helm: add support for cgidmap

This patch adds help support for using cgidmap, which was introduced in
PR 2776 (e.g., see 0227f5d).

cgidmap depends on cri, so this patch also adds helm support for CRI.

For example:

```
rthooks:
  enabled: true
  interface: "oci-hooks"
tetragon:
  cri:
   enabled: true
   socketHostPath: "/var/run/crio/crio.sock"
  cgidmap:
   enabled: true
```

Tested with the following zsh script

```
htt="helm template tetragon"
hr="./install/kubernetes/tetragon"

green='\033[0;32m'
clear='\033[0m'

printf '%.s─' $(seq 1 $(tput cols))
echo "${green}Enabling cgidmap:${clear}"
diff -u =(eval $htt $hr) =(eval $htt --set tetragon.cgidmap.enabled=true $hr)

printf '%.s─' $(seq 1 $(tput cols))
echo "${green}Enabling cri and cgidmap:${clear}"
diff -u =(eval $htt $hr) =(eval $htt --set tetragon.cgidmap.enabled=true --set tetragon.cri.enabled=true $hr)

printf '%.s─' $(seq 1 $(tput cols))
echo "${green}Enabling cri and cgidmap and adding a socket:${clear}"
diff -u =(eval $htt $hr) =(eval $htt --set tetragon.cgidmap.enabled=true --set tetragon.cri.enabled=true --set tetragon.cri.socketHostPath="/run/containerd/containerd.sock" $hr)

printf '%.s─' $(seq 1 $(tput cols))
echo "${green}Enabling cgidmap and adding a socket without cri:${clear} (diff should be empty)"
diff -u =(eval $htt --set tetragon.cgidmap.enabled=true $hr) =(eval $htt --set tetragon.cgidmap.enabled=true --set tetragon.cri.socketHostPath="/run/containerd/containerd.sock" $hr)

printf '%.s─' $(seq 1 $(tput cols))
echo Done
```

Signed-off-by: Kornilios Kourtis <[email protected]>

install/kubernetes/tetragon/templates/_container_tetragon.tpl

@@ -38,6 +38,10 @@
       name: export-logs
     - mountPath: "/procRoot"
       name: host-proc
+{{- if and (.Values.tetragon.cri.enabled) (.Values.tetragon.cri.socketHostPath) }}
+    - mountPath: {{ quote .Values.tetragon.cri.socketHostPath }}
+      name: cri-socket
+{{- end }}
 {{- range .Values.extraHostPathMounts }}
     - name: {{ .name }}
       mountPath: {{ .mountPath }}

install/kubernetes/tetragon/templates/daemonset.yaml

@@ -108,6 +108,12 @@ spec:
           path: {{ quote .Values.tetragon.ociHookSetup.installDir }}
           type: DirectoryOrCreate
 {{- end }}
+{{- if and (.Values.tetragon.cri.enabled) (.Values.tetragon.cri.socketHostPath) }}
+      - name: cri-socket
+        hostPath:
+          path: {{ quote .Values.tetragon.cri.socketHostPath }}
+          type: Socket
+{{- end }}
 {{- end }}
       {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 6 }}

install/kubernetes/tetragon/templates/tetragon_configmap.yaml

@@ -81,3 +81,8 @@ data:
   release-pinned-bpf: "false"
 {{- end }}
   process-cache-gc-interval: {{ .Values.tetragon.processCacheGCInterval | quote }}
+  enable-cri: {{ .Values.tetragon.cri.enabled | quote }}
+{{- if and (.Values.tetragon.cri.enable) (.Values.tetragon.cri.socketHostPath) }}
+  cri-endpoint: "unix://{{ .Values.tetragon.cri.socketHostPath }}"
+{{- end }}
+  enable-cgidmap: {{ .Values.tetragon.cgidmap.enabled | quote }}

install/kubernetes/tetragon/values.yaml

@@ -237,6 +237,16 @@ tetragon:
   enableKeepSensorsOnExit: false
   # -- Configure the interval (suffixed with s for seconds, m for minutes, etc) for the process cache garbage collector.
   processCacheGCInterval: 30s
+  # -- Configure tetragon pod so that it can contact the CRI running on the host
+  cri:
+    enabled: false
+    # -- path of the CRI socket on the host. This will typically be
+    # "/run/containerd/containerd.sock" for containerd or "/var/run/crio/crio.sock"  for crio.
+    socketHostPath: ""
+  # -- Enabling cgidmap instructs the Tetragon agent to use cgroup ids (instead of cgroup names) for
+  # pod association. This feature depends on cri being enabled.
+  cgidmap:
+    enabled: false
 # Tetragon Operator settings
 tetragonOperator:
   # -- Enables the Tetragon Operator.