diff --git a/charts/core/README.md b/charts/core/README.md index c721f94a..2bbc155b 100644 --- a/charts/core/README.md +++ b/charts/core/README.md @@ -23,9 +23,12 @@ Parameter | Description | Default | Notes `psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` | `serviceAccount` | Service account name for NeuVector components | `default` | `leastPrivilege` | Use least privileged service account | `false` | +`bootstrapPassword` | Set password for admin user account if present | `false` | Random password generated if aws billing is enabled `autoGenerateCert` | Automatically generate certificate or not | `true` | `internal.certmanager.enabled` | cert-manager is installed for the internal certificates | `false` | `internal.certmanager.secretname` | Name of the secret to be used for the internal certificates | `neuvector-internal` | +`internal.autoGenerateCert` | Automatically generate internal certificate or not | `true` | +`internal.autoRotateCert` | Automatically rotate internal certificate or not | `false` | `defaultValidityPeriod` | The default validity period used for certs automatically generated (days) | `365` | `global.cattle.url` | Set the Rancher Server URL | | Required for Rancher Authentication. `https:///` | `global.aws.enabled` | If true, install AWS billing csp adapter | `false` | **Note**: default admin user is disabled when aws market place billing enabled, use secret to create admin-role user to manage NeuVector deployment. 
@@ -65,6 +68,7 @@ Parameter | Description | Default | Notes `controller.pvc.existingClaim` | If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used. | `false` | `controller.pvc.storageClass` | Storage Class to be used | `default` | `controller.pvc.capacity` | Storage capacity | `1Gi` | +`controller.searchRegistries` | Custom search registries for Admission control | `nil` | `controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` | `controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` | `controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` | 
@@ -137,6 +141,13 @@ Parameter | Description | Default | Notes `controller.internal.certificate.keyFile` | Set PEM format key file for custom controller internal certificate | `tls.key` | `controller.internal.certificate.pemFile` | Set PEM format certificate file for custom controller internal certificate | `tls.crt` | `controller.internal.certificate.caFile` | Set CA certificate file for controller custom internal certificate | `ca.crt` | +`controller.certupgrader.env` | User-defined environment variables. | `[]` | +`controller.certupgrader.schedule` | cert upgrader schedule. Leave empty to disable | `` | +`controller.certupgrader.priorityClassName` | cert upgrader priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`controller.certupgrader.podLabels` | Specify the pod labels. | `{}` | +`controller.certupgrader.podAnnotations` | Specify the pod annotations. | `{}` | +`controller.certupgrader.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`controller.certupgrader.runAsUser` | Specify the run as User ID | `nil` | `enforcer.enabled` | If true, create enforcer | `true` | `enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` | `enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | diff --git a/charts/core/aws_mp_configuration_schema.json b/charts/core/aws_mp_configuration_schema.json new file mode 100644 index 00000000..570eef2b --- /dev/null +++ b/charts/core/aws_mp_configuration_schema.json 
@@ -0,0 +1,27 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "properties": { + "global" : { + "type": "object", + "properties": { + "aws": { + "type": "object", + "properties": { + "accountNumber": { + "type": ["integer", "string"], + "description": "AWS Account Number; Follow AWS subscription instruction" + }, + "roleName": { + "type": "string", + "description": "AWS Role name for billing; Follow AWS subscription instruction" + } + }, + "required": [ + "accountNumber", + "roleName" + ] + } + } + } + } +} diff --git a/charts/core/templates/NOTES.txt b/charts/core/templates/NOTES.txt index 2360cee8..f2492a0f 100644 --- a/charts/core/templates/NOTES.txt +++ b/charts/core/templates/NOTES.txt @@ -21,3 +21,14 @@ Get the NeuVector URL by running these commands: echo https://$SERVICE_IP:8443 {{- end }} {{- end }} + + +{{- if or (.Values.global.aws.enabled) (.Values.bootstrapPassword) }} + +NOTE: Use below command to get the password to login to NeuVector WebUi using admin account if it is a fresh install and not a restore from PVC, no admin password is set in the configmap or secret. The password is randomly generated during the deployment if AWS cloud billing is enabled. + +To get the bootstrap password: + +kubectl get secret --namespace {{ .Release.Namespace }} neuvector-bootstrap-secret -o go-template='{{ "{{" }}.data.bootstrapPassword|base64decode{{ "}}" }}{{ "{{" }} "\n" {{ "}}" }}' + +{{- end }} diff --git a/charts/core/templates/_helpers.tpl b/charts/core/templates/_helpers.tpl index e47c246b..f8f5388f 100644 --- a/charts/core/templates/_helpers.tpl +++ b/charts/core/templates/_helpers.tpl 
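Review bot: `accountNumber` accepts a bare integer, but csp-serviceaccount.yaml interpolates it straight into `arn:aws:iam::{{ .Values.global.aws.accountNumber }}:role/{{ .Values.global.aws.roleName }}`, and an AWS account ID with a leading zero may be re-parsed as a number and lose that digit, producing a wrong ARN that only fails later at IRSA time. Validate at the schema so the marketplace form rejects bad input early: `"type": "string", "pattern": "^[0-9]{12}$"` for `accountNumber`, and `"pattern": "^[\\w+=,.@-]{1,64}$"` for `roleName` (the IAM role-name character set). If the integer form must stay accepted for compatibility, at least add `"minimum": 100000000000, "maximum": 999999999999` so a truncated ID cannot pass. Since both values end up in a service-account annotation the chart never quotes, tightening them here is the only input check they get.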
@@ -35,14 +35,26 @@ Create chart name and version as used by the chart label. Lookup secret. */}} {{- define "neuvector.secrets.lookup" -}} -{{- $value := "" -}} -{{- $secretData := (lookup "v1" "Secret" .namespace .secret).data -}} -{{- if and $secretData (hasKey $secretData .key) -}} - {{- $value = index $secretData .key -}} -{{- else if .defaultValue -}} - {{- $value = .defaultValue | toString | b64enc -}} -{{- end -}} -{{- if $value -}} +{{- $value := .defaultValue | toString | b64enc -}} {{- printf "%s" $value -}} {{- end -}} -{{- end -}} \ No newline at end of file + +{{- define "neuvector.controller.image" -}} +{{- if .Values.global.azure.enabled }} + {{- printf "%s/%s:%s" .Values.global.azure.images.controller.registry .Values.global.azure.images.controller.image .Values.global.azure.images.controller.tag }} +{{- else }} + {{- if eq .Values.registry "registry.neuvector.com" }} + {{- if .Values.oem }} + {{- printf "%s/%s/controller:%s" .Values.registry .Values.oem .Values.tag }} + {{- else }} + {{- printf "%s/controller:%s" .Values.registry .Values.tag }} + {{- end }} + {{- else }} + {{- if .Values.controller.image.hash }} + {{- printf "%s/%s@%s" .Values.registry .Values.controller.image.repository .Values.controller.image.hash }} + {{- else }} + {{- printf "%s/%s:%s" .Values.registry .Values.controller.image.repository .Values.tag }} + {{- end }} + {{- end }} +{{- end }} +{{- end -}} diff --git a/charts/core/templates/admission-webhook-service.yaml b/charts/core/templates/admission-webhook-service.yaml index 0d92eec7..6a1bfa63 100644 --- a/charts/core/templates/admission-webhook-service.yaml +++ b/charts/core/templates/admission-webhook-service.yaml @@ -6,7 +6,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: ports: - port: 443 diff --git a/charts/core/templates/bootstrap-secret.yaml b/charts/core/templates/bootstrap-secret.yaml new file mode 100644 index 00000000..b631d506 --- /dev/null 
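Review bot: `neuvector.secrets.lookup` no longer looks anything up: the new body ignores `.namespace`, `.secret` and `.key` and always returns `.defaultValue`, so the callers in controller-secret.yaml now get a freshly generated self-signed key/cert on every `helm upgrade` whenever `autoGenerateCert` is true, and the `checksum/controller-secret` pod annotation rolls the controller each time. If dropping `lookup` is intentional (it returns nothing under `helm template`/GitOps rendering), say so and rename the helper so its name stops promising persistence, e.g. `{{/* Returns defaultValue b64-encoded. No cluster lookup: generated values are NOT preserved across upgrades. */}}`; otherwise keep the `lookup` and only fall back to `.defaultValue` when the key is absent. Separately, `neuvector.controller.image` still drops `controller.image.hash` for `registry.neuvector.com`, so digest pinning is unavailable there; that is carried over from the inline form, but now that the logic is centralized a one-line comment stating it would save the next reader a surprise.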
+++ b/charts/core/templates/bootstrap-secret.yaml @@ -0,0 +1,19 @@ +{{/* Use the bootstrap password from values.yaml or random value*/}} +{{- $bootstrapPassword := .Values.bootstrapPassword -}} +{{- if .Values.global.aws.enabled -}} + {{- $bootstrapPassword = randAlphaNum 18 -}} +{{- end -}} +{{/* If a bootstrap password was found in the values or AWS is enabled */}} +{{- if $bootstrapPassword }} +apiVersion: v1 +kind: Secret +metadata: + name: "neuvector-bootstrap-secret" + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +type: Opaque +data: + bootstrapPassword: {{ $bootstrapPassword | b64enc |quote }} +{{- end }} diff --git a/charts/core/templates/clusterrole.yaml b/charts/core/templates/clusterrole.yaml index 54f33a90..49228b70 100644 --- a/charts/core/templates/clusterrole.yaml +++ b/charts/core/templates/clusterrole.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - "" @@ -44,7 +43,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: {{- if .Values.openshift }} - apiGroups: @@ -83,7 +81,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - admissionregistration.k8s.io @@ -108,7 +105,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - config.openshift.io diff --git a/charts/core/templates/clusterrolebinding-least.yaml b/charts/core/templates/clusterrolebinding-least.yaml index bcfca9a2..edb1007f 100644 --- a/charts/core/templates/clusterrolebinding-least.yaml +++ b/charts/core/templates/clusterrolebinding-least.yaml 
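Review bot: `randAlphaNum 18` runs on every render, so each `helm upgrade` with `global.aws.enabled` rewrites `neuvector-bootstrap-secret` with a new value that an already-initialized controller presumably never applies, and the `kubectl get secret` command in NOTES.txt then prints a password that does not log in. Preserve the first value with a lookup before generating: `{{- $existing := (lookup "v1" "Secret" .Release.Namespace "neuvector-bootstrap-secret").data -}}` then `{{- if and $existing (hasKey $existing "bootstrapPassword") }}{{- $bootstrapPassword = index $existing "bootstrapPassword" | b64dec }}{{- else if .Values.global.aws.enabled }}{{- $bootstrapPassword = randAlphaNum 18 }}{{- end }}`. The AWS branch also overrides an explicitly set `.Values.bootstrapPassword` rather than only filling it when empty; if that is intended, a `{{/* AWS billing installs always use a generated password */}}` comment would make it deliberate. Sprig v3 documents `randAlphaNum` as crypto/rand backed, so entropy is fine for an admin credential provided the bundled Helm is on that Sprig line.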
@@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -46,7 +45,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -77,7 +75,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -108,7 +105,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -134,7 +130,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/core/templates/clusterrolebinding.yaml b/charts/core/templates/clusterrolebinding.yaml index 7147a9ff..4ea258c0 100644 --- a/charts/core/templates/clusterrolebinding.yaml +++ b/charts/core/templates/clusterrolebinding.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -46,7 +45,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -77,7 +75,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -108,7 +105,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io 
@@ -134,7 +130,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml index 8c2a1d5f..816bfa17 100644 --- a/charts/core/templates/controller-deployment.yaml +++ b/charts/core/templates/controller-deployment.yaml @@ -2,6 +2,10 @@ {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} {{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}} {{- end }} +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} {{- if .Values.controller.enabled -}} {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} apiVersion: apps/v1 @@ -15,7 +19,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm {{- with .Values.controller.annotations }} annotations: {{ toYaml . | indent 4 }} @@ -36,7 +39,6 @@ spec: {{- with .Values.controller.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if or .Values.controller.secret.enabled .Values.controller.configmap.enabled .Values.controller.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }} annotations: {{- if .Values.controller.secret.enabled }} checksum/init-secret: {{ include (print $.Template.BasePath "/init-secret.yaml") . | sha256sum }} 
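Review bot: The new `$pre540` flag is named for 5.4.0 but gates on `semverCompare "<5.3.10-0"`, and the same six lines are duplicated verbatim in enforcer-daemonset.yaml, so a reader cannot tell whether 5.3.10 is a typo or the real cutoff. Put it in one named template with the reason attached, e.g. `{{- define "neuvector.pre540" -}}{{ and (regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag) (semverCompare "<5.3.10-0" .Values.tag) }}{{- end -}}` preceded by a comment such as `{{/* images before 5.3.10 have no internal cert upgrader; keep the old cert handling for them */}}` (the actual cutoff is not visible here, so confirm the version). Also, removing the guard around `annotations:` in the pod template means the key is emitted with a null value when none of the checksum conditions hold; the API server accepts it, but some linters and admission policies flag null metadata maps, so keeping the `{{- if or ... }}` guard is cheaper than explaining it.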
@@ -44,13 +46,12 @@ spec: {{- if .Values.controller.configmap.enabled }} checksum/init-configmap: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }} {{- end }} - {{- if eq "true" (toString .Values.autoGenerateCert) }} + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} checksum/controller-secret: {{ include (print $.Template.BasePath "/controller-secret.yaml") . | sha256sum }} {{- end }} {{- if .Values.controller.podAnnotations }} {{- toYaml .Values.controller.podAnnotations | nindent 8 }} {{- end }} - {{- end }} spec: {{- if .Values.controller.affinity }} affinity: 
@@ -85,25 +86,23 @@ spec: serviceAccountName: {{ .Values.serviceAccount }} serviceAccount: {{ .Values.serviceAccount }} {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} + {{- else if and .Values.internal.autoGenerateCert (not $pre540) }} + initContainers: + - name: init + image: {{ include "neuvector.controller.image" . | quote }} + command: ["/usr/local/bin/upgrader", "create-upgrader-job" ] + imagePullPolicy: {{ .Values.controller.certupgrader.imagePullPolicy }} + env: + - name: OVERRIDE_CHECKSUM + value: {{ dict "image" (include "neuvector.controller.image" .) "internal" .Values.internal "certupgrader" .Values.controller.certupgrader | toJson | sha256sum }} + {{- with .Values.controller.certupgrader.env }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} containers: - name: neuvector-controller-pod - {{- if .Values.global.azure.enabled }} - image: "{{ .Values.global.azure.images.controller.registry }}/{{ .Values.global.azure.images.controller.image }}:{{ .Values.global.azure.images.controller.tag }}" - {{- else }} - {{- if eq .Values.registry "registry.neuvector.com" }} - {{- if .Values.oem }} - image: "{{ .Values.registry }}/{{ .Values.oem }}/controller:{{ .Values.tag }}" - {{- else }} - image: "{{ .Values.registry }}/controller:{{ .Values.tag }}" - {{- end }} - {{- else }} - {{- if .Values.controller.image.hash }} - image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}@{{ .Values.controller.image.hash }}" - {{- else }} - image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}:{{ .Values.tag }}" - {{- end }} - {{- end }} - {{- end }} + image: {{ include "neuvector.controller.image" . | quote }} {{- if $pre530 }} securityContext: privileged: true 
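Review bot: The new `init` container runs `upgrader create-upgrader-job` with no `securityContext` and no `resources`, while the main container next to it carries one; at minimum give it `securityContext: { allowPrivilegeEscalation: false, capabilities: { drop: [ALL] } }` (add `runAsNonRoot: true` if the controller image supports it). The command name suggests it creates a Job through the API as the controller's service account, yet none of the RBAC hunks in this diff add Job or Secret verbs, so either that permission already exists or least-privilege installs will fail at init time; worth confirming and stating in a template comment. It also reads `.Values.controller.certupgrader.imagePullPolicy`, which the README rows added for `controller.certupgrader.*` do not list, and an unset value renders as `imagePullPolicy:` (null); add the row with its default, or pipe it through `default "IfNotPresent"`.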
@@ -153,10 +152,19 @@ spec: - name: CSP_ENV value: "azure" {{- end }} - {{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} + {{- if .Values.global.azure.enabled }} - name: NO_DEFAULT_ADMIN value: "1" {{- end }} + {{- if .Values.controller.searchRegistries }} + - name: CTRL_SEARCH_REGISTRIES + value: "{{ .Values.controller.searchRegistries }}" + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} + {{- else if .Values.internal.autoGenerateCert }} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} {{- with .Values.controller.env }} {{- toYaml . | nindent 12 }} {{- end }} @@ -199,7 +207,7 @@ spec: subPath: {{ .Values.controller.certificate.pemFile }} name: usercert readOnly: true - {{- else if eq "true" (toString .Values.autoGenerateCert) }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} - mountPath: /etc/neuvector/certs/ssl-cert.key subPath: ssl-cert.key name: cert @@ -223,6 +231,9 @@ spec: subPath: {{ .Values.controller.internal.certificate.caFile }} name: internal-cert readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir {{- end }} terminationGracePeriodSeconds: 300 restartPolicy: Always @@ -272,7 +283,7 @@ spec: - secret: name: neuvector-secret optional: true - {{- if eq "true" (toString .Values.autoGenerateCert) }} + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} - name: cert secret: secretName: neuvector-controller-secret 
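Review bot: Narrowing `NO_DEFAULT_ADMIN` to the Azure case re-enables the built-in admin account on AWS Marketplace installs, but the README note touched in this same change still says the default admin is disabled when AWS billing is enabled; the two must agree, e.g. `default admin user is enabled with a random bootstrap password when aws market place billing is enabled (see NOTES.txt); it is disabled on azure`. `value: "{{ .Values.controller.searchRegistries }}"` breaks the YAML if the value contains a double quote or backslash; use `value: {{ .Values.controller.searchRegistries | quote }}`. The `{{- if or A B }}{{- else if C }}` construct with an empty first branch reads like a mistake; `{{- if and .Values.internal.autoGenerateCert (not .Values.internal.certmanager.enabled) (not .Values.controller.internal.certificate.secret) }}` states the intent directly.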
@@ -286,6 +297,10 @@ spec: - name: internal-cert secret: secretName: {{ .Values.controller.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi {{- end }} {{- if gt (int .Values.controller.disruptionbudget) 0 }} --- diff --git a/charts/core/templates/controller-ingress.yaml b/charts/core/templates/controller-ingress.yaml index 1ea0cdce..d8bcb32a 100644 --- a/charts/core/templates/controller-ingress.yaml +++ b/charts/core/templates/controller-ingress.yaml @@ -13,7 +13,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.ingress.ingressClassName }} ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }} @@ -50,7 +49,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.ingress.tls }} tls: @@ -85,7 +83,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.mastersvc.ingress.ingressClassName }} ingressClassName: {{ .Values.controller.federation.mastersvc.ingress.ingressClassName | quote }} @@ -123,7 +120,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.mastersvc.ingress.tls }} tls: @@ -158,7 +154,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.managedsvc.ingress.ingressClassName }} ingressClassName: {{ .Values.controller.federation.managedsvc.ingress.ingressClassName | quote }} 
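Review bot: `internal-cert-dir` is a disk-backed `emptyDir`, so the controller's rotated internal TLS private key is written to the node filesystem and persists in the kubelet pod directory until the pod is deleted; the enforcer daemonset does the same. Keep the key in tmpfs with `emptyDir: { medium: Memory, sizeLimit: 50Mi }`. Memory-backed storage counts against the container memory limit, so if 50Mi was sized for disk, add a comment to that effect so nobody later "fixes" the limit downward.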
@@ -196,7 +191,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.managedsvc.ingress.tls }} tls: diff --git a/charts/core/templates/controller-lease.yaml b/charts/core/templates/controller-lease.yaml new file mode 100644 index 00000000..cccde547 --- /dev/null +++ b/charts/core/templates/controller-lease.yaml @@ -0,0 +1,8 @@ +{{- if .Values.internal.autoGenerateCert }} +apiVersion: coordination.k8s.io/v1 +kind: Lease +metadata: + name: neuvector-controller +spec: + leaseTransitions: 0 +{{- end }} diff --git a/charts/core/templates/controller-route.yaml b/charts/core/templates/controller-route.yaml index 377917af..b80816f1 100644 --- a/charts/core/templates/controller-route.yaml +++ b/charts/core/templates/controller-route.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.apisvc.route.host }} host: {{ .Values.controller.apisvc.route.host }} @@ -45,7 +44,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.mastersvc.route.host }} host: {{ .Values.controller.federation.mastersvc.route.host }} @@ -77,7 +75,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.managedsvc.route.host }} host: {{ .Values.controller.federation.managedsvc.route.host }} diff --git a/charts/core/templates/controller-secret.yaml b/charts/core/templates/controller-secret.yaml index e07504dc..fb743c24 100644 --- a/charts/core/templates/controller-secret.yaml +++ b/charts/core/templates/controller-secret.yaml 
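Review bot: The new `Lease` has no `namespace:` and no chart/release labels, unlike every other resource in this chart, so it lands wherever the applying client points (fine under `helm install -n`, wrong when templates are rendered with `helm template` and applied separately) and cannot be selected with the `release:` label. Add `namespace: {{ .Release.Namespace }}` and the standard `labels:` block, and a comment naming the consumer, e.g. `{{/* coordination lease for the controller's internal cert upgrader; created here so the pod needs no create permission */}}` if that is its purpose, since the holder is not visible in this diff.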
@@ -1,7 +1,13 @@ {{- if .Values.controller.enabled -}} -{{- if eq "true" (toString .Values.autoGenerateCert) }} +{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} +{{- $cert := (dict) }} +{{- if and .Values.controller.certificate.key .Values.controller.certificate.certificate }} +{{- $cert = (dict "Key" .Values.controller.certificate.key "Cert" .Values.controller.certificate.certificate ) }} +{{- else }} {{- $cn := "neuvector" }} -{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +{{- $cert = genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +{{- end }} + apiVersion: v1 kind: Secret metadata: @@ -10,11 +16,18 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm type: Opaque data: ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }} +{{- end}} --- +{{- if .Values.internal.certmanager.enabled }} +{{- else if .Values.internal.autoGenerateCert }} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-internal-certs +type: Opaque {{- end}} {{- end}} diff --git a/charts/core/templates/controller-service.yaml b/charts/core/templates/controller-service.yaml index 9fbd0655..4705d491 100644 --- a/charts/core/templates/controller-service.yaml +++ b/charts/core/templates/controller-service.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: clusterIP: None ports: 
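Review bot: The new `neuvector-internal-certs` Secret is emitted without `namespace:`, labels or `data:`, so Helm owns an empty object whose contents (presumably written by the upgrader job) are not part of the release; `helm uninstall` deletes the populated certs with it and `helm upgrade --force` would replace them with an empty secret, which deserves a template comment. The user-supplied path silently ignores a half-configured pair: if only one of `controller.certificate.key` / `controller.certificate.certificate` is set the chart falls through to auto-generation. Fail early instead: `{{- if and (or .Values.controller.certificate.key .Values.controller.certificate.certificate) (not (and .Values.controller.certificate.key .Values.controller.certificate.certificate)) }}{{ fail "controller.certificate.key and controller.certificate.certificate must be set together" }}{{- end }}`. Passing a private key through values also stores it in the Helm release Secret and shows it in `helm get values`; if those two values are documented elsewhere, that caveat belongs next to them.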
@@ -36,7 +35,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.controller.apisvc.type }} ports: @@ -61,7 +59,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.controller.federation.mastersvc.type }} {{- if and .Values.controller.federation.mastersvc.loadBalancerIP (eq .Values.controller.federation.mastersvc.type "LoadBalancer") }} @@ -101,7 +98,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.controller.federation.managedsvc.type }} {{- if and .Values.controller.federation.managedsvc.loadBalancerIP (eq .Values.controller.federation.managedsvc.type "LoadBalancer") }} diff --git a/charts/core/templates/crd-role-least.yaml b/charts/core/templates/crd-role-least.yaml index 64517f12..45222a48 100644 --- a/charts/core/templates/crd-role-least.yaml +++ b/charts/core/templates/crd-role-least.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - apiextensions.k8s.io @@ -43,7 +42,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -75,7 +73,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -103,7 +100,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -135,7 +131,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com 
@@ -162,7 +157,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -189,7 +183,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -221,7 +214,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -253,7 +245,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -280,7 +271,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -312,7 +302,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -339,7 +328,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -371,7 +359,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -398,7 +385,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io diff --git a/charts/core/templates/crd-role.yaml b/charts/core/templates/crd-role.yaml index 46d99761..ffa029c4 100644 --- a/charts/core/templates/crd-role.yaml +++ b/charts/core/templates/crd-role.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - apiextensions.k8s.io 
@@ -43,7 +42,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -75,7 +73,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -103,7 +100,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -135,7 +131,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -162,7 +157,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -189,7 +183,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -221,7 +214,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -253,7 +245,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -280,7 +271,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -312,7 +302,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -339,7 +328,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io 
@@ -371,7 +359,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -398,7 +385,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io diff --git a/charts/core/templates/crd.yaml b/charts/core/templates/crd.yaml index 48c5b07f..72cd24a3 100644 --- a/charts/core/templates/crd.yaml +++ b/charts/core/templates/crd.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -286,7 +285,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -560,7 +558,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -646,7 +643,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -773,7 +769,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -859,7 +854,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -916,7 +910,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -978,7 +971,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: ports: - port: 443 diff --git a/charts/core/templates/csp-clusterrole.yaml b/charts/core/templates/csp-clusterrole.yaml index 5e5dea5c..234f50db 100644 --- a/charts/core/templates/csp-clusterrole.yaml 
+++ b/charts/core/templates/csp-clusterrole.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - susecloud.net @@ -41,7 +40,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - susecloud.net diff --git a/charts/core/templates/csp-clusterrolebinding.yaml b/charts/core/templates/csp-clusterrolebinding.yaml index 244e7b43..bb0a331b 100644 --- a/charts/core/templates/csp-clusterrolebinding.yaml +++ b/charts/core/templates/csp-clusterrolebinding.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -46,7 +45,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/core/templates/csp-crd.yaml b/charts/core/templates/csp-crd.yaml index a0ddf655..b879776e 100644 --- a/charts/core/templates/csp-crd.yaml +++ b/charts/core/templates/csp-crd.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: susecloud.net names: diff --git a/charts/core/templates/csp-deployment.yaml b/charts/core/templates/csp-deployment.yaml index 6ea55792..82ef4739 100644 --- a/charts/core/templates/csp-deployment.yaml +++ b/charts/core/templates/csp-deployment.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm {{- with .Values.global.aws.annotations }} annotations: {{ toYaml . | indent 4 }} diff --git a/charts/core/templates/csp-role.yaml b/charts/core/templates/csp-role.yaml index 4c7df981..3bba9540 100644 --- a/charts/core/templates/csp-role.yaml +++ b/charts/core/templates/csp-role.yaml 
@@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - "" diff --git a/charts/core/templates/csp-rolebinding.yaml b/charts/core/templates/csp-rolebinding.yaml index 946b2c52..0327fdc7 100644 --- a/charts/core/templates/csp-rolebinding.yaml +++ b/charts/core/templates/csp-rolebinding.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/charts/core/templates/csp-serviceaccount.yaml b/charts/core/templates/csp-serviceaccount.yaml index 0f777c2b..32827502 100644 --- a/charts/core/templates/csp-serviceaccount.yaml +++ b/charts/core/templates/csp-serviceaccount.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm annotations: {{- if .Values.global.aws.enabled }} eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.global.aws.accountNumber }}:role/{{ .Values.global.aws.roleName }} diff --git a/charts/core/templates/enforcer-daemonset.yaml b/charts/core/templates/enforcer-daemonset.yaml index 4177c4dd..2554ca73 100644 --- a/charts/core/templates/enforcer-daemonset.yaml +++ b/charts/core/templates/enforcer-daemonset.yaml @@ -2,6 +2,10 @@ {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} {{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}} {{- end }} +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} {{- $runtimePath := "" -}} {{- if .Values.runtimePath }} {{- $runtimePath = .Values.runtimePath -}} @@ -28,7 +32,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} spec: updateStrategy: {{- toYaml .Values.enforcer.updateStrategy | nindent 4 }} 
@@ -105,6 +108,11 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP + {{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }} + {{- else if .Values.internal.autoGenerateCert }} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} {{- with .Values.enforcer.env }} {{- toYaml . | nindent 12 }} {{- end }} @@ -153,6 +161,9 @@ spec: subPath: {{ .Values.enforcer.internal.certificate.caFile }} name: internal-cert readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir {{- end }} terminationGracePeriodSeconds: 1200 restartPolicy: Always @@ -192,5 +203,9 @@ spec: - name: internal-cert secret: secretName: {{ .Values.enforcer.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi {{- end }} {{- end }} diff --git a/charts/core/templates/init-configmap.yaml b/charts/core/templates/init-configmap.yaml index 1300794a..5c29ca25 100644 --- a/charts/core/templates/init-configmap.yaml +++ b/charts/core/templates/init-configmap.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm data: {{ toYaml .Values.controller.configmap.data | indent 2 }} {{- end }} diff --git a/charts/core/templates/init-secret.yaml b/charts/core/templates/init-secret.yaml index d4bfca59..d9b4676c 100644 --- a/charts/core/templates/init-secret.yaml +++ b/charts/core/templates/init-secret.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm data: {{- range $key, $val := .Values.controller.secret.data }} {{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }} diff --git a/charts/core/templates/manager-deployment.yaml b/charts/core/templates/manager-deployment.yaml index d9ea4b28..e744c86a 100644 
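Review bot: The `{{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }}` branch placed before `AUTO_INTERNAL_CERT` is intentionally empty and exists only to suppress the `else if`, which reads as an omission at first glance; the env hunks in registry-adapter.yaml and scanner-deployment.yaml use the same shape. A single positive condition expresses it directly: `{{- if and .Values.internal.autoGenerateCert (not (or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret)) }}`. A template comment such as `{{- /* AUTO_INTERNAL_CERT: neither cert-manager nor a user secret supplies the internal cert, so the pod provisions its own (confirm against the enforcer's handling of this variable) */ -}}` would also spare the next reader a search through the image for what `"1"` triggers.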
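Review bot: The `internal-cert-dir` emptyDir that the rotation path mounts at `/etc/neuvector/certs/internal/` is node-disk backed by default, so whatever internal key material the pod writes there sits on the node filesystem for the pod's lifetime; the cert-manager/secret branch just above mounts the same paths `readOnly: true`, and this branch cannot be read-only because rotation has to write into it. Where keeping the private key off local disk matters, `medium: Memory` under `emptyDir:` keeps it in tmpfs, still bounded by the existing `sizeLimit: 50Mi` (which then counts against the container's memory limit). The identical volume definition is added in registry-adapter.yaml and scanner-deployment.yaml. The enclosing `volumes:` block starts outside the hunk.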
--- a/charts/core/templates/manager-deployment.yaml +++ b/charts/core/templates/manager-deployment.yaml @@ -11,7 +11,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: replicas: 1 selector: @@ -25,15 +24,13 @@ spec: {{- with .Values.manager.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if or .Values.manager.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }} annotations: - {{- if eq "true" (toString .Values.autoGenerateCert) }} + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} checksum/manager-secret: {{ include (print $.Template.BasePath "/manager-secret.yaml") . | sha256sum }} {{- end }} {{- if .Values.manager.podAnnotations }} {{- toYaml .Values.manager.podAnnotations | nindent 8 }} {{- end }} - {{- end }} spec: {{- if .Values.manager.affinity }} affinity: @@ -112,7 +109,7 @@ spec: subPath: {{ .Values.manager.certificate.pemFile }} name: cert readOnly: true - {{- else if eq "true" (toString .Values.autoGenerateCert) }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} - mountPath: /etc/neuvector/certs/ssl-cert.key subPath: ssl-cert.key name: cert @@ -175,7 +172,7 @@ spec: - name: cert secret: secretName: {{ .Values.manager.certificate.secret }} - {{- else if eq "true" (toString .Values.autoGenerateCert) }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} - name: cert secret: secretName: neuvector-manager-secret diff --git a/charts/core/templates/manager-ingress.yaml b/charts/core/templates/manager-ingress.yaml index 52826fc5..9dc4bb53 100644 --- a/charts/core/templates/manager-ingress.yaml +++ b/charts/core/templates/manager-ingress.yaml 
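Review bot: Dropping the outer `{{- if or .Values.manager.podAnnotations ... }}` guard makes `annotations:` unconditional, so with `autoGenerateCert=false`, no `manager.certificate.key`/`certificate` and no `podAnnotations` the pod template renders a bare `annotations:` key (YAML null); the API server tolerates it, but the guard existed to avoid exactly that output, and the registry-adapter.yaml hunk removes the same guard. Keeping it with the widened condition preserves the previous rendering: `{{- if or .Values.manager.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }}`. The `or ... (and key certificate)` expression now appears four times across this file and manager-secret.yaml; a named template (`define`) returning it would keep the copies from drifting.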
@@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.manager.ingress.ingressClassName }} ingressClassName: {{ .Values.manager.ingress.ingressClassName | quote }} @@ -49,7 +48,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.manager.ingress.tls }} tls: diff --git a/charts/core/templates/manager-route.yaml b/charts/core/templates/manager-route.yaml index 77262d5b..f79a7332 100644 --- a/charts/core/templates/manager-route.yaml +++ b/charts/core/templates/manager-route.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.manager.route.host }} host: {{ .Values.manager.route.host }} diff --git a/charts/core/templates/manager-secret.yaml b/charts/core/templates/manager-secret.yaml index 601dae37..46563bcb 100644 --- a/charts/core/templates/manager-secret.yaml +++ b/charts/core/templates/manager-secret.yaml @@ -1,7 +1,12 @@ {{- if .Values.manager.enabled -}} -{{- if eq "true" (toString .Values.autoGenerateCert) }} +{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} +{{- $cert := (dict) }} +{{- if and .Values.manager.certificate.key .Values.manager.certificate.certificate }} +{{- $cert = (dict "Key" .Values.manager.certificate.key "Cert" .Values.manager.certificate.certificate ) }} +{{- else }} {{- $cn := "neuvector" }} -{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +{{- $cert = genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +{{- end }} apiVersion: v1 kind: Secret metadata: 
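Review bot: When `manager.certificate.key` and `manager.certificate.certificate` are both set, `$cert` is built from the values, but the `data:` entries below still pass through `neuvector.secrets.lookup` with that material only as `defaultValue`; if the helper prefers an already existing `neuvector-manager-secret` (its body is not in this diff), a key supplied or rotated through values is silently ignored on upgrade until the secret is deleted. Either bypass the lookup when user material is present, or document the precedence next to the new values. I also see no documentation for `manager.certificate.key`/`certificate` in this diff; a private key passed through values is retained in the Helm release record as well as in the rendered Secret, which users should know before choosing this path over `manager.certificate.secret`.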
@@ -10,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm type: Opaque data: ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} diff --git a/charts/core/templates/manager-service.yaml b/charts/core/templates/manager-service.yaml index 0778d897..b310f63d 100644 --- a/charts/core/templates/manager-service.yaml +++ b/charts/core/templates/manager-service.yaml @@ -11,7 +11,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.manager.svc.type }} {{- if and .Values.manager.svc.loadBalancerIP (eq .Values.manager.svc.type "LoadBalancer") }} diff --git a/charts/core/templates/psp.yaml b/charts/core/templates/psp.yaml index 97bf757e..2d9d77e8 100644 --- a/charts/core/templates/psp.yaml +++ b/charts/core/templates/psp.yaml @@ -7,7 +7,6 @@ metadata: seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} spec: privileged: true @@ -44,7 +43,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} rules: - apiGroups: @@ -64,7 +62,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io @@ -89,7 +86,6 @@ metadata: name: neuvector-binding-psp-controller labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} spec: privileged: false @@ -125,7 +121,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} rules: - apiGroups: 
@@ -145,7 +140,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/charts/core/templates/pvc.yaml b/charts/core/templates/pvc.yaml index b7e97e7d..d0c51962 100644 --- a/charts/core/templates/pvc.yaml +++ b/charts/core/templates/pvc.yaml @@ -8,7 +8,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: accessModes: {{ toYaml .Values.controller.pvc.accessModes | indent 4 }} diff --git a/charts/core/templates/registry-adapter-ingress.yaml b/charts/core/templates/registry-adapter-ingress.yaml index aec7161c..ab05054f 100644 --- a/charts/core/templates/registry-adapter-ingress.yaml +++ b/charts/core/templates/registry-adapter-ingress.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.cve.adapter.ingress.ingressClassName }} ingressClassName: {{ .Values.cve.adapter.ingress.ingressClassName | quote }} @@ -51,7 +50,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.cve.adapter.ingress.tls }} tls: @@ -87,7 +85,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.cve.adapter.route.host }} host: {{ .Values.cve.adapter.route.host }} diff --git a/charts/core/templates/registry-adapter-secret.yaml b/charts/core/templates/registry-adapter-secret.yaml index 64ee05f1..66f0d80e 100644 --- a/charts/core/templates/registry-adapter-secret.yaml +++ b/charts/core/templates/registry-adapter-secret.yaml 
@@ -1,7 +1,13 @@ {{- if .Values.cve.adapter.enabled -}} -{{- if eq "true" (toString .Values.autoGenerateCert) }} +{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} +{{- $cert := (dict) }} +{{- if and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate }} +{{- $cert = (dict "Key" .Values.cve.adapter.certificate.key "Cert" .Values.cve.adapter.certificate.certificate ) }} +{{- else }} {{- $cn := "neuvector" }} -{{- $cert := genSelfSignedCert $cn nil (list $cn "neuvector-service-registry-adapter.cattle-neuvector-system.svc.cluster.local" "neuvector-service-registry-adapter") (.Values.defaultValidityPeriod | int) -}} +{{- $cert = genSelfSignedCert $cn nil (list $cn "neuvector-service-registry-adapter.cattle-neuvector-system.svc.cluster.local" "neuvector-service-registry-adapter") (.Values.defaultValidityPeriod | int) -}} +{{- end }} + apiVersion: v1 kind: Secret metadata: diff --git a/charts/core/templates/registry-adapter.yaml b/charts/core/templates/registry-adapter.yaml index 6f636f16..d8c7092c 100644 --- a/charts/core/templates/registry-adapter.yaml +++ b/charts/core/templates/registry-adapter.yaml @@ -1,3 +1,7 @@ +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} {{- if .Values.cve.adapter.enabled -}} {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} apiVersion: apps/v1 @@ -11,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: replicas: 1 selector: 
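Review bot: The rewritten `genSelfSignedCert` call keeps the SAN `neuvector-service-registry-adapter.cattle-neuvector-system.svc.cluster.local` with the namespace hard-coded, so a release installed into any other namespace gets a certificate whose DNS name does not match the service it fronts; since the line is being rewritten anyway, `(printf "neuvector-service-registry-adapter.%s.svc.cluster.local" .Release.Namespace)` derives it from the release. The precedence between `cve.adapter.certificate.key`/`certificate` and a pre-existing secret mirrors manager-secret.yaml and deserves the same clarification. The added blank `+` line after `{{- end }}` is emitted into the rendered document and looks unintended.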
@@ -25,15 +28,13 @@ spec: {{- with .Values.cve.adapter.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if or .Values.cve.adapter.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }} annotations: - {{- if eq "true" (toString .Values.autoGenerateCert) }} + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} checksum/registry-adapter-secret: {{ include (print $.Template.BasePath "/registry-adapter-secret.yaml") . | sha256sum }} {{- end }} {{- if .Values.cve.adapter.podAnnotations }} {{- toYaml .Values.cve.adapter.podAnnotations | nindent 8 }} {{- end }} - {{- end }} spec: {{- if .Values.cve.adapter.affinity }} affinity: @@ -97,6 +98,11 @@ spec: name: {{ .Values.cve.adapter.harbor.secretName }} key: password {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }} + {{- else if .Values.internal.autoGenerateCert }} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} {{- with .Values.cve.adapter.env }} {{- toYaml . | nindent 14 }} {{- end }} @@ -114,6 +120,9 @@ spec: subPath: {{ .Values.cve.adapter.internal.certificate.caFile }} name: internal-cert readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir {{- end }} {{- if .Values.cve.adapter.certificate.secret }} - mountPath: /etc/neuvector/certs/ssl-cert.key @@ -124,7 +133,7 @@ spec: subPath: {{ .Values.cve.adapter.certificate.pemFile }} name: cert readOnly: true - {{- else if eq "true" (toString .Values.autoGenerateCert) }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} - mountPath: /etc/neuvector/certs/ssl-cert.key subPath: ssl-cert.key name: cert 
@@ -146,7 +155,7 @@ spec: - name: cert secret: secretName: {{ .Values.cve.adapter.certificate.secret }} - {{- else if eq "true" (toString .Values.autoGenerateCert) }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} - name: cert secret: secretName: neuvector-registry-adapter-secret @@ -155,8 +164,11 @@ spec: - name: internal-cert secret: secretName: {{ .Values.cve.adapter.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi {{- end }} - --- apiVersion: v1 @@ -171,7 +183,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.cve.adapter.svc.type }} {{- if and .Values.cve.adapter.svc.loadBalancerIP (eq .Values.cve.adapter.svc.type "LoadBalancer") }} diff --git a/charts/core/templates/role-least.yaml b/charts/core/templates/role-least.yaml index 85202c9b..7520d7c9 100644 --- a/charts/core/templates/role-least.yaml +++ b/charts/core/templates/role-least.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - apps diff --git a/charts/core/templates/role.yaml b/charts/core/templates/role.yaml index 01dc47c4..3ded8c97 100644 --- a/charts/core/templates/role.yaml +++ b/charts/core/templates/role.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - "" 
@@ -22,3 +21,111 @@ rules: - secrets verbs: - get + - list + - watch + +--- + +{{- if .Values.internal.autoGenerateCert }} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-lease + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - update +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-job-creation + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - get + - delete +- apiGroups: + - batch + resources: + - cronjobs + - cronjobs/finalizers + verbs: + - update + - patch +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - update + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list +- apiGroups: + - "apps" + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + verbs: + - update +{{- end }} diff --git a/charts/core/templates/rolebinding-least.yaml b/charts/core/templates/rolebinding-least.yaml index 19cdec08..a3effd3f 100644 --- a/charts/core/templates/rolebinding-least.yaml +++ b/charts/core/templates/rolebinding-least.yaml @@ -16,7 +16,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io 
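Review bot: The new `neuvector-binding-lease` Role grants `get`/`update` on every Lease in the namespace, although the only lease this chart creates is `neuvector-cert-upgrader` (upgrader-lease.yaml); both verbs honour `resourceNames`, so adding `  resourceNames:` / `  - neuvector-cert-upgrader` under that rule limits the grant to the object actually used. The first lines of the hunk also widen the existing secrets rule from `get` to `get`/`list`/`watch`, and `neuvector-binding-cert-upgrader` repeats `list`/`watch` on secrets; `list` is effectively namespace-wide, so every bound account can enumerate all Secrets in the namespace, and a template comment stating why listing is needed (presumably to observe the internal-cert secret for rotation) would stop a later least-privilege pass from removing it blindly. The rule those verbs extend starts outside the hunk.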
@@ -35,8 +34,101 @@ userNames: - system:serviceaccount:{{ .Release.Namespace }}:controller {{- end }} +{{- if .Values.internal.autoGenerateCert }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-lease + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-lease +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: cert-upgrader + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +- system:serviceaccount:{{ .Release.Namespace }}:controller +- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-job-creation + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-job-creation +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-cert-upgrader +subjects: +- kind: ServiceAccount + name: cert-upgrader + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader +{{- end }} --- - {{- if $oc3 }} apiVersion: authorization.openshift.io/v1 {{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} @@ -51,7 +143,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io 
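Review bot: In the new `neuvector-binding-lease` RoleBinding the OpenShift `userNames:` list includes `system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}`, but `subjects:` names only `controller` and `cert-upgrader`; the two lists should agree, and in this least-privilege file `{{ .Values.serviceAccount }}` is presumably not an identity any pod uses. The `{{- end }}` that closes `{{- if .Values.internal.autoGenerateCert }}` comes after the job-creation binding, so `neuvector-binding-cert-upgrader` renders even when the Role of that name (role.yaml, guarded by the same flag) does not; rolebinding.yaml has the same drift with its guard closing after the lease binding only. As far as the collapsed hunk shows, moving that `{{- end }}` to just before the unchanged `---` that follows the cert-upgrader binding brings all three files into step.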
@@ -62,9 +153,21 @@ subjects: - kind: ServiceAccount name: controller namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: registry-adapter + namespace: {{ .Release.Namespace }} {{- if $oc3 }} userNames: - system:serviceaccount:{{ .Release.Namespace }}:controller +- system:serviceaccount:{{ .Release.Namespace }}:enforcer +- system:serviceaccount:{{ .Release.Namespace }}:scanner +- system:serviceaccount:{{ .Release.Namespace }}:registry-adapter {{- end }} --- @@ -78,7 +181,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -135,7 +237,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - security.openshift.io @@ -156,7 +257,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/core/templates/rolebinding.yaml b/charts/core/templates/rolebinding.yaml index 23c07f4f..8a721dc7 100644 --- a/charts/core/templates/rolebinding.yaml +++ b/charts/core/templates/rolebinding.yaml @@ -16,7 +16,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -48,7 +47,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -75,7 +73,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
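Review bot: This hunk binds the `enforcer`, `scanner` and `registry-adapter` service accounts to a Role whose name and `roleRef` start outside the hunk; if it is the role whose secrets rule role.yaml widens to `get`/`list`/`watch` in this same commit, three more workloads, including the per-node enforcer DaemonSet, gain read and enumeration of every Secret in the namespace. That is a material change to the least-privilege profile and deserves a template comment or README line stating which secret each of them needs (presumably the internal certificate) and whether a `resourceNames`-scoped `get` on that one secret would suffice for the components that only read it.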
@@ -85,4 +82,92 @@ subjects: name: {{ .Values.serviceAccount }} namespace: {{ .Release.Namespace }} {{- end }} + +--- + +{{- if .Values.internal.autoGenerateCert }} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-lease + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role {{- end }} + name: neuvector-binding-lease +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-job-creation + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-job-creation +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-cert-upgrader +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader +{{- end }} +{{- end }} + diff --git a/charts/core/templates/scanner-deployment.yaml b/charts/core/templates/scanner-deployment.yaml index 0e41c334..3f1c0dec 100644 --- a/charts/core/templates/scanner-deployment.yaml +++ b/charts/core/templates/scanner-deployment.yaml @@ -1,3 +1,7 @@ +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} {{- if .Values.cve.scanner.enabled -}} {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} apiVersion: apps/v1 @@ -10,7 +14,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} spec: strategy: 
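Review bot: The OpenShift `userNames:` entries in the new `neuvector-binding-job-creation` and `neuvector-binding-cert-upgrader` RoleBindings name `controller` and `cert-upgrader`, while `subjects:` in both binds `{{ .Values.serviceAccount }}`; in this non-least-privilege path upgrader-cronjob.yaml runs the job as `{{ .Values.serviceAccount }}`, so on OpenShift 3 the bindings would point at accounts that are not in play here. Both lines should read `- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}`. The lease binding in this file has no `userNames` block for `$oc3` at all, which is inconsistent with the other two in the same hunk.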
@@ -94,13 +97,18 @@ spec: - name: SCANNER_DOCKER_URL value: {{ .Values.cve.scanner.dockerPath }} {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} + {{- else if .Values.internal.autoGenerateCert }} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} {{- with .Values.cve.scanner.env }} {{- toYaml . | nindent 12 }} {{- end }} resources: {{ toYaml .Values.cve.scanner.resources | indent 12 }} - {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} volumeMounts: + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} - mountPath: /etc/neuvector/certs/internal/cert.key subPath: {{ .Values.cve.scanner.internal.certificate.keyFile }} name: internal-cert @@ -113,12 +121,19 @@ spec: subPath: {{ .Values.cve.scanner.internal.certificate.caFile }} name: internal-cert readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir {{- end }} restartPolicy: Always - {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} volumes: + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} - name: internal-cert secret: secretName: {{ .Values.cve.scanner.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi {{- end }} {{- end }} diff --git a/charts/core/templates/serviceaccount-least.yaml b/charts/core/templates/serviceaccount-least.yaml index 8b925644..f018447a 100644 --- a/charts/core/templates/serviceaccount-least.yaml +++ b/charts/core/templates/serviceaccount-least.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- 
@@ -19,7 +18,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- @@ -31,7 +29,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- @@ -43,7 +40,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- @@ -55,7 +51,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- @@ -67,6 +62,15 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} {{- end }} diff --git a/charts/core/templates/serviceaccount.yaml b/charts/core/templates/serviceaccount.yaml index 46a3027c..dc625cde 100644 --- a/charts/core/templates/serviceaccount.yaml +++ b/charts/core/templates/serviceaccount.yaml @@ -8,6 +8,5 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm {{- end }} {{- end }} diff --git a/charts/core/templates/updater-cronjob.yaml b/charts/core/templates/updater-cronjob.yaml index e34422ad..936ec4b8 100644 --- a/charts/core/templates/updater-cronjob.yaml +++ b/charts/core/templates/updater-cronjob.yaml @@ -13,7 +13,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: schedule: {{ .Values.cve.updater.schedule | quote }} jobTemplate: diff --git a/charts/core/templates/upgrader-cronjob.yaml b/charts/core/templates/upgrader-cronjob.yaml new file mode 100644 index 00000000..62f2bc11 --- /dev/null +++ b/charts/core/templates/upgrader-cronjob.yaml 
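Review bot: The new `cert-upgrader` ServiceAccount is emitted whenever this file renders, while the Role and RoleBinding it is meant for (role.yaml, rolebinding-least.yaml) are gated on `internal.autoGenerateCert`, so disabling that flag leaves an orphan account behind; wrapping the block in `{{- if .Values.internal.autoGenerateCert }}` … `{{- end }}` keeps the three in step. A comment above it, `# identity for the neuvector-cert-upgrader-pod CronJob (upgrader-cronjob.yaml, leastPrivilege mode)`, would tell a reader why a separate account exists. The file's outer guard starts outside the hunk.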
@@ -0,0 +1,82 @@
+{{- if and .Values.controller.enabled .Values.internal.autoGenerateCert -}}
+{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: batch/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: batch/v1beta1
+{{- else }}
+apiVersion: batch/v2alpha1
+{{- end }}
+kind: CronJob
+metadata:
+ name: neuvector-cert-upgrader-pod
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+spec:
+{{- if .Values.controller.certupgrader.schedule }}
+ schedule: {{ .Values.controller.certupgrader.schedule | quote }}
+{{- else }}
+ schedule: "0 0 1 1 *"
+ suspend: true
+{{- end }}
+ concurrencyPolicy: Forbid
+ failedJobsHistoryLimit: 3
+ successfulJobsHistoryLimit: 3
+ jobTemplate:
+ spec:
+ activeDeadlineSeconds: {{ .Values.controller.certupgrader.timeout }}
+ parallelism: 1
+ completions: 1
+ backoffLimit: 6
+ template:
+ metadata:
+ labels:
+ app: neuvector-cert-upgrader-pod
+ release: {{ .Release.Name }}
+ {{- with .Values.controller.certupgrader.podLabels }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.controller.certupgrader.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ spec:
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ - name: {{ .Values.imagePullSecrets }}
+ {{- end }}
+ {{- if .Values.controller.certupgrader.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.controller.certupgrader.nodeSelector | indent 12 }}
+ {{- end }}
+ {{- if .Values.controller.certupgrader.priorityClassName }}
+ priorityClassName: {{ .Values.controller.certupgrader.priorityClassName }}
+ {{- end }}
+ {{- if .Values.leastPrivilege }}
+ serviceAccountName: cert-upgrader
+ serviceAccount: cert-upgrader
+ {{- else }}
+ serviceAccountName: {{ .Values.serviceAccount }}
+ serviceAccount: {{ .Values.serviceAccount }}
+ {{- end }}
+ restartPolicy: Never
+ {{- if .Values.controller.certupgrader.runAsUser }}
+ securityContext:
+ runAsUser: {{ .Values.controller.certupgrader.runAsUser }}
+ {{- end }}
+ containers:
+ - name: neuvector-cert-upgrader-pod
+ image: {{ include "neuvector.controller.image" . | quote }}
+ imagePullPolicy: {{ .Values.controller.certupgrader.imagePullPolicy }}
+ command:
+ - /usr/local/bin/upgrader
+ - upgrader-job
+ {{- if and .Values.internal.autoRotateCert }}
+ - --enable-rotation
+ {{- end }}
+ env:
+ {{- with .Values.controller.certupgrader.env }}
+{{- toYaml . | nindent 14 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/core/templates/upgrader-lease.yaml b/charts/core/templates/upgrader-lease.yaml
new file mode 100644
index 00000000..2afa935d
--- /dev/null
+++ b/charts/core/templates/upgrader-lease.yaml
@@ -0,0 +1,8 @@
+{{- if .Values.internal.autoGenerateCert }}
+apiVersion: coordination.k8s.io/v1
+kind: Lease
+metadata:
+ name: neuvector-cert-upgrader
+spec:
+ leaseTransitions: 0
+{{- end }}
diff --git a/charts/core/values.yaml b/charts/core/values.yaml
index 549bdda8..a5610885 100644
--- a/charts/core/values.yaml
+++ b/charts/core/values.yaml
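Review bot: The pod `securityContext` carries only `runAsUser`, and only when `.Values.controller.certupgrader.runAsUser` is set, while the `neuvector-cert-upgrader-pod` container has no `securityContext` at all; for a job that is presumably handling the internal certificate and its key, dropping all capabilities and privilege escalation at the container level is cheap and does not depend on any value being configured. `readOnlyRootFilesystem: true` would be the next step if the upgrader binary does not write to its own filesystem, which this diff does not show. Separately, `{{- if and .Values.internal.autoRotateCert }}` applies `and` to a single operand, so `{{- if .Values.internal.autoRotateCert }}` is the same test without the noise. In the non-`leastPrivilege` path the job reuses `.Values.serviceAccount`, so whatever RBAC the rotation needs lands on that shared account rather than on `cert-upgrader`; a comment in values.yaml saying that is intended would save the next reader the question.
```yaml
      containers:
        - name: neuvector-cert-upgrader-pod
          image: {{ include "neuvector.controller.image" . | quote }}
          imagePullPolicy: {{ .Values.controller.certupgrader.imagePullPolicy }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # … unchanged: command, env …
```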
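Review bot: The Lease is rendered without `namespace: {{ .Release.Namespace }}` and without the `chart`/`release` labels that every other resource in this diff carries, so it is the one object whose namespace is decided by the helm invocation rather than by the template. It is also gated on `.Values.internal.autoGenerateCert` alone, while the CronJob that presumably holds it is gated on `and .Values.controller.enabled .Values.internal.autoGenerateCert`, so with `controller.enabled: false` a Lease is created for a job that is never rendered. Aligning the guard to `{{- if and .Values.controller.enabled .Values.internal.autoGenerateCert }}` and adding the namespace and label lines keeps it consistent with the CronJob.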
@@ -57,14 +57,19 @@ global: # required for rancher authentication (https:///) tag: latest imagePullPolicy: IfNotPresent +# Set a bootstrap password. If leave empty, default admin password used. +bootstrapPassword: "" + autoGenerateCert: true defaultValidityPeriod: 365 -internal: # enable when cert-manager is installed for the internal certificates - certmanager: +internal: + certmanager: # enable when cert-manager is installed for the internal certificates enabled: false secretname: neuvector-internal + autoGenerateCert: true + autoRotateCert: false controller: # If false, controller will not be installed @@ -84,6 +89,7 @@ controller: priorityClassName: podLabels: {} podAnnotations: {} + searchRegistries: env: [] affinity: podAntiAffinity: @@ -142,6 +148,12 @@ controller: secret: "" keyFile: tls.key pemFile: tls.pem + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: secret: "" @@ -285,6 +297,21 @@ controller: - Fullname: admin Password: Role: admin + certupgrader: + env: [] + # The cronjob schedule that cert-upgrader will run to check and rotate internal certificate. + # default: "" (off) + schedule: "" + imagePullPolicy: IfNotPresent + timeout: 3600 + priorityClassName: + podLabels: {} + podAnnotations: {} + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster enforcer: # If false, enforcer will not be installed @@ -363,6 +390,12 @@ manager: secret: "" keyFile: tls.key pemFile: tls.pem + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- ingress: enabled: false host: # MUST be set, if ingress is enabled 
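Review bot: `bootstrapPassword: ""` is a credential field in values.yaml, and anything set there is persisted in the Helm release Secret and in any values file committed to version control, which the comment above it does not mention. The comment should say how to supply it without writing it down, e.g. `# Bootstrap password for the admin user. Leave empty to keep the default admin password. Prefer passing it at install time (--set bootstrapPassword=...) over storing it in a values file.` The existing wording `If leave empty, default admin password used` also reads awkwardly and is fixed by the same rewrite.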
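Review bot: The commented `#key: |` / `#certificate: |` example in the `@@ -142` hunk invites users to paste a PEM private key straight into values.yaml, directly below the `secret: ""` field that already exists for referencing one from a Kubernetes Secret; the same example is repeated in the `@@ -363` (manager) and `@@ -434` (cve) hunks. If the inline form is supported, the comment should say that a value given here lands in the Helm release Secret and in any committed values file and that `secret:` is the preferred route, e.g. `# Inline PEM is stored in the Helm release and in your values file; prefer referencing an existing Secret via secret: above.` Nothing in this diff shows a template consuming `key` or `certificate`, so if they are not wired up yet the example is better removed than left as a hint.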
@@ -434,6 +467,12 @@ cve: secret: "" keyFile: tls.key pemFile: tls.crt + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- harbor: protocol: https secretName: diff --git a/test/role_test.go b/test/role_test.go index ecac3bcc..8f61aebd 100644 --- a/test/role_test.go +++ b/test/role_test.go @@ -18,7 +18,7 @@ func TestRoleBinding(t *testing.T) { out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/rolebinding.yaml"}) outs := splitYaml(out) - if len(outs) != 2 { + if len(outs) != 4 { t.Errorf("Resource count is wrong. count=%v\n", len(outs)) } } @@ -98,7 +98,7 @@ func TestRoleBindingLeastPrivilege(t *testing.T) { out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/rolebinding-least.yaml"}) outs := splitYaml(out) - if len(outs) != 2 { + if len(outs) != 5 { t.Errorf("Resource count is wrong. count=%v\n", len(outs)) } } diff --git a/test/sa_test.go b/test/sa_test.go index 548e66f0..89d0e740 100644 --- a/test/sa_test.go +++ b/test/sa_test.go @@ -19,7 +19,7 @@ func TestServiceAccountLeastPrivilege(t *testing.T) { out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/serviceaccount-least.yaml"}) outs := splitYaml(out) - if len(outs) != 6 { + if len(outs) != 7 { t.Errorf("Resource count is wrong. count=%v\n", len(outs)) } }
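Review bot: The assertion in `TestRoleBinding` still checks only `len(outs)`, now against 4; a count-only check passes equally for the two intended new bindings and for any other two documents, so asserting the rendered `metadata.name` of each expected binding would pin what this commit actually adds. The same applies to `len(outs) != 5` in `TestRoleBindingLeastPrivilege` and `len(outs) != 7` in `TestServiceAccountLeastPrivilege`. The rolebinding template changes that justify 2→4 and 2→5 are not in this excerpt, and each test function starts outside its hunk.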