diff --git a/README.md b/README.md
index 8c149ae..49069ed 100644
--- a/README.md
+++ b/README.md
@@ -111,7 +111,7 @@ No modules.
 | [access\_key](#input\_access\_key) | Access key used by the agent to communicate with the instance. Either `access_key` or `existing_access_key_secret_name` is required. This value will be stored in a new secret on the cluster if passed. If you want to use this agent for only metrics or metrics with security and compliance, use a manager key scoped to the IBM Cloud Monitoring instance. If you only want to use the agent for security and compliance use a manager key scoped to the Security and Compliance Center Workload Protection instance. | `string` | `null` | no |
 | [add\_cluster\_name](#input\_add\_cluster\_name) | If true, configure the agent to associate a tag containing the cluster name. This tag is added in the format `ibm-containers-kubernetes-cluster-name: cluster_name`. | `bool` | `true` | no |
 | [agent\_image\_repository](#input\_agent\_image\_repository) | The image repository to pull the agent image from. | `string` | `"agent-slim"` | no |
-| [agent\_image\_tag\_digest](#input\_agent\_image\_tag\_digest) | The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. | `string` | `"14.2.5@sha256:64b9d77bbd1bb22f97a74198144dcfea62bb5cee7629091252694e9040058035"` | no |
+| [agent\_image\_tag\_digest](#input\_agent\_image\_tag\_digest) | The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `kernel_module_image_digest`. | `string` | `"14.2.5@sha256:64b9d77bbd1bb22f97a74198144dcfea62bb5cee7629091252694e9040058035"` | no |
 | [agent\_limits\_cpu](#input\_agent\_limits\_cpu) | Specify CPU resource limits for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1"` | no |
 | [agent\_limits\_memory](#input\_agent\_limits\_memory) | Specify memory resource limits for the agent. 
For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1024Mi"` | no |
 | [agent\_mode](#input\_agent\_mode) | The operational mode for the monitoring agent. [Learn more](https://docs.sysdig.com/en/docs/administration/configure-agent-modes/). | `string` | `null` | no |
@@ -134,9 +134,9 @@ No modules.
 | [cluster\_shield\_requests\_memory](#input\_cluster\_shield\_requests\_memory) | Specify memory resource requests for the cluster shield pods. | `string` | `"512Mi"` | no |
 | [container\_filter](#input\_container\_filter) | Customize the agent to exclude containers from metrics collection. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data |
list(object({
type = string
parameter = string
name = string
}))
| `[]` | no |
 | [deployment\_tag](#input\_deployment\_tag) | Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...). | `string` | `"terraform"` | no |
-| [enable\_app\_checks](#input\_enable\_app\_checks) | Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Set to false to reduce error logs in environments where these applications are not present or monitored. | `bool` | `true` | no |
+| [enable\_app\_checks](#input\_enable\_app\_checks) | Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Set to false to reduce error logs in environments where these applications are not present or monitored. | `bool` | `false` | no |
 | [enable\_host\_scanner](#input\_enable\_host\_scanner) | Enable host scanning to detect vulnerabilities and identify the resolution priority based on available fixed versions and severity. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
-| [enable\_jmx](#input\_enable\_jmx) | Enable JMX metrics collection from Java Virtual Machines. Set to false to reduce resource usage and error logs in environments without Java applications. | `bool` | `true` | no |
+| [enable\_jmx](#input\_enable\_jmx) | Enable JMX metrics collection from Java Virtual Machines. Set to false to reduce resource usage and error logs in environments without Java applications. | `bool` | `false` | no |
 | [enable\_kspm\_analyzer](#input\_enable\_kspm\_analyzer) | Enable Kubernetes Security Posture Management (KSPM) analyzer. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no |
 | [enable\_universal\_ebpf](#input\_enable\_universal\_ebpf) | Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. 
[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf) | `bool` | `true` | no |
 | [existing\_access\_key\_secret\_name](#input\_existing\_access\_key\_secret\_name) | An alternative to using `access_key`. Specify the name of an existing Kubernetes secret containing the access key in the same namespace that is defined in the `namespace` input. Either `access_key` or `existing_access_key_secret_name` is required. | `string` | `null` | no |
@@ -144,8 +144,8 @@ No modules.
 | [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull all images from. | `string` | `"ext/sysdig"` | no |
 | [instance\_region](#input\_instance\_region) | The region of the IBM Cloud Monitoring instance that you want to send metrics to. The region value is used to construct the ingestion and api endpoints. If you are only using the agent for security and compliance monitoring, set this to the region of your IBM Cloud Security and Compliance Center Workload Protection instance. If you have both Cloud Monitoring and Security and Compliance Center Workload Protection instances, the instances must be connected and must be in the same region to use the same agent. | `string` | n/a | yes |
 | [is\_vpc\_cluster](#input\_is\_vpc\_cluster) | Specify true if the target cluster is a VPC cluster, false if it is a classic cluster. | `bool` | `true` | no |
+| [kernel\_module\_image\_digest](#input\_kernel\_module\_image\_digest) | The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `agent_image_tag_digest`. Note: Only digest format is supported; image tag is not supported. | `string` | `"14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a"` | no |
 | [kernel\_module\_image\_repository](#input\_kernel\_module\_image\_repository) | The image repository to pull the agent kernel module initContainer image from. | `string` | `"agent-kmodule"` | no |
-| [kernel\_module\_image\_tag\_digest](#input\_kernel\_module\_image\_tag\_digest) | The image digest to use for the agent kernel module used by the initContainer. 
Must be in the format of `X.Y.Z@sha256:xxxxx` | `string` | `"14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a"` | no |
 | [max\_surge](#input\_max\_surge) | The number of pods that can be created above the desired amount of daemonset pods during an update. If `max_surge` is set to null, the `max_surge` setting is ignored. The variable accepts absolute number or percentage value(e.g., '1' or '10%'). | `string` | `null` | no |
 | [max\_unavailable](#input\_max\_unavailable) | The maximum number of pods that can be unavailable during a DaemonSet rolling update. Accepts absolute number or percentage (e.g., '1' or '10%'). | `string` | `"1"` | no |
 | [metrics\_filter](#input\_metrics\_filter) | To filter custom metrics you can specify which metrics to include and exclude. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics |
list(object({
include = optional(string)
exclude = optional(string)
}))
| `[]` | no |
diff --git a/ibm_catalog.json b/ibm_catalog.json
index 01db672..86ce671 100644
--- a/ibm_catalog.json
+++ b/ibm_catalog.json
@@ -431,7 +431,14 @@
 "key": "kernel_module_image_repository"
 },
 {
- "key": "kernel_module_image_tag_digest"
+ "key": "kernel_module_image_digest",
+ "value_constraints": [
+ {
+ "type": "regex",
+ "description": "The image digest must be in the format 'X.Y.Z@sha256:xxxxx' (64 hex characters). Only digest format is supported; image tag is not supported.",
+ "value": "^\\d+\\.\\d+\\.\\d+@sha256:[a-f0-9]{64}$"
+ }
+ ]
 },
 {
 "key": "existing_access_key_secret_name"
diff --git a/main.tf b/main.tf
index 4cde19b..d1641a5 100644
--- a/main.tf
+++ b/main.tf
@@ -36,6 +36,10 @@ locals {
 base_endpoint = var.use_scc_wp_endpoint ? local.scc_wp_api_endpoint : local.monitoring_api_endpoint
 ingestion_endpoint = var.use_private_endpoint ? "ingest.private.${local.base_endpoint}" : "ingest.${local.base_endpoint}"
 api_host = replace(local.ingestion_endpoint, "ingest.", "")
+ # The Sysdig Helm chart automatically appends the '@' symbol to the digest,
+ # so we strip it from the input variable to avoid duplication.
+ # See: https://github.com/sysdiglabs/charts/blob/75862bc8939ee7431a38c04ecea36652a8d3035d/charts/agent/templates/_helpers.tpl#L163
+ kernel_module_digest = split("@", var.kernel_module_image_digest)[1]
 dynamic_set_access_key_secret = var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "" ? [{
 name = "global.sysdig.accessKeySecret"
 type = "string"
@@ -182,7 +186,7 @@ resource "helm_release" "cloud_monitoring_agent" {
 "repository": ${var.agent_image_repository}
 "kmoduleImage":
 "repository": ${var.kernel_module_image_repository}
- "digest": ${var.kernel_module_image_tag_digest}
+ "digest": ${local.kernel_module_digest}
 "image":
 "registry": ${var.image_registry_base_url}
 "tag": ${var.agent_image_tag_digest}
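Review bot: `kernel_module_digest = split("@", var.kernel_module_image_digest)[1]` keeps only the sha256 half of the input, so the `X.Y.Z` version that the new descriptions say "must match" `agent_image_tag_digest` is discarded here and, as far as this diff shows, compared nowhere. The validation added to the root `variables.tf` in this commit guarantees the `@` is present, so the `[1]` index is safe for this module, but the version agreement between the two images remains a documented convention rather than a checked one. Consider also deriving `kernel_module_version = split("@", var.kernel_module_image_digest)[0]` and comparing it with `split("@", var.agent_image_tag_digest)[0]` in a `precondition` on `helm_release.cloud_monitoring_agent`; if bare tags such as `latest` are meant to stay usable for the agent image, that check would need to tolerate them. The `locals` block starts and ends outside the hunk.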
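Review bot: `"digest": ${local.kernel_module_digest}` now interpolates a bare 64-character hex string into the YAML values unquoted; in principle a digest made only of digits (or digits with a single `e`) could be decoded as a number rather than a string, whereas the previous `X.Y.Z@sha256:…` form always decoded as text. Quoting the interpolation, `"digest": "${local.kernel_module_digest}"`, pins it as a string whatever the content, which matters for a value that is supposed to identify an immutable image. The `helm_release` resource starts and ends outside the hunk.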
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 872b9ac..bc7e64c 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
@@ -55,7 +55,7 @@ module "monitoring_agent" {
 image_registry_namespace = var.image_registry_namespace
 agent_image_repository = var.agent_image_repository
 agent_image_tag_digest = var.agent_image_tag_digest
- kernel_module_image_tag_digest = var.kernel_module_image_tag_digest
+ kernel_module_image_digest = var.kernel_module_image_digest
 kernel_module_image_repository = var.kernel_module_image_repository
 agent_limits_cpu = var.agent_limits_cpu
 agent_limits_memory = var.agent_limits_memory
diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf
index 9339a67..a0d5999 100644
--- a/solutions/fully-configurable/variables.tf
+++ b/solutions/fully-configurable/variables.tf
@@ -212,19 +212,23 @@ variable "agent_image_repository" {
 }

 variable "agent_image_tag_digest" {
- description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`."
+ description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `kernel_module_image_digest`."
 type = string
 # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
 default = "14.2.5@sha256:64b9d77bbd1bb22f97a74198144dcfea62bb5cee7629091252694e9040058035" # datasource: icr.io/ext/sysdig/agent-slim
 nullable = false
 }

-variable "kernel_module_image_tag_digest" {
- description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`"
+variable "kernel_module_image_digest" {
+ description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `agent_image_tag_digest`. Note: Only digest format is supported; image tag is not supported."
 type = string
 # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
 default = "14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a" # datasource: icr.io/ext/sysdig/agent-kmodule
 nullable = false
+ validation {
+ condition = can(regex("^\\d+\\.\\d+\\.\\d+@sha256:[a-f0-9]{64}$", var.kernel_module_image_digest))
+ error_message = "kernel_module_image_digest must be in the format 'X.Y.Z@sha256:xxxxx' (64 hex characters). Only digest format is supported; image tag is not supported."
+ }
 }

 variable "kernel_module_image_repository" {
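Review bot: The new `validation` block pins `kernel_module_image_digest` to a sha256 digest, but the sibling `agent_image_tag_digest` in the same hunk still accepts any string, so the agent container can remain on a mutable tag while its kernel-module init container is immutable, and nothing checks that an `@`-form value there is even well-formed. A format check that still tolerates the documented tag form, `condition = !can(regex("@", var.agent_image_tag_digest)) || can(regex("^\\d+\\.\\d+\\.\\d+@sha256:[a-f0-9]{64}$", var.agent_image_tag_digest))`, would reject a mistyped digest at plan time instead of at `helm_release`, and the description could recommend the digest form for reproducible deployments. The root `variables.tf` hunk (`@@ -188,19 +188,23 @@`) has the same gap.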
@@ -355,13 +359,13 @@ variable "enable_kspm_analyzer" {
 variable "enable_app_checks" {
 type = bool
 description = "Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Set to false to reduce error logs in environments where these applications are not present or monitored."
- default = true
+ default = false
 }

 variable "enable_jmx" {
 type = bool
 description = "Enable JMX metrics collection from Java Virtual Machines. Set to false to reduce resource usage and error logs in environments without Java applications."
- default = true
+ default = false
 }

 variable "agent_mode" {
diff --git a/variables.tf b/variables.tf
index 07e51ce..9d760f4 100644
--- a/variables.tf
+++ b/variables.tf
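Review bot: The descriptions of `enable_app_checks` and `enable_jmx` still say "Set to false to reduce … error logs", wording written for a `true` default; now that both default to `false`, the text no longer tells a reader when to opt in. Suggest `description = "Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Disabled by default; set to true only where these applications are present and monitored, as enabling it elsewhere produces error logs."` and the matching rewording for `enable_jmx`. Flipping a published default is also a behaviour change for existing consumers who relied on `true` without setting the input, so it deserves an upgrade note. The same applies to the root `variables.tf` hunk (`@@ -360,13 +364,13 @@`).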
@@ -188,19 +188,23 @@ variable "agent_image_repository" {
 }

 variable "agent_image_tag_digest" {
- description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`."
+ description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `kernel_module_image_digest`."
 type = string
 # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
 default = "14.2.5@sha256:64b9d77bbd1bb22f97a74198144dcfea62bb5cee7629091252694e9040058035" # datasource: icr.io/ext/sysdig/agent-slim
 nullable = false
 }

-variable "kernel_module_image_tag_digest" {
- description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`"
+variable "kernel_module_image_digest" {
+ description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `agent_image_tag_digest`. Note: Only digest format is supported; image tag is not supported."
 type = string
 # This version is automatically managed by renovate automation - do not remove the datasource comment on next line
 default = "14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a" # datasource: icr.io/ext/sysdig/agent-kmodule
 nullable = false
+ validation {
+ condition = can(regex("^\\d+\\.\\d+\\.\\d+@sha256:[a-f0-9]{64}$", var.kernel_module_image_digest))
+ error_message = "kernel_module_image_digest must be in the format 'X.Y.Z@sha256:xxxxx' (64 hex characters). Only digest format is supported; image tag is not supported."
+ }
 }

 variable "kernel_module_image_repository" {
@@ -360,13 +364,13 @@ variable "enable_kspm_analyzer" {
 variable "enable_app_checks" {
 type = bool
 description = "Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Set to false to reduce error logs in environments where these applications are not present or monitored."
- default = true
+ default = false
 }

 variable "enable_jmx" {
 type = bool
 description = "Enable JMX metrics collection from Java Virtual Machines. Set to false to reduce resource usage and error logs in environments without Java applications."
- default = true
+ default = false
 }

 variable "agent_mode" {