feat: add Wiz setup and configuration for Linode Kubernetes Integration (#2465)

Co-authored-by: svcAPLBot <[email protected]>

Author: CasLubbers

.github/templates/wiz-admission-control.yaml

@@ -0,0 +1,14 @@
+wizApiToken:
+  clientId: "__WIZ_CLIENT_ID__"
+  clientToken: "__WIZ_CLIENT_TOKEN__"
+  clientEndpoint: ""
+wiz-kubernetes-connector:
+  enabled: true
+autoCreateConnector:
+  connectorName: "<connectorName>"
+webhook:
+  clusterExternalId: "<clusterExternalId>"
+wiz-admission-controller:
+  enabled: true
+kubernetesAuditLogsWebhook:
+  enabled: true

.github/templates/wiz-kubernetes-integration.yaml

@@ -0,0 +1,30 @@
+global:
+  wizApiToken:
+    clientId: "__WIZ_CLIENT_ID__"
+    clientToken: "__WIZ_CLIENT_TOKEN__"
+    clientEndpoint: ""
+
+wiz-kubernetes-connector:
+  enabled: true
+  autoCreateConnector:
+    connectorName: "<connectorName>"
+    clusterExternalId: "<clusterExternalId>"
+  wiz-broker:
+    enabled: true
+
+wiz-sensor:
+  enabled: true
+  imagePullSecret:
+    create: false
+    name: "sensor-image-pull"
+
+wiz-admission-controller:
+  enabled: true
+  kubernetesAuditLogsWebhook:
+    enabled: true
+  opaWebhook:
+    enabled: true
+  imageIntegrityWebhook:
+    enabled: false
+    policies:
+      - my-image-trust-policy

.github/workflows/integration.yml

@@ -253,6 +253,48 @@ jobs:
             sleep 10
           done
           echo LINODE_CLUSTER_CONTEXT=`kubectl config current-context` >> $GITHUB_ENV
+      - name: Set up Wiz
+        if: ${{ inputs.install_profile != 'no-apl' }}
+        run: |
+
+          # Use cluster information from environment variables
+          CLUSTER_NAME="${{ env.LINODE_CLUSTER_NAME }}"
+          CLUSTER_ID="${{ env.LINODE_CLUSTER_ID }}"
+
+          echo "Setting up Wiz for cluster: $CLUSTER_NAME (ID: $CLUSTER_ID)"
+
+          # Create YAML configuration files from templates
+          KUB_INTEGRATION_PATH="./${CLUSTER_NAME}_kub_integration.yaml"
+          ADMISSION_PATH="./${CLUSTER_NAME}_admission_control.yaml"
+
+          sed "s/__WIZ_CLIENT_ID__/${{ secrets.WIZ_CLIENT_ID }}/g; s/__WIZ_CLIENT_TOKEN__/${{ secrets.WIZ_CLIENT_TOKEN }}/g; s/<connectorName>/${CLUSTER_NAME}/g; s/<clusterExternalId>/${CLUSTER_ID}/g" .github/templates/wiz-kubernetes-integration.yaml > "$KUB_INTEGRATION_PATH"
+          sed "s/__WIZ_CLIENT_ID__/${{ secrets.WIZ_CLIENT_ID }}/g; s/__WIZ_CLIENT_TOKEN__/${{ secrets.WIZ_CLIENT_TOKEN }}/g; s/<connectorName>/${CLUSTER_NAME}/g; s/<clusterExternalId>/${CLUSTER_ID}/g" .github/templates/wiz-admission-control.yaml > "$ADMISSION_PATH"
+
+          # Verify cluster connectivity
+          echo "Verifying cluster connectivity..."
+          kubectl get nodes
+
+          # Add Helm repo for Wiz
+          helm repo add wiz-sec https://charts.wiz.io/
+          helm repo update
+
+          # Create namespace if not exists
+          kubectl create namespace wiz --dry-run=client -o yaml | kubectl apply -f -
+
+          # Set release name
+          RELEASE_NAME="wiz-${CLUSTER_NAME//_/-}"
+          RELEASE_NAME="${RELEASE_NAME,,}"  # Convert to lowercase
+          NAMESPACE="wiz"
+
+          # Install Wiz components
+          echo "🚀 Installing Wiz Kubernetes Integration..."
+          helm install "$RELEASE_NAME" wiz-sec/wiz-kubernetes-integration --values "$KUB_INTEGRATION_PATH" -n "$NAMESPACE"
+
+          echo "🚀 Installing Wiz Admission Controller..."
+          helm install wiz-lke-ac wiz-sec/wiz-admission-controller --values "$ADMISSION_PATH" -n "$NAMESPACE" --wait
+
+          echo "✅ Wiz deployment for cluster $CLUSTER_NAME completed."
+
       - name: Create image pull secret on test cluster
         if: ${{ inputs.install_profile != 'no-apl' }}
         run: |