From 2aa6ef9edb7fee40bb5e9f489ecd75f2f0bc1b26 Mon Sep 17 00:00:00 2001
From: Jordan-Williams2
Date: Tue, 2 Dec 2025 11:14:17 +0000
Subject: [PATCH 1/5] bug: strip tag from kmodule digest when passing to chart
---
 README.md | 2 +-
 common-dev-assets | 2 +-
 ibm_catalog.json | 2 +-
 main.tf | 3 ++-
 solutions/fully-configurable/main.tf | 2 +-
 solutions/fully-configurable/variables.tf | 2 +-
 variables.tf | 2 +-
 7 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 8c149ae..74adac3 100644
--- a/README.md
+++ b/README.md
@@ -144,8 +144,8 @@ No modules. | [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull all images from. | `string` | `"ext/sysdig"` | no | | [instance\_region](#input\_instance\_region) | The region of the IBM Cloud Monitoring instance that you want to send metrics to. The region value is used to construct the ingestion and api endpoints. If you are only using the agent for security and compliance monitoring, set this to the region of your IBM Cloud Security and Compliance Center Workload Protection instance. If you have both Cloud Monitoring and Security and Compliance Center Workload Protection instances, the instances must be connected and must be in the same region to use the same agent. | `string` | n/a | yes | | [is\_vpc\_cluster](#input\_is\_vpc\_cluster) | Specify true if the target cluster is a VPC cluster, false if it is a classic cluster. | `bool` | `true` | no | +| [kernel\_module\_image\_digest](#input\_kernel\_module\_image\_digest) | The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx` | `string` | `"14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a"` | no | | [kernel\_module\_image\_repository](#input\_kernel\_module\_image\_repository) | The image repository to pull the agent kernel module initContainer image from. | `string` | `"agent-kmodule"` | no | -| [kernel\_module\_image\_tag\_digest](#input\_kernel\_module\_image\_tag\_digest) | The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx` | `string` | `"14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a"` | no | | [max\_surge](#input\_max\_surge) | The number of pods that can be created above the desired amount of daemonset pods during an update. If `max_surge` is set to null, the `max_surge` setting is ignored. 
The variable accepts absolute number or percentage value(e.g., '1' or '10%'). | `string` | `null` | no | | [max\_unavailable](#input\_max\_unavailable) | The maximum number of pods that can be unavailable during a DaemonSet rolling update. Accepts absolute number or percentage (e.g., '1' or '10%'). | `string` | `"1"` | no | | [metrics\_filter](#input\_metrics\_filter) | To filter custom metrics you can specify which metrics to include and exclude. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_inc_exc_metrics |
list(object({
include = optional(string)
exclude = optional(string)
}))
| `[]` | no | diff --git a/common-dev-assets b/common-dev-assets index 238892d..5f83074 160000 --- a/common-dev-assets +++ b/common-dev-assets @@ -1 +1 @@ -Subproject commit 238892dddce116998ab6b6ebdb998708401174d1 +Subproject commit 5f830744586a45ffc2b2b75550ee23f4f343677f diff --git a/ibm_catalog.json b/ibm_catalog.json index 2a5db81..fd386b7 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -431,7 +431,7 @@ "key": "kernel_module_image_repository" }, { - "key": "kernel_module_image_tag_digest" + "key": "kernel_module_image_digest" }, { "key": "existing_access_key_secret_name" diff --git a/main.tf b/main.tf index 4cde19b..2c42040 100644 --- a/main.tf +++ b/main.tf @@ -36,6 +36,7 @@ locals { base_endpoint = var.use_scc_wp_endpoint ? local.scc_wp_api_endpoint : local.monitoring_api_endpoint ingestion_endpoint = var.use_private_endpoint ? "ingest.private.${local.base_endpoint}" : "ingest.${local.base_endpoint}" api_host = replace(local.ingestion_endpoint, "ingest.", "") + kernel_module_digest = split("@", var.kernel_module_image_digest)[1] dynamic_set_access_key_secret = var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "" ? [{ name = "global.sysdig.accessKeySecret" type = "string" @@ -182,7 +183,7 @@ resource "helm_release" "cloud_monitoring_agent" { "repository": ${var.agent_image_repository} "kmoduleImage": "repository": ${var.kernel_module_image_repository} - "digest": ${var.kernel_module_image_tag_digest} + "digest": ${local.kernel_module_digest} "image": "registry": ${var.image_registry_base_url} "tag": ${var.agent_image_tag_digest} diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf index 872b9ac..bc7e64c 100644 --- a/solutions/fully-configurable/main.tf +++ b/solutions/fully-configurable/main.tf 
@@ -55,7 +55,7 @@ module "monitoring_agent" { image_registry_namespace = var.image_registry_namespace agent_image_repository = var.agent_image_repository agent_image_tag_digest = var.agent_image_tag_digest - kernel_module_image_tag_digest = var.kernel_module_image_tag_digest + kernel_module_image_digest = var.kernel_module_image_digest kernel_module_image_repository = var.kernel_module_image_repository agent_limits_cpu = var.agent_limits_cpu agent_limits_memory = var.agent_limits_memory diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 9339a67..5344fa6 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -219,7 +219,7 @@ variable "agent_image_tag_digest" { nullable = false } -variable "kernel_module_image_tag_digest" { +variable "kernel_module_image_digest" { description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`" type = string # This version is automatically managed by renovate automation - do not remove the datasource comment on next line diff --git a/variables.tf b/variables.tf index 07e51ce..0c0b2dc 100644 --- a/variables.tf +++ b/variables.tf @@ -195,7 +195,7 @@ variable "agent_image_tag_digest" { nullable = false } -variable "kernel_module_image_tag_digest" { +variable "kernel_module_image_digest" { description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`" type = string # This version is automatically managed by renovate automation - do not remove the datasource comment on next line From ccb2c43536226b9fba57894c1c63706588804917 Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Tue, 2 Dec 2025 11:15:13 +0000 Subject: [PATCH 2/5] chore: update common dev assets --- common-dev-assets | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/common-dev-assets b/common-dev-assets
index 5f83074..238892d 160000
--- a/common-dev-assets
+++ b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 5f830744586a45ffc2b2b75550ee23f4f343677f
+Subproject commit 238892dddce116998ab6b6ebdb998708401174d1
From 66ac9d0cecafc29e64423d0d427ac995f5b45a8d Mon Sep 17 00:00:00 2001
From: Jordan-Williams2
Date: Tue, 2 Dec 2025 14:47:11 +0000
Subject: [PATCH 3/5] fix: default values for jmx updated & variable validation
---
 README.md | 6 +++---
 ibm_catalog.json | 9 ++++++++-
 solutions/fully-configurable/variables.tf | 4 ++--
 variables.tf | 10 +++++++---
 4 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 74adac3..e5fda13 100644
--- a/README.md
+++ b/README.md
@@ -134,9 +134,9 @@ No modules.
 | [cluster\_shield\_requests\_memory](#input\_cluster\_shield\_requests\_memory) | Specify memory resource requests for the cluster shield pods. | `string` | `"512Mi"` | no |
 | [container\_filter](#input\_container\_filter) | Customize the agent to exclude containers from metrics collection. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-change_kube_agent#change_kube_agent_filter_data |
list(object({
type = string
parameter = string
name = string
}))
| `[]` | no | | [deployment\_tag](#input\_deployment\_tag) | Sets a global tag that will be included in the components. It represents the mechanism from where the components have been installed (terraform, local...). | `string` | `"terraform"` | no | -| [enable\_app\_checks](#input\_enable\_app\_checks) | Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Set to false to reduce error logs in environments where these applications are not present or monitored. | `bool` | `true` | no | +| [enable\_app\_checks](#input\_enable\_app\_checks) | Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Set to false to reduce error logs in environments where these applications are not present or monitored. | `bool` | `false` | no | | [enable\_host\_scanner](#input\_enable\_host\_scanner) | Enable host scanning to detect vulnerabilities and identify the resolution priority based on available fixed versions and severity. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no | -| [enable\_jmx](#input\_enable\_jmx) | Enable JMX metrics collection from Java Virtual Machines. Set to false to reduce resource usage and error logs in environments without Java applications. | `bool` | `true` | no | +| [enable\_jmx](#input\_enable\_jmx) | Enable JMX metrics collection from Java Virtual Machines. Set to false to reduce resource usage and error logs in environments without Java applications. | `bool` | `false` | no | | [enable\_kspm\_analyzer](#input\_enable\_kspm\_analyzer) | Enable Kubernetes Security Posture Management (KSPM) analyzer. Requires a Security and Compliance Center Workload Protection instance to view results. | `bool` | `true` | no | | [enable\_universal\_ebpf](#input\_enable\_universal\_ebpf) | Deploy monitoring agent with universal extended Berkeley Packet Filter (eBPF) enabled. It requires kernel version 5.8+. 
[Learn more](https://github.com/terraform-ibm-modules/terraform-ibm-monitoring-agent/blob/main/solutions/fully-configurable/DA-docs.md#when-to-enable-enable_universal_ebpf) | `bool` | `true` | no | | [existing\_access\_key\_secret\_name](#input\_existing\_access\_key\_secret\_name) | An alternative to using `access_key`. Specify the name of an existing Kubernetes secret containing the access key in the same namespace that is defined in the `namespace` input. Either `access_key` or `existing_access_key_secret_name` is required. | `string` | `null` | no | 
@@ -144,7 +144,7 @@ No modules. | [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull all images from. | `string` | `"ext/sysdig"` | no | | [instance\_region](#input\_instance\_region) | The region of the IBM Cloud Monitoring instance that you want to send metrics to. The region value is used to construct the ingestion and api endpoints. If you are only using the agent for security and compliance monitoring, set this to the region of your IBM Cloud Security and Compliance Center Workload Protection instance. If you have both Cloud Monitoring and Security and Compliance Center Workload Protection instances, the instances must be connected and must be in the same region to use the same agent. | `string` | n/a | yes | | [is\_vpc\_cluster](#input\_is\_vpc\_cluster) | Specify true if the target cluster is a VPC cluster, false if it is a classic cluster. | `bool` | `true` | no | -| [kernel\_module\_image\_digest](#input\_kernel\_module\_image\_digest) | The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx` | `string` | `"14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a"` | no | +| [kernel\_module\_image\_digest](#input\_kernel\_module\_image\_digest) | The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`. Note: Only digest format is supported; image tag is not supported. | `string` | `"14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a"` | no | | [kernel\_module\_image\_repository](#input\_kernel\_module\_image\_repository) | The image repository to pull the agent kernel module initContainer image from. | `string` | `"agent-kmodule"` | no | | [max\_surge](#input\_max\_surge) | The number of pods that can be created above the desired amount of daemonset pods during an update. 
If `max_surge` is set to null, the `max_surge` setting is ignored. The variable accepts absolute number or percentage value(e.g., '1' or '10%'). | `string` | `null` | no | | [max\_unavailable](#input\_max\_unavailable) | The maximum number of pods that can be unavailable during a DaemonSet rolling update. Accepts absolute number or percentage (e.g., '1' or '10%'). | `string` | `"1"` | no | diff --git a/ibm_catalog.json b/ibm_catalog.json index fd386b7..9b41a8c 100644 --- a/ibm_catalog.json +++ b/ibm_catalog.json @@ -431,7 +431,14 @@ "key": "kernel_module_image_repository" }, { - "key": "kernel_module_image_digest" + "key": "kernel_module_image_digest", + "value_constraints": [ + { + "type": "regex", + "description": "The image digest must be in the format 'X.Y.Z@sha256:xxxxx' (64 hex characters). Only digest format is supported; image tag is not supported.", + "value": "^\\d+\\.\\d+\\.\\d+@sha256:[a-f0-9]{64}$" + } + ] }, { "key": "existing_access_key_secret_name" diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 5344fa6..271aff5 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf @@ -355,13 +355,13 @@ variable "enable_kspm_analyzer" { variable "enable_app_checks" { type = bool description = "Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Set to false to reduce error logs in environments where these applications are not present or monitored." - default = true + default = false } variable "enable_jmx" { type = bool description = "Enable JMX metrics collection from Java Virtual Machines. Set to false to reduce resource usage and error logs in environments without Java applications." - default = true + default = false } variable "agent_mode" { diff --git a/variables.tf b/variables.tf index 0c0b2dc..9fd552d 100644 --- a/variables.tf +++ b/variables.tf 
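Review bot: The regex in the new `value_constraints` entry is the same pattern that the variables.tf hunk of this patch adds as a Terraform `validation`, and patch 4 adds a third copy in solutions/fully-configurable/variables.tf, so the digest-format rule now lives in three hand-synchronised places with no pointer between them. A one-line comment beside each Terraform copy, `# Keep in sync with the value_constraints regex for kernel_module_image_digest in ibm_catalog.json`, would stop them drifting; since JSON cannot carry a comment, the constraint `description` here could name the two variable files instead.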
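Review bot: The descriptions of `enable_app_checks` and `enable_jmx` still read as if the default were `true` ("Set to false to reduce error logs …") while this hunk flips both defaults to `false`; the variables.tf hunk of this patch has the same mismatch. The text should state the new default and the opt-in direction, e.g. `description = "Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Disabled by default; set to true in environments where these applications are present and should be monitored."`, and likewise for `enable_jmx`. Changing a default alters what existing deployments collect after upgrading unless they set these inputs explicitly, so it is worth flagging as a behaviour change in the release notes rather than only as a `fix:`.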
@@ -196,11 +196,15 @@ variable "agent_image_tag_digest" { } variable "kernel_module_image_digest" { - description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`" + description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`. Note: Only digest format is supported; image tag is not supported." type = string # This version is automatically managed by renovate automation - do not remove the datasource comment on next line default = "14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a" # datasource: icr.io/ext/sysdig/agent-kmodule nullable = false + validation { + condition = can(regex("^\\d+\\.\\d+\\.\\d+@sha256:[a-f0-9]{64}$", var.kernel_module_image_digest)) + error_message = "kernel_module_image_digest must be in the format 'X.Y.Z@sha256:xxxxx' (64 hex characters). Only digest format is supported; image tag is not supported." + } } variable "kernel_module_image_repository" { @@ -360,13 +364,13 @@ variable "enable_kspm_analyzer" { variable "enable_app_checks" { type = bool description = "Enable application checks to collect metrics from specific applications like MongoDB, Redis, etc. Set to false to reduce error logs in environments where these applications are not present or monitored." - default = true + default = false } variable "enable_jmx" { type = bool description = "Enable JMX metrics collection from Java Virtual Machines. Set to false to reduce resource usage and error logs in environments without Java applications." - default = true + default = false } variable "agent_mode" { From db7591da344871507fb70cbd5410bb28081ef8fc Mon Sep 17 00:00:00 2001 
From: Jordan-Williams2
Date: Wed, 3 Dec 2025 13:13:16 +0000
Subject: [PATCH 4/5] fix: address pr comments
---
 README.md | 4 ++--
 main.tf | 4 +++-
 solutions/fully-configurable/variables.tf | 8 ++++++--
 variables.tf | 4 ++--
 4 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index e5fda13..49069ed 100644
--- a/README.md
+++ b/README.md
@@ -111,7 +111,7 @@ No modules. | [access\_key](#input\_access\_key) | Access key used by the agent to communicate with the instance. Either `access_key` or `existing_access_key_secret_name` is required. This value will be stored in a new secret on the cluster if passed. If you want to use this agent for only metrics or metrics with security and compliance, use a manager key scoped to the IBM Cloud Monitoring instance. If you only want to use the agent for security and compliance use a manager key scoped to the Security and Compliance Center Workload Protection instance. | `string` | `null` | no | | [add\_cluster\_name](#input\_add\_cluster\_name) | If true, configure the agent to associate a tag containing the cluster name. This tag is added in the format `ibm-containers-kubernetes-cluster-name: cluster_name`. | `bool` | `true` | no | | [agent\_image\_repository](#input\_agent\_image\_repository) | The image repository to pull the agent image from. | `string` | `"agent-slim"` | no | -| [agent\_image\_tag\_digest](#input\_agent\_image\_tag\_digest) | The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. | `string` | `"14.2.5@sha256:64b9d77bbd1bb22f97a74198144dcfea62bb5cee7629091252694e9040058035"` | no | +| [agent\_image\_tag\_digest](#input\_agent\_image\_tag\_digest) | The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `kernel_module_image_digest`. | `string` | `"14.2.5@sha256:64b9d77bbd1bb22f97a74198144dcfea62bb5cee7629091252694e9040058035"` | no | | [agent\_limits\_cpu](#input\_agent\_limits\_cpu) | Specify CPU resource limits for the agent. For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1"` | no | | [agent\_limits\_memory](#input\_agent\_limits\_memory) | Specify memory resource limits for the agent. 
For more info, see https://cloud.ibm.com/docs/monitoring?topic=monitoring-resource_requirements | `string` | `"1024Mi"` | no | | [agent\_mode](#input\_agent\_mode) | The operational mode for the monitoring agent. [Learn more](https://docs.sysdig.com/en/docs/administration/configure-agent-modes/). | `string` | `null` | no | 
@@ -144,7 +144,7 @@ No modules. | [image\_registry\_namespace](#input\_image\_registry\_namespace) | The namespace within the image registry to pull all images from. | `string` | `"ext/sysdig"` | no | | [instance\_region](#input\_instance\_region) | The region of the IBM Cloud Monitoring instance that you want to send metrics to. The region value is used to construct the ingestion and api endpoints. If you are only using the agent for security and compliance monitoring, set this to the region of your IBM Cloud Security and Compliance Center Workload Protection instance. If you have both Cloud Monitoring and Security and Compliance Center Workload Protection instances, the instances must be connected and must be in the same region to use the same agent. | `string` | n/a | yes | | [is\_vpc\_cluster](#input\_is\_vpc\_cluster) | Specify true if the target cluster is a VPC cluster, false if it is a classic cluster. | `bool` | `true` | no | -| [kernel\_module\_image\_digest](#input\_kernel\_module\_image\_digest) | The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`. Note: Only digest format is supported; image tag is not supported. | `string` | `"14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a"` | no | +| [kernel\_module\_image\_digest](#input\_kernel\_module\_image\_digest) | The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `agent_image_tag_digest`. Note: Only digest format is supported; image tag is not supported. | `string` | `"14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a"` | no | | [kernel\_module\_image\_repository](#input\_kernel\_module\_image\_repository) | The image repository to pull the agent kernel module initContainer image from. 
| `string` | `"agent-kmodule"` | no | | [max\_surge](#input\_max\_surge) | The number of pods that can be created above the desired amount of daemonset pods during an update. If `max_surge` is set to null, the `max_surge` setting is ignored. The variable accepts absolute number or percentage value(e.g., '1' or '10%'). | `string` | `null` | no | | [max\_unavailable](#input\_max\_unavailable) | The maximum number of pods that can be unavailable during a DaemonSet rolling update. Accepts absolute number or percentage (e.g., '1' or '10%'). | `string` | `"1"` | no | diff --git a/main.tf b/main.tf index 2c42040..3328717 100644 --- a/main.tf +++ b/main.tf @@ -36,7 +36,9 @@ locals { base_endpoint = var.use_scc_wp_endpoint ? local.scc_wp_api_endpoint : local.monitoring_api_endpoint ingestion_endpoint = var.use_private_endpoint ? "ingest.private.${local.base_endpoint}" : "ingest.${local.base_endpoint}" api_host = replace(local.ingestion_endpoint, "ingest.", "") - kernel_module_digest = split("@", var.kernel_module_image_digest)[1] + # The Sysdig Helm chart automatically appends the '@' symbol to the digest, + # so we strip it from the input variable to avoid duplication. + kernel_module_digest = split("@", var.kernel_module_image_digest)[1] dynamic_set_access_key_secret = var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "" ? [{ name = "global.sysdig.accessKeySecret" type = "string" diff --git a/solutions/fully-configurable/variables.tf b/solutions/fully-configurable/variables.tf index 271aff5..a0d5999 100644 --- a/solutions/fully-configurable/variables.tf +++ b/solutions/fully-configurable/variables.tf 
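Review bot: The new comment says only the '@' is stripped, but `split("@", var.kernel_module_image_digest)[1]` drops the whole `X.Y.Z@` prefix, so the version carried by this variable never reaches the chart — only the `sha256:<hex>` part does. Stating that makes the README's "must match `agent_image_tag_digest`" rule understandable, since presumably the chart's helper combines the agent tag with this digest (confirm against the referenced helper). Suggested wording: `# The chart's kmodule helper supplies the '@' itself and expects a bare digest, so pass only the "sha256:<hex>" part; the X.Y.Z prefix of the input is checked by the variable validation but otherwise unused here.` The enclosing `locals` block starts and ends outside the hunk.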
@@ -212,7 +212,7 @@ variable "agent_image_repository" { } variable "agent_image_tag_digest" { - description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`." + description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `kernel_module_image_digest`." type = string # This version is automatically managed by renovate automation - do not remove the datasource comment on next line default = "14.2.5@sha256:64b9d77bbd1bb22f97a74198144dcfea62bb5cee7629091252694e9040058035" # datasource: icr.io/ext/sysdig/agent-slim @@ -220,11 +220,15 @@ variable "agent_image_tag_digest" { } variable "kernel_module_image_digest" { - description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`" + description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `agent_image_tag_digest`. Note: Only digest format is supported; image tag is not supported." type = string # This version is automatically managed by renovate automation - do not remove the datasource comment on next line default = "14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a" # datasource: icr.io/ext/sysdig/agent-kmodule nullable = false + validation { + condition = can(regex("^\\d+\\.\\d+\\.\\d+@sha256:[a-f0-9]{64}$", var.kernel_module_image_digest)) + error_message = "kernel_module_image_digest must be in the format 'X.Y.Z@sha256:xxxxx' (64 hex characters). Only digest format is supported; image tag is not supported." + } } variable "kernel_module_image_repository" { diff --git a/variables.tf b/variables.tf index 9fd552d..9d760f4 100644 --- a/variables.tf +++ b/variables.tf 
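Review bot: The added "This version must match the version being used in …" sentence in both descriptions is a documentation-only constraint; nothing checks that the `X.Y.Z` prefixes of `agent_image_tag_digest` and `kernel_module_image_digest` agree, so a mismatched pair still plans cleanly and the kmodule initContainer runs at whatever version the chart derives (inferred from the description; confirm). The variables.tf hunk of this patch carries the same sentences. If the module's required Terraform version allows validation conditions to reference other variables (1.9 and later), a second `validation` block on `kernel_module_image_digest` with `condition = split("@", var.kernel_module_image_digest)[0] == split("@", var.agent_image_tag_digest)[0]` would enforce it, and because `split("@", …)[0]` on a bare tag yields the tag itself the comparison also covers the tag-only form of `agent_image_tag_digest`. Otherwise a `precondition` on the `helm_release` resource can carry the same test.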
@@ -188,7 +188,7 @@ variable "agent_image_repository" { } variable "agent_image_tag_digest" { - description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`." + description = "The image tag or digest of agent image to use. If using digest, it must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `kernel_module_image_digest`." type = string # This version is automatically managed by renovate automation - do not remove the datasource comment on next line default = "14.2.5@sha256:64b9d77bbd1bb22f97a74198144dcfea62bb5cee7629091252694e9040058035" # datasource: icr.io/ext/sysdig/agent-slim @@ -196,7 +196,7 @@ variable "agent_image_tag_digest" { } variable "kernel_module_image_digest" { - description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`. Note: Only digest format is supported; image tag is not supported." + description = "The image digest to use for the agent kernel module used by the initContainer. Must be in the format of `X.Y.Z@sha256:xxxxx`. This version must match the version being used in the `agent_image_tag_digest`. Note: Only digest format is supported; image tag is not supported." type = string # This version is automatically managed by renovate automation - do not remove the datasource comment on next line default = "14.2.5@sha256:0345968a77f8eb64a00f2b06af3c40bf3df78d34125b46c9788a9e73f8ddbb1a" # datasource: icr.io/ext/sysdig/agent-kmodule From acff533a39a9070b4924cdaa91762cbb4ad31001 Mon Sep 17 00:00:00 2001 From: Jordan-Williams2 Date: Wed, 3 Dec 2025 13:14:35 +0000 Subject: [PATCH 5/5] fix: address pr comments --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 3328717..d1641a5 100644 --- a/main.tf +++ b/main.tf 
@@ -38,6 +38,7 @@ locals { api_host = replace(local.ingestion_endpoint, "ingest.", "") # The Sysdig Helm chart automatically appends the '@' symbol to the digest, # so we strip it from the input variable to avoid duplication. + # See: https://github.com/sysdiglabs/charts/blob/75862bc8939ee7431a38c04ecea36652a8d3035d/charts/agent/templates/_helpers.tpl#L163 kernel_module_digest = split("@", var.kernel_module_image_digest)[1] dynamic_set_access_key_secret = var.existing_access_key_secret_name != null && var.existing_access_key_secret_name != "" ? [{ name = "global.sysdig.accessKeySecret"