant images.
-  isFedRamp: false
diff --git a/wiz-kubernetes-connector/templates/_helpers.tpl b/wiz-kubernetes-connector/templates/_helpers.tpl
@@ -227,9 +227,5 @@ delete-kubernetes-connector
 {{- end }}
 
 {{- define "wiz-broker.image" -}}
-{{- if .Values.global.isFedRamp -}}
-publicregistryfedrampwizio.azurecr.us/wiz-app/wiz-broker-fips:{{ .Values.image.tag | default .Chart.AppVersion }}
-{{- else -}}
-{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ coalesce .Values.global.image.tag .Values.image.tag | default .Chart.AppVersion }}
-{{- end -}}
+{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
 {{- end -}}
diff --git a/wiz-kubernetes-connector/templates/job-create-connector.yaml b/wiz-kubernetes-connector/templates/job-create-connector.yaml
@@ -78,7 +78,7 @@ spec:
             {{- else }}
             {{- toYaml .Values.global.securityContext | nindent 12 }}
             {{- end }}
-          image: {{ include "wiz-broker.image" . }}
+          image: "{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ coalesce .Values.global.image.pullPolicy .Values.image.pullPolicy }}
           command:
             {{- include "wiz-kubernetes-connector.entrypoint" . | nindent 12 }}

diff --git a/wiz-kubernetes-connector/templates/job-delete-connector.yaml b/wiz-kubernetes-connector/templates/job-delete-connector.yaml
@@ -64,7 +64,7 @@ spec:
             {{- else }}
             {{- toYaml .Values.global.securityContext | nindent 12 }}
             {{- end }}
-          image: {{ include "wiz-broker.image" . }}
+          image: "{{ coalesce .Values.global.image.registry .Values.image.registry }}/{{ coalesce .Values.global.image.repository .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ coalesce .Values.global.image.pullPolicy .Values.image.pullPolicy }}
           command: ["/bin/sh", "-c"]
           args: {{- include "wiz-kubernetes-connector.argsListDeleteConnector" . | nindent 12 }}

diff --git a/wiz-kubernetes-connector/values.yaml b/wiz-kubernetes-connector/values.yaml
@@ -7,6 +7,8 @@ commonLabels: {} # Labels applied on all the resources (not used for selection)
 
 image:
   registry: wiziopublic.azurecr.io/wiz-app
+  # Use this if you are deploying on federal environments with FIPS endpoints.
+  # repository: wiz-broker-fips
   repository: wiz-broker
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
@@ -76,8 +78,7 @@ autoCreateConnector:
 wizApiToken:
   clientId: "" # Client ID of the Wiz Service Account.
   clientToken: "" # Client secret of the Wiz Service Account.
-  clientEndpoint: "" # Defaults to commercial.
-                     # If `global.isFedRamp` is `true`, this field gets automatically set to `fedramp`.
+  clientEndpoint: "" # Set to 'gov' or 'fedramp' for gov/fedramp tenants only, otherwise leave blank.
 
   secret:
     # Should a Secret be created by the chart or not.
@@ -130,8 +131,7 @@ wiz-broker:
   customVolumeMounts: [] # Additional volume mounts to add to the components Pods
 
   wizApiToken:
-    clientEndpoint: "" # Defaults to commercial.
-                       # If `global.isFedRamp` is `true`, this field gets automatically set to `fedramp`.
+    clientEndpoint: "" # Wiz endpoint to connect to (required for gov tenants).
     secret:
       create: false # Secret created by wiz-kubernetes-connector.
     secretName: ""
@@ -181,6 +181,8 @@ httpProxyConfiguration:
 global:
   image:
     registry: wiziopublic.azurecr.io/wiz-app
+    # Use this if you are deploying on federal environments with FIPS endpoints.
+    # repository: wiz-broker-fips
     repository: wiz-broker
     pullPolicy: Always
     # Overrides the image tag whose default is the chart appVersion.
@@ -234,15 +236,11 @@ global:
     allowPrivilegeEscalation: false
 
   wizApiToken:
-    clientEndpoint: "" # Defaults to commercial.
-                       # If `global.isFedRamp` is `true`, this field gets automatically set to `fedramp`.
+    clientEndpoint: "" # Wiz endpoint to connect to (required for gov tenants).
     secret:
       name: "" # Override with parent secret name
 
   httpProxyConfiguration:
     enabled: false # Should the components use a proxy.
     create: false # Secret created by wiz-kubernetes-connector.
     secretName: "" # The name of the proxy Secret.
-
-  # Set to true to use FedRamp endpoints and FIPS-compliant images.
-  isFedRamp: false
diff --git a/wiz-kubernetes-integration/values.yaml b/wiz-kubernetes-integration/values.yaml
@@ -10,8 +10,7 @@ global:
   wizApiToken:
     clientId: "" # Client ID of the Wiz Service Account.
     clientToken: "" # Client secret of the Wiz Service Account.
-    clientEndpoint: "" # Defaults to commercial.
-                       # If `global.isFedRamp` is `true`, this field gets automatically set to `fedramp`.
+    clientEndpoint: "" # Set to 'gov' or 'fedramp' for gov/fedramp tenants only, otherwise leave blank.
 
     secret:
       # Should a Secret be created by the chart or not.
@@ -77,9 +76,6 @@ global:
   # lowPrivilegePodSecurityPolicy: {}
   # lowPrivilegeSecurityPolicy: {}
 
-  # Set to true to use FedRamp endpoints and FIPS-compliant images.
-  isFedRamp: false
-
 # Wiz Kubernetes Connector
 # Configuration values for the wiz-kubernetes-connector dependency
 # ref: https://github.com/wiz-sec/charts/blob/master/wiz-kubernetes-connector/values.yaml