From bb6c0ddbf99319145668f4c54a0a2457ff767bf8 Mon Sep 17 00:00:00 2001 From: nicholasSSUSE Date: Wed, 27 Nov 2024 15:02:28 -0300 Subject: [PATCH 1/4] cleaning release.yaml --- release.yaml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/release.yaml b/release.yaml index 7bc2f750e2..8b13789179 100644 --- a/release.yaml +++ b/release.yaml @@ -1,8 +1 @@ -fleet: - - 104.1.2+up0.10.6 -fleet-agent: - - 104.1.2+up0.10.6 -fleet-crd: - - 104.1.2+up0.10.6 -harvester-csi-driver: - - 104.0.3+up0.1.21 + From 051e309f2af427400b99a9202e73b3ce8e56c5d0 Mon Sep 17 00:00:00 2001 From: nicholasSSUSE Date: Wed, 27 Nov 2024 15:02:48 -0300 Subject: [PATCH 2/4] release chart: neuvector - version: 104.0.3+up2.8.3 --- .../neuvector/neuvector-104.0.3+up2.8.3.tgz | Bin 0 -> 26612 bytes charts/neuvector/104.0.3+up2.8.3/.helmignore | 21 + charts/neuvector/104.0.3+up2.8.3/Chart.yaml | 27 + charts/neuvector/104.0.3+up2.8.3/README.md | 306 +++++++++ .../neuvector/104.0.3+up2.8.3/app-readme.md | 35 + .../104.0.3+up2.8.3/crds/_helpers.tpl | 32 + .../neuvector/104.0.3+up2.8.3/questions.yaml | 283 +++++++++ .../104.0.3+up2.8.3/templates/NOTES.txt | 25 + .../104.0.3+up2.8.3/templates/_helpers.tpl | 61 ++ .../templates/admission-webhook-service.yaml | 17 + .../templates/bootstrap-secret.yaml | 16 + .../templates/cert-manager-secret.yaml | 33 + .../templates/clusterrole.yaml | 117 ++++ .../templates/clusterrolebinding-least.yaml | 145 +++++ .../templates/clusterrolebinding.yaml | 142 +++++ .../templates/controller-deployment.yaml | 334 ++++++++++ .../templates/controller-ingress.yaml | 213 +++++++ .../templates/controller-lease.yaml | 8 + .../templates/controller-route.yaml | 95 +++ .../templates/controller-secret.yaml | 33 + .../templates/controller-service.yaml | 126 ++++ .../templates/crd-role-least.yaml | 403 ++++++++++++ .../104.0.3+up2.8.3/templates/crd-role.yaml | 403 ++++++++++++ .../templates/crd-webhook-service.yaml | 19 + .../templates/enforcer-daemonset.yaml | 195 ++++++ .../templates/init-configmap.yaml | 12 + .../templates/init-secret.yaml | 14 + .../templates/manager-deployment.yaml | 164 +++++ .../templates/manager-ingress.yaml | 69 ++ .../templates/manager-route.yaml | 32 + .../templates/manager-secret.yaml | 24 + .../templates/manager-service.yaml | 32 + .../104.0.3+up2.8.3/templates/psp.yaml | 154 +++++ .../104.0.3+up2.8.3/templates/pvc.yaml | 26 + .../templates/registry-adapter-ingress.yaml | 106 +++ .../templates/registry-adapter-secret.yaml | 21 + .../templates/registry-adapter.yaml | 204 ++++++ .../104.0.3+up2.8.3/templates/role-least.yaml | 28 + .../104.0.3+up2.8.3/templates/role.yaml | 132 ++++ .../templates/rolebinding-least.yaml | 269 ++++++++ .../templates/rolebinding.yaml | 173 +++++ .../templates/scanner-deployment.yaml | 121 ++++ .../templates/serviceaccount-least.yaml | 76 +++ .../templates/serviceaccount.yaml | 12 + .../templates/updater-cronjob.yaml | 80 +++ .../templates/upgrader-cronjob.yaml | 84 +++ .../templates/upgrader-lease.yaml | 8 + .../templates/validate-psp-install.yaml | 7 + charts/neuvector/104.0.3+up2.8.3/values.yaml | 601 ++++++++++++++++++ index.yaml | 31 + release.yaml | 3 +- 51 files changed, 5571 insertions(+), 1 deletion(-) create mode 100644 assets/neuvector/neuvector-104.0.3+up2.8.3.tgz create mode 100644 charts/neuvector/104.0.3+up2.8.3/.helmignore create mode 100644 charts/neuvector/104.0.3+up2.8.3/Chart.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/README.md create mode 100644 charts/neuvector/104.0.3+up2.8.3/app-readme.md create mode 100644 charts/neuvector/104.0.3+up2.8.3/crds/_helpers.tpl create mode 100644 charts/neuvector/104.0.3+up2.8.3/questions.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/NOTES.txt create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/_helpers.tpl create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/admission-webhook-service.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/bootstrap-secret.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/cert-manager-secret.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/clusterrole.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/clusterrolebinding-least.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/clusterrolebinding.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/controller-deployment.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/controller-ingress.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/controller-lease.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/controller-route.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/controller-secret.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/controller-service.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/crd-role-least.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/crd-role.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/crd-webhook-service.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/enforcer-daemonset.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/init-configmap.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/init-secret.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/manager-deployment.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/manager-ingress.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/manager-route.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/manager-secret.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/manager-service.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/psp.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/pvc.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/registry-adapter-ingress.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/registry-adapter-secret.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/registry-adapter.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/role-least.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/role.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/rolebinding-least.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/rolebinding.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/scanner-deployment.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/serviceaccount-least.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/serviceaccount.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/updater-cronjob.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/upgrader-cronjob.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/upgrader-lease.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/templates/validate-psp-install.yaml create mode 100644 charts/neuvector/104.0.3+up2.8.3/values.yaml diff --git a/assets/neuvector/neuvector-104.0.3+up2.8.3.tgz b/assets/neuvector/neuvector-104.0.3+up2.8.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..5619f06d7608fca8583c36b251a5bce6e2b44dab GIT binary patch literal 26612 zcmV*UKwG~biwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POvHd)qeBFpTft`V{yn-6wGx>fmEnzq|MQxQ^R;>miBK{_J}0z$Hi49P z=5QMRWy4Re*Xtc09?E}vy_SgAuTk==1nw+*mkg0NLzH0>4Zzd?{=VPo zf7j`GJ@8+k-#OS9Kc6~l3g|3`J{kb^(#yKR=8U7Mvl?Lo5aKBL==>TZI>nrM3rbNk z!vSL6ct)+!>-c2ao%Nkn^mygE3idmH(_P)~^n2A^r6@#@Aw8gJd(N_a9*YqP6UGts zI3c04SQ0Z%5u9cS?RUQG9JFAJe>HDr{T7Vl^v|QtVW-~;5c4UHxqS6A3a4O%AWtX) zzF;+AL})hUz$X!hI6@RKq_ssPP^mA9Kbhh@w_;1{g`Gk0dOEt3pxYm9gQhMmpa8-eITL zIruh-)yQvh{bvo&V3;6w9|EAB{~w(64vvfb|L}On|F`ly0WZ-ACLsrE{^hF7sJrz9 z+)gk9m;ng>dHU+o6AKb@jsh^kArb{%B0q!_ff=M24nxEMCt!#`3>iZKz!4{aPY~c} zDpoXNomPv)C}I;l;sY>(Aw#VeMPtl3oew}j{5wQDn6x+?8)ib#bkL$h=nnv=2?9?5 zMgK`K6?hP8gbaWQpP-0iUy8IALv)6Hbn5#giMYKS1)Jno6wh#o#wf*N9Fidn2hG5P zXJ#e;*R?9}?(OyEe|Ps3ALStuA{BsyhU$kBHhRFX(+;=W@@vduRSWTHpz| zy1CLXrzqlpO-K?3Akb6CiN^m4xIr91FeHRCPGKx3K`^%txEO&D!5IQ*8uR&!v@#5) zI7-WbgrT6*N&#Hy_Y%vNPzHWN5u%WzGeo(Xj8;p-`W1#az%G92_6DS~%i} zMq*IKupr8(FoI)5#UQILfe#ZD$xojCCg@G;9C`)>0U1a@YZtyCrdD~p)L0{*B3|Ia zo&nJUprSA8!?jR~^lMETLX1!nhKPz;dLqVCet7}1FW>_XLl6-z=s)d1%Ruh| z0YG9wzJw0IMdbLbSb7!y@NbEUh~klN)iXi>)7x|K%lSX6 zVLJ+Gw#gW2s4V2=lokWAp*|0aEv5}RpopbLtpbj_h2{>;MGFH# z%AGr;(2CJCdl}2EcYcl<%+G?kaW9t!G_`=9GEL?Q;94sd>XMxGOgSObX%gvK?|>`0 zAs6MO4s&z*>KvS%$|^7n{9#V-K!VHAlUFn}=^6cq&kMI%CeMEBH` z7N?*z2^G^&mtq;XZ@B~Z~Ce;~%DT7mFV{ba$X#p@oftCOYlPP2z(UeQu zd>Vj|z~BcM!pKMT;>x_$wutP7kP%lzC}B^)D~$&fQUC|wb^7fdG&Vm}rC25INVC*a4lAK;bj0=S6ALO!R}a2F$2Eb1`H8scVUd%FTgP2U@BA;5Fr$R zHboxT#yI-e(HM2|f`178I}`<8ObI7G2?wApg=O2S{{*<} z<}n(8ZdykOyuuh3*^gVqHxu%k6Y~W@Ur7NAgneGz7X*H_$Zsqi8_LHz!G8~JH4*>! z&}=~oXsiY_5H@Ph8hqiLPWEBP>UOMd$Le;h&dus_?7%??OR|AV7H}WS-?8-9S@z2< z`NDF~FLjF2qak1$K|(ymT)%uGL`Iwpz+ta9P2Wt>RGRSiPyV+53hUQmD~edDV&7SD z|GS>7s94Ap#+7p$Kn^p>VXVb5B_kXn9AWN{#`5eaBfTd8bUK~%4@w#q3z)ECn`H9ak_-`t)L@!0UF^51z>_G0uwkxsm(I- z5g;?94B{lR%Hl|GCiPSb@MXipDl^(}J{!(vRtyA~O7q`*AcflH%hN0CYwc89=Dtla{oTQTR9M8AYu39|Tk! z1-NX;z}A#Xc4UVo8HhnSWp9}}k+Ni$v~uW!JurbZKw_C`&0U>gOpBH?ZP&}4wk&bp zGL1tlb_$+a#b!GJ#{(cwPK}X9oxK=SQ1Lv;BqIJxGhTvh zpzq&$*)nI+g_UHEqwjAa=@#nNk#ltj!dHx#g%;aE(afB$Ju%WpNuIN}H@9zIy}LU7 z>HOW#=cg~vuiu@$xqNe-mDJ~j1JHi*qkP)+P=0*#=C&b}{8?RU&=8__VibG9aXA4V zI5V~pS;J*NaVYZ^*Ox~dnJiZ>Ae|xNu&_*JK~FT`4Rs4%woKY$P}}Rm@mMm9Bt^qG zX8JERu#5KbPrxg9hX6|`N(m7~Gcn_0@haC4LCeK`d@HwWFUzLd&3d*`w>IhS4SJ)U zYlB^D)uw!7@E32yH`Y{c^WA9UyJ%IOw%n z{!Fqptt3`9w90nMc$9h?xV@X|b^4uy+-3??Z$}F>mQyxtI&)E4o@9>thSbW$<|4Oz z?S60nP**RI)Dl}}+j>wYvIpK$1MuVtxV^lQ%%FRR<{cokaX4fs;xBSvq?_gxa_qw} zoP)9UYV@1a>F-0UZ+1TC_7hC?^PQXESK}sFIzxA!pDulVUUPb$*J~?Q*Lo-3 z%W1cp(r;JQaM#vx??=mZI04jax{uO?=MZ+c&G}^*lpvFqB?v1V6I!+2e z{=}vSdf>VEUwgx9Z-wHze{{Tt+MCt>GR}qcvZ=DZvW!+sxd4nv7?KY-8Uy`RG7UM5OfVP@LZWZ2LW)3uVv2mZUxp(w z-bbB-POsCF!cz8GRTA2yn0p~7A(vmwy-@@2g`99WBr^n_TBto0dq5T=ACKm;qN&hn zDV8VCwj|q2g{Z#zD;jUL?hf?jzJkVVcOS@VcL%JS#t#UrpBmDTa2_HmyVMY*!h}um zRKv)CIw2G~QiqLCF=+&YVj};e>%m}(ZJ_das@rK-Ty2 z$1=EwzMZ~%?)%B&Kcv_5yRYBep5Ju%N4}vp7R3MAKR!7s#D6$EIq2=;KWyXq^vMHw zB;`csR}}$7pEY+hb11zx+i3Isk3U*JQZfZ3;S2{#WNKaFh5RE6^78ij5@0rHO*oGS z-R`GPmB1&2aRFK2heC$dMY8HU57~GZB$f@t!pE^RgcjV22fA#*|F*jKLXdA04v#yxySKbFS zOz@sT{s zI|LvYp$}k+qlD`iGJ>3KnBd|{$AwAvpq*6x{s-j#MCqM!_H5FBY7Zfs`3;BhL)8F1 zZM6WnIlun(;>St>c>X}Raznh>i zMwE4Uypd2)3*`U7;bAfU-_ddZa3}w_@qGH!eGX=LI#6~293rvIzZctI=ugl9Jnu@X z>ppLte~g6$7OPaO4?xsTQ3iACv~)R7-$wxLEQpkh5dysIyWBr^RKQ8Gs8V(#O1_yP zN`)N$EOsT44~`GyPdvRzMkD+Yw7m?NSPJ5|!tjhD$OSVpZH$sIoP+-)FqFXv0gPjb zd#Cjeq@c_4T(lwj!N3stQ0!+JnIiB@YRgqU9$^#)Om3j%CLaYr#wpbH~;IGQm-kFx1%A4DLwZEy%_MkJ9lpAJZ{4 zWhx6a8gwB%%pc##4h+6;KCc#@=~yTzIZm75ntQu6f-%JrAA$B?nfF)LE!m9F5^^ZMJX4iGd)9A*_Kp132Axa}Yv_BO zK-92lNDQzI?b!sfU(h`Fu5*Xxd$JM$7E0d(90llOsc4>%#CpmCoF&KwCtu(*;N*r= z!2~{o;qf7gd?)STk%3U2+jjAjljy1_CN-^gq=DZ>Jl(&tfutY3Mvd`5eNhC`$<6}O zG8~RUnQStYRK&Y?dUW2IHk`~##ojZKN1d_qT-|7|1R%#E+V#u)p=I=aJ}&()H8gtK zRA^M(6@!B=(EobJ`@OvWx8L92KiTPj+jt65eD81+48V<=?$#7>Xs(GCBPp_(@0AEe zm(#(PtM*PU9Td-mr4lkrmNq2l5Plt14;Wpl3|$luDwn!DMtOP-ES8}HTLPSP>r zDxk)GFMFRkyxg7{kG1U9X0e~jRBjo7ispH1zszz6c`%L#mBIJ6J^!xtp9cTb&L``} z1YQ*Xz1J`9|4t4Mk9O;S8;{)oz11hS<*>0}M9CCbp`n2aa2J@jsXq8kDP*kB>&)UP zfAsXWQu_D0TK)hT7?C7OZ?@|I#e{;>f81C;aUjJ(=u_pE{`jL9tK4uo=~-1~avAsW zic6vW&>T*&oi{Q3Pl8$oZAY};PoG>vk!qu#|C11o3I?Tzrp4W}{l~@s?MTd<5CMz$ z|KWbW$p24HcKY8|p28k1b#1W%b=wDhHY2skq=QK}WvnV7hl8o>PR{B_Zp4SXn%e8#V7zg@FzyS15j`n*K@C59GIf9gl?j*zCkgvV`2_3@- z|DN~a_Hy}BFgrU<-8g(Qos#HvUSscAvCo4@y531xp1VjMyzQF2?3g4Bj!jbm9%Bwe z!0i7-g_xU89+kWASP_ZxZpYH_ zwa8QJ`?zJQZ}7H{V?tj zEfb?eidpgJ4AG&kHq$Tx*9SKyDfN1#MX`sN1avoA8`cOv_ z_C%EFMV3+7%bHPyHBO}lE62Xvu8^F1g(>oVzcqsAHP&+7iupoi7ikZMG*>augy52RvMACRdvypKO0})YvUx z9C|gH^g4Az?DoxiXtl2Kvq1khGbPidt-2Xlp#Pur`Ul1Hzy8tjPXFJ=t6~ z?ex2iz0L#j;Iwx;O8(j@d4|!4uYibUH@+fjUDFt_3XTiI`2EfJ0(e$9 z{-*Tv1=}ok&*q+H_Mi2Rffw0-`iF)4|NFh(&i=EVr^^2G%)YChHv;YLtUx>MZD$3l zlEs$e5zCcm?jg28{jL_9-Tq`}DO$-=w4?E_n8tV3q#d>Yd8qwQX>s~GD0*j=+N@P- zLsYS|EPX+b)Bcm)NDfdOlKB)x>)ZgVxBndM@ApoM_MfBv&i=ENN19Y(ijEF?VDP<8 zDrmXGQ#3{&U&-)n?f?6)p7*zZfBQfG(<%IDyW)WusNa{=hyOb2?05P-p+H#m_HuDI zY#@hu)WDL@T3vC$GDtalc2Lo?3cOTbZ8RO>SIh-GYhE^L-6|@Eam?zpFZ7Y4NcQ&209X>&YRY_9?M!iWjbJcO)2bc!T6T&6tLZW*Q>=hgF(k!Qtcpu(P!~k0Xn}OF zH2`al#S`XWErzC^+Q~76>Lw`-zhA6iO-`f-;=5v*RHFu!NvSGVsJJjby0GSL$4%&7lDS+F1vJY$m_m7TQGOg`H z9m2{DdJ5ykIHyIIL_2F@b<7C`&(ME#J|6Ha4Xc#~T}e3kNvD20LzM6BfoJx~fZby& zwf!A(hPkqfSikq2V`I_qva?#My4ktSr<|x-3JdEsTPlXB)uUt*WmpT$q|T^kU}?pa zfmz6uMx`17E5}AwJeM=R77e@l+L%;i6|wQEN<6X%%PP=o;%sLl$;#(*l+NIjsBpE^ph~Idg7KW0>>aGYU}Y#f2_)5=BBr_a9C-Xtfo3?+*Gq%TeCr@Z1^8Lv?&&~92P#fHpV^hzc57BRy^ zN3|b-f3>>_qur4BFzgO-)J@_sg#n`N7oe>!uX*N`_Zu0u!M}^$5sT}JgxH@~k-ivn z1Ef=^lgA51vw`(zHjZz8J-@!bczOQr?C0~dUvA#M%9R2tP?c;yz&;0U9fI?j(G6+? zb$0eZ+stvhH0z*kU3_bP&7098HYCA-!FqLu@M(vsbEi2 z|C<>B0@~<6*+) zR7D%@a^Gb3OQ9{0h@+1@&lF>$3gj~wR}*qAG%I6WZxQ8{QU-$Bg`XBzT&zY}%}S=4 zs*}Cxu9aam1yJr03~+=PyP{->@*{&jX8SDj7|B_9EpISG?s(hf)3_^Indd$V#Q?+b zB?@6?W;)7Gb3V2IQ4=|75|8}-&Bg0?r!QY#yX9m)rmQs&H3q=y#!g@UdVYO-adZB% zvdJGQnU=>)2KP?`PC33QhM^OB#3V@5n!6GC;o|jnQK%t(mFkf(;u5Mh^4F)Y&wf6? zes^>8#ywf>e!I5f`BgR zb$)$wadZ3b?9J;RFMet=7Ij!VEryW#6CIZvBUX#e&H3r|+0XB;&wskOxxKzPzgaxU z^-ZlX-1oA}0fn8;vlX^Fdle&h`u6tCyNlPi=hv@KFW;S=U*E1Zja5qWntCy)(NwlV z^tLiIgS4Bn6r%a4%n7j zveS}osY#hmbh)PTSx6n=8-cMiyDlJ(jM#KqRyv35Vi@_T zTQLWvUDgt#1PV{19xW0{_1zM+S(mZU6Tfl^rq#oep{iJIg0fDc1dpy-0SQA?6knA- zYY~spbaljaD(y`nZZoULcj&h{il`~0*X{$%c1@Y(k#ft02T?M?l4E6{byr*0PGlA= za8t+I^t|W$vh-4S_GQ7E-$Gwt#{qkluBe3n8|_J>6Ps(o7oOKFIVg*J;03s79M7#q z%cS}fg+98<8+#6V#ui5rQTCC1iZ;EwbV+k(&FY8fz!LkiqVKF&In6eI~N(4*7AEquWtWV3x>^Ecf^W& z!WulQHfu2@zagKaf_dL@=Aob|IIm#rvK|-DqYAD7<{`0=0Wfq(X%%c+`nf#<_^M>n z7FO8WdH_vhK7Wa6;ncFh$)Jr-9)riXv+>*-zH26IdEz|T%uUJ?9!>STaj$wuxd_X} zyI7~!jRWiZw}X2NRL|A=x;a;)CW@=G4+Z5jT~_&?;NQ_Do?<=#N4;0LJR5o*#vDAu z5qEVpz>Fqx^$(L^jQAdq8iMC}b$2HA`y0A65lfx8?%G6JqT28&8W|i;O)yCIV_3|lh znrjz~uA>svTkE6L_v+Cfp+H|(>r5fzh_ac#O<7&czPhHoPW!OIwOl(yU-AO4?bv#< zeL2ue3jA8&D{-q@h>KZRZS__7+7bZQWOj{uz6J-Zg}-feV}t_DA)0F){i4=U(03*ENRgy=OJT&YlF6XA^ANfBXTkcXB;ohH{*R7N4vOplsCTei z|J!&9>p#n+<<)9`FvdcmQRLCgaR!$xx#L`B4cB15?22v(s>%9p3aZ&^uY>%FZ10{&|;fErj!bAUQnE3kkfxYc+-Vf}B^Vz*%bXN9L8)xNp5Rv);sEoxiuxcq5-%lVD#~mlROF4%hPTwx`=JjiskuC9eG|j~B&cPuw!`w| z@_1OSDD+t;B;+oM+lC0z&a_=UX{%aoI|f8)NZO!%CrGJnqtOQKY=Xpklat)}1AA7P=y9B4d3Y>l;IB#E8!ASxOPX5;R;w##< z=4QbWT`oaukj4_m_6FwG$M5R{fD$XU_HHxIZu*pt9Zl#eH^}Ymmi|>*>*w3stDB{% zWL1OoeUQ)6X5gjGcwahA)lNnI#>rVVBrx~^hA{F4Ctb?EDqC$|S^(Nwr_BRhsw)M2 z*19T}3J8UjB`=mhCT`71(sX-A(c7DvZ{#HJTKw7xWm61$8?M<-`wtB~N_6LhKGkM- zHI(=b@eje^`<&#-Tm_x?B==YKCa~H(sA*HiASC|b-e!FnMC(t$nUV+BBt&3DD0q#M zUsdj6P5_Cel^L8}zckE7;##ni!Guo;#lI_7QRxm*;f(R!rkpW`(C_3?$-K3f@yW1; zq*m!0;wZq;*z*&{$<$=R3y@6XjY)KW`jx)>;{h1spD0OUEmL5Ov%6}#_pL(uKo3;m z%US@;5FP4bNgP0qX(PC;0@vn(0@hI}qbJ+~Rt8LeAZ8ldG2?*#%(n97qbTT)3$ z2l_w=>b%-jpaxdkMNig6{8edH=5oA@%Z(TlD@0xI`*W_7MhhgGne3`+q_)m$?abEG zGLtRiC*JAZSMig@b;r_ezyl#>>PLV=#L-fmc1Kq0vfu4d*TZq$Vjuq`%r*$)Kl@5( zxCDYQe(XHff#Pbsw31w4FvU!asv-Lw@iZcyblmi?J$6c3gzx=`=pA*fC8W2=p&n9B zm%90NiR#@Vxz|PVP@MQ7S4@4Mzpmv|xo$qd(Vu;#G+ZJd;OMdICk_ZtoNdD^R z=%0kc&XO=fR1xQVw?LXQ+1#)_Vm@1i=l!tS9WkxLZMRKR56N)def^So?x$T0$(pCm z|8srMPxUPF|2!%Ae;ys59Pa!-xA9m!X6FOC^8wxYfbM)iAGbQT^8sDT2h_U5!g3|D zhPSAq)nc>r6W#fV?)*d_DOv6OL^tFo`t>v9oiFLmmvrY#y7ML7`I0_H>e~5|Zq%3b zs}bkBg|zcGeVqQLU(FKRc^B?{Qg=S7JD=1?>y!HRbK0HH;m&V$=eN4^TYb!at6x7C z-nk?0d|P+Et&f5u?|fUocD`Ki|61k$`2h_lgxqZ;0nDQO|HsD%rTj0u{BPTNJ{6+n z(m>C=3^=^86fhY@J(e6Wj*J>vJ`Fq5<$*KLh6zBNI=<(6SPt=>j;oc_W7(W6_u<9v zTK^~-5$YrA1rSY1#MVs!S-<}K$Bz7uCkH3H^}mfrdRfO59Ub(*;CnEFLgBD722eCc zA74T4PeA+s{;TKx?cd-2&;N7^KeE(@9FC3rF;KrRX;A-l)YXlLsra%t! zsDUM)wYuVhWsq|A?4Y7&6?mz>W}s;jaXdv=kWXZ;$F?hdgI&lBl>P2|XGyP+L(g`q zzdK+lw|^F)+vw*4mM$}4I{i<`D^bp>p6^LR<~=*t{-$~{UPGev5R{t2Hzt9?zgXPLMPr8GyJDGiTf4B0(_-oy**!b`P1BYO z?V34OAME6-Q#eLfNf@e}s#debFWGo|<;`>zm;xGA>ztEN=i{&tuwLfU{?t`YGXi~A zfdK#$!uZw2%K_jtLA6-L6cdX1{49iwS-$6H4$m&%-rSyFzx(@}i`VZ?U%tG~l>%TU+O1AB)~OML)s3CL z{Pq0$_TuLJWo45;QZgMBJ^(PnC=8@cv-m}S6ROMrFb;Xb1f#yVszv07i`Uyl;ZvI2 zzfmUcGLhS*O)`6xB)o!*geqq1r`1`!)fHd0-`d-&n8MSyw{PBEyuLlZetmlR?(F>f z)=e<&etQv3R!dkE&5X9`ke-bQen!G%ie3rc=32pK!(0MX$Yxd8X_N+KDjHBT-e99q zF+Z-2VQoumwc_06-EYTod!lAd~S#|YuB@gU_feK)Vm_DPzy+*0E0JCI4?3tbJ23c~s*ehFBLaj`4cKSusQT)%gPPwZ|e-SprdH^E}(^Nd9IIH1JaWA5CWjs6~z5+W`Gv8S=RuQe|GNB zywDAn3{`EXzU9K?4$XhWVQF=m;WBkRQD@ajS=^HtP1o*8jHVCV6WDRUUcMtf+;~5# zY+pIu;#zEm9h$`&WV*NqUVv#GAK{2jaU?gPKT+tTD?~8~Zjeu+fDJ%@zt?M-&NB`v zH<>t3!w+z7_>596a=U!DPT|$_K)J;g{a!~2iHqb=v{qK?g-yhB8G34iTnM*DpDBSY z+Nl=;Z=%MOTB)=+S8l;-!P%D5MJlORE&E+$U|P#75ni2uuLZ;AtUF?PrJ;$?Ux9+H zfpSBw86CIGuI-si4e+YPb1f`~yx)?*_7?DCRU?nIdRJ}LYSi?`c)7C&1%8aCF`vK0 zw9pUyJG#VE%m?78_X?M(9{RXS;Z`yD5<_^tYfNy3n1cUEux-Xf4 zY(S`vcSs)ffX^V~Ari)CFg!j)kzYK`e)I~1YyE5e(F;%aO8(cfWWhu;)sK9I=6bZIzK>WycYBIBJ=hM}E%xMyxvbPLTyR{1UskE$f@Ewp=bS-nq$@M(T42}yN%ksraer493 zrXuna&Wq>rX(%M&)1S_--`(6?x)E!W(WqT&%yHyjsqF|1P&8vpI0~)iDpaSKta|Xym@TvKMnIdu61I+X!3L=}h0 z@|Zq}uSAhNrxbknr{bYmde&EbTg8|wckNCN2mtdZNQ}kLx3^a}4p^>}<$Ntyr7~ya zc#25EQ{M%r3M7Y3mjs`ImW`laI@-?rK~%%a6|^DtiXd6y`-rjI2}Nu|!a(h~vu6Zx zm{4SWuWnV(@sEWnR{KR?&JfQ~gc#eA#TQQ&_Q(rvf_L-!)y=E3(@m~mq#KU<8yMwc zTfBg=yervqI;ZEBzDu}_G->Ct>Rc=KzP!U!U(37IjU6V{o&VryOc7&ip8+p8|2;T5 zF8P1#AMWD6Y~|65+qDpi?qjL(L6b$pGot>c4vBO|9vqFWAX)0{=R%=Wd+_rC4HIl= zdWm>V&Yiv)16VYu=Z+~XR-Lit;<@lWA1_sKZ_@$&Z^0m0eCuS)l^{NY|0IMPVdcK2 zUj)L<5fKk{h`0%1S%99J=0&*%4P<;aJ*B9ZJMM~Z9t?mEmS+&Jg=jDaT0t}dL1=}k z)b+})y+t@hA7AnJt&BW$MbQXo1+^6;jm9s@8;lZ`slv{q_F%>?9zv?k$~dhJLZn^`2({uxwvjIE zN8lP%JN_9ftmK;cf;pzkiNZM_$FYeLkcoafN}_HulR~+BZ8g|gr7Tj?oB736+7zM4 zr}LP%_nKBg!5C$6t(?k%t`!zdHzO`$y&bABQ{t z@2xz|{XZXreNCY9jd%$L--BlX_W7R0G&a~;zA@bvX#axd?S)OWMepm2*)63#$PB!q z-AIOiOqXZ7h|w5DHz*w4;BkZkc?(X|iEs#>g_y~|_Q13BR;aR({|ZAKU_Mt@j3qPU zrMR1`y7`xEmJcdHRS4cUG5k-0S_WnN1Uu)EX|8(X;|#x!wiFp65OOI}f`jd+O!? z`mx{t(qR90+&i}9|B1B!@9*UQR-Oj(fAz@kg`LA%<~la>zW`I6BlNr70TcVZMqv@f zLIQ&yUf#!>FY=Hre!p z&&DN{fwqV4nAp)RUvYeAZSI7|f!=EG3i+cW^(8+%67Nz2VY zZ{D50e0A|!{`LC&*7{3)ySlwTJv*0wUR<5MyL@x@i^S(Y38pA`Nl9FWd3t%-%6SiY zdf+C6@z?6~KE+JNyfFgC15+FgfQoZ9g&zmt_~_{1NEf@fI?GqHA~0uHKGZ-bAsT?E z*W&GIG=D1j@gh+jt!JsjVy7f)db2%s7t5Qs&wR!o>_|x=zt;ya;ZQ zW%+86uc>mD6(&$}K-Z*+i0_2R-Q5X!XbirhuT>%f!0A$))QHd=8WSmeqM$#8s znt6&~!2gd*=YRYCet+lxxs|85cxR}iXFbQMON-npSG*7OWn2fUBJx$w zDP1G-_|GdFOzR3agc^Zqa!bessQGmVSM7=`53Zt(uRScTyvo&wI_#Id{@{YOwcA6* zmDczo(ckXvBGGQ~H(dO?#dbf7ZNvAC{#J3{NJwta^IEPgTXxmMh4|Nf$HT#r9>MOh zW|=I!@=;xQ&1)Zyp>p2vSn?tD|WPfBez4UaP7lra!1UbFq@6veU_cs@>-<`gEd0jZB-bg+h z)7a0a*FU_uHo0@IuHW3gaW_{n3=>F)M21M0ca)3G)Xh$L3A8)Q- zKEj^Fkg*Sh2BrC|$V{Y^|5U56^X*qfcFvzzH%QQLA)%wMKda2sZ|^elnfmuC2<`Ok z?VEQOuWto$UA{XzzrJ-Zg?4|nbWQn9{|wY*YdUoHdC6=|Tbho=`E(4h?h<*P79z7C z>65ABZ8|wnzBA2IKrQUdf_zY0=nU*QV6W5{A8x!W_KL4u@YiDF>san<(CgwJcmbwO z#D9ele1HUMH5QgfoJ6e(>qnYM?LN#{o1=z5X+pIoIdpP+-ugT`?xJ5rE}iBqX#IRT zP1}0x%Wv)6I#q4~6|=iNCC*zQnpd3cMy+p5vO7Cbkk00Af1xY*cXWxTm=C~F?-ef3 zhxBA!I~v`JzMr+bh%YucU9l520qTlHYl74{p)MP!Zb5ss!RjKnec7DqR-jt6p|mHQ z$E?Ki>I&Y~yh(bUK87)p?HbjrfN6hhXr1#f1Xry}$i+0>$Yz4{F+!0*UyC zdzBO!e{rHJS`3V1M{t-R zb(bjwg&9lr&jTMI_a`lVt4IGz;sA2=wR$I3@&8Q*09kbZd%xE!@c*NJf0zGpE64EbrzFyF zvp>2c9KjI(j%YFTpdzhIz1$I*lgOmSFp0+$29I}#v9wgOX1^ey8o`c9P$%xnFvJ$f z0Vlr)@<0I5ltiqlFkN9~lvlu4x|jMApQ`*Z=#C?0>JKY)9}73I1`JY94^%^8?VF1mxO7FQTc#^otu!(%v-X>; zYK?5ly9Uhn2U)hXN3*z>TghiC8ecB;(xRR=Ud&4_KJBL+hUCM~gz=Y{szfeVVKT;P zGP(4-m4hvPS4h^DzPHk|W$&cpul=?rg-;9vjFf*aZaBF;#}IE6Uk^|G^1fU$ zyaN6@4W1RwqFBJ02d_{_us}5k>7^MvNnk!jpp_u7Dm|c`9MDb;m?j1+Unpq6UF?Z|GZEn+QY-dkzNS77Kh*nidRy|Uk1Nwc>**Ztz2 z1?RsTaRXj({@Xh~J}KV+I6U6@|8C`}I{$rUX9Ub20`Kikfp>-xC1hYQ#b1%3+ZMA9 zvxw?#V@bN9?B&}yTdLWC??`=T16<7p_;t|#&I0uaEKnOFCD#=1E`;nnRkq-%vRMk= z9nt$Dk)-wYxu>bY@ z$EEupCp-J!cAihW{6Cu9zvBEqWQ?3v+&CVNCh#6*TngXi$ zvWbQAL$+2vp*$${d~!vTGnj8KL(rmToat>GX@wRy{%NUXHU@>|li8GNu9`r`09rMf zjjR6pxWptR`Lil1+@TBW%ofJF`fGomgnG`&k zCuF%q@$08Yo^U5+{2NKQQvU!PyUd->+JRY^kd}(<+YCH3V(1Q4{`^Wu4{O|qVL2qaO-O96Y z?^u^_!5pNNZI469u>a7u#>ELEsypy_t_-ZxizRPvJ<2{jk_bcVbYZzbJ&&>rE8cQ_ zlzn+r=j0Ep8!eXq>t6v`Apd&-P$#e0hbQ~R^WXl-{!adH+uBsw zURhz-fDgttmgrZvlX0zoEv`Hr!*y*2u;~8RN$;q*{`Zd#cI$r|kHf64r@yH`#D0H6 z4iPev@HQRwOoNtlg~Ja+m)eJ6JaPG8oKX_}oeXOoFwBa2Ob!_S1O-W0wmzBZHwD0F z@SlWmjn!{tc$;&EuuuB)ZW6%ZDghks5}@odksq(@sqL9v(0S@$dgk=60M%{|#bbhH zPCBeMoz51(?QpRKHV$0uIa%VY9MqndgJsXmov79D8@C?;Xy{Aegi>+Rvm9PENAaN1 znSLWci*c$t*9R3R@!77^U8-E7e8OJ^yTOsYtHDOq>P}T%!|FJp2X$xup!VE<0aPb) zuJeE3^Z}@1Z0q|07`z+!0pyF8`~W~BUjWeL>@^)s$Jy&~+3^!JJMTA&NeOG8Os6mk z28Gui=niqzWs}l-&o8m{d+_?qw^~EVl4KnxeKl2l=<7Rbr9LN&%6|I^4S_cUo~H{} zkV6Uzc>f1no!*}P47{H~`_%T$AN+tIMHGDV%!eFwXOMPj5_NUri|$=AL^MJi$?Fbz zJ3^O}I~47;B~ZC2BktYKV>E!V^wbpayV~Cq``#4MG4f=hly84yBx(aM08c-)g>Y*R zKDEs<5xlpjj=-m?fwCZa3dw`h4$Z`~GLUe92;a6JM$4x_sPh zrT*O?3e8ShxTzr6}^}hQaXzQY1TZXM{x~&+At(kGF+uxaV9oC78;abDI+XUk3rrxUQUCZpd z3ee4)fQz0k?y^qnwjH=Zp9^)W&9tEKKHb=c#D}5W-a2U4luY~o8yULorA^%7OUOyHu%{GXk7_2~ z)Id|ZAh(1#S#THXu)-X)re8|!{!a<%d-wm^KRPV#|9U(BkL^4~O`1o#Aj5)^QHb&(!xcfgh8NFcyWpbV~Vt{A`(;1kT0{R9lrh)@J# zN_>Q5#Qb(T3T4^+_?TI?{yP&CPVqP*6m7VTh3mgx^#45A*?+h6JONjb3z^RVCqPX< z_%J~c7$!Ir1Px;7-@!3roz@d@D=42OaZD&@fK5;s0L5L&NX?0%Syu0CqqSg~| zMy68|fnU#VK!7Q0b;g)?<$o3WtcLM&7y7wXb645@o+VS;^R6=)K1JVmW5iU}3$=BRUE?7}akJWd#* zU;-sC5}N`%n#=b-p%nSN3`^z^lN)_3_!05%5SNUn11=%~zthXNU~WVL%z%{XoB*-c znL>_z7>08YATF9x%@&)3TsEZ7kWGUjQ77RYAhZsKILFbL0WtzAa!fY`6m)%xN%!tM z)*TX|5m5zUhsX?Z3OH`n= zR!a=ih=d{eATZ)`B0|hKGwrIv;&luuoFa~>98dAtqD4ucV)pq2VVVxYOsSr&)|IIY zK7*Ht`4q=e_=vw$(a+#D;fS?7^MKF5^BjMfU#<6PT;ccNvzR623?Mp!Bk(3h(T(`{ zLePQI6giQ{PT(_mFXL;z2cKK-jWeeJ;#ytiyQrn8sDp{D$>CU3l4dr*;aDzEYpzlf z*AXrR1i7)}vN}OiQT@&NE3-1>?p&0La43ru4*;^};v@`p=nA`n*e&Eca{a^U8F&RF zJVIhxAw@v%B!$Em`h_fk88F*{&)~fnB?0DI=OUCnyM~cJK@^-Oe1am5%~Jc^dLOem z-|7_!(%gwaYxJ_Qn8iTtAPP-p6Oy+;3%L5y8qm%#YM6@La2k^csW5u)HT_9&c~iXr z_m&}P;ou-kfnbTijSOiQC!r-6b;Af||+JU}s& z0hwmC$J)RXNNec_28K8cB_XF{)OugE1PMT=IgV+-04q)jAXM^;Y*t(E>%y-HsM088 zh!!)8U_>{?(l-$7mRNqwoQ)`o74s+QMa-jSCYqKN?@CycwlXW0DUxq^i2-x9Q9E*Z z>vb8jG*~Z$n~j#H*k56Y1F;E46cafYx0Xzq>90Z`$0W#xNk;c6h|i3so&|8u_C$LJ z$49cYye%N1p`m9n-e#SPRfi~edwmH$H{}KIji1+l=@ReWUSIxq*KQPkU^cA@=}Hsy z!Vnoa{l`s8{yvL=zUQ7>KhK{FVe$O=ARQWO?O|r@1e(E#1vQ0KY9t}_Q3_t8@j}$I z2vCOXM+&4zNvPE!PBbI8*p3yMJJ&(I{$D54A)=Bx{&54$nVNc=v2F09l)$nKONN0(50o8or)Z}Y3~S~ zFW0^a<6me!jqWeh%OcLk3zQmdC3F8zJw$0~*J}YV(d7$`ra|XresusogHA_a%w$Y; ztEAlX2Y56>RCGHcf!I3any8G&F50}rOpc?KOI`AHRb6aznQ0XIlrU{K(dS(5K3Re4 z?Ir|nfTvC9QdI+!UgVTIU=U-vPEt_5!|*A?4) zP+)Q{SD(b**vxVchROpr#XJWqz>Fr6KMa##jCg@=u1N4QE%Ada(E&Y0BT~|Lz%}y8 zbc&(?1tz%iz96mlJqNGIyAT!{D}C>PR|(?)eZzNCMtRmO3ah19J`XB%2g`#s#s9?YSpKu8uD81WX3C<h5aPUjPUq^g;IL0}ewlOxuuR1OmpXwok>B z%y1xdUl;)cQ`h7ZWq6ew-T+FNfKnwr1!j6UUj(jXlp9h)0pqE8M-IDa7zJ88lEJAZ_{za8V3CDBHkPKSY?0HJaCts3LAtGx zXp70V4DIGNBZ8>!(7f4TNH|qkl-lD&Zn7#M$C%Chj#yoC>aqoTeSUK*ol1cFKb3~`wYtZKW zx0g4-`Xoubh>3Vt(|!kB5yr4OGGdHRC`rbX7XSrg^a4W)^noZ)7`6Ve3Gp)R0C8icMu5&&t)4ENH88KJ3pc64H(?X1X~oGBVC8)Me$@Vt+NdHNYBK3b?}cPA?eJ^DzIwT zG!#YUI#1^lJUi(1dOh!8|K#{&Z*lABqdJVcrEoODerA;t9d&-(NTIS*GZ>l;n>JtA z@>z0nRY|fDse$B7LFw)uGodS*(zYGna;3?k`BW+)5g z1aYO7@Q``3XHqC(W#=Z5bh1>2p2iqU9^7f(L&LMB8j$+(S;K4%XWpl5S(4EI<_x;G znJ5;sgJ57R6Q-6gtx}n6RX1M2g#|3NlWBv^XYjt=UJA9msb;a`)a~Vsr&)h)R|eF1 zuA<${ss|W~A%z@;bMWjE@uy-OW$hP2+fHB@&Kqc02HP0&Nv7ebsgbu3KELnUl!ZB% z;_*ac5+NTkCKfkW3km{?EGlk0z?7}_TiuR~X(gN&ZPVNp?q#1=YU&Yf)JnKL?wwi* z-3Q&Om9Y79?$ws$cN7Vp7US)4x7GNV!SjB&R}G)K7moBec+aEdG7rU1{@k2H-O!%G z*v&ii{cZc6iE`b~?#3%82BtU1%+Pjoet?ABDx|D-S}O)4J}3R`DH2vzEU| z-Hxw$!xbJR&c-cQk|uk)<&f}c$(PfKgb!^T3j3L??W|FaMpfHBbTwTJ4B5=txx%~I z8AAKLzHgm|(M&H!bU=kGxPV>@+wGa2Yh*jl>FzMmOM9xFGs^g!&G2-jlgLu=ot#UlVz~?ydZu?~ikFq!90MU1S(6w-D@lt5Lp1Rm)u0 zFx7JWEQPiFH6{}`KwYXH9UfgQrS9OSN+JA?gHhbzRBfOkA;oeibs9JtEnB05HOOz z9)V^mN7`U>g~JhorO5QH5JD->H`QD$KaJi}%kgz72QuKvRa=cMXVX6GFc#`*mz$XvX}{$GdnhlD0TKbR=>+OZm~Cp1dr>EG2;eB1Nxa@j z{#l{2=0kyHk^oY9w+F>sU)$1xzyv=(dwX;H=GD8)H$Ppx7XN+oz7WR!Gr0NnC$&CM z?6dWHa%TGwgM8{i*LpT=@K32{g(!JxOL!8s!5s@cztpreMlqmh(ZuBW-E$Ly`pMo}(B*miQAvq4I9p z3vfDxzmw<%_=%8li1Ixyd!yiyyX%z1IjcNn;Nr@~(3&|I6tQ_I zO~+upwp)S%B>9_9B1S@F_pQVsm-aZQf?OQ_jkp+8H@SviK>@?n-3L}0kj=RUtlazq z9{aC~^R{oyZ3h4P8+L~Eyj}ldovT5|t-6X9t1i>IpgL~SRY0w}K$oi8jnDn=`KYgm z(E0~wMTie@YF0#H3nx?HOeQeoGJJYC&jPf+@4hc1^d~y9Dt5iWL2|nD+}PoMdj!@i(+N9{lR>W>#HqM3-cD$ythH6+G8qVKpCqJnzWm8SW<()F zloKgtQOQJoN&EtYc!nax6xoOY!tyUw6MP1J2RxnaRKPQdPe&>s$?7mw6kDBhRY1q?dD4R@xv6@Apzh7K)S0bIowbyhUyzlxgo6l~5y!)XgFVRN6Sm^Ly?o?Pau zu6SCRBf4ddZA>lu5ZVG(w8NAJ_3Jap6ua*<%G8g;2CXwiY!<75m8d;f^ggQ#6G(?d zvRtWU3T%FsuQIf?o&ro6@GpVUXNlIoMJMF1(%@*wd3CG^TNi%Hzz{O*1DFf&mZeB2 zz}}XTsodrU4NYa>kI~rV!1BHgPVOeRYILeV;n5qO+<1Rk#wWWE^#-UCXI(qKQ$^Db zQ&er+mC>Cl;5&>`weWq)bMRB&H(M2aEaoW}QXBB?c0hdy=WYiY4{oY*A@wIRSGl_1 zz+_e4Ep6`NL)8-KxUqd4Hmsa5S=x?O8qP;x(6W1E8?{QfR$I4h5NpH&x1g-=!D`Rb z^0ucu0j}w$=2%1veB~FlzMRKe@&=vPmcqp?!dLcVE2|I99q4CByYAMfW0)cB z!CSVKnd&mPCCb${x~1Io*+^iPYL)>ggdMOz`q0-Yy9^Ibm{vx7sQPc~sFlr$7P>P? zyEKWq`Zh{8FVi&N*P)TS6+>j~fmV_eYh(&ZPB_VoY362(l>wy!bS@W#1GwADs7qBK z>`s4}pHnN{VHrT0%Ob6_1p}i&!F@-sxo6Ij;<5ai zw5qPYCNm0N=G4N}Dx6xF*LL6lILTVz04&5cQw@kS4JwzzhB5t)F!R+G)M_ zDJH9pCB+_DIE=ahyW6r}RgdMzW}T&&$p0+ppfxjv{-sk&sF>0H2AvVW3M=JeBw?&M zg`!7y2W+J&91_k$L?!sDuBM(0GTF6Np+To}@XNi=LEFGEC_ca@c)Fn9&}72;fQA!7 z?oua{^aIde($q_~$A=)zKo?;7G;CVX`ZRDKv8VOyN@v=}L~SLjqME@}6t2awWh6C% z{shF3!YSfu_BXLO-+P{9KxqEG)SmwJBK`UA_W;syB6T=Uzr<}x9q=QeMw@%l zYQ2B|ULSC_z5#YgFr9l8g$ObPJWoh?7DFF_RHFl(qIL%qPKE1+-;>cuG}CIGhEg7J zJVW991%Ntyi!_8yAWsiEm9C`&_?pyna7bn-8;bN^wn+;IK1^_k4EAQ2q?UQVeI5Zz zeU%;k%VT~r-5kcTCluT%>P&-;w$bbLddG){^50&sSN!+*uz&KG{^3dgR2wOV%8@DR_$s)N8MVj0QP-pErrBJvX|wquNhi3BFk5;OfFro=~#byaq~Ipb(5 zeYAAbLbsYFVT33g;!pw-imdd&Bh#VW(CZwJNF5?e;dTkVmm`^%lzg2*sy7n1jH20q*X;X5F(*SB@s;cgi!pu5Y{T^ zcWOy6k+iH4f+f&KB)7hmBv_!Z9R3mF9|*mBVdzTbHnoXsN+QgO%p58{Wwh4%R^C6y zQILqGH@?a?PH3h4KXzn$*^USZgdzD|1RwzlXX;F&+XSjP76?tuxMAuvQJN=aOHLrkTG$LZBY zr`0-T($|V5A%6j$Ki4MWq^@hvpMz(Fis6G`L=`(xs;=Ps<&iK0yC><6s;C_3W2`7! zuzy6QvptLejy&Z6r~{EH#~*A~z49kgM>`!Kirr!-W>x@6?Rszap~|&?0+||)So585 zo)(l_s!j_$e=fMw;Q8|wxQOf~weJ2x(v<-KMi_;GlB^#f1CTM|W630xIuOkz`DDAd z@|@rZjNnWRq|8aJ@`CGAD+zv3*V9fbkMju3Ns^A*TyRWdSawmTISY`;$eh1`u@vqNrMp>(E^Kmf(iTy^ z`^jUElh|<*FWF_UY#tEWwX?tZjqUNDnQ>lB{^93p5#_jcNXikjMI9SE89ZX(rxYCeVf<)q!FhsNbmUr-%gftML(`InsL7l}IR&T1cvkj# z!K+6uMA%2wCLkofB*s=>4h+y6VcE}0uvVfDU2;bEl(9?B-A3Dl-X=vnEpJ;t>(B(u zrV^Oj=0OzKR3kI8mO7Wpk!x|7TticmD+0JczEMg(F-z0Z6$~pR$24W3cy(wReI-=Yz;b-o|l`YF-rCqXHeh7xaRb@! ze~wvMh~P-W$+qX5%xc3HE-G=7!oxb0%cda>83QlSwvfw8)d`Mfl280na*Ab)1$vPl z)ACKPKmh+^f4x?4N-p?YymL+zuPm|FKD7pzX3;#K5%)FSeNA2EZLj9N-zi#}>Hk^_ ztf&@tv-o6E)W@%d-6{T>4uNw}pU^yu<~I)EgQO1|aH7r$)Hw_CTZfRF zEGbf-xa9^Nd`;bU_<3+s!>wUdoXlnY{s1rFC;H(tCDt`?D~fBNO*wdtpv8XOB9tna zEeXZiJ(1aPX-rISAQQ`Lh>c0?ji8UP#sYjQur2w-+I^wf5ZdN{ZQxWC*Fc-xw2iQF zA9;~J-{jzJ!>Op;6Pqogrhpj(qoTMzmbS#!n8&KiBe^TTAhTLzjt#S-vJqb$TNkri zG*7br_A4!YeX5vY|4xN110lreLdvGsG>0%_<+c}ovUzrS=&?VzA0~pF$$1z|ud*l) zPlNgW+w-fxx25o(lOzsL|8~WU1$R7VymZ|) zxB6NIw)SX8xm5|aH)+R^p0dAsY?A|+$(MFV)X@}yUnpV{rtz=WwD^qks_SUx13dO! z`7!k!LfV99C>=snttq10Wg&q2iaw1Z|A7EHMQ#%#8_SnOq%;{bqc<+?rXROa-}`ELGZ;ovEh2fq5E+I-o?6d z`?ZWeYHx0!Z^D+`(4ae3= zlRQgduFR>_&6#b+rQ!G(*HJEoiI-*7yE$Kiz1ObBUw4BKfY-?4YXmOSCr`evciUY*QX&H(_2zkBBfsZ1)i*S;50TD;~}eT(rYO zh1gUZ<0)@>e$yh9@hzTPs>l^tG8(YC%?zk3lTw2U&CSkHGJ{peiMBDfm4pz@bKUyL z*YlD+!8NAX8Wte>nJf-a%Mdv%Ky=sW5AeBtA2-kD**u%)B|rZK00960dc`wM0EzH literal 0 HcmV?d00001 diff --git a/charts/neuvector/104.0.3+up2.8.3/.helmignore b/charts/neuvector/104.0.3+up2.8.3/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/neuvector/104.0.3+up2.8.3/Chart.yaml b/charts/neuvector/104.0.3+up2.8.3/Chart.yaml new file mode 100644 index 0000000000..57d9366b1f --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/auto-install: neuvector-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.32.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: neuvector + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 2.8.3 +apiVersion: v1 +appVersion: 5.4.1 +description: Helm feature chart for NeuVector container security platform. +home: https://neuvector.com +icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 +keywords: +- security +maintainers: +- email: support@neuvector.com + name: becitsthere +name: neuvector +sources: +- https://github.com/neuvector/neuvector +version: 104.0.3+up2.8.3 diff --git a/charts/neuvector/104.0.3+up2.8.3/README.md b/charts/neuvector/104.0.3+up2.8.3/README.md new file mode 100644 index 0000000000..e114adc89a --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/README.md @@ -0,0 +1,306 @@ +# NeuVector Helm Chart + +Helm chart for NeuVector container security's core services. + +## Choosing container runtime +Prior to 5.3 release, the user has to specify the correct container runtime type and its socket path. In 5.3.0 release, the enforcer is able to automatically detect the container runtime at its default socket location. The settings of docker/containerd/crio/k8s/bottlerocket become deprecated. If the container runtime socket is not at the default location, please specify it using 'runtimePath' field. In the meantime, the controller does not require the runtime socket to be mounted any more. + +## Configuration + +The following table lists the configurable parameters of the NeuVector chart and their default values. + +Parameter | Description | Default | Notes +--------- | ----------- | ------- | ----- +`openshift` | If deploying in OpenShift, set this to true | `false` | +`registry` | NeuVector container registry | `docker.io` | +`tag` | image tag for controller enforcer manager | `latest` | +`oem` | OEM release name | `nil` | +`imagePullSecrets` | image pull secret | `nil` | +`rbac` | NeuVector RBAC Manifests are installed when RBAC is enabled | `true` | Required for Rancher Authentication. | +`psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` | +`serviceAccount` | Service account name for NeuVector components | `default` | +`leastPrivilege` | Use least privileged service account | `false` | +`bootstrapPassword` | Set password for admin user account if present | `false` | Random password generated if aws billing is enabled +`autoGenerateCert` | Automatically generate certificate or not | `true` | +`internal.certmanager.enabled` | cert-manager is installed for the internal certificates | `false` | +`internal.certmanager.secretname` | Name of the secret to be used for the internal certificates | `neuvector-internal` | +`internal.autoGenerateCert` | Automatically generate internal certificate or not | `true` | +`internal.autoRotateCert` | Automatically rotate internal certificate or not | `false` | +`defaultValidityPeriod` | The default validity period used for certs automatically generated (days) | `365` | +`global.cattle.url` | Set the Rancher Server URL | | Required for Rancher Authentication. `https:///` | +`global.aws.enabled` | If true, install AWS billing csp adapter | `false` | **Note**: default admin user is disabled when aws market place billing enabled, use secret to create admin-role user to manage NeuVector deployment. +`global.aws.accountNumber` | AWS Account Number | `nil` | Follow AWS subscription instruction +`global.aws.roleName` | AWS Role name for billing | `nil` | Follow AWS subscription instruction +`global.aws.serviceAccount` | Service account name for csp adapter | `csp` | Follow AWS subscription instruction +`global.aws.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow AWS subscription instruction +`global.aws.image.repository` | csp adapter image repository | `neuvector/neuvector-csp-adapter` | Follow AWS subscription instruction +`global.aws.image.tag` | csp adapter image tag | `latest` | Follow AWS subscription instruction +`global.aws.image.digest` | csp adapter image digest | `nil` | Follow AWS subscription instruction +`global.aws.image.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow AWS subscription instruction +`global.azure.enabled` | If true, install Azure billing csp adapter | `false` | **Note**: default admin user is disabled when azure market place billing enabled, use secret to create admin-role user to manage NeuVector deployment. +`global.azure.serviceAccount` | Service account name for csp adapter | `csp` | Follow Azure subscription instruction +`global.azure.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.registry` | csp adapter image registry | `susellcforazuremarketplace.azurecr.io` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.image` | csp adapter image repository | `neuvector-billing-azure-by-suse-llc` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.digest` | csp adapter image digest | `nil` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow Azure subscription instruction +`controller.enabled` | If true, create controller | `true` | +`controller.prime.enabled` | NeuVector prime deployment | `false` | +`controller.image.repository` | controller image repository | `neuvector/controller` | +`controller.image.hash` | controller image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`controller.replicas` | controller replicas | `3` | +`controller.schedulerName` | kubernetes scheduler name | `nil` | +`controller.affinity` | controller affinity rules | ... | spread controllers to different nodes | +`controller.topologySpreadConstraints` | List of constraints to control Pods spread across the cluster | `nil` | +`controller.tolerations` | List of node taints to tolerate | `nil` | +`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.8.3/charts/core/values.yaml) +`controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` | +`controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`controller.podLabels` | Specify the pod labels. | `{}` | +`controller.podAnnotations` | Specify the pod annotations. | `{}` | +`controller.env` | User-defined environment variables for controller. | `[]` | +`controller.ranchersso.enabled` | If true, enable single sign on for Rancher | `false` | Required for Rancher Authentication. | +`controller.pvc.enabled` | If true, enable persistence for controller using PVC | `false` | Require persistent volume type RWX, and storage 1Gi +`controller.pvc.accessModes` | Access modes for the created PVC. | `["ReadWriteMany"]` | +`controller.pvc.existingClaim` | If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used. | `false` | +`controller.pvc.storageClass` | Storage Class to be used | `default` | +`controller.pvc.capacity` | Storage capacity | `1Gi` | +`controller.searchRegistries` | Custom search registries for Admission control | `nil` | +`controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` | +`controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` | +`controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` | +`controller.apisvc.type` | Controller REST API service type | `nil` | +`controller.apisvc.annotations` | Add annotations to controller REST API service | `{}` | +`controller.apisvc.route.enabled` | If true, create a OpenShift route to expose the Controller REST API service | `false` | +`controller.apisvc.route.termination` | Specify TLS termination for OpenShift route for Controller REST API service. Possible passthrough, edge, reencrypt | `passthrough` | +`controller.apisvc.route.host` | Set controller REST API service hostname | `nil` | +`controller.apisvc.route.tls.key` | Set controller REST API service PEM format key file | `nil` | +`controller.apisvc.route.tls.certificate` | Set controller REST API service PEM format certificate file | `nil` | +`controller.apisvc.route.tls.caCertificate` | Set controller REST API service CA certificate may be required to establish a certificate chain for validation | `nil` | +`controller.apisvc.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate | `nil` | +`controller.certificate.secret` | Replace controller REST API certificate using secret if secret name is specified | `nil` | +`controller.certificate.keyFile` | Replace controller REST API certificate key file | `tls.key` | +`controller.certificate.pemFile` | Replace controller REST API certificate pem file | `tls.pem` | +`controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | +`controller.federation.mastersvc.loadBalancerIP` | Multi-cluster primary cluster service load balancer IP. If specified, the deployment must also specify controller.federation.mastersvc.type of LoadBalancer. | `nil` | +`controller.federation.mastersvc.clusterIP` | Set clusterIP to be used for mastersvc | `nil` | +`controller.federation.mastersvc.nodePort` | Define a nodePort for mastersvc | `nil` | Must be a valid NodePort (30000-32767) +`controller.federation.mastersvc.externalTrafficPolicy` | Set externalTrafficPolicy to be used for mastersvc | `nil` | +`controller.federation.mastersvc.internalTrafficPolicy` | Set internalTrafficPolicy to be used for mastersvc | `nil` | +`controller.federation.mastersvc.annotations` | Add annotations to Multi-cluster primary cluster REST API service | `{}` | +`controller.federation.mastersvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster primary cluster service | `false` | +`controller.federation.mastersvc.route.host` | Set OpenShift route host for primary cluster service | `nil` | +`controller.federation.mastersvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster primary cluster service. Possible passthrough, edge, reencrypt | `passthrough` | +`controller.federation.mastersvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster primary cluster service | `nil` | +`controller.federation.mastersvc.route.tls.certificate` | Set PEM format key certificate file for OpenShift route for Multi-cluster primary cluster service | `nil` | +`controller.federation.mastersvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster primary cluster service | `nil` | +`controller.federation.mastersvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster primary cluster service | `nil` | +`controller.federation.mastersvc.ingress.enabled` | If true, create ingress for federation master service, must also set ingress host value | `false` | enable this if ingress controller is installed +`controller.federation.mastersvc.ingress.tls` | If true, TLS is enabled for controller federation master ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.mastersvc.ingress.host`. +`controller.federation.mastersvc.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. +`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.8.3/charts/core/values.yaml) +`controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | +`controller.federation.managedsvc.loadBalancerIP` | Multi-cluster primary cluster service load balancer IP. If specified, the deployment must also specify controller.federation.mastersvc.type of LoadBalancer. | `nil` | +`controller.federation.managedsvc.clusterIP` | Set clusterIP to be used for managedsvc | `nil` | +`controller.federation.managedsvc.nodePort` | Define a nodePort for managedsvc | `nil` | Must be a valid NodePort (30000-32767) +`controller.federation.managedsvc.externalTrafficPolicy` | Set externalTrafficPolicy to be used for managedsvc | `nil` | +`controller.federation.managedsvc.internalTrafficPolicy` | Set internalTrafficPolicy to be used for managedsvc | `nil` | +`controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` | +`controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` | +`controller.federation.managedsvc.route.host` | Set OpenShift route host for manageed service | `nil` | +`controller.federation.managedsvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster managed cluster service. Possible passthrough, edge, reencrypt | `passthrough` | +`controller.federation.managedsvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.route.tls.certificate` | Set PEM format certificate file for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.ingress.enabled` | If true, create ingress for federation managed service, must also set ingress host value | `false` | enable this if ingress controller is installed +`controller.federation.managedsvc.ingress.tls` | If true, TLS is enabled for controller federation managed ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.managedsvc.ingress.host`. +`controller.federation.managedsvc.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. +`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.8.3/charts/core/values.yaml) +`controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed +`controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`. +`controller.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`controller.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. +`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.8.3/charts/core/values.yaml) +`controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false` +`controller.configmap.data` | NeuVector configuration in YAML format | `{}` +`controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false` +`controller.secret.data` | NeuVector configuration in key/value pair format | `{}` +`controller.internal.certificate.secret` | Secret name to be used for custom controller internal certificate | `nil` | +`controller.internal.certificate.keyFile` | Set PEM format key file for custom controller internal certificate | `tls.key` | +`controller.internal.certificate.pemFile` | Set PEM format certificate file for custom controller internal certificate | `tls.crt` | +`controller.internal.certificate.caFile` | Set CA certificate file for controller custom internal certificate | `ca.crt` | +`controller.certupgrader.env` | User-defined environment variables. | `[]` | +`controller.certupgrader.schedule` | cert upgrader schedule. Leave empty to disable | `` | +`controller.certupgrader.priorityClassName` | cert upgrader priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`controller.certupgrader.podLabels` | Specify the pod labels. | `{}` | +`controller.certupgrader.podAnnotations` | Specify the pod annotations. | `{}` | +`controller.certupgrader.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`controller.certupgrader.runAsUser` | Specify the run as User ID | `nil` | +`enforcer.enabled` | If true, create enforcer | `true` | +`enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` | +`enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`enforcer.updateStrategy.type` | enforcer update strategy type. | `RollingUpdate` | +`enforcer.priorityClassName` | enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`enforcer.podLabels` | Specify the pod labels. | `{}` | +`enforcer.podAnnotations` | Specify the pod annotations. | `{}` | +`enforcer.env` | User-defined environment variables for enforcers. | `[]` | +`enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`
`key: node-role.kubernetes.io/master` | other taints can be added after the default +`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.8.3/charts/core/values.yaml) +`enforcer.internal.certificate.secret` | Secret name to be used for custom enforcer internal certificate | `nil` | +`enforcer.internal.certificate.keyFile` | Set PEM format key file for custom enforcer internal certificate | `tls.key` | +`enforcer.internal.certificate.pemFile` | Set PEM format certificate file for custom enforcer internal certificate | `tls.crt` | +`enforcer.internal.certificate.caFile` | Set CA certificate file for enforcer custom internal certificate | `ca.crt` | +`manager.enabled` | If true, create manager | `true` | +`manager.image.repository` | manager image repository | `neuvector/manager` | +`manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`manager.priorityClassName` | manager priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`manager.podLabels` | Specify the pod labels. | `{}` | +`manager.podAnnotations` | Specify the pod annotations. | `{}` | +`manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` | +`manager.env.envs` | Other environment variables. The following variables are accepted. | `[]` | +` CUSTOM_LOGIN_LOGO` | SVG file encoded in based64, the logo is displayed as a 300 x 80 pixels icon. | +` CUSTOM_EULA_POLICY` | HTML or TEXT encoded in base64. | +` CUSTOM_PAGE_HEADER_CONTENT` | max. 120 characters, base64 encoded. | +` CUSTOM_PAGE_HEADER_COLOR` | use color name (yellow) or value (#ffff00) | +` CUSTOM_PAGE_FOOTER_CONTENT` | max. 120 characters, base64 encoded. | +` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) | +`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google +`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | +`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.8.3/charts/core/values.yaml) +`manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | +`manager.route.host` | Set OpenShift route host for management console service | `nil` | +`manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` | +`manager.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` | +`manager.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` | +`manager.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` | +`manager.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` | +`manager.certificate.secret` | Replace manager UI certificate using secret if secret name is specified | `nil` | +`manager.certificate.keyFile` | Replace manager UI certificate key file | `tls.key` | +`manager.certificate.pemFile` | Replace manager UI certificate pem file | `tls.pem` | +`manager.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed +`manager.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/` +`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.8.3/charts/core/values.yaml) +`manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`. +`manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.8.3/charts/core/values.yaml) +`manager.affinity` | manager affinity rules | `{}` | +`manager.topologySpreadConstraints` | List of constraints to control Pods spread across the cluster | `nil` | +`manager.tolerations` | List of node taints to tolerate | `nil` | +`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`manager.runAsUser` | Specify the run as User ID | `nil` | +`manager.probes.enabled` | enabled startup, liveness and readiness probes | 1 | +`manager.probes.timeout` | timeout for startup, liveness and readiness probes | 1 | +`manager.probes.periodSeconds` | periodSeconds for startup, liveness and readiness probes | 10 | +`manager.probes.startupFailureThreshold` | failure threshold for startup probe | 30 | +`cve.adapter.enabled` | If true, create registry adapter | `true` | +`cve.adapter.image.repository` | registry adapter image repository | `neuvector/registry-adapter` | +`cve.adapter.image.tag` | registry adapter image tag | | +`cve.adapter.image.hash` | registry adapter image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`cve.adapter.priorityClassName` | registry adapter priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.adapter.podLabels` | Specify the pod labels. | `{}` | +`cve.adapter.podAnnotations` | Specify the pod annotations. | `{}` | +`cve.adapter.env` | User-defined environment variables for adapter. | `[]` | +`cve.adapter.svc.type` | set registry adapter service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google +`cve.adapter.svc.loadBalancerIP` | if registry adapter service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | +`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.8.3/charts/core/values.yaml) +`cve.adapter.harbor.protocol` | Harbor registry request protocol [http|https] | `https` | +`cve.adapter.harbor.secretName` | Harbor registry adapter's basic authentication secret | | +`cve.adapter.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | +`cve.adapter.route.host` | Set OpenShift route host for management console service | `nil` | +`cve.adapter.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` | +`cve.adapter.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` | +`cve.adapter.certificate.secret` | Replace registry adapter certificate using secret if secret name is specified | `nil` | +`cve.adapter.certificate.keyFile` | Replace registry adapter certificate key file | `tls.key` | +`cve.adapter.certificate.pemFile` | Replace registry adapter certificate crt file | `tls.crt` | +`cve.adapter.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed +`cve.adapter.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`cve.adapter.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`cve.adapter.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/` +`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.8.3/charts/core/values.yaml) +`cve.adapter.ingress.tls` | If true, TLS is enabled for registry adapter ingress service |`false` | If set, the tls-host used is the one set with `cve.adapter.ingress.host`. +`cve.adapter.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.8.3/charts/core/values.yaml) +`cve.adapter.affinity` | registry adapter affinity rules | `{}` | +`cve.adapter.tolerations` | List of node taints to tolerate | `nil` | +`cve.adapter.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`cve.adapter.runAsUser` | Specify the run as User ID | `nil` | +`cve.adapter.internal.certificate.secret` | Secret name to be used for custom registry adapter internal certificate | `nil` | +`cve.adapter.internal.certificate.keyFile` | Set PEM format key file for custom registry adapter internal certificate | `tls.key` | +`cve.adapter.internal.certificate.pemFile` | Set PEM format certificate file for custom registry adapter internal certificate | `tls.crt` | +`cve.adapter.internal.certificate.caFile` | Set CA certificate file for registry adapter custom internal certificate | `ca.crt` | +`cve.updater.enabled` | If true, create cve updater | `true` | +`cve.updater.secure` | If true, API server's certificate is validated | `false` | +`cve.updater.cacert` | If set, use this ca file to validate API server's certificate | `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` | +`cve.updater.image.registry` | cve updater image registry to overwrite global registry | | +`cve.updater.image.repository` | cve updater image repository | `neuvector/updater` | +`cve.updater.image.tag` | image tag for cve updater | `latest` | +`cve.updater.image.hash` | cve updateer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`cve.updater.priorityClassName` | cve updater priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.updater.resources` | Add resources requests and limits to updater cronjob | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.8.3/charts/core/values.yaml) +`cve.updater.podLabels` | Specify the pod labels. | `{}` | +`cve.updater.podAnnotations` | Specify the pod annotations. | `{}` | +`cve.updater.schedule` | cronjob cve updater schedule | `0 0 * * *` | +`cve.updater.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`cve.updater.runAsUser` | Specify the run as User ID | `nil` | +`cve.scanner.enabled` | If true, cve scanners will be deployed | `true` | +`cve.scanner.image.registry` | cve scanner image registry to overwrite global registry | | +`cve.scanner.image.repository` | cve scanner image repository | `neuvector/scanner` | +`cve.scanner.image.tag` | cve scanner image tag | `latest` | +`cve.scanner.image.hash` | cve scanner image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`cve.scanner.priorityClassName` | cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.scanner.podLabels` | Specify the pod labels. | `{}` | +`cve.scanner.podAnnotations` | Specify the pod annotations. | `{}` | +`cve.scanner.env` | User-defined environment variables for scanner. | `[]` | +`cve.scanner.replicas` | external scanner replicas | `3` | +`cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` | +`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.8.3/charts/core/values.yaml) | +`cve.scanner.affinity` | scanner affinity rules | `{}` | +`cve.scanner.topologySpreadConstraints` | List of constraints to control Pods spread across the cluster | `nil` | +`cve.scanner.tolerations` | List of node taints to tolerate | `nil` | +`cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`cve.scanner.runAsUser` | Specify the run as User ID | `nil` | +`cve.scanner.internal.certificate.secret` | Secret name to be used for custom scanner internal certificate | `nil` | +`cve.scanner.internal.certificate.keyFile` | Set PEM format key file for custom scanner internal certificate | `tls.key` | +`cve.scanner.internal.certificate.pemFile` | Set PEM format certificate file for custom scanner internal certificate | `tls.crt` | +`cve.scanner.internal.certificate.caFile` | Set CA certificate file for scanner custom internal certificate | `ca.crt` | +`runtimePath` | container runtime socket path, if it's not at the default location. | `` | +`docker.path` | docker path | `/var/run/docker.sock` | Deprecated in 5.3.0 +`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | Deprecated in 5.3.0. Prior to 5.3.0, for k3s and rke clusters, set k3s.enabled to true instead +`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` | Deprecated in 5.3.0. +`crio.enabled` | Set to true, if the container runtime is cri-o | `false` | Deprecated in 5.3.0. +`crio.path` | If cri-o is enabled, this local cri-o socket path will be used | `/var/run/crio/crio.sock` | Deprecated in 5.3.0. +`k3s.enabled` | Set to true for k3s or rke2 | `false` | Deprecated in 5.3.0. +`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` | Deprecated in 5.3.0. +`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` | Deprecated in 5.3.0. +`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` | Deprecated in 5.3.0. +`admissionwebhook.type` | admission webhook type | `ClusterIP` | +`crdwebhooksvc.enabled` | Enable crd service | `true` | +`crdwebhook.enabled` | Create crd resources | `true` | +`crdwebhook.type` | crd webhook type | `ClusterIP` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install my-release --namespace neuvector ./neuvector-helm/ --set manager.env.ssl=off +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, + +```console +$ helm install my-release --namespace neuvector ./neuvector-helm/ -f values.yaml +``` diff --git a/charts/neuvector/104.0.3+up2.8.3/app-readme.md b/charts/neuvector/104.0.3+up2.8.3/app-readme.md new file mode 100644 index 0000000000..caddee8a85 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/app-readme.md @@ -0,0 +1,35 @@ +### Run-Time Protection Without Compromise + +NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform. + +NeuVector integrates tightly with Rancher and Kubernetes to extend the built-in security features for applications that require defense in depth. Security features include: + ++ Build phase vulnerability scanning with Jenkins plug-in and registry scanning ++ Admission control to prevent vulnerable or unauthorized image deployments using Kubernetes admission control webhooks ++ Complete run-time scanning with network, process, and file system monitoring and protection ++ The industry's only layer 7 container firewall for multi-protocol threat detection and automated segmentation ++ Advanced network controls including DLP detection, service mesh integration, connection blocking and packet captures ++ Run-time vulnerability scanning and CIS benchmarks + +Additional Notes: ++ Previous deployments from Rancher, such as from our Partners chart repository or the primary NeuVector Helm chart, must be completely removed in order to update to the new integrated feature chart. See https://github.com/rancher/rancher/issues/37447. ++ Container runtime and runtime path are auto detected in NeuVector 5.3.0 version. If the socket path is not at the default location, use runtimePath in values.yaml to specify the location. ++ For deploying on hardened RKE2 and K3s clusters, enable PSP and set user id from other configuration for Manager, Scanner and Updater deployments. User id can be any number other than 0. ++ For deploying on hardened RKE cluster, enable PSP from security settings. + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + **Note:** + In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + + **Note:** + If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** + + If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/neuvector/104.0.3+up2.8.3/crds/_helpers.tpl b/charts/neuvector/104.0.3+up2.8.3/crds/_helpers.tpl new file mode 100644 index 0000000000..c0cc49294e --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/crds/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "neuvector.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "neuvector.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "neuvector.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/neuvector/104.0.3+up2.8.3/questions.yaml b/charts/neuvector/104.0.3+up2.8.3/questions.yaml new file mode 100644 index 0000000000..29668b2bf1 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/questions.yaml @@ -0,0 +1,283 @@ +questions: +#image configurations +- variable: controller.image.repository + default: "neuvector/controller" + description: controller image repository + type: string + label: Controller Image Path + group: "Container Images" +- variable: controller.image.tag + default: "" + description: image tag for controller + type: string + label: Controller Image Tag + group: "Container Images" +- variable: manager.image.repository + default: "neuvector/manager" + description: manager image repository + type: string + label: Manager Image Path + group: "Container Images" +- variable: manager.image.tag + default: "" + description: image tag for manager + type: string + label: Manager Image Tag + group: "Container Images" +- variable: enforcer.image.repository + default: "neuvector/enforcer" + description: enforcer image repository + type: string + label: Enforcer Image Path + group: "Container Images" +- variable: enforcer.image.tag + default: "" + description: image tag for enforcer + type: string + label: Enforcer Image Tag + group: "Container Images" +- variable: cve.scanner.image.repository + default: "neuvector/scanner" + description: scanner image repository + type: string + label: Scanner Image Path + group: "Container Images" +- variable: cve.scanner.image.tag + default: "" + description: image tag for scanner + type: string + label: Scanner Image Tag + group: "Container Images" +- variable: cve.updater.image.repository + default: "neuvector/updater" + description: cve updater image repository + type: string + label: CVE Updater Image Path + group: "Container Images" +- variable: cve.updater.image.tag + default: "" + description: image tag for updater + type: string + label: Updater Image Tag + group: "Container Images" +#storage configurations +- variable: controller.pvc.enabled + default: false + description: If true, enable persistence for controller using PVC. PVC should support ReadWriteMany(RWX) + type: boolean + label: PVC Status + group: "PVC Configuration" +- variable: controller.pvc.storageClass + default: "" + description: Storage Class to be used + type: string + label: Storage Class Name + group: "PVC Configuration" +#ingress configurations +- variable: manager.ingress.enabled + default: false + description: If true, create ingress, must also set ingress host value + type: boolean + label: Manager Ingress Status + group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: manager.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Manager Ingress Host + group: "Ingress Configuration" + - variable: manager.ingress.path + default: "/" + description: Set ingress path + type: string + label: Manager Ingress Path + group: "Ingress Configuration" + - variable: manager.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Manager Ingress Annotations + group: "Ingress Configuration" +- variable: controller.ingress.enabled + default: false + description: If true, create ingress for rest api, must also set ingress host value + type: boolean + label: Controller Ingress Status + group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: controller.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Controller Ingress Host + group: "Ingress Configuration" + - variable: controller.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Ingress Path + group: "Ingress Configuration" + - variable: controller.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Ingress Annotations + group: "Ingress Configuration" +- variable: controller.federation.mastersvc.ingress.enabled + default: false + description: If true, create ingress for rest api, must also set ingress host value + type: boolean + label: Controller Federation Master Service Ingress Status + group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: controller.federation.mastersvc.ingress.tls + default: false + description: If true, TLS is enabled for controller federation master ingress service + type: boolean + label: Controller Federation Master Service Ingress TLS Status + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Controller Federation Master Service Ingress Host + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Federation Master Service Ingress Path + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.ingressClassName + default: "" + description: To be used instead of the ingress.class annotation if an IngressClass is provisioned + type: string + label: Controller Federation Master Service Ingress IngressClassName + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.secretName + default: "" + description: Name of the secret to be used for TLS-encryption + type: string + label: Controller Federation Master Service Ingress SecretName + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Federation Master Service Ingress Annotations + group: "Ingress Configuration" +- variable: controller.federation.managedsvc.ingress.enabled + default: false + description: If true, create ingress for rest api, must also set ingress host value + type: boolean + label: Controller Federation Managed Service Ingress Status + group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: controller.federation.managedsvc.ingress.tls + default: false + description: If true, TLS is enabled for controller federation managed ingress service + type: boolean + label: Controller Federation Managed Service Ingress TLS Status + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Controller Federation Managed Service Ingress Host + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Federation Managed Service Ingress Path + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.ingressClassName + default: "" + description: To be used instead of the ingress.class annotation if an IngressClass is provisioned + type: string + label: Controller Federation Managed Service Ingress IngressClassName + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.secretName + default: "" + description: Name of the secret to be used for TLS-encryption + type: string + label: Controller Federation Managed Service Ingress SecretName + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Federation Managed Service Ingress Annotations + group: "Ingress Configuration" +#service configurations +- variable: manager.svc.type + default: "NodePort" + description: Set manager service type for native Kubernetes + type: enum + label: Manager Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +- variable: controller.federation.mastersvc.type + default: "" + description: Multi-cluster master cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP + type: enum + label: Fed Master Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +- variable: controller.federation.managedsvc.type + default: "" + description: Multi-cluster managed cluster service type. If specified, the deployment will be managed by the master clsuter. Possible values include NodePort, LoadBalancer and ClusterIP + type: enum + label: Fed Managed Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +- variable: controller.apisvc.type + default: "NodePort" + description: Controller REST API service type + type: enum + label: Controller REST API Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +#Security Settings +- variable: global.cattle.psp.enabled + default: "false" + description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false." + label: "Enable PodSecurityPolicies" + default: "false" + type: boolean + group: "Security Settings" +- variable: manager.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Manager runAsUser ID + group: "Security Settings" +- variable: cve.scanner.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Scanner runAsUser ID + group: "Security Settings" +- variable: cve.updater.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Updater runAsUser ID + group: "Security Settings" diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/NOTES.txt b/charts/neuvector/104.0.3+up2.8.3/templates/NOTES.txt new file mode 100644 index 0000000000..72068f7071 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/NOTES.txt @@ -0,0 +1,25 @@ +{{- if and .Values.manager.enabled .Values.manager.ingress.enabled }} +From outside the cluster, the NeuVector URL is: +http://{{ .Values.manager.ingress.host }} +{{- else if and .Values.manager.enabled .Values.manager.ingress.enabled .Values.manager.ingress.tls}} +From outside the cluster, the NeuVector URL is: +https://{{ .Values.manager.ingress.host }} +{{- else if not .Values.openshift }} +Get the NeuVector URL by running these commands: +{{- if contains "NodePort" .Values.manager.svc.type }} + NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui) + NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo https://$NODE_IP:$NODE_PORT +{{- else if contains "ClusterIP" .Values.manager.svc.type }} + CLUSTER_IP=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.clusterIP}" services neuvector-service-webui) + echo https://$CLUSTER_IP:8443 +{{- else if contains "LoadBalancer" .Values.manager.svc.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w neuvector-service-webui' + + SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} neuvector-service-webui -o jsonpath="{.status.loadBalancer.ingress[0].ip}") + echo https://$SERVICE_IP:8443 +{{- end }} +{{- end }} + + diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/_helpers.tpl b/charts/neuvector/104.0.3+up2.8.3/templates/_helpers.tpl new file mode 100644 index 0000000000..4a5e4f17ae --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/_helpers.tpl @@ -0,0 +1,61 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "neuvector.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "neuvector.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "neuvector.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Lookup secret. +*/}} +{{- define "neuvector.secrets.lookup" -}} +{{- $value := "" -}} +{{- $secretData := (lookup "v1" "Secret" .namespace .secret).data -}} +{{- if and $secretData (hasKey $secretData .key) -}} + {{- $value = index $secretData .key -}} +{{- else if .defaultValue -}} + {{- $value = .defaultValue | toString | b64enc -}} +{{- end -}} +{{- if $value -}} +{{- printf "%s" $value -}} +{{- end -}} +{{- end -}} + + +{{- define "neuvector.controller.image" -}} +{{- printf "%s/%s:%s" .Values.registry .Values.controller.image.repository .Values.tag }} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/admission-webhook-service.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/admission-webhook-service.yaml new file mode 100644 index 0000000000..6a1bfa63f0 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/admission-webhook-service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-admission-webhook + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + ports: + - port: 443 + targetPort: 20443 + protocol: TCP + name: admission-webhook + type: {{ .Values.admissionwebhook.type }} + selector: + app: neuvector-controller-pod \ No newline at end of file diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/bootstrap-secret.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/bootstrap-secret.yaml new file mode 100644 index 0000000000..7e275eaa6b --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/bootstrap-secret.yaml @@ -0,0 +1,16 @@ +{{/* Use the bootstrap password from values.yaml or random value*/}} +{{- $bootstrapPassword := .Values.bootstrapPassword -}} +{{/* If a bootstrap password was found in the values or AWS is enabled */}} +{{- if $bootstrapPassword }} +apiVersion: v1 +kind: Secret +metadata: + name: "neuvector-bootstrap-secret" + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +type: Opaque +data: + bootstrapPassword: {{ $bootstrapPassword | b64enc |quote }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/cert-manager-secret.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/cert-manager-secret.yaml new file mode 100644 index 0000000000..3692886b4c --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/cert-manager-secret.yaml @@ -0,0 +1,33 @@ +{{- if .Values.internal.certmanager.enabled }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.internal.certmanager.secretname }} + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.internal.certmanager.secretname }} + namespace: {{ .Release.Namespace }} +spec: + duration: 17520h # 2 years + subject: + organizations: + - NeuVector + isCA: true + commonName: neuvector.internal + dnsNames: + - neuvector.internal + - NeuVector + secretName: {{ .Values.internal.certmanager.secretname }} + usages: + - digital signature + - key encipherment + issuerRef: + group: cert-manager.io + kind: Issuer + name: {{ .Values.internal.certmanager.secretname }} +{{- end }} \ No newline at end of file diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/clusterrole.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/clusterrole.yaml new file mode 100644 index 0000000000..49228b70c3 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/clusterrole.yaml @@ -0,0 +1,117 @@ +{{- if .Values.rbac -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - services + - namespaces + verbs: + - get + - list + - watch + - update + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +{{- if .Values.openshift }} +- apiGroups: + - image.openshift.io + resources: + - imagestreams + verbs: + - get + - list + - watch +{{- end }} +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + - clusterrolebindings + - clusterroles + verbs: + - get + - list + - watch + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - create + - update + - delete + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - config.openshift.io + resources: + - clusteroperators + verbs: + - get + - list +{{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/clusterrolebinding-least.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/clusterrolebinding-least.yaml new file mode 100644 index 0000000000..edb1007fd5 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/clusterrolebinding-least.yaml @@ -0,0 +1,145 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-app +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-rbac +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-admission +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-view + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: view +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: neuvector-binding-co +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/clusterrolebinding.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..4ea258c099 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/clusterrolebinding.yaml @@ -0,0 +1,142 @@ +{{- if and .Values.rbac (not .Values.leastPrivilege) -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-app +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-rbac +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-admission +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-view + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: view +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: neuvector-binding-co +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/controller-deployment.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/controller-deployment.yaml new file mode 100644 index 0000000000..e5782d1a8e --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/controller-deployment.yaml @@ -0,0 +1,334 @@ +{{- $pre530 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}} +{{- end }} +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} +{{- if .Values.controller.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-controller-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +{{- with .Values.controller.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + minReadySeconds: 60 + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} + selector: + matchLabels: + app: neuvector-controller-pod + template: + metadata: + labels: + app: neuvector-controller-pod + release: {{ .Release.Name }} + {{- with .Values.controller.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.controller.secret.enabled }} + checksum/init-secret: {{ include (print $.Template.BasePath "/init-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.controller.configmap.enabled }} + checksum/init-configmap: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }} + {{- end }} + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} + checksum/controller-secret: {{ include (print $.Template.BasePath "/controller-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + {{- toYaml .Values.controller.podAnnotations | nindent 8 }} + {{- end }} + spec: + {{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 8 }} + {{- end }} + {{- if .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.controller.topologySpreadConstraints | indent 8 }} + {{- end }} + {{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.controller.schedulerName }} + schedulerName: {{ .Values.controller.schedulerName }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: controller + serviceAccount: controller + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + initContainers: + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} + {{- else if and .Values.internal.autoGenerateCert (not $pre540) }} + - name: init + image: {{ template "system_default_registry" . }}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }} + command: ["/usr/local/bin/upgrader", "create-upgrader-job" ] + imagePullPolicy: {{ .Values.controller.certupgrader.imagePullPolicy }} + env: + - name: OVERRIDE_CHECKSUM + value: {{ dict "image" (include "neuvector.controller.image" .) "internal" .Values.internal "certupgrader" .Values.controller.certupgrader | toJson | sha256sum }} + {{- with .Values.controller.certupgrader.env }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.controller.prime.enabled }} + - name: prime-config-container + {{- if .Values.controller.prime.image.hash }} + image: "{{ .Values.registry }}/{{ .Values.controller.prime.image.repository }}@{{ .Values.controller.prime.image.hash }}" + {{- else }} + image: "{{ .Values.registry }}/{{ .Values.controller.prime.image.repository }}:{{ .Values.controller.prime.image.tag }}" + {{- end }} + imagePullPolicy: Always + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /usr/share + name: prime-config + {{- end }} + containers: + - name: neuvector-controller-pod + image: {{ template "system_default_registry" . }}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }} + {{- if $pre530 }} + securityContext: + privileged: true + {{- else }} + securityContext: + runAsUser: 0 + {{- end }} + resources: + {{- if .Values.controller.resources }} +{{ toYaml .Values.controller.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + readinessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 5 + periodSeconds: 5 + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: CLUSTER_ADVERTISED_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CLUSTER_BIND_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.ranchersso.enabled }} + - name: RANCHER_SSO + value: "1" + - name: RANCHER_EP + value: "{{ .Values.global.cattle.url }}" + {{- end }} + {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }} + - name: CTRL_PERSIST_CONFIG + value: "1" + {{- end }} + {{- if .Values.controller.searchRegistries }} + - name: CTRL_SEARCH_REGISTRIES + value: "{{ .Values.controller.searchRegistries }}" + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} + {{- else if (and .Values.internal.autoGenerateCert (not $pre540))}} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} + {{- with .Values.controller.env }} +{{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }} + - mountPath: /var/neuvector + name: nv-share + readOnly: false + {{- end }} + {{- if $pre530 }} + {{- if .Values.containerd.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.k3s.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.bottlerocket.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.crio.enabled }} + - mountPath: /var/run/crio/crio.sock + {{- else }} + - mountPath: /var/run/docker.sock + {{- end }} + name: runtime-sock + readOnly: true + - mountPath: /host/proc + name: proc-vol + readOnly: true + - mountPath: /host/cgroup + name: cgroup-vol + readOnly: true + {{- end }} + - mountPath: /etc/config + name: config-volume + readOnly: true + {{- if .Values.controller.prime.enabled }} + - mountPath: /etc/neuvector/prime/compliance/ + name: prime-config + readOnly: true + {{- end }} + {{- if .Values.controller.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.controller.certificate.keyFile }} + name: usercert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.controller.certificate.pemFile }} + name: usercert + readOnly: true + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem + name: cert + readOnly: true + {{- else }} + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.controller.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.controller.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.controller.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir + {{- end }} + terminationGracePeriodSeconds: 300 + restartPolicy: Always + volumes: + {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }} + - name: nv-share + {{- if .Values.controller.pvc.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.controller.pvc.existingClaim | default "neuvector-data" }} + {{- else if .Values.controller.azureFileShare.enabled }} + azureFile: + secretName: {{ .Values.controller.azureFileShare.secretName }} + shareName: {{ .Values.controller.azureFileShare.shareName }} + readOnly: false + {{- end }} + {{- end }} + {{- if $pre530 }} + - name: runtime-sock + hostPath: + {{- if .Values.containerd.enabled }} + path: {{ .Values.containerd.path }} + {{- else if .Values.crio.enabled }} + path: {{ .Values.crio.path }} + {{- else if .Values.k3s.enabled }} + path: {{ .Values.k3s.runtimePath }} + {{- else if .Values.bottlerocket.enabled }} + path: {{ .Values.bottlerocket.runtimePath }} + {{- else }} + path: {{ .Values.docker.path }} + {{- end }} + - name: proc-vol + hostPath: + path: /proc + - name: cgroup-vol + hostPath: + path: /sys/fs/cgroup + {{- end }} + - name: config-volume + projected: + sources: + - configMap: + name: neuvector-init + optional: true + - secret: + name: neuvector-init + optional: true + - secret: + name: neuvector-secret + optional: true + {{- if .Values.controller.prime.enabled }} + - emptyDir: {} + name: prime-config + {{- end }} + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} + - name: cert + secret: + secretName: neuvector-controller-secret + {{- end }} + {{- if .Values.controller.certificate.secret }} + - name: usercert + secret: + secretName: {{ .Values.controller.certificate.secret }} + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} + - name: internal-cert + secret: + secretName: {{ .Values.controller.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi + {{- end }} +{{- if gt (int .Values.controller.disruptionbudget) 0 }} +--- +{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: neuvector-controller-pdb + namespace: {{ .Release.Namespace }} +spec: + minAvailable: {{ .Values.controller.disruptionbudget }} + selector: + matchLabels: + app: neuvector-controller-pod +{{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/controller-ingress.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/controller-ingress.yaml new file mode 100644 index 0000000000..d8bcb32a14 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/controller-ingress.yaml @@ -0,0 +1,213 @@ +{{- if .Values.controller.enabled }} +{{- if .Values.controller.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-restapi-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.controller.ingress.ingressClassName }} + ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.controller.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.ingress.host }} +{{- if .Values.controller.ingress.secretName }} + secretName: {{ .Values.controller.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.ingress.host }} + http: + paths: + - path: {{ .Values.controller.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-svc-controller-api + port: + number: 10443 +{{- else }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-restapi-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.controller.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.ingress.host }} +{{- if .Values.controller.ingress.secretName }} + secretName: {{ .Values.controller.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.ingress.host }} + http: + paths: + - path: {{ .Values.controller.ingress.path }} + backend: + serviceName: neuvector-svc-controller-api + servicePort: 10443 +{{- end }} +{{- end }} +{{- if .Values.controller.federation.mastersvc.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-mastersvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.mastersvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.controller.federation.mastersvc.ingress.ingressClassName }} + ingressClassName: {{ .Values.controller.federation.mastersvc.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.controller.federation.mastersvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.mastersvc.ingress.host }} +{{- if .Values.controller.federation.mastersvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.mastersvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.mastersvc.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-svc-controller-fed-master + port: + number: 11443 +{{- else }} +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-mastersvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.mastersvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.controller.federation.mastersvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.mastersvc.ingress.host }} +{{- if .Values.controller.federation.mastersvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.mastersvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.mastersvc.ingress.path }} + backend: + serviceName: neuvector-svc-controller-fed-master + servicePort: 11443 +{{- end }} +{{- end }} +{{- if .Values.controller.federation.managedsvc.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-managedsvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.managedsvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.controller.federation.managedsvc.ingress.ingressClassName }} + ingressClassName: {{ .Values.controller.federation.managedsvc.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.controller.federation.managedsvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.managedsvc.ingress.host }} +{{- if .Values.controller.federation.managedsvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.managedsvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.managedsvc.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-svc-controller-fed-managed + port: + number: 10443 +{{- else }} +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-managedsvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.managedsvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.controller.federation.managedsvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.managedsvc.ingress.host }} +{{- if .Values.controller.federation.managedsvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.managedsvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.managedsvc.ingress.path }} + backend: + serviceName: neuvector-svc-controller-fed-managed + servicePort: 10443 +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/controller-lease.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/controller-lease.yaml new file mode 100644 index 0000000000..cccde54795 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/controller-lease.yaml @@ -0,0 +1,8 @@ +{{- if .Values.internal.autoGenerateCert }} +apiVersion: coordination.k8s.io/v1 +kind: Lease +metadata: + name: neuvector-controller +spec: + leaseTransitions: 0 +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/controller-route.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/controller-route.yaml new file mode 100644 index 0000000000..b80816f139 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/controller-route.yaml @@ -0,0 +1,95 @@ +{{- if .Values.openshift -}} +{{- if .Values.controller.apisvc.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-api + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.controller.apisvc.route.host }} + host: {{ .Values.controller.apisvc.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-svc-controller-api + port: + targetPort: controller-api + tls: + termination: {{ .Values.controller.apisvc.route.termination }} +{{- if or (eq .Values.controller.apisvc.route.termination "reencrypt") (eq .Values.controller.apisvc.route.termination "edge") }} +{{- with .Values.controller.apisvc.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} + +--- +{{ end -}} +{{- if .Values.controller.federation.mastersvc.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-fed-master + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.controller.federation.mastersvc.route.host }} + host: {{ .Values.controller.federation.mastersvc.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-svc-controller-fed-master + port: + targetPort: fed + tls: + termination: {{ .Values.controller.federation.mastersvc.route.termination }} +{{- if or (eq .Values.controller.federation.mastersvc.route.termination "reencrypt") (eq .Values.controller.federation.mastersvc.route.termination "edge") }} +{{- with .Values.controller.federation.mastersvc.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +--- +{{ end -}} +{{- if .Values.controller.federation.managedsvc.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-fed-managed + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.controller.federation.managedsvc.route.host }} + host: {{ .Values.controller.federation.managedsvc.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-svc-controller-fed-managed + port: + targetPort: fed + tls: + termination: {{ .Values.controller.federation.managedsvc.route.termination }} +{{- if or (eq .Values.controller.federation.managedsvc.route.termination "reencrypt") (eq .Values.controller.federation.managedsvc.route.termination "edge") }} +{{- with .Values.controller.federation.managedsvc.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{ end -}} +{{- end -}} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/controller-secret.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/controller-secret.yaml new file mode 100644 index 0000000000..fb743c249c --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/controller-secret.yaml @@ -0,0 +1,33 @@ +{{- if .Values.controller.enabled -}} +{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} +{{- $cert := (dict) }} +{{- if and .Values.controller.certificate.key .Values.controller.certificate.certificate }} +{{- $cert = (dict "Key" .Values.controller.certificate.key "Cert" .Values.controller.certificate.certificate ) }} +{{- else }} +{{- $cn := "neuvector" }} +{{- $cert = genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +{{- end }} + +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-controller-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +type: Opaque +data: + ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} + ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }} +{{- end}} +--- +{{- if .Values.internal.certmanager.enabled }} +{{- else if .Values.internal.autoGenerateCert }} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-internal-certs +type: Opaque +{{- end}} +{{- end}} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/controller-service.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/controller-service.yaml new file mode 100644 index 0000000000..4705d491b9 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/controller-service.yaml @@ -0,0 +1,126 @@ +{{- if .Values.controller.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + clusterIP: None + ports: + - port: 18300 + protocol: "TCP" + name: "cluster-tcp-18300" + - port: 18301 + protocol: "TCP" + name: "cluster-tcp-18301" + - port: 18301 + protocol: "UDP" + name: "cluster-udp-18301" + selector: + app: neuvector-controller-pod +{{- if .Values.controller.apisvc.type }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller-api + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.apisvc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + type: {{ .Values.controller.apisvc.type }} + ports: + - port: 10443 + protocol: "TCP" + name: "controller-api" + appProtocol: HTTPS + selector: + app: neuvector-controller-pod +{{ end -}} +{{- if .Values.controller.federation.mastersvc.type }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller-fed-master + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.mastersvc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + type: {{ .Values.controller.federation.mastersvc.type }} +{{- if and .Values.controller.federation.mastersvc.loadBalancerIP (eq .Values.controller.federation.mastersvc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.controller.federation.mastersvc.loadBalancerIP }} +{{- end }} +{{- if .Values.controller.federation.mastersvc.clusterIP }} + clusterIP: {{ .Values.controller.federation.mastersvc.clusterIP }} +{{- end }} +{{- if .Values.controller.federation.mastersvc.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.federation.mastersvc.externalTrafficPolicy }} +{{- end }} +{{- if .Values.controller.federation.mastersvc.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.controller.federation.mastersvc.internalTrafficPolicy }} +{{- end }} + ports: + - port: 11443 + name: fed + protocol: TCP + appProtocol: HTTPS +{{- if .Values.controller.federation.mastersvc.nodePort }} + nodePort: {{ .Values.controller.federation.mastersvc.nodePort }} +{{- end }} + selector: + app: neuvector-controller-pod +{{ end -}} +{{- if .Values.controller.federation.managedsvc.type }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller-fed-managed + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.managedsvc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + type: {{ .Values.controller.federation.managedsvc.type }} +{{- if and .Values.controller.federation.managedsvc.loadBalancerIP (eq .Values.controller.federation.managedsvc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.controller.federation.managedsvc.loadBalancerIP }} +{{- end }} +{{- if .Values.controller.federation.managedsvc.clusterIP }} + clusterIP: {{ .Values.controller.federation.managedsvc.clusterIP }} +{{- end }} +{{- if .Values.controller.federation.managedsvc.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.federation.managedsvc.externalTrafficPolicy }} +{{- end }} +{{- if .Values.controller.federation.managedsvc.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.controller.federation.managedsvc.internalTrafficPolicy }} +{{- end }} + ports: + - port: 10443 + name: fed + protocol: TCP + appProtocol: HTTPS +{{- if .Values.controller.federation.managedsvc.nodePort }} + nodePort: {{ .Values.controller.federation.managedsvc.nodePort }} +{{- end }} + selector: + app: neuvector-controller-pod +{{ end -}} +{{- end -}} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/crd-role-least.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/crd-role-least.yaml new file mode 100644 index 0000000000..45222a48ea --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/crd-role-least.yaml @@ -0,0 +1,403 @@ +{{- if .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +# ClusterRole for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - update + - watch + - create + - get + +--- + +# ClusterRoleBinding for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-customresourcedefinition +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvsecurityrules + - nvclustersecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage dlp CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvdlpsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRole for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvadmissioncontrolsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvdlpsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvadmissioncontrolsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvwafsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvwafsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage compliance CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvcomplianceprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvcomplianceprofiles + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage compliance CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvcomplianceprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvcomplianceprofiles +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage vulnerability CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvvulnerabilityprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvvulnerabilityprofiles + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage vulnerability CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvvulnerabilityprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvvulnerabilityprofiles +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/crd-role.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/crd-role.yaml new file mode 100644 index 0000000000..ffa029c469 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/crd-role.yaml @@ -0,0 +1,403 @@ +{{- if not .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +# ClusterRole for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - update + - watch + - create + - get + +--- + +# ClusterRoleBinding for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-customresourcedefinition +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvsecurityrules + - nvclustersecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage dlp CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvdlpsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRole for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvadmissioncontrolsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvdlpsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvadmissioncontrolsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvwafsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvwafsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage compliance CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvcomplianceprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvcomplianceprofiles + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage compliance CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvcomplianceprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvcomplianceprofiles +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage vulnerability CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvvulnerabilityprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvvulnerabilityprofiles + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage vulnerability CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvvulnerabilityprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvvulnerabilityprofiles +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/crd-webhook-service.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/crd-webhook-service.yaml new file mode 100644 index 0000000000..bcfcecdb8a --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/crd-webhook-service.yaml @@ -0,0 +1,19 @@ +{{- if .Values.crdwebhooksvc.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-crd-webhook + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + ports: + - port: 443 + targetPort: 30443 + protocol: TCP + name: crd-webhook + type: {{ .Values.crdwebhook.type }} + selector: + app: neuvector-controller-pod +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/enforcer-daemonset.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/enforcer-daemonset.yaml new file mode 100644 index 0000000000..b5fae3c62a --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/enforcer-daemonset.yaml @@ -0,0 +1,195 @@ +{{- $pre530 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}} +{{- end }} +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} +{{- $runtimePath := "" -}} +{{- if .Values.runtimePath }} +{{- $runtimePath = .Values.runtimePath -}} +{{- else if and .Values.k3s.enabled (ne .Values.k3s.runtimePath "/run/k3s/containerd/containerd.sock") }} +{{- $runtimePath = .Values.k3s.runtimePath -}} +{{- else if and .Values.bottlerocket.enabled (ne .Values.bottlerocket.runtimePath "/run/dockershim.sock") }} +{{- $runtimePath = .Values.bottlerocket.runtimePath -}} +{{- else if and .Values.containerd.enabled (ne .Values.containerd.path "/var/run/containerd/containerd.sock") }} +{{- $runtimePath = .Values.containerd.path -}} +{{- else if and .Values.crio.enabled (ne .Values.crio.path "/var/run/crio/crio.sock") }} +{{- $runtimePath = .Values.crio.path -}} +{{- else if ne .Values.docker.path "/var/run/docker.sock" }} +{{- $runtimePath = .Values.docker.path -}} +{{- end }} +{{- if .Values.enforcer.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: DaemonSet +metadata: + name: neuvector-enforcer-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + updateStrategy: {{- toYaml .Values.enforcer.updateStrategy | nindent 4 }} + selector: + matchLabels: + app: neuvector-enforcer-pod + template: + metadata: + labels: + app: neuvector-enforcer-pod + release: {{ .Release.Name }} + {{- with .Values.enforcer.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.enforcer.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.enforcer.tolerations }} + tolerations: +{{ toYaml .Values.enforcer.tolerations | indent 8 }} + {{- end }} + hostPID: true + {{- if .Values.enforcer.priorityClassName }} + priorityClassName: {{ .Values.enforcer.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: enforcer + serviceAccount: enforcer + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + containers: + - name: neuvector-enforcer-pod + image: {{ template "system_default_registry" . }}{{ .Values.enforcer.image.repository }}:{{ .Values.enforcer.image.tag }} + securityContext: + privileged: true + resources: + {{- if .Values.enforcer.resources }} +{{ toYaml .Values.enforcer.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: CLUSTER_ADVERTISED_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CLUSTER_BIND_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }} + {{- else if (and .Values.internal.autoGenerateCert (not $pre540))}} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} + {{- with .Values.enforcer.env }} +{{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- if $pre530 }} + {{- if .Values.containerd.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.k3s.enabled }} + - mountPath: /run/containerd/containerd.sock + {{- else if .Values.bottlerocket.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.crio.enabled }} + - mountPath: /var/run/crio/crio.sock + {{- else }} + - mountPath: /var/run/docker.sock + {{- end }} + name: runtime-sock + readOnly: true + - mountPath: /host/proc + name: proc-vol + readOnly: true + - mountPath: /host/cgroup + name: cgroup-vol + readOnly: true + {{- else if $runtimePath }} + - mountPath: /run/runtime.sock + name: runtime-sock + readOnly: true + {{- end }} + - mountPath: /lib/modules + name: modules-vol + readOnly: true + - mountPath: /var/nv_debug + name: nv-debug + readOnly: false + {{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }} + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.enforcer.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.enforcer.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.enforcer.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir + {{- end }} + terminationGracePeriodSeconds: 1200 + restartPolicy: Always + volumes: + {{- if $pre530 }} + - name: runtime-sock + hostPath: + {{- if .Values.containerd.enabled }} + path: {{ .Values.containerd.path }} + {{- else if .Values.crio.enabled }} + path: {{ .Values.crio.path }} + {{- else if .Values.k3s.enabled }} + path: {{ .Values.k3s.runtimePath }} + {{- else if .Values.bottlerocket.enabled }} + path: {{ .Values.bottlerocket.runtimePath }} + {{- else }} + path: {{ .Values.docker.path }} + {{- end }} + - name: proc-vol + hostPath: + path: /proc + - name: cgroup-vol + hostPath: + path: /sys/fs/cgroup + {{- else if $runtimePath }} + - name: runtime-sock + hostPath: + path: {{ $runtimePath }} + {{- end }} + - name: modules-vol + hostPath: + path: /lib/modules + - name: nv-debug + hostPath: + path: /var/nv_debug + {{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }} + - name: internal-cert + secret: + secretName: {{ .Values.enforcer.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi + {{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/init-configmap.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/init-configmap.yaml new file mode 100644 index 0000000000..5c29ca2570 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/init-configmap.yaml @@ -0,0 +1,12 @@ +{{- if .Values.controller.configmap.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: neuvector-init + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +data: +{{ toYaml .Values.controller.configmap.data | indent 2 }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/init-secret.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/init-secret.yaml new file mode 100644 index 0000000000..d9b4676c5c --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/init-secret.yaml @@ -0,0 +1,14 @@ +{{- if .Values.controller.secret.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-init + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +data: +{{- range $key, $val := .Values.controller.secret.data }} + {{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/manager-deployment.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/manager-deployment.yaml new file mode 100644 index 0000000000..09d88fa1f0 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/manager-deployment.yaml @@ -0,0 +1,164 @@ +{{- if .Values.manager.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-manager-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + replicas: 1 + selector: + matchLabels: + app: neuvector-manager-pod + template: + metadata: + labels: + app: neuvector-manager-pod + release: {{ .Release.Name }} + {{- with .Values.manager.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} + checksum/manager-secret: {{ include (print $.Template.BasePath "/manager-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.manager.podAnnotations }} + {{- toYaml .Values.manager.podAnnotations | nindent 8 }} + {{- end }} + spec: + {{- if .Values.manager.affinity }} + affinity: +{{ toYaml .Values.manager.affinity | indent 8 }} + {{- end }} + {{- if .Values.manager.tolerations }} + tolerations: +{{ toYaml .Values.manager.tolerations | indent 8 }} + {{- end }} + {{- if .Values.manager.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.manager.topologySpreadConstraints | indent 8 }} + {{- end }} + {{- if .Values.manager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.manager.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.manager.priorityClassName }} + priorityClassName: {{ .Values.manager.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: basic + serviceAccount: basic + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.manager.runAsUser }} + securityContext: + runAsUser: {{ .Values.manager.runAsUser }} + {{- end }} + containers: + - name: neuvector-manager-pod + image: {{ template "system_default_registry" . }}{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }} + ports: + - name: http + containerPort: 8443 + protocol: TCP + env: + - name: CTRL_SERVER_IP + value: neuvector-svc-controller.{{ .Release.Namespace }} + {{- if not .Values.manager.env.ssl }} + - name: MANAGER_SSL + value: "off" + {{- end }} + {{- with .Values.manager.env.envs }} +{{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.manager.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.manager.certificate.keyFile }} + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.manager.certificate.pemFile }} + name: cert + readOnly: true + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem + name: cert + readOnly: true + {{- end }} + {{- if .Values.manager.probes.enabled }} + startupProbe: + httpGet: + path: / + port: 8443 + {{- if .Values.manager.env.ssl }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + timeoutSeconds: {{ .Values.manager.probes.timeout | default 1 }} + periodSeconds: {{ .Values.manager.probes.periodSeconds | default 10 }} + successThreshold: 1 + failureThreshold: {{ .Values.manager.probes.startupFailureThreshold | default 30 }} + livenessProbe: + httpGet: + path: / + port: 8443 + {{- if .Values.manager.env.ssl }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + timeoutSeconds: {{ .Values.manager.probes.timeout | default 1 }} + periodSeconds: {{ .Values.manager.probes.periodSeconds | default 10 }} + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: / + port: 8443 + {{- if .Values.manager.env.ssl }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + timeoutSeconds: {{ .Values.manager.probes.timeout | default 1 }} + periodSeconds: {{ .Values.manager.probes.periodSeconds | default 10 }} + successThreshold: 1 + failureThreshold: 3 + {{- end }} + resources: + {{- if .Values.manager.resources }} +{{ toYaml .Values.manager.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + restartPolicy: Always + volumes: + {{- if .Values.manager.certificate.secret }} + - name: cert + secret: + secretName: {{ .Values.manager.certificate.secret }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} + - name: cert + secret: + secretName: neuvector-manager-secret + {{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/manager-ingress.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/manager-ingress.yaml new file mode 100644 index 0000000000..9dc4bb539f --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/manager-ingress.yaml @@ -0,0 +1,69 @@ +{{- if and .Values.manager.enabled .Values.manager.ingress.enabled -}} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-webui-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.manager.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.manager.ingress.ingressClassName }} + ingressClassName: {{ .Values.manager.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.manager.ingress.tls }} + tls: + - hosts: + - {{ .Values.manager.ingress.host }} +{{- if .Values.manager.ingress.secretName }} + secretName: {{ .Values.manager.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.manager.ingress.host }} + http: + paths: + - path: {{ .Values.manager.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-service-webui + port: + number: 8443 +{{- else }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-webui-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.manager.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.manager.ingress.tls }} + tls: + - hosts: + - {{ .Values.manager.ingress.host }} +{{- if .Values.manager.ingress.secretName }} + secretName: {{ .Values.manager.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.manager.ingress.host }} + http: + paths: + - path: {{ .Values.manager.ingress.path }} + backend: + serviceName: neuvector-service-webui + servicePort: 8443 +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/manager-route.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/manager-route.yaml new file mode 100644 index 0000000000..f79a7332e5 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/manager-route.yaml @@ -0,0 +1,32 @@ +{{- if .Values.openshift -}} +{{- if .Values.manager.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-webui + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.manager.route.host }} + host: {{ .Values.manager.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-service-webui + port: + targetPort: manager + tls: + termination: {{ .Values.manager.route.termination }} +{{- if or (eq .Values.manager.route.termination "reencrypt") (eq .Values.manager.route.termination "edge") }} +{{- with .Values.manager.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/manager-secret.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/manager-secret.yaml new file mode 100644 index 0000000000..46563bcbd5 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/manager-secret.yaml @@ -0,0 +1,24 @@ +{{- if .Values.manager.enabled -}} +{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} +{{- $cert := (dict) }} +{{- if and .Values.manager.certificate.key .Values.manager.certificate.certificate }} +{{- $cert = (dict "Key" .Values.manager.certificate.key "Cert" .Values.manager.certificate.certificate ) }} +{{- else }} +{{- $cn := "neuvector" }} +{{- $cert = genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +{{- end }} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-manager-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +type: Opaque +data: + ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} + ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }} +--- +{{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/manager-service.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/manager-service.yaml new file mode 100644 index 0000000000..b310f63d7a --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/manager-service.yaml @@ -0,0 +1,32 @@ +{{- if .Values.manager.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: neuvector-service-webui + namespace: {{ .Release.Namespace }} +{{- with .Values.manager.svc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + type: {{ .Values.manager.svc.type }} +{{- if and .Values.manager.svc.loadBalancerIP (eq .Values.manager.svc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.manager.svc.loadBalancerIP }} +{{- end }} + ports: + - port: 8443 + name: manager + protocol: TCP +{{- if or (.Capabilities.KubeVersion.GitVersion | contains "-eks") (.Capabilities.KubeVersion.GitVersion | contains "-gke") }} +{{- if .Values.manager.env.ssl }} + appProtocol: HTTPS +{{- else }} + appProtocol: HTTP +{{- end }} +{{- end }} + selector: + app: neuvector-manager-pod +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/psp.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/psp.yaml new file mode 100644 index 0000000000..6c72e2bf1e --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/psp.yaml @@ -0,0 +1,154 @@ +{{- if and .Values.global.cattle.psp.enabled (semverCompare "<1.25-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: neuvector-binding-psp + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + privileged: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: true + allowedCapabilities: + - SYS_ADMIN + - NET_ADMIN + - SYS_PTRACE + - IPC_LOCK + requiredDropCapabilities: + - ALL + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: neuvector-binding-psp + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - policy + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - neuvector-binding-psp +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: neuvector-binding-psp + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: neuvector-binding-psp +subjects: +{{- if .Values.leastPrivilege }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +{{- else }} +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} + +{{- if .Values.leastPrivilege }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: neuvector-binding-psp-controller + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + allowedCapabilities: null + requiredDropCapabilities: + - ALL + volumes: + - configMap + - downwardAPI + - emptyDir + - persistentVolumeClaim + - azureFile + - projected + - secret + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: neuvector-binding-psp-controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - policy + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - neuvector-binding-psp-controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: neuvector-binding-psp-controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: neuvector-binding-psp-controller +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- end }} + +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/pvc.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/pvc.yaml new file mode 100644 index 0000000000..d0c5196270 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/pvc.yaml @@ -0,0 +1,26 @@ +{{- if not .Values.controller.pvc.existingClaim -}} +{{- if and .Values.controller.enabled .Values.controller.pvc.enabled -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: neuvector-data + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + accessModes: +{{ toYaml .Values.controller.pvc.accessModes | indent 4 }} + volumeMode: Filesystem +{{- if .Values.controller.pvc.storageClass }} + storageClassName: {{ .Values.controller.pvc.storageClass }} +{{- end }} + resources: + requests: +{{- if .Values.controller.pvc.capacity }} + storage: {{ .Values.controller.pvc.capacity }} +{{- else }} + storage: 1Gi +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/registry-adapter-ingress.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/registry-adapter-ingress.yaml new file mode 100644 index 0000000000..ab05054fe9 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/registry-adapter-ingress.yaml @@ -0,0 +1,106 @@ +{{- if .Values.cve.adapter.enabled -}} + +{{- if .Values.cve.adapter.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-registry-adapter-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.cve.adapter.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.cve.adapter.ingress.ingressClassName }} + ingressClassName: {{ .Values.cve.adapter.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.cve.adapter.ingress.tls }} + tls: + - hosts: + - {{ .Values.cve.adapter.ingress.host }} +{{- if .Values.cve.adapter.ingress.secretName }} + secretName: {{ .Values.cve.adapter.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.cve.adapter.ingress.host }} + http: + paths: + - path: {{ .Values.cve.adapter.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-service-registry-adapter + port: + number: 9443 +{{- else }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-registry-adapter-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.cve.adapter.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.cve.adapter.ingress.tls }} + tls: + - hosts: + - {{ .Values.cve.adapter.ingress.host }} +{{- if .Values.cve.adapter.ingress.secretName }} + secretName: {{ .Values.cve.adapter.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.cve.adapter.ingress.host }} + http: + paths: + - path: {{ .Values.cve.adapter.ingress.path }} + backend: + serviceName: neuvector-service-webui + servicePort: 9443 +{{- end }} +{{- end }} + +--- + +{{- if and .Values.openshift .Values.cve.adapter.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-registry-adapter + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.cve.adapter.route.host }} + host: {{ .Values.cve.adapter.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-service-registry-adapter + port: + targetPort: registry-adapter + tls: + termination: {{ .Values.cve.adapter.route.termination }} +{{- if or (eq .Values.cve.adapter.route.termination "reencrypt") (eq .Values.cve.adapter.route.termination "edge") }} +{{- with .Values.cve.adapter.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{- end }} + +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/registry-adapter-secret.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/registry-adapter-secret.yaml new file mode 100644 index 0000000000..66f0d80e23 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/registry-adapter-secret.yaml @@ -0,0 +1,21 @@ +{{- if .Values.cve.adapter.enabled -}} +{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} +{{- $cert := (dict) }} +{{- if and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate }} +{{- $cert = (dict "Key" .Values.cve.adapter.certificate.key "Cert" .Values.cve.adapter.certificate.certificate ) }} +{{- else }} +{{- $cn := "neuvector" }} +{{- $cert = genSelfSignedCert $cn nil (list $cn "neuvector-service-registry-adapter.cattle-neuvector-system.svc.cluster.local" "neuvector-service-registry-adapter") (.Values.defaultValidityPeriod | int) -}} +{{- end }} + +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-registry-adapter-secret +type: Opaque +data: + ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-registry-adapter-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} + ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-registry-adapter-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }} +--- +{{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/registry-adapter.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/registry-adapter.yaml new file mode 100644 index 0000000000..4009a3d2c7 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/registry-adapter.yaml @@ -0,0 +1,204 @@ +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} +{{- if .Values.cve.adapter.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-registry-adapter-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + replicas: 1 + selector: + matchLabels: + app: neuvector-registry-adapter-pod + template: + metadata: + labels: + app: neuvector-registry-adapter-pod + release: {{ .Release.Name }} + {{- with .Values.cve.adapter.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} + checksum/registry-adapter-secret: {{ include (print $.Template.BasePath "/registry-adapter-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.cve.adapter.podAnnotations }} + {{- toYaml .Values.cve.adapter.podAnnotations | nindent 8 }} + {{- end }} + spec: + {{- if .Values.cve.adapter.affinity }} + affinity: +{{ toYaml .Values.cve.adapter.affinity | indent 8 }} + {{- end }} + {{- if .Values.cve.adapter.tolerations }} + tolerations: +{{ toYaml .Values.cve.adapter.tolerations | indent 8 }} + {{- end }} + {{- if .Values.cve.adapter.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.adapter.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.adapter.priorityClassName }} + priorityClassName: {{ .Values.cve.adapter.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: registry-adapter + serviceAccount: registry-adapter + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.cve.adapter.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.adapter.runAsUser }} + {{- end }} + containers: + - name: neuvector-registry-adapter-pod + {{- if eq .Values.registry "registry.neuvector.com" }} + {{- if .Values.oem }} + image: "{{ .Values.registry }}/{{ .Values.oem }}/registry-adapter:{{ .Values.cve.adapter.image.tag }}" + {{- else }} + image: "{{ .Values.registry }}/registry-adapter:{{ .Values.cve.adapter.image.tag }}" + {{- end }} + {{- else }} + {{- if .Values.cve.adapter.image.hash }} + image: "{{ .Values.registry }}/{{ .Values.cve.adapter.image.repository }}@{{ .Values.cve.adapter.image.hash }}" + {{- else }} + image: {{ template "system_default_registry" . }}{{ .Values.cve.adapter.image.repository }}:{{ .Values.cve.adapter.image.tag }} + {{- end }} + {{- end }} + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: HARBOR_SERVER_PROTO + value: {{ .Values.cve.adapter.harbor.protocol }} + {{- if .Values.cve.adapter.harbor.secretName }} + - name: HARBOR_BASIC_AUTH_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.cve.adapter.harbor.secretName }} + key: username + - name: HARBOR_BASIC_AUTH_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.cve.adapter.harbor.secretName }} + key: password + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }} + {{- else if (and .Values.internal.autoGenerateCert (not $pre540))}} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} + {{- with .Values.cve.adapter.env }} +{{- toYaml . | nindent 14 }} + {{- end }} + volumeMounts: + {{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }} + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.cve.adapter.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.cve.adapter.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.cve.adapter.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir + {{- end }} + {{- if .Values.cve.adapter.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.cve.adapter.certificate.keyFile }} + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.cve.adapter.certificate.pemFile }} + name: cert + readOnly: true + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem + name: cert + readOnly: true + {{- end }} + resources: + {{- if .Values.cve.adapter.resources }} +{{ toYaml .Values.cve.adapter.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + restartPolicy: Always + volumes: + {{- if .Values.cve.adapter.certificate.secret }} + - name: cert + secret: + secretName: {{ .Values.cve.adapter.certificate.secret }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} + - name: cert + secret: + secretName: neuvector-registry-adapter-secret + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }} + - name: internal-cert + secret: + secretName: {{ .Values.cve.adapter.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi + {{- end }} +--- + +apiVersion: v1 +kind: Service +metadata: + name: neuvector-service-registry-adapter + namespace: {{ .Release.Namespace }} +{{- with .Values.cve.adapter.svc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + type: {{ .Values.cve.adapter.svc.type }} +{{- if and .Values.cve.adapter.svc.loadBalancerIP (eq .Values.cve.adapter.svc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.cve.adapter.svc.loadBalancerIP }} +{{- end }} + ports: + - name: registry-adapter +{{- if (eq .Values.cve.adapter.harbor.protocol "https") }} + port: 9443 + appProtocol: HTTPS +{{- else }} + port: 8090 + appProtocol: HTTP +{{- end }} + protocol: TCP + selector: + app: neuvector-registry-adapter-pod + +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/role-least.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/role-least.yaml new file mode 100644 index 0000000000..7520d7c942 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/role-least.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-scanner + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - watch + - patch + - update +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/role.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/role.yaml new file mode 100644 index 0000000000..19aac0a613 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/role.yaml @@ -0,0 +1,132 @@ +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + +--- + +{{- if .Values.internal.autoGenerateCert }} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-lease + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-job-creation + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - get + - delete +- apiGroups: + - batch + resources: + - cronjobs + - cronjobs/finalizers + verbs: + - update + - patch +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - update + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list +- apiGroups: + - "apps" + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + verbs: + - update +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/rolebinding-least.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/rolebinding-least.yaml new file mode 100644 index 0000000000..a3effd3f88 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/rolebinding-least.yaml @@ -0,0 +1,269 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-scanner + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-scanner +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: updater + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +{{- if .Values.internal.autoGenerateCert }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-lease + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-lease +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: cert-upgrader + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +- system:serviceaccount:{{ .Release.Namespace }}:controller +- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-job-creation + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-job-creation +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-cert-upgrader +subjects: +- kind: ServiceAccount + name: cert-upgrader + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-secret +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: registry-adapter + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +- system:serviceaccount:{{ .Release.Namespace }}:enforcer +- system:serviceaccount:{{ .Release.Namespace }}:scanner +- system:serviceaccount:{{ .Release.Namespace }}:registry-adapter +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:privileged + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:privileged +subjects: +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} + +--- + +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +apiVersion: security.openshift.io/v1 +defaultAddCapabilities: null +fsGroup: + type: RunAsAny +groups: [] +kind: SecurityContextConstraints +metadata: + name: neuvector-scc-controller +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- ALL +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +supplementalGroups: + type: RunAsAny +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- azureFile +- projected +- secret + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:openshift:scc:neuvector-scc-controller + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - neuvector-scc-controller + resources: + - securitycontextconstraints + verbs: + - use + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:neuvector-scc-controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:neuvector-scc-controller +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/rolebinding.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/rolebinding.yaml new file mode 100644 index 0000000000..8a721dc74c --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/rolebinding.yaml @@ -0,0 +1,173 @@ +{{- if and .Values.rbac (not .Values.leastPrivilege) -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-admin + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: admin +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-secret +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:privileged + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:privileged +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} + +--- + +{{- if .Values.internal.autoGenerateCert }} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-lease + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-lease +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-job-creation + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-job-creation +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-cert-upgrader +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader +{{- end }} +{{- end }} + diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/scanner-deployment.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/scanner-deployment.yaml new file mode 100644 index 0000000000..714fee88bc --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/scanner-deployment.yaml @@ -0,0 +1,121 @@ +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} +{{- if .Values.cve.scanner.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-scanner-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + strategy: +{{ toYaml .Values.cve.scanner.strategy | indent 4 }} + replicas: {{ .Values.cve.scanner.replicas }} + selector: + matchLabels: + app: neuvector-scanner-pod + template: + metadata: + labels: + app: neuvector-scanner-pod + {{- with .Values.cve.scanner.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cve.scanner.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.cve.scanner.affinity }} + affinity: +{{ toYaml .Values.cve.scanner.affinity | indent 8 }} + {{- end }} + {{- if .Values.cve.scanner.tolerations }} + tolerations: +{{ toYaml .Values.cve.scanner.tolerations | indent 8 }} + {{- end }} + {{- if .Values.cve.scanner.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.cve.scanner.topologySpreadConstraints | indent 8 }} + {{- end }} + {{- if .Values.cve.scanner.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.scanner.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.scanner.priorityClassName }} + priorityClassName: {{ .Values.cve.scanner.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: scanner + serviceAccount: scanner + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.cve.scanner.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.scanner.runAsUser }} + {{- end }} + containers: + - name: neuvector-scanner-pod + image: {{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }} + imagePullPolicy: Always + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + {{- if .Values.cve.scanner.dockerPath }} + - name: SCANNER_DOCKER_URL + value: {{ .Values.cve.scanner.dockerPath }} + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} + {{- else if (and .Values.internal.autoGenerateCert (not $pre540))}} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} + {{- with .Values.cve.scanner.env }} +{{- toYaml . | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.cve.scanner.resources | indent 12 }} + volumeMounts: + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.cve.scanner.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.cve.scanner.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.cve.scanner.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir + {{- end }} + restartPolicy: Always + volumes: + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} + - name: internal-cert + secret: + secretName: {{ .Values.cve.scanner.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi + {{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/serviceaccount-least.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/serviceaccount-least.yaml new file mode 100644 index 0000000000..f018447a48 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/serviceaccount-least.yaml @@ -0,0 +1,76 @@ +{{- if .Values.leastPrivilege }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: basic + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: enforcer + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: updater + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: registry-adapter + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/serviceaccount.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/serviceaccount.yaml new file mode 100644 index 0000000000..dc625cde57 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if not .Values.leastPrivilege }} +{{- if ne .Values.serviceAccount "default"}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/updater-cronjob.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/updater-cronjob.yaml new file mode 100644 index 0000000000..0ce1abe359 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/updater-cronjob.yaml @@ -0,0 +1,80 @@ +{{- if .Values.cve.updater.enabled -}} +{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1beta1 +{{- else }} +apiVersion: batch/v2alpha1 +{{- end }} +kind: CronJob +metadata: + name: neuvector-updater-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + schedule: {{ .Values.cve.updater.schedule | quote }} + jobTemplate: + spec: + template: + metadata: + labels: + app: neuvector-updater-pod + release: {{ .Release.Name }} + {{- with .Values.cve.updater.podLabels }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cve.updater.podAnnotations }} + annotations: + {{- toYaml . | nindent 12 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.updater.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.updater.nodeSelector | indent 12 }} + {{- end }} + {{- if .Values.cve.updater.priorityClassName }} + priorityClassName: {{ .Values.cve.updater.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: updater + serviceAccount: updater + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.cve.updater.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.updater.runAsUser }} + {{- end }} + containers: + - name: neuvector-updater-pod + image: {{ template "system_default_registry" . }}{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }} + imagePullPolicy: Always + resources: +{{ toYaml .Values.cve.updater.resources | indent 16 }} + {{- if .Values.cve.scanner.enabled }} + command: + - /bin/sh + - -c + {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + {{- if .Values.cve.updater.secure }} + {{- if .Values.cve.updater.cacert }} + - /usr/bin/curl -v --cacert {{ .Values.cve.updater.cacert }} -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' 2>&1 | grep -v Bearer + {{- else }} + - /usr/bin/curl -v -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' 2>&1 | grep -v Bearer + {{- end }} + {{- else }} + - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' 2>&1 | grep -v Bearer + {{- end }} + {{- else }} + - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/extensions/v1beta1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' 2>&1 | grep -v Bearer + {{- end }} + {{- end }} + restartPolicy: Never +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/upgrader-cronjob.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/upgrader-cronjob.yaml new file mode 100644 index 0000000000..aecdd1ffce --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/upgrader-cronjob.yaml @@ -0,0 +1,84 @@ +{{- if and .Values.controller.enabled .Values.internal.autoGenerateCert -}} +{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1beta1 +{{- else }} +apiVersion: batch/v2alpha1 +{{- end }} +kind: CronJob +metadata: + name: neuvector-cert-upgrader-pod + namespace: {{ .Release.Namespace }} + annotations: + cert-upgrader-uid: "" + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: +{{- if .Values.controller.certupgrader.schedule }} + schedule: {{ .Values.controller.certupgrader.schedule | quote }} +{{- else }} + schedule: "0 0 1 1 *" + suspend: true +{{- end }} + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + successfulJobsHistoryLimit: 3 + jobTemplate: + spec: + activeDeadlineSeconds: {{ .Values.controller.certupgrader.timeout }} + parallelism: 1 + completions: 1 + backoffLimit: 6 + template: + metadata: + labels: + app: neuvector-cert-upgrader-pod + release: {{ .Release.Name }} + {{- with .Values.controller.certupgrader.podLabels }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.controller.certupgrader.podAnnotations }} + annotations: + {{- toYaml . | nindent 12 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.controller.certupgrader.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.certupgrader.nodeSelector | indent 12 }} + {{- end }} + {{- if .Values.controller.certupgrader.priorityClassName }} + priorityClassName: {{ .Values.controller.certupgrader.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: cert-upgrader + serviceAccount: cert-upgrader + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + restartPolicy: Never + {{- if .Values.controller.certupgrader.runAsUser }} + securityContext: + runAsUser: {{ .Values.controller.certupgrader.runAsUser }} + {{- end }} + containers: + - name: neuvector-cert-upgrader-pod + image: {{ include "neuvector.controller.image" . | quote }} + imagePullPolicy: {{ .Values.controller.certupgrader.imagePullPolicy }} + command: + - /usr/local/bin/upgrader + - upgrader-job + {{- if and .Values.internal.autoRotateCert }} + - --enable-rotation + {{- end }} + env: + {{- with .Values.controller.certupgrader.env }} +{{- toYaml . | nindent 14 }} + {{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/upgrader-lease.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/upgrader-lease.yaml new file mode 100644 index 0000000000..2afa935de3 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/upgrader-lease.yaml @@ -0,0 +1,8 @@ +{{- if .Values.internal.autoGenerateCert }} +apiVersion: coordination.k8s.io/v1 +kind: Lease +metadata: + name: neuvector-cert-upgrader +spec: + leaseTransitions: 0 +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/templates/validate-psp-install.yaml b/charts/neuvector/104.0.3+up2.8.3/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..da62c4d183 --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +{{- if .Values.global.cattle.psp.enabled }} +{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/104.0.3+up2.8.3/values.yaml b/charts/neuvector/104.0.3+up2.8.3/values.yaml new file mode 100644 index 0000000000..36119a9b2a --- /dev/null +++ b/charts/neuvector/104.0.3+up2.8.3/values.yaml @@ -0,0 +1,601 @@ +# Default values for neuvector. +# This is a YAML-formatted file. +# Declare variables to be passed into the templates. + +openshift: false + +registry: docker.io +tag: 5.4.1 +oem: +rbac: true # required for rancher authentication +serviceAccount: neuvector +leastPrivilege: false + +global: # required for rancher authentication (https:///) + cattle: + url: + systemDefaultRegistry: "" + psp: + enabled: false # PSP enablement should default to false +# Set a bootstrap password. If leave empty, default admin password used. +bootstrapPassword: "" + +autoGenerateCert: true + +defaultValidityPeriod: 365 + +internal: + certmanager: # enable when cert-manager is installed for the internal certificates + enabled: false + secretname: neuvector-internal + autoGenerateCert: true + autoRotateCert: false + +controller: + # If false, controller will not be installed + enabled: true + annotations: {} + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + image: + repository: rancher/mirrored-neuvector-controller + tag: 5.4.1 + hash: + replicas: 3 + disruptionbudget: 0 + schedulerName: + priorityClassName: + podLabels: {} + podAnnotations: {} + searchRegistries: + env: [] + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - neuvector-controller-pod + topologyKey: "kubernetes.io/hostname" + tolerations: [] + topologySpreadConstraints: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + apisvc: + type: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ranchersso: # required for rancher authentication + enabled: true + pvc: + enabled: false + existingClaim: false + accessModes: + - ReadWriteMany + storageClass: + capacity: + azureFileShare: + enabled: false + secretName: + shareName: + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.pem + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + federation: + mastersvc: + type: + loadBalancerIP: + clusterIP: + nodePort: # Must be a valid NodePort: 30000-32767 + externalTrafficPolicy: + internalTrafficPolicy: + # Federation Master Ingress + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + managedsvc: + type: + loadBalancerIP: + clusterIP: + nodePort: # Must be a valid NodePort: 30000-32767 + externalTrafficPolicy: + internalTrafficPolicy: + # Federation Managed Ingress + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + configmap: + enabled: false + data: + # passwordprofileinitcfg.yaml: | + # ... + # roleinitcfg.yaml: | + # ... + # ldapinitcfg.yaml: | + # ... + # oidcinitcfg.yaml: | + # ... + # samlinitcfg.yaml: | + # ... + # sysinitcfg.yaml: | + # ... + # userinitcfg.yaml: | + # ... + # fedinitcfg.yaml: | + # ... + secret: + # NOTE: files defined here have preferrence over the ones defined in the configmap section + enabled: false + data: + # passwordprofileinitcfg.yaml: + # ... + # roleinitcfg.yaml: + # ... + # ldapinitcfg.yaml: + # directory: OpenLDAP + # ... + # oidcinitcfg.yaml: + # Issuer: https://... + # ... + # samlinitcfg.yaml: + # ... + # sysinitcfg.yaml: + # ... + userinitcfg.yaml: + users: + - Fullname: admin + Password: + Role: admin + certupgrader: + env: [] + # The cronjob schedule that cert-upgrader will run to check and rotate internal certificate. + # default: "" (off) + schedule: "" + imagePullPolicy: IfNotPresent + timeout: 3600 + priorityClassName: + podLabels: {} + podAnnotations: {} + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + prime: + enabled: true + image: + repository: rancher/mirrored-neuvector-compliance-config + tag: latest + hash: +enforcer: + # If false, enforcer will not be installed + enabled: true + image: + repository: rancher/mirrored-neuvector-enforcer + tag: 5.4.1 + hash: + updateStrategy: + type: RollingUpdate + priorityClassName: + podLabels: {} + podAnnotations: {} + env: [] + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + +manager: + # If false, manager will not be installed + enabled: true + image: + repository: rancher/mirrored-neuvector-manager + tag: 5.4.1 + hash: + priorityClassName: + env: + ssl: true + envs: [] + # - name: CUSTOM_PAGE_HEADER_COLOR + # value: "#FFFFFF" + # - name: CUSTOM_PAGE_FOOTER_COLOR + # value: "#FFFFFF" + svc: + type: NodePort # should be set to - ClusterIP + loadBalancerIP: + annotations: + {} + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # OpenShift Route configuration + # Make sure manager env ssl is false for edge termination + route: + enabled: true + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.pem + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # kubernetes.io/ingress.class: my-nginx + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1" + # nginx.ingress.kubernetes.io/rewrite-target: / + # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" + # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert + tls: false + secretName: # my-tls-secret + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + topologySpreadConstraints: [] + affinity: {} + podLabels: {} + podAnnotations: {} + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + probes: + enabled: false + timeout: 1 + periodSeconds: 10 + startupFailureThreshold: 30 + +cve: + adapter: + enabled: false + image: + repository: rancher/mirrored-neuvector-registry-adapter + tag: 0.1.3 + hash: + priorityClassName: + resources: + {} + # limits: + # cpu: 400m + # memory: 512Mi + # requests: + # cpu: 100m + # memory: 1024Mi + affinity: {} + podLabels: {} + podAnnotations: {} + env: [] + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + ## TLS cert/key. If absent, TLS cert/key automatically generated will be used. + ## + ## default: (none) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + harbor: + protocol: https + secretName: + svc: + type: NodePort # should be set to - ClusterIP + loadBalancerIP: + annotations: + {} + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # OpenShift Route configuration + route: + enabled: true + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # kubernetes.io/ingress.class: my-nginx + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1" + # nginx.ingress.kubernetes.io/rewrite-target: / + # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" + # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert + tls: false + secretName: # my-tls-secret + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + updater: + # If false, cve updater will not be installed + enabled: true + secure: false + cacert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + image: + registry: "" + repository: rancher/mirrored-neuvector-updater + tag: latest + hash: + schedule: "0 0 * * *" + priorityClassName: + resources: + {} + # limits: + # cpu: 100m + # memory: 256Mi + # requests: + # cpu: 100m + # memory: 256Mi + podLabels: {} + podAnnotations: {} + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + scanner: + enabled: true + replicas: 3 + dockerPath: "" + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + image: + registry: "" + repository: rancher/mirrored-neuvector-scanner + tag: latest + hash: + priorityClassName: + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + topologySpreadConstraints: [] + affinity: {} + podLabels: {} + podAnnotations: {} + env: [] + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + +resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + +runtimePath: + +# The following runtime type and socket location are deprecated after 5.3.0. +# If the socket path is not at the default location, use above 'runtimePath' to specify the location. +docker: + path: /var/run/docker.sock + +k3s: + enabled: false + runtimePath: /run/k3s/containerd/containerd.sock + +bottlerocket: + enabled: false + runtimePath: /run/dockershim.sock + +containerd: + enabled: false + path: /var/run/containerd/containerd.sock + +crio: + enabled: false + path: /var/run/crio/crio.sock + +admissionwebhook: + type: ClusterIP + +crdwebhooksvc: + enabled: true + +crdwebhook: + enabled: true + type: ClusterIP diff --git a/index.yaml b/index.yaml index 868b43d7d3..db0406cca8 100755 --- a/index.yaml +++ b/index.yaml @@ -5323,6 +5323,37 @@ entries: - assets/longhorn-crd/longhorn-crd-101.0.0+up1.2.6.tgz version: 101.0.0+up1.2.6 neuvector: + - annotations: + catalog.cattle.io/auto-install: neuvector-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.32.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: neuvector + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 2.8.3 + apiVersion: v1 + appVersion: 5.4.1 + created: "2024-11-27T15:02:44.872438713-03:00" + description: Helm feature chart for NeuVector container security platform. + digest: d883db700b6831aeb8dd649630ab436de33a38021c1060d33a9b222a952059a4 + home: https://neuvector.com + icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 + keywords: + - security + maintainers: + - email: support@neuvector.com + name: becitsthere + name: neuvector + sources: + - https://github.com/neuvector/neuvector + urls: + - assets/neuvector/neuvector-104.0.3+up2.8.3.tgz + version: 104.0.3+up2.8.3 - annotations: catalog.cattle.io/auto-install: neuvector-crd=match catalog.cattle.io/certified: rancher diff --git a/release.yaml b/release.yaml index 8b13789179..d86d50aaaf 100644 --- a/release.yaml +++ b/release.yaml @@ -1 +1,2 @@ - +neuvector: + - 104.0.3+up2.8.3 From 095bacc2a054a44d96a757b2e6103a1232d91a37 Mon Sep 17 00:00:00 2001 From: nicholasSSUSE Date: Wed, 27 Nov 2024 15:02:57 -0300 Subject: [PATCH 3/4] release chart: neuvector-crd - version: 104.0.3+up2.8.3 --- .../neuvector-crd-104.0.3+up2.8.3.tgz | Bin 0 -> 3395 bytes .../neuvector-crd/104.0.3+up2.8.3/Chart.yaml | 16 + .../neuvector-crd/104.0.3+up2.8.3/README.md | 14 + .../104.0.3+up2.8.3/templates/_helpers.tpl | 32 + .../104.0.3+up2.8.3/templates/crd.yaml | 977 ++++++++++++++++++ .../neuvector-crd/104.0.3+up2.8.3/values.yaml | 9 + index.yaml | 20 + release.yaml | 2 + 8 files changed, 1070 insertions(+) create mode 100644 assets/neuvector-crd/neuvector-crd-104.0.3+up2.8.3.tgz create mode 100644 charts/neuvector-crd/104.0.3+up2.8.3/Chart.yaml create mode 100644 charts/neuvector-crd/104.0.3+up2.8.3/README.md create mode 100644 charts/neuvector-crd/104.0.3+up2.8.3/templates/_helpers.tpl create mode 100644 charts/neuvector-crd/104.0.3+up2.8.3/templates/crd.yaml create mode 100644 charts/neuvector-crd/104.0.3+up2.8.3/values.yaml diff --git a/assets/neuvector-crd/neuvector-crd-104.0.3+up2.8.3.tgz b/assets/neuvector-crd/neuvector-crd-104.0.3+up2.8.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..eaeb192743154ff472f44c5705205e3e851839c5 GIT binary patch literal 3395 zcmV-J4ZQLniwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PJ0FbK5qP&ue~)J>_~y+K`rP$8I&3yUW?VYo@K6NjmA=D+MB# z5-uRY0-zi}vA_E>0I0tvK}uHQq{Y55O)M9S#RB^Sup)CTXBaCk!dN5+XHz0nbVV}u zV2{-A_xmTu$L4Rp-{1V(KRp>d7#yDtPEQX9gQL?2{lU@c$>{^=?^B5;Dy1UgLI2Km zZ8q*JA(H1@5k+|}hXFuL6k&W4#Y8EF5#a=J18j}H$|{P_PI^bpQ5B_&f}``(O# z_Tc6w&|JZf9}1EuW+>|z1Uxm@CZI+^#TP^Z*KhR1y{7ToM+aYzNC8b1=JVW@o9HYolp|mYdDY8U@p6nRSsGbDP+(sol9$y)2 zoL{`ryfmMHEHHi&1us*mAdD5F0Ro}9tdNMgM-^OB#`LUN>N%6>=~gRWY3neq=2|x} zO&9i@7cOi%=V@fNJgw<^%>!4uRu7p9jOlJQ-COyJD!{#* z=y`ms=XpJ$&Dj?)9v(}~W+={hR_O59`;X^?XmA+zd+=D6W2poTARIt+MhY^fj4FyU z(($#LtD^sd|g}MGuM(@9u z5#5!a}&I$c`}5vQYxOkM#)PN{{c}-366faANkJZ<9o3=8Yx^ZH}QS=2?chYG&wUW`I~wg@O{7pqB3Js-WQWx}U0c*pWw@9EY6_jYGGR*Z4uy zbjOEx^rXA_#HbLw9v-`0U`!-3nl~7#*#Q=3#to%%N|7ZEg<~RV+)(xp6g*4>P3tAM z*goUQ4ox|yGUl^}NFKtk7Hl_^z7kwD&9zQ#9UZQSm|#udclTw%8I7;LFcXAuaqwc7 zu5=@)b}-V4o;n1acI4EGo4TT=4w$JkAZf=-okexRN*$$j!AWf>sRbjoBcx9Fs2v@- z(M$(}bi_p+BxO7wWvB#=+r+q{CBQ@!BdJ44TsAISx-5NGBnd|V?=EUg@?>;Lljexr zMV8z99MI9}G0jpP0MH>ZVKrmdJ%>nCisqAs`NcUwb(x&p5D{8nBD6w9XoHK;b%wd` z6@~-cL6@1wJ?ltCRN2r^?&0mI_>!dF-ENb2w@=}2^{ovnv>UX_Si8A$EFXs9-z_&J zwpsXJNs37In*nF0NDWU-!bn}a4a;iYNDb36eWa?#=Z^T?k;YPgcH+-Y=5qYm$r|~y z6MuHHmFzF&?8N7eSn|0e%NF|Fk@`}Pe?0z~%klVUjXeJG_-8BGUkd*5xg(oGeC~+P z9a*I>EOEl;j`-XWpF1)qpF6TbK6k|Dj`-Y>1&2S(_qij6yt}O_`d4x{pF6U*+>wM8 zUrFA`IV+qwBOB#4`68QbHN~sBA{z`oPvqY7L?q_2Zsq0<0L~R#%WT>_8Mp1$XqWm# zv1~6Js0C39Me{*StES!cwPfD3{K0wbV5uz-TMD5RtOM5+Nz%9sSY;gZ#J!Jh*$NWB zN7oj(r7g}4Ivs0tHA>a3`_!+?F-ceT1Wxcn2fj!DVmKe|vmJlw^O?GZ4E4K81le!3t&l-j7lw6d#T{;D?ynr=4zi=wVjaD#ax3wohG>j zMqS((rx|Gwqojx`r5E?M=`E6fUN|{ zay;siht+8PDN zG_((IHEjD3)S*weku=(qV(o6x;t)<(Xmf%N-QU*n36=J^m$x|TUPg1P z#kT1rQL&$k0kC$GAmh*!ZzXR%MT`RSJiEbCv{9UA*HtI zx1vfNmk%uW9$0q#8SSSH3Hy2xL_)5dk)z8GvH%jE5qjqxi9Nu`Vnxj#7RA8&mB`RHhH z;=lj=Ip`r=VENW~0Q`h31M>y>ATZbV1NA8vD@=<6KA4|oJd$ws`h1=~CZi>DRr1&( zGMGa$SYom#5R*cc!hR<|!I!hL}_-~9!DbXX{m%*AW@h^@IPFbs>URKe@R55qiI1Dwa5zu63O$YF#j;S zem3U{1ZI4O$=n`~bj^>f_y}I6aK%fot)LPf#UiN+pF&~4C`eTB?)G=T-+|(g5{<^| zL_1y?BbipCOLLm1ZlH@^zrExs%M4z9J~ zZ1?Jh&>Vg%Fn^;9pBj4^V=8X&BwWKgW2bj;9jqEs#{?}a770}MOq|dURJi%&EB(-Y Z&jFr1dHQ?OKLY>&|Nprx+0y`&000;Pe1`x4 literal 0 HcmV?d00001 diff --git a/charts/neuvector-crd/104.0.3+up2.8.3/Chart.yaml b/charts/neuvector-crd/104.0.3+up2.8.3/Chart.yaml new file mode 100644 index 0000000000..51f7059f72 --- /dev/null +++ b/charts/neuvector-crd/104.0.3+up2.8.3/Chart.yaml @@ -0,0 +1,16 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/release-name: neuvector-crd +apiVersion: v1 +appVersion: 5.4.1 +description: Helm chart for NeuVector's CRD services +home: https://neuvector.com +icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 +maintainers: +- email: support@neuvector.com + name: becitsthere +name: neuvector-crd +type: application +version: 104.0.3+up2.8.3 diff --git a/charts/neuvector-crd/104.0.3+up2.8.3/README.md b/charts/neuvector-crd/104.0.3+up2.8.3/README.md new file mode 100644 index 0000000000..a5379e6ba6 --- /dev/null +++ b/charts/neuvector-crd/104.0.3+up2.8.3/README.md @@ -0,0 +1,14 @@ +# NeuVector Helm Chart + +Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the container applications. + +Because the CRD policies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set `crdwebhook.enabled` to false in the 'core' chart. + +## Configuration + +The following table lists the configurable parameters of the NeuVector chart and their default values. + +Parameter | Description | Default | Notes +--------- | ----------- | ------- | ----- +`openshift` | If deploying in OpenShift, set this to true | `false` | +`crdwebhook.type` | crd webhook type | `ClusterIP` | diff --git a/charts/neuvector-crd/104.0.3+up2.8.3/templates/_helpers.tpl b/charts/neuvector-crd/104.0.3+up2.8.3/templates/_helpers.tpl new file mode 100644 index 0000000000..c0cc49294e --- /dev/null +++ b/charts/neuvector-crd/104.0.3+up2.8.3/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "neuvector.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "neuvector.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "neuvector.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/neuvector-crd/104.0.3+up2.8.3/templates/crd.yaml b/charts/neuvector-crd/104.0.3+up2.8.3/templates/crd.yaml new file mode 100644 index 0000000000..15834c9dfe --- /dev/null +++ b/charts/neuvector-crd/104.0.3+up2.8.3/templates/crd.yaml @@ -0,0 +1,977 @@ +{{- if .Values.crdwebhook.enabled -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + group: neuvector.com + names: + kind: NvSecurityRule + listKind: NvSecurityRuleList + plural: nvsecurityrules + singular: nvsecurityrule + scope: Namespaced +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + egress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + file: + items: + properties: + app: + items: + type: string + type: array + behavior: + enum: + - monitor_change + - block_access + type: string + filter: + type: string + recursive: + type: boolean + required: + - behavior + - filter + type: object + type: array + ingress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + process: + items: + properties: + action: + enum: + - allow + - deny + type: string + allow_update: + type: boolean + name: + type: string + path: + type: string + required: + - action + type: object + type: array + process_profile: + properties: + baseline: + enum: + - default + - shield + - basic + - zero-drift + type: string + mode: + enum: + - Discover + - Monitor + - Protect + type: string + type: object + target: + properties: + policymode: + enum: + - Discover + - Monitor + - Protect + - N/A + type: string + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + mon_metric: + type: boolean + grp_sess_cur: + type: integer + grp_sess_rate: + type: integer + grp_band_width: + type: integer + required: + - name + type: object + required: + - selector + type: object + dlp: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + waf: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + required: + - target + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvclustersecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + group: neuvector.com + names: + kind: NvClusterSecurityRule + listKind: NvClusterSecurityRuleList + plural: nvclustersecurityrules + singular: nvclustersecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + egress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + file: + items: + properties: + app: + items: + type: string + type: array + behavior: + enum: + - monitor_change + - block_access + type: string + filter: + type: string + recursive: + type: boolean + required: + - behavior + - filter + type: object + type: array + ingress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + process: + items: + properties: + action: + enum: + - allow + - deny + type: string + allow_update: + type: boolean + name: + type: string + path: + type: string + required: + - action + type: object + type: array + process_profile: + properties: + baseline: + enum: + - default + - shield + - basic + - zero-drift + type: string + mode: + enum: + - Discover + - Monitor + - Protect + type: string + type: object + target: + properties: + policymode: + enum: + - Discover + - Monitor + - Protect + - N/A + type: string + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + mon_metric: + type: boolean + grp_sess_cur: + type: integer + grp_sess_rate: + type: integer + grp_band_width: + type: integer + required: + - name + type: object + required: + - selector + type: object + dlp: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + waf: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + required: + - target + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvdlpsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + group: neuvector.com + names: + kind: NvDlpSecurityRule + listKind: NvDlpSecurityRuleList + plural: nvdlpsecurityrules + singular: nvdlpsecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + sensor: + properties: + comment: + type: string + name: + type: string + rules: + items: + properties: + name: + type: string + patterns: + items: + properties: + context: + enum: + - url + - header + - body + - packet + type: string + key: + enum: + - pattern + type: string + op: + enum: + - regex + - '!regex' + type: string + value: + type: string + required: + - key + - op + - value + - context + type: object + type: array + required: + - name + - patterns + type: object + type: array + required: + - name + type: object + required: + - sensor + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvadmissioncontrolsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + group: neuvector.com + names: + kind: NvAdmissionControlSecurityRule + listKind: NvAdmissionControlSecurityRuleList + plural: nvadmissioncontrolsecurityrules + singular: nvadmissioncontrolsecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + config: + properties: + client_mode: + enum: + - service + - url + type: string + enable: + type: boolean + mode: + enum: + - monitor + - protect + type: string + required: + - enable + - mode + - client_mode + type: object + rules: + items: + properties: + action: + enum: + - allow + - deny + type: string + comment: + type: string + criteria: + items: + properties: + name: + type: string + op: + type: string + path: + type: string + sub_criteria: + items: + properties: + name: + type: string + op: + type: string + value: + type: string + required: + - name + - op + - value + type: object + type: array + template_kind: + type: string + type: + type: string + value: + type: string + value_type: + type: string + required: + - name + - op + - value + type: object + type: array + disabled: + type: boolean + id: + type: integer + rule_mode: + enum: + - "" + - monitor + - protect + type: string + containers: + items: + enum: + - containers + - init_containers + - ephemeral_containers + type: string + type: array + required: + - action + - criteria + type: object + type: array + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvwafsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + group: neuvector.com + names: + kind: NvWafSecurityRule + listKind: NvWafSecurityRuleList + plural: nvwafsecurityrules + singular: nvwafsecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + sensor: + properties: + comment: + type: string + name: + type: string + rules: + items: + properties: + name: + type: string + patterns: + items: + properties: + context: + enum: + - url + - header + - body + - packet + type: string + key: + enum: + - pattern + type: string + op: + enum: + - regex + - '!regex' + type: string + value: + type: string + required: + - key + - op + - value + - context + type: object + type: array + required: + - name + - patterns + type: object + type: array + required: + - name + type: object + required: + - sensor + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvcomplianceprofiles.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + group: neuvector.com + names: + kind: NvComplianceProfile + listKind: NvComplianceProfileList + plural: nvcomplianceprofiles + singular: nvcomplianceprofile + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + templates: + properties: + disable_system: + type: boolean + entries: + items: + properties: + tags: + items: + type: string + type: array + test_number: + type: string + required: + - test_number + type: object + type: array + required: + - entries + type: object + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvvulnerabilityprofiles.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +spec: + group: neuvector.com + names: + kind: NvVulnerabilityProfile + listKind: NvVulnerabilityProfileList + plural: nvvulnerabilityprofiles + singular: nvvulnerabilityprofile + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + profile: + properties: + entries: + items: + properties: + comment: + type: string + days: + type: integer + domains: + items: + type: string + type: array + images: + items: + type: string + type: array + name: + type: string + required: + - name + type: object + type: array + required: + - entries + type: object + required: + - profile + type: object + type: object +{{- end }} +{{- end }} diff --git a/charts/neuvector-crd/104.0.3+up2.8.3/values.yaml b/charts/neuvector-crd/104.0.3+up2.8.3/values.yaml new file mode 100644 index 0000000000..e899decf01 --- /dev/null +++ b/charts/neuvector-crd/104.0.3+up2.8.3/values.yaml @@ -0,0 +1,9 @@ +# Default values for neuvector. +# This is a YAML-formatted file. +# Declare variables to be passed into the templates. + +openshift: false + +crdwebhook: + type: ClusterIP + enabled: true diff --git a/index.yaml b/index.yaml index db0406cca8..fb7611ce38 100755 --- a/index.yaml +++ b/index.yaml @@ -6070,6 +6070,26 @@ entries: - assets/neuvector/neuvector-101.0.0+up2.2.3.tgz version: 101.0.0+up2.2.3 neuvector-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/release-name: neuvector-crd + apiVersion: v1 + appVersion: 5.4.1 + created: "2024-11-27T15:02:54.132902843-03:00" + description: Helm chart for NeuVector's CRD services + digest: 82d456ca3e96c6d5157d9ea394ba180c03630552af193e69971b570ff2e82e32 + home: https://neuvector.com + icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 + maintainers: + - email: support@neuvector.com + name: becitsthere + name: neuvector-crd + type: application + urls: + - assets/neuvector-crd/neuvector-crd-104.0.3+up2.8.3.tgz + version: 104.0.3+up2.8.3 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index d86d50aaaf..c13bf63677 100644 --- a/release.yaml +++ b/release.yaml @@ -1,2 +1,4 @@ neuvector: - 104.0.3+up2.8.3 +neuvector-crd: + - 104.0.3+up2.8.3 From 2d661463448c00e73922fa06dc117faa32918c62 Mon Sep 17 00:00:00 2001 From: rancherbot Date: Wed, 27 Nov 2024 19:22:17 +0000 Subject: [PATCH 4/4] Updating resync.yaml --- regsync.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/regsync.yaml b/regsync.yaml index c097536c6d..b337becd26 100644 --- a/regsync.yaml +++ b/regsync.yaml @@ -998,6 +998,7 @@ sync: tags: allow: - 1.0.0 + - latest - source: docker.io/rancher/mirrored-neuvector-controller target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-controller' type: repository @@ -1018,6 +1019,7 @@ sync: - 5.3.3 - 5.3.4 - 5.4.0 + - 5.4.1 - source: docker.io/rancher/mirrored-neuvector-enforcer target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-enforcer' type: repository @@ -1038,6 +1040,7 @@ sync: - 5.3.3 - 5.3.4 - 5.4.0 + - 5.4.1 - source: docker.io/rancher/mirrored-neuvector-manager target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-manager' type: repository @@ -1058,6 +1061,7 @@ sync: - 5.3.3 - 5.3.4 - 5.4.0 + - 5.4.1 - source: docker.io/rancher/mirrored-neuvector-prometheus-exporter target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-prometheus-exporter' type: repository @@ -1078,6 +1082,7 @@ sync: - 0.1.0 - 0.1.1-s1 - 0.1.2 + - 0.1.3 - source: docker.io/rancher/mirrored-neuvector-scanner target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-scanner' type: repository