From 2cd1dc1418f76f2949a6d6a60fe8463517e189e0 Mon Sep 17 00:00:00 2001
From: Selvam Thangaraj
Date: Mon, 22 Jul 2024 21:08:11 +0000
Subject: [PATCH 01/16] Add bootstrap password support
---
 charts/core/README.md | 1 +
 charts/core/templates/NOTES.txt | 11 +++++++++++
 charts/core/templates/bootstrap-secret.yaml | 20 ++++++++++++++++++++
 charts/core/values.yaml | 3 +++
 4 files changed, 35 insertions(+)
 create mode 100644 charts/core/templates/bootstrap-secret.yaml
diff --git a/charts/core/README.md b/charts/core/README.md
index af89e395..d92a4e20 100644
--- a/charts/core/README.md
+++ b/charts/core/README.md
@@ -23,6 +23,7 @@ Parameter | Description | Default | Notes
 `psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` |
 `serviceAccount` | Service account name for NeuVector components | `default` |
 `leastPrivilege` | Use least privileged service account | `false` |
+`bootstrapPassword` | Set password for admin user account if present | `false` | Random password generated if aws billing is enabled
 `autoGenerateCert` | Automatically generate certificate or not | `true` |
 `internal.certmanager.enabled` | cert-manager is installed for the internal certificates | `false` |
 `internal.certmanager.secretname` | Name of the secret to be used for the internal certificates | `neuvector-internal` |
diff --git a/charts/core/templates/NOTES.txt b/charts/core/templates/NOTES.txt
index 2360cee8..30d892fc 100644
--- a/charts/core/templates/NOTES.txt
+++ b/charts/core/templates/NOTES.txt
@@ -21,3 +21,14 @@ Get the NeuVector URL by running these commands: echo https://$SERVICE_IP:8443 {{- end }} {{- end }} + + +{{- if or (.Values.global.aws.enabled) (.Values.bootstrapPassword) }} + +NOTE: Use below command to get the password to login to NeuVector WebUi using admin account if it is a fresh install and not a restore from PVC, no admin password is set in the configmap or secret. This password is randomly generated if the bootstrap password is not specified during the deployment or AWS cloud billing is enabled. + +To get the bootstrap password: + +kubectl get secret --namespace {{ .Release.Namespace }} neuvector-bootstrap-secret -o go-template='{{ "{{" }}.data.bootstrapPassword|base64decode{{ "}}" }}{{ "{{" }} "\n" {{ "}}" }}' + +{{- end }} diff --git a/charts/core/templates/bootstrap-secret.yaml b/charts/core/templates/bootstrap-secret.yaml new file mode 100644 index 00000000..304aed9d --- /dev/null +++ b/charts/core/templates/bootstrap-secret.yaml @@ -0,0 +1,20 @@ +{{/* Use the bootstrap password from values.yaml or random value*/}} +{{- $bootstrapPassword := .Values.bootstrapPassword -}} +{{- if .Values.global.aws.enabled -}} + {{- $bootstrapPassword = randAlphaNum 18 -}} +{{- end -}} +{{/* If a bootstrap password was found in the values or AWS is enabled */}} +{{- if $bootstrapPassword }} +apiVersion: v1 +kind: Secret +metadata: + name: "neuvector-bootstrap-secret" + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +type: Opaque +data: + bootstrapPassword: {{ $bootstrapPassword | b64enc |quote }} +{{- end }} diff --git a/charts/core/values.yaml b/charts/core/values.yaml index 6da79bb3..a2c0bf25 100644 --- a/charts/core/values.yaml +++ b/charts/core/values.yaml 
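Review bot: The first sentence of the added NOTE in NOTES.txt is hard to parse — the conditions ("fresh install", "not a restore from PVC", "no admin password is set in the configmap or secret") run together without a connective, so a reader cannot tell which of them must hold for the command to be relevant. Proposed wording: `NOTE: Use the command below to get the admin password for the NeuVector WebUI. It applies only to a fresh install (not a restore from PVC) where no admin password is set in the configmap or secret.` Since the printed value is a bootstrap credential that remains stored in `neuvector-bootstrap-secret` in the release namespace, a closing line such as `Change the admin password after the first login.` would tell operators what is expected of them; whether the controller itself rotates the password afterwards is not visible here.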
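Review bot: `randAlphaNum 18` in the `$bootstrapPassword` assignment runs on every render, so with `global.aws.enabled` each `helm upgrade` writes a fresh value into `neuvector-bootstrap-secret` and the password that NOTES.txt tells the operator to read no longer matches whatever the controller applied at install time. The chart already has a helper for this situation — controller-secret.yaml in this series keeps `ssl-cert.key` stable with `include "neuvector.secrets.lookup"` — so the `data` line could become `bootstrapPassword: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-bootstrap-secret" "key" "bootstrapPassword" "defaultValue" $bootstrapPassword) }}` (assuming the helper emits a base64 value, as its use under `data:` there suggests — confirm against the helper definition). The same `if .Values.global.aws.enabled` block also silently discards a password the operator set explicitly in `bootstrapPassword`; if that is intended for the AWS billing flow, a template comment saying so would stop the next reader from "fixing" it, otherwise `{{- if and .Values.global.aws.enabled (not .Values.bootstrapPassword) -}}` keeps the operator's value.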
@@ -57,6 +57,9 @@ global: # required for rancher authentication (https:///) tag: latest imagePullPolicy: IfNotPresent +# Set a bootstrap password. If leave empty, default admin password used. +bootstrapPassword: "" + autoGenerateCert: true defaultValidityPeriod: 365 From 661c876b1a7a919399566a942160e98259d04599 Mon Sep 17 00:00:00 2001 From: Selvam Thangaraj Date: Mon, 22 Jul 2024 22:58:01 +0000 Subject: [PATCH 02/16] disable admin only for azure --- charts/core/templates/controller-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml index 8c2a1d5f..a6235285 100644 --- a/charts/core/templates/controller-deployment.yaml +++ b/charts/core/templates/controller-deployment.yaml @@ -153,7 +153,7 @@ spec: - name: CSP_ENV value: "azure" {{- end }} - {{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} + {{- if .Values.global.azure.enabled }} - name: NO_DEFAULT_ADMIN value: "1" {{- end }} From 283941c7fc041568003ce210b104c590f12ffaae Mon Sep 17 00:00:00 2001 From: Selvam Thangaraj Date: Mon, 22 Jul 2024 23:53:49 +0000 Subject: [PATCH 03/16] Update Notes for bootstrap password support --- charts/core/templates/NOTES.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/core/templates/NOTES.txt b/charts/core/templates/NOTES.txt index 30d892fc..f2492a0f 100644 --- a/charts/core/templates/NOTES.txt +++ b/charts/core/templates/NOTES.txt 
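Review bot: The comment above `bootstrapPassword: ""` reads awkwardly (`If leave empty, default admin password used.`) and does not tell the operator that the value ends up in a Kubernetes Secret in the release namespace; proposed: `# Bootstrap password for the admin account, stored in neuvector-bootstrap-secret. Leave empty to keep the default admin password. Prefer passing it with --set or a separate values file rather than committing it here.` The README row added in the same commit lists the default as `false` while the value here is the empty string `""`; the two should agree, since `false` and `""` behave the same in the template's `if` but read differently to a user.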
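Review bot: Dropping `.Values.global.aws.enabled` from the `NO_DEFAULT_ADMIN` condition means an AWS install now keeps the default admin account while bootstrap-secret.yaml from the previous commit generates a random password for it, and nothing in this hunk shows the controller being pointed at `neuvector-bootstrap-secret` (no env or volume reference). If the controller reads that secret by name at startup, a comment making the split explicit would help the next maintainer, e.g. `{{/* Azure only: on AWS the controller takes the admin password from neuvector-bootstrap-secret instead of disabling the default admin */}}` above the `if`. The env list continues outside the hunk, so the reference may well exist there.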
@@ -25,7 +25,7 @@ Get the NeuVector URL by running these commands: {{- if or (.Values.global.aws.enabled) (.Values.bootstrapPassword) }} -NOTE: Use below command to get the password to login to NeuVector WebUi using admin account if it is a fresh install and not a restore from PVC, no admin password is set in the configmap or secret. This password is randomly generated if the bootstrap password is not specified during the deployment or AWS cloud billing is enabled. +NOTE: Use below command to get the password to login to NeuVector WebUi using admin account if it is a fresh install and not a restore from PVC, no admin password is set in the configmap or secret. The password is randomly generated during the deployment if AWS cloud billing is enabled. To get the bootstrap password: From 2ec2650ee53c43eb1037d4630f0fe32a98beb6f8 Mon Sep 17 00:00:00 2001 
From: Selvam Thangaraj Date: Mon, 5 Aug 2024 19:41:01 +0000 Subject: [PATCH 04/16] Removed Heritage --- .../core/templates/admission-webhook-service.yaml | 1 - charts/core/templates/bootstrap-secret.yaml | 1 - charts/core/templates/clusterrole.yaml | 4 ---- .../core/templates/clusterrolebinding-least.yaml | 5 ----- charts/core/templates/clusterrolebinding.yaml | 5 ----- charts/core/templates/controller-deployment.yaml | 1 - charts/core/templates/controller-ingress.yaml | 6 ------ charts/core/templates/controller-route.yaml | 3 --- charts/core/templates/controller-secret.yaml | 1 - charts/core/templates/controller-service.yaml | 4 ---- charts/core/templates/crd-role-least.yaml | 14 -------------- charts/core/templates/crd-role.yaml | 14 -------------- charts/core/templates/crd.yaml | 8 -------- charts/core/templates/csp-clusterrole.yaml | 2 -- charts/core/templates/csp-clusterrolebinding.yaml | 2 -- charts/core/templates/csp-crd.yaml | 1 - charts/core/templates/csp-deployment.yaml | 1 - charts/core/templates/csp-role.yaml | 1 - charts/core/templates/csp-rolebinding.yaml | 1 - charts/core/templates/csp-serviceaccount.yaml | 1 - charts/core/templates/enforcer-daemonset.yaml | 1 - charts/core/templates/init-configmap.yaml | 1 - charts/core/templates/init-secret.yaml | 1 - charts/core/templates/manager-deployment.yaml | 1 - charts/core/templates/manager-ingress.yaml | 2 -- charts/core/templates/manager-route.yaml | 1 - charts/core/templates/manager-secret.yaml | 1 - charts/core/templates/manager-service.yaml | 1 - charts/core/templates/psp.yaml | 6 ------ charts/core/templates/pvc.yaml | 1 - .../core/templates/registry-adapter-ingress.yaml | 3 --- charts/core/templates/registry-adapter.yaml | 2 -- charts/core/templates/role-least.yaml | 1 - charts/core/templates/role.yaml | 1 - charts/core/templates/rolebinding-least.yaml | 5 ----- charts/core/templates/rolebinding.yaml | 3 --- charts/core/templates/scanner-deployment.yaml | 1 - 
charts/core/templates/serviceaccount-least.yaml | 6 ------ charts/core/templates/serviceaccount.yaml | 1 - charts/core/templates/updater-cronjob.yaml | 1 - 40 files changed, 116 deletions(-) diff --git a/charts/core/templates/admission-webhook-service.yaml b/charts/core/templates/admission-webhook-service.yaml index 0d92eec7..6a1bfa63 100644 --- a/charts/core/templates/admission-webhook-service.yaml +++ b/charts/core/templates/admission-webhook-service.yaml @@ -6,7 +6,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: ports: - port: 443 diff --git a/charts/core/templates/bootstrap-secret.yaml b/charts/core/templates/bootstrap-secret.yaml index 304aed9d..b631d506 100644 --- a/charts/core/templates/bootstrap-secret.yaml +++ b/charts/core/templates/bootstrap-secret.yaml @@ -13,7 +13,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm type: Opaque data: bootstrapPassword: {{ $bootstrapPassword | b64enc |quote }} diff --git a/charts/core/templates/clusterrole.yaml b/charts/core/templates/clusterrole.yaml index 54f33a90..49228b70 100644 --- a/charts/core/templates/clusterrole.yaml +++ b/charts/core/templates/clusterrole.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - "" @@ -44,7 +43,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: {{- if .Values.openshift }} - apiGroups: @@ -83,7 +81,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - admissionregistration.k8s.io @@ -108,7 +105,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - config.openshift.io 
diff --git a/charts/core/templates/clusterrolebinding-least.yaml b/charts/core/templates/clusterrolebinding-least.yaml index bcfca9a2..edb1007f 100644 --- a/charts/core/templates/clusterrolebinding-least.yaml +++ b/charts/core/templates/clusterrolebinding-least.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -46,7 +45,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -77,7 +75,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -108,7 +105,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -134,7 +130,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/core/templates/clusterrolebinding.yaml b/charts/core/templates/clusterrolebinding.yaml index 7147a9ff..4ea258c0 100644 --- a/charts/core/templates/clusterrolebinding.yaml +++ b/charts/core/templates/clusterrolebinding.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -46,7 +45,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io 
@@ -77,7 +75,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -108,7 +105,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -134,7 +130,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml index a6235285..88496f2a 100644 --- a/charts/core/templates/controller-deployment.yaml +++ b/charts/core/templates/controller-deployment.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm {{- with .Values.controller.annotations }} annotations: {{ toYaml . | indent 4 }} diff --git a/charts/core/templates/controller-ingress.yaml b/charts/core/templates/controller-ingress.yaml index 1ea0cdce..d8bcb32a 100644 --- a/charts/core/templates/controller-ingress.yaml +++ b/charts/core/templates/controller-ingress.yaml @@ -13,7 +13,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.ingress.ingressClassName }} ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }} @@ -50,7 +49,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.ingress.tls }} tls: 
@@ -85,7 +83,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.mastersvc.ingress.ingressClassName }} ingressClassName: {{ .Values.controller.federation.mastersvc.ingress.ingressClassName | quote }} @@ -123,7 +120,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.mastersvc.ingress.tls }} tls: @@ -158,7 +154,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.managedsvc.ingress.ingressClassName }} ingressClassName: {{ .Values.controller.federation.managedsvc.ingress.ingressClassName | quote }} @@ -196,7 +191,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.managedsvc.ingress.tls }} tls: diff --git a/charts/core/templates/controller-route.yaml b/charts/core/templates/controller-route.yaml index 377917af..b80816f1 100644 --- a/charts/core/templates/controller-route.yaml +++ b/charts/core/templates/controller-route.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.apisvc.route.host }} host: {{ .Values.controller.apisvc.route.host }} @@ -45,7 +44,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.mastersvc.route.host }} host: {{ .Values.controller.federation.mastersvc.route.host }} @@ -77,7 +75,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.managedsvc.route.host }} host: {{ .Values.controller.federation.managedsvc.route.host }} 
diff --git a/charts/core/templates/controller-secret.yaml b/charts/core/templates/controller-secret.yaml index e07504dc..b03c16db 100644 --- a/charts/core/templates/controller-secret.yaml +++ b/charts/core/templates/controller-secret.yaml @@ -10,7 +10,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm type: Opaque data: ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} diff --git a/charts/core/templates/controller-service.yaml b/charts/core/templates/controller-service.yaml index 9fbd0655..4705d491 100644 --- a/charts/core/templates/controller-service.yaml +++ b/charts/core/templates/controller-service.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: clusterIP: None ports: @@ -36,7 +35,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.controller.apisvc.type }} ports: @@ -61,7 +59,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.controller.federation.mastersvc.type }} {{- if and .Values.controller.federation.mastersvc.loadBalancerIP (eq .Values.controller.federation.mastersvc.type "LoadBalancer") }} @@ -101,7 +98,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.controller.federation.managedsvc.type }} {{- if and .Values.controller.federation.managedsvc.loadBalancerIP (eq .Values.controller.federation.managedsvc.type "LoadBalancer") }} diff --git a/charts/core/templates/crd-role-least.yaml b/charts/core/templates/crd-role-least.yaml index 64517f12..45222a48 100644 --- a/charts/core/templates/crd-role-least.yaml 
+++ b/charts/core/templates/crd-role-least.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - apiextensions.k8s.io @@ -43,7 +42,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -75,7 +73,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -103,7 +100,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -135,7 +131,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -162,7 +157,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -189,7 +183,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -221,7 +214,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -253,7 +245,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -280,7 +271,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -312,7 +302,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com 
@@ -339,7 +328,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -371,7 +359,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -398,7 +385,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io diff --git a/charts/core/templates/crd-role.yaml b/charts/core/templates/crd-role.yaml index 46d99761..ffa029c4 100644 --- a/charts/core/templates/crd-role.yaml +++ b/charts/core/templates/crd-role.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - apiextensions.k8s.io @@ -43,7 +42,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -75,7 +73,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -103,7 +100,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -135,7 +131,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -162,7 +157,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -189,7 +183,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io 
@@ -221,7 +214,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -253,7 +245,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -280,7 +271,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -312,7 +302,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -339,7 +328,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -371,7 +359,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -398,7 +385,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io diff --git a/charts/core/templates/crd.yaml b/charts/core/templates/crd.yaml index 48c5b07f..72cd24a3 100644 --- a/charts/core/templates/crd.yaml +++ b/charts/core/templates/crd.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -286,7 +285,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -560,7 +558,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: 
@@ -646,7 +643,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -773,7 +769,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -859,7 +854,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -916,7 +910,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -978,7 +971,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: ports: - port: 443 diff --git a/charts/core/templates/csp-clusterrole.yaml b/charts/core/templates/csp-clusterrole.yaml index 5e5dea5c..234f50db 100644 --- a/charts/core/templates/csp-clusterrole.yaml +++ b/charts/core/templates/csp-clusterrole.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - susecloud.net @@ -41,7 +40,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - susecloud.net diff --git a/charts/core/templates/csp-clusterrolebinding.yaml b/charts/core/templates/csp-clusterrolebinding.yaml index 244e7b43..bb0a331b 100644 --- a/charts/core/templates/csp-clusterrolebinding.yaml +++ b/charts/core/templates/csp-clusterrolebinding.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -46,7 +45,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
diff --git a/charts/core/templates/csp-crd.yaml b/charts/core/templates/csp-crd.yaml index a0ddf655..b879776e 100644 --- a/charts/core/templates/csp-crd.yaml +++ b/charts/core/templates/csp-crd.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: susecloud.net names: diff --git a/charts/core/templates/csp-deployment.yaml b/charts/core/templates/csp-deployment.yaml index 6ea55792..82ef4739 100644 --- a/charts/core/templates/csp-deployment.yaml +++ b/charts/core/templates/csp-deployment.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm {{- with .Values.global.aws.annotations }} annotations: {{ toYaml . | indent 4 }} diff --git a/charts/core/templates/csp-role.yaml b/charts/core/templates/csp-role.yaml index 4c7df981..3bba9540 100644 --- a/charts/core/templates/csp-role.yaml +++ b/charts/core/templates/csp-role.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - "" diff --git a/charts/core/templates/csp-rolebinding.yaml b/charts/core/templates/csp-rolebinding.yaml index 946b2c52..0327fdc7 100644 --- a/charts/core/templates/csp-rolebinding.yaml +++ b/charts/core/templates/csp-rolebinding.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/charts/core/templates/csp-serviceaccount.yaml b/charts/core/templates/csp-serviceaccount.yaml index 0f777c2b..32827502 100644 --- a/charts/core/templates/csp-serviceaccount.yaml +++ b/charts/core/templates/csp-serviceaccount.yaml 
@@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm annotations: {{- if .Values.global.aws.enabled }} eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.global.aws.accountNumber }}:role/{{ .Values.global.aws.roleName }} diff --git a/charts/core/templates/enforcer-daemonset.yaml b/charts/core/templates/enforcer-daemonset.yaml index 4177c4dd..61195c31 100644 --- a/charts/core/templates/enforcer-daemonset.yaml +++ b/charts/core/templates/enforcer-daemonset.yaml @@ -28,7 +28,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} spec: updateStrategy: {{- toYaml .Values.enforcer.updateStrategy | nindent 4 }} diff --git a/charts/core/templates/init-configmap.yaml b/charts/core/templates/init-configmap.yaml index 1300794a..5c29ca25 100644 --- a/charts/core/templates/init-configmap.yaml +++ b/charts/core/templates/init-configmap.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm data: {{ toYaml .Values.controller.configmap.data | indent 2 }} {{- end }} diff --git a/charts/core/templates/init-secret.yaml b/charts/core/templates/init-secret.yaml index d4bfca59..d9b4676c 100644 --- a/charts/core/templates/init-secret.yaml +++ b/charts/core/templates/init-secret.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm data: {{- range $key, $val := .Values.controller.secret.data }} {{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }} diff --git a/charts/core/templates/manager-deployment.yaml b/charts/core/templates/manager-deployment.yaml index fa68e34e..ff96c5ec 100644 --- a/charts/core/templates/manager-deployment.yaml +++ b/charts/core/templates/manager-deployment.yaml 
@@ -11,7 +11,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: replicas: 1 selector: diff --git a/charts/core/templates/manager-ingress.yaml b/charts/core/templates/manager-ingress.yaml index 52826fc5..9dc4bb53 100644 --- a/charts/core/templates/manager-ingress.yaml +++ b/charts/core/templates/manager-ingress.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.manager.ingress.ingressClassName }} ingressClassName: {{ .Values.manager.ingress.ingressClassName | quote }} @@ -49,7 +48,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.manager.ingress.tls }} tls: diff --git a/charts/core/templates/manager-route.yaml b/charts/core/templates/manager-route.yaml index 77262d5b..f79a7332 100644 --- a/charts/core/templates/manager-route.yaml +++ b/charts/core/templates/manager-route.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.manager.route.host }} host: {{ .Values.manager.route.host }} diff --git a/charts/core/templates/manager-secret.yaml b/charts/core/templates/manager-secret.yaml index 601dae37..622391ac 100644 --- a/charts/core/templates/manager-secret.yaml +++ b/charts/core/templates/manager-secret.yaml @@ -10,7 +10,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm type: Opaque data: ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} diff --git a/charts/core/templates/manager-service.yaml b/charts/core/templates/manager-service.yaml index 0778d897..b310f63d 100644 --- a/charts/core/templates/manager-service.yaml 
+++ b/charts/core/templates/manager-service.yaml @@ -11,7 +11,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.manager.svc.type }} {{- if and .Values.manager.svc.loadBalancerIP (eq .Values.manager.svc.type "LoadBalancer") }} diff --git a/charts/core/templates/psp.yaml b/charts/core/templates/psp.yaml index 97bf757e..2d9d77e8 100644 --- a/charts/core/templates/psp.yaml +++ b/charts/core/templates/psp.yaml @@ -7,7 +7,6 @@ metadata: seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} spec: privileged: true @@ -44,7 +43,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} rules: - apiGroups: @@ -64,7 +62,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io @@ -89,7 +86,6 @@ metadata: name: neuvector-binding-psp-controller labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} spec: privileged: false @@ -125,7 +121,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} rules: - apiGroups: @@ -145,7 +140,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/charts/core/templates/pvc.yaml b/charts/core/templates/pvc.yaml index b7e97e7d..d0c51962 100644 --- a/charts/core/templates/pvc.yaml +++ b/charts/core/templates/pvc.yaml 
@@ -8,7 +8,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: accessModes: {{ toYaml .Values.controller.pvc.accessModes | indent 4 }} diff --git a/charts/core/templates/registry-adapter-ingress.yaml b/charts/core/templates/registry-adapter-ingress.yaml index aec7161c..ab05054f 100644 --- a/charts/core/templates/registry-adapter-ingress.yaml +++ b/charts/core/templates/registry-adapter-ingress.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.cve.adapter.ingress.ingressClassName }} ingressClassName: {{ .Values.cve.adapter.ingress.ingressClassName | quote }} @@ -51,7 +50,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.cve.adapter.ingress.tls }} tls: @@ -87,7 +85,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.cve.adapter.route.host }} host: {{ .Values.cve.adapter.route.host }} diff --git a/charts/core/templates/registry-adapter.yaml b/charts/core/templates/registry-adapter.yaml index 7ae073e4..6d74b139 100644 --- a/charts/core/templates/registry-adapter.yaml +++ b/charts/core/templates/registry-adapter.yaml @@ -11,7 +11,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: replicas: 1 selector: @@ -172,7 +171,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.cve.adapter.svc.type }} {{- if and .Values.cve.adapter.svc.loadBalancerIP (eq .Values.cve.adapter.svc.type "LoadBalancer") }} diff --git a/charts/core/templates/role-least.yaml b/charts/core/templates/role-least.yaml index 85202c9b..7520d7c9 100644 --- a/charts/core/templates/role-least.yaml +++ b/charts/core/templates/role-least.yaml 
@@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - apps diff --git a/charts/core/templates/role.yaml b/charts/core/templates/role.yaml index 01dc47c4..8b2bd825 100644 --- a/charts/core/templates/role.yaml +++ b/charts/core/templates/role.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - "" diff --git a/charts/core/templates/rolebinding-least.yaml b/charts/core/templates/rolebinding-least.yaml index 19cdec08..e06d4dde 100644 --- a/charts/core/templates/rolebinding-least.yaml +++ b/charts/core/templates/rolebinding-least.yaml @@ -16,7 +16,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -51,7 +50,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -78,7 +76,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -135,7 +132,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - security.openshift.io @@ -156,7 +152,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/core/templates/rolebinding.yaml b/charts/core/templates/rolebinding.yaml index 23c07f4f..dc722ee2 100644 --- a/charts/core/templates/rolebinding.yaml +++ b/charts/core/templates/rolebinding.yaml 
@@ -16,7 +16,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -48,7 +47,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -75,7 +73,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/core/templates/scanner-deployment.yaml b/charts/core/templates/scanner-deployment.yaml index 0e41c334..4ab69cb5 100644 --- a/charts/core/templates/scanner-deployment.yaml +++ b/charts/core/templates/scanner-deployment.yaml @@ -10,7 +10,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} spec: strategy: diff --git a/charts/core/templates/serviceaccount-least.yaml b/charts/core/templates/serviceaccount-least.yaml index 8b925644..cf47dcd1 100644 --- a/charts/core/templates/serviceaccount-least.yaml +++ b/charts/core/templates/serviceaccount-least.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- @@ -19,7 +18,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- @@ -31,7 +29,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- @@ -43,7 +40,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- @@ -55,7 +51,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- 
@@ -67,6 +62,5 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm {{- end }} diff --git a/charts/core/templates/serviceaccount.yaml b/charts/core/templates/serviceaccount.yaml index 46a3027c..dc625cde 100644 --- a/charts/core/templates/serviceaccount.yaml +++ b/charts/core/templates/serviceaccount.yaml @@ -8,6 +8,5 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm {{- end }} {{- end }} diff --git a/charts/core/templates/updater-cronjob.yaml b/charts/core/templates/updater-cronjob.yaml index eb179b0c..9232d4c6 100644 --- a/charts/core/templates/updater-cronjob.yaml +++ b/charts/core/templates/updater-cronjob.yaml @@ -13,7 +13,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: schedule: {{ .Values.cve.updater.schedule | quote }} jobTemplate: From 1b42664c5a836dd32a62397dfb93458778a06346 Mon Sep 17 00:00:00 2001 
From: "Sam Wang (holyspectral)" Date: Thu, 26 Oct 2023 13:17:07 -0400 Subject: [PATCH 05/16] feat: support internal cert rotation 1. New role and rolebinding for job creation and cert upgrader. 2. A new cronjob to run internal cert rotation regularly. 3. New options to enable cert generation and cert rotation. --- charts/core/templates/_helpers.tpl | 22 +++- .../core/templates/controller-deployment.yaml | 52 +++++--- charts/core/templates/controller-lease.yaml | 8 ++ charts/core/templates/controller-secret.yaml | 9 ++ charts/core/templates/enforcer-daemonset.yaml | 16 +++ charts/core/templates/registry-adapter.yaml | 17 ++- charts/core/templates/role.yaml | 111 ++++++++++++++++++ charts/core/templates/rolebinding-least.yaml | 110 ++++++++++++++++- charts/core/templates/rolebinding.yaml | 91 ++++++++++++++ charts/core/templates/scanner-deployment.yaml | 20 +++- .../core/templates/serviceaccount-least.yaml | 11 ++ charts/core/templates/upgrader-cronjob.yaml | 80 +++++++++++++ charts/core/templates/upgrader-lease.yaml | 8 ++ charts/core/values.yaml | 21 +++- test/role_test.go | 4 +- test/sa_test.go | 2 +- 16 files changed, 555 insertions(+), 27 deletions(-) create mode 100644 charts/core/templates/controller-lease.yaml create mode 100644 charts/core/templates/upgrader-cronjob.yaml create mode 100644 charts/core/templates/upgrader-lease.yaml diff --git a/charts/core/templates/_helpers.tpl b/charts/core/templates/_helpers.tpl index e47c246b..8a598d32 100644 --- a/charts/core/templates/_helpers.tpl +++ b/charts/core/templates/_helpers.tpl 
@@ -45,4 +45,24 @@ Lookup secret. {{- if $value -}} {{- printf "%s" $value -}} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} + +{{- define "neuvector.controller.image" -}} +{{- if .Values.global.azure.enabled }} + {{- printf "%s/%s:%s" .Values.global.azure.images.controller.registry .Values.global.azure.images.controller.image .Values.global.azure.images.controller.tag }} +{{- else }} + {{- if eq .Values.registry "registry.neuvector.com" }} + {{- if .Values.oem }} + {{- printf "%s/%s/controller:%s" .Values.registry .Values.oem .Values.tag }} + {{- else }} + {{- printf "%s/controller:%s" .Values.registry .Values.tag }} + {{- end }} + {{- else }} + {{- if .Values.controller.image.hash }} + {{- printf "%s/%s@%s" .Values.registry .Values.controller.image.repository .Values.controller.image.hash }} + {{- else }} + {{- printf "%s/%s:%s" .Values.registry .Values.controller.image.repository .Values.tag }} + {{- end }} + {{- end }} +{{- end }} +{{- end -}} diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml index 8c2a1d5f..4d4904c7 100644 --- a/charts/core/templates/controller-deployment.yaml +++ b/charts/core/templates/controller-deployment.yaml @@ -2,6 +2,10 @@ {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} {{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}} {{- end }} +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} {{- if .Values.controller.enabled -}} {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} apiVersion: apps/v1 
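Review bot: The new `neuvector.controller.image` define has no header comment, although the helper above it is documented (its `Lookup secret.` comment shows in the hunk header). A one-line comment before the define would give the resolution order at a glance, e.g. `{{/* Controller image: Azure marketplace image when global.azure.enabled; otherwise registry.neuvector.com with an optional oem path, or the configured repository, pinned by controller.image.hash when set */}}`. It is worth saying in that comment that the digest form is only honoured for registries other than registry.neuvector.com, since the `oem`/`tag` branch never reads `controller.image.hash`.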
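Review bot: The four-line `$pre540` block at the top of the controller-deployment hunk is copied verbatim into enforcer-daemonset.yaml, registry-adapter.yaml and scanner-deployment.yaml in this same commit, and its name does not match the threshold it tests (`semverCompare "<5.3.10-0"` is a 5.3.10 cut-off, not 5.4.0). A single define in `_helpers.tpl`, following the existing `$pre530` logic, called from each template would keep the version gate in one place. A comment naming the first image version that ships the upgrader would also explain where the `5.3.10-0` constant comes from.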
@@ -85,25 +89,27 @@ spec: serviceAccountName: {{ .Values.serviceAccount }} serviceAccount: {{ .Values.serviceAccount }} {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} + {{- else if and .Values.internal.autoGenerateCert (not $pre540) }} + initContainers: + - name: init + image: {{ include "neuvector.controller.image" . | quote }} + command: ["/usr/local/bin/upgrader", "create-upgrader-job" ] + imagePullPolicy: {{ .Values.controller.certupgrader.imagePullPolicy }} + env: + - name: OVERRIDE_CHECKSUM + value: {{ dict "image" (include "neuvector.controller.image" .) "internal" .Values.internal "certupgrader" .Values.controller.certupgrader | toJson | sha256sum }} + {{- if and .Values.internal.autoRotateCert (not $pre540) }} + - name: ENABLE_ROTATION + value: "1" + {{- end }} + {{- with .Values.controller.certupgrader.env }} +{{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} containers: - name: neuvector-controller-pod - {{- if .Values.global.azure.enabled }} - image: "{{ .Values.global.azure.images.controller.registry }}/{{ .Values.global.azure.images.controller.image }}:{{ .Values.global.azure.images.controller.tag }}" - {{- else }} - {{- if eq .Values.registry "registry.neuvector.com" }} - {{- if .Values.oem }} - image: "{{ .Values.registry }}/{{ .Values.oem }}/controller:{{ .Values.tag }}" - {{- else }} - image: "{{ .Values.registry }}/controller:{{ .Values.tag }}" - {{- end }} - {{- else }} - {{- if .Values.controller.image.hash }} - image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}@{{ .Values.controller.image.hash }}" - {{- else }} - image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}:{{ .Values.tag }}" - {{- end }} - {{- end }} - {{- end }} + image: {{ include "neuvector.controller.image" . | quote }} {{- if $pre530 }} securityContext: privileged: true 
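Review bot: The `init` container added under `initContainers` sets no `resources` and no `securityContext`, yet it runs the controller image with `create-upgrader-job` under the pod's service account, which the new job-creation Role lets create Jobs; the main container's settings further down are outside this hunk, so whether a pod-level `securityContext` covers it cannot be seen here. Adding `resources` and a container `securityContext` such as `allowPrivilegeEscalation: false` would keep the pod admissible on quota-enforcing and hardened clusters, which the `controller.certupgrader.runAsUser` value suggests are supported targets. Separately, the empty `{{- if or ... }}` branch followed by `{{- else if ... }}` reads as a no-op; `{{- if and .Values.internal.autoGenerateCert (not $pre540) (not .Values.internal.certmanager.enabled) (not .Values.controller.internal.certificate.secret) }}` states the same condition directly, and the same pattern recurs in the controller env hunk and in the enforcer, registry-adapter and scanner hunks.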
@@ -157,6 +163,11 @@ spec: - name: NO_DEFAULT_ADMIN value: "1" {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} + {{- else if .Values.internal.autoGenerateCert }} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} {{- with .Values.controller.env }} {{- toYaml . | nindent 12 }} {{- end }} @@ -223,6 +234,9 @@ spec: subPath: {{ .Values.controller.internal.certificate.caFile }} name: internal-cert readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir {{- end }} terminationGracePeriodSeconds: 300 restartPolicy: Always @@ -286,6 +300,10 @@ spec: - name: internal-cert secret: secretName: {{ .Values.controller.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi {{- end }} {{- if gt (int .Values.controller.disruptionbudget) 0 }} --- diff --git a/charts/core/templates/controller-lease.yaml b/charts/core/templates/controller-lease.yaml new file mode 100644 index 00000000..cccde547 --- /dev/null +++ b/charts/core/templates/controller-lease.yaml @@ -0,0 +1,8 @@ +{{- if .Values.internal.autoGenerateCert }} +apiVersion: coordination.k8s.io/v1 +kind: Lease +metadata: + name: neuvector-controller +spec: + leaseTransitions: 0 +{{- end }} diff --git a/charts/core/templates/controller-secret.yaml b/charts/core/templates/controller-secret.yaml index e07504dc..65163f83 100644 --- a/charts/core/templates/controller-secret.yaml +++ b/charts/core/templates/controller-secret.yaml @@ -2,6 +2,7 @@ {{- if eq "true" (toString .Values.autoGenerateCert) }} {{- $cn := "neuvector" }} {{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} + apiVersion: v1 kind: Secret metadata: 
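Review bot: The new `neuvector-controller` Lease carries neither the `chart`/`release` labels every other resource in the chart has nor an explicit `namespace: {{ .Release.Namespace }}`; the `neuvector-cert-upgrader` Lease and the `neuvector-internal-certs` Secret added later in this commit have the same gap. Helm still places them in the release namespace, but without `release: {{ .Release.Name }}` they are invisible to the label-based listing the rest of the chart supports. Reusing the `metadata.namespace` and `labels` block from the Deployment would make the three objects consistent with the others.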
@@ -15,6 +16,14 @@ type: Opaque data: ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }} +{{- end}} --- +{{- if .Values.internal.certmanager.enabled }} +{{- else if .Values.internal.autoGenerateCert }} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-internal-certs +type: Opaque {{- end}} {{- end}} diff --git a/charts/core/templates/enforcer-daemonset.yaml b/charts/core/templates/enforcer-daemonset.yaml index 4177c4dd..af34458d 100644 --- a/charts/core/templates/enforcer-daemonset.yaml +++ b/charts/core/templates/enforcer-daemonset.yaml @@ -2,6 +2,10 @@ {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} {{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}} {{- end }} +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} {{- $runtimePath := "" -}} {{- if .Values.runtimePath }} {{- $runtimePath = .Values.runtimePath -}} @@ -105,6 +109,11 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP + {{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }} + {{- else if .Values.internal.autoGenerateCert }} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} {{- with .Values.enforcer.env }} {{- toYaml . | nindent 12 }} {{- end }} @@ -153,6 +162,9 @@ spec: subPath: {{ .Values.enforcer.internal.certificate.caFile }} name: internal-cert readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir {{- end }} terminationGracePeriodSeconds: 1200 restartPolicy: Always 
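Review bot: The `neuvector-internal-certs` Secret is rendered with no `data`, so the certificate material the upgrader later writes into it is not part of the Helm-managed manifest; this same file already uses `neuvector.secrets.lookup` to carry the generated `ssl-cert.*` values across `helm upgrade`, and the new Secret does not. Whether the written keys survive an upgrade then depends on Helm's three-way merge keeping fields the chart does not declare, which is worth confirming and recording above the `{{- else if .Values.internal.autoGenerateCert }}` line, e.g. `{{/* Created empty; the controller/cert-upgrader populates it. Data is intentionally not declared so upgrades do not reset it */}}`. The context `---` now sits between the new `{{- end}}` and the second conditional, so a trailing empty document is emitted when the flag is off; harmless for Helm, but it changes document counts in the chart tests.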
@@ -192,5 +204,9 @@ spec: - name: internal-cert secret: secretName: {{ .Values.enforcer.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi {{- end }} {{- end }} diff --git a/charts/core/templates/registry-adapter.yaml b/charts/core/templates/registry-adapter.yaml index 6f636f16..7855558c 100644 --- a/charts/core/templates/registry-adapter.yaml +++ b/charts/core/templates/registry-adapter.yaml @@ -1,3 +1,7 @@ +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} {{- if .Values.cve.adapter.enabled -}} {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} apiVersion: apps/v1 @@ -97,6 +101,11 @@ spec: name: {{ .Values.cve.adapter.harbor.secretName }} key: password {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }} + {{- else if .Values.internal.autoGenerateCert }} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} {{- with .Values.cve.adapter.env }} {{- toYaml . | nindent 14 }} {{- end }} @@ -114,6 +123,9 @@ spec: subPath: {{ .Values.cve.adapter.internal.certificate.caFile }} name: internal-cert readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir {{- end }} {{- if .Values.cve.adapter.certificate.secret }} - mountPath: /etc/neuvector/certs/ssl-cert.key @@ -155,8 +167,11 @@ spec: - name: internal-cert secret: secretName: {{ .Values.cve.adapter.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi {{- end }} - --- apiVersion: v1 diff --git a/charts/core/templates/role.yaml b/charts/core/templates/role.yaml index 01dc47c4..694ecff1 100644 
--- a/charts/core/templates/role.yaml +++ b/charts/core/templates/role.yaml 
@@ -22,3 +22,114 @@ rules: - secrets verbs: - get + - list + - watch + +--- + +{{- if .Values.internal.autoGenerateCert }} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-lease + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - update +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-job-creation + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - get + - delete +- apiGroups: + - batch + resources: + - cronjobs + - cronjobs/finalizers + verbs: + - update + - patch +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - update + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list +- apiGroups: + - "apps" + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + verbs: + - update +{{- end }} diff --git a/charts/core/templates/rolebinding-least.yaml b/charts/core/templates/rolebinding-least.yaml index 19cdec08..e287dde0 100644 --- a/charts/core/templates/rolebinding-least.yaml +++ b/charts/core/templates/rolebinding-least.yaml 
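Review bot: The first rule in this hunk widens the existing Role's `secrets` access from `get` to `get`/`list`/`watch` outside the `{{- if .Values.internal.autoGenerateCert }}` guard (so it applies regardless of the flag), and the new `neuvector-binding-cert-upgrader` Role grants `get`/`update`/`list`/`watch` on every Secret in the release namespace; neither rule is narrowed with `resourceNames`, so whichever service accounts are bound to them can read all namespace secrets, not only the internal-cert one. `get` and `update` can be limited with `resourceNames: [neuvector-internal-certs]` (plus the other secrets the controller actually reads), and `list`/`watch` are honoured under `resourceNames` only when the client sends a `metadata.name` field selector, which cannot be verified from the chart, so a comment stating why namespace-wide `list`/`watch` is required would help reviewers. Two consistency points: `- "apps"` is quoted while `- batch` and `- coordination.k8s.io` are not, and the three new Roles add `heritage: Helm` labels that patch 04 of this series removes from every existing resource, as do the new RoleBindings, the `cert-upgrader` ServiceAccount and the CronJob. The leading `---` sits before the `{{- if }}`, so an empty trailing document is emitted when the flag is off.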
@@ -35,8 +35,104 @@ userNames: - system:serviceaccount:{{ .Release.Namespace }}:controller {{- end }} +{{- if .Values.internal.autoGenerateCert }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-lease + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-lease +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: cert-upgrader + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +- system:serviceaccount:{{ .Release.Namespace }}:controller +- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-job-creation + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-job-creation +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-cert-upgrader +subjects: +- kind: ServiceAccount + name: cert-upgrader + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader +{{- end }} --- - {{- if $oc3 }} apiVersion: authorization.openshift.io/v1 {{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} @@ -62,9 +158,21 @@ subjects: - kind: ServiceAccount name: controller namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: scanner + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: registry-adapter + namespace: {{ .Release.Namespace }} {{- if $oc3 }} userNames: - system:serviceaccount:{{ .Release.Namespace }}:controller +- system:serviceaccount:{{ .Release.Namespace }}:enforcer +- system:serviceaccount:{{ .Release.Namespace }}:scanner +- system:serviceaccount:{{ .Release.Namespace }}:registry-adapter {{- end }} --- 
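Review bot: The `neuvector-binding-cert-upgrader` RoleBinding comes after the `{{- end }}` that closes `{{- if .Values.internal.autoGenerateCert }}` (the one following the job-creation binding's `userNames` block), so it is rendered even when the matching Role in role.yaml is not, leaving a binding to a missing Role whenever the flag is off; moving that `{{- end }}` to just before the context `---` would gate all three bindings together. In the `neuvector-binding-lease` binding the OpenShift `userNames` list includes `{{ .Values.serviceAccount }}` while `subjects` names only `controller` and `cert-upgrader`, so the two representations grant different accounts. The second hunk adds the `enforcer`, `scanner` and `registry-adapter` accounts as subjects of a binding whose `roleRef` starts above the hunk, so which Role they now receive is not visible here and deserves a line in the commit message.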
diff --git a/charts/core/templates/rolebinding.yaml b/charts/core/templates/rolebinding.yaml index 23c07f4f..f0f7cd90 100644 --- a/charts/core/templates/rolebinding.yaml +++ b/charts/core/templates/rolebinding.yaml 
@@ -85,4 +85,95 @@ subjects: name: {{ .Values.serviceAccount }} namespace: {{ .Release.Namespace }} {{- end }} + +--- + +{{- if .Values.internal.autoGenerateCert }} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-lease + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-lease +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-job-creation + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role {{- end }} + name: neuvector-binding-job-creation +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} +--- +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-cert-upgrader +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader +{{- end }} +{{- end }} + diff --git a/charts/core/templates/scanner-deployment.yaml b/charts/core/templates/scanner-deployment.yaml index 0e41c334..83c92be8 100644 --- a/charts/core/templates/scanner-deployment.yaml +++ b/charts/core/templates/scanner-deployment.yaml @@ -1,3 +1,7 @@ +{{- $pre540 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}} +{{- end }} {{- if .Values.cve.scanner.enabled -}} {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} apiVersion: apps/v1 
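Review bot: In the `neuvector-binding-job-creation` RoleBinding the OpenShift `userNames` entry is `system:serviceaccount:{{ .Release.Namespace }}:controller` while `subjects` binds `{{ .Values.serviceAccount }}`, so on OpenShift 3 a different account is granted than on Kubernetes; it should read `- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}`, matching the `name: {{ .Values.serviceAccount }}` used in the subjects above. The `{{- end }}` directly after the lease binding's `subjects` closes `{{- if .Values.internal.autoGenerateCert }}`, so the job-creation and cert-upgrader bindings are emitted regardless of that flag (they fall under an outer conditional whose opening is above the hunk and whose context `{{- end }}` lines are reused here), while the Roles they reference are conditional in role.yaml. The lease binding is also the only one of the three without an `{{- if $oc3 }} userNames:` block.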
@@ -94,13 +98,18 @@ spec: - name: SCANNER_DOCKER_URL value: {{ .Values.cve.scanner.dockerPath }} {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} + {{- else if .Values.internal.autoGenerateCert }} + - name: AUTO_INTERNAL_CERT + value: "1" + {{- end }} {{- with .Values.cve.scanner.env }} {{- toYaml . | nindent 12 }} {{- end }} resources: {{ toYaml .Values.cve.scanner.resources | indent 12 }} - {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} volumeMounts: + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} - mountPath: /etc/neuvector/certs/internal/cert.key subPath: {{ .Values.cve.scanner.internal.certificate.keyFile }} name: internal-cert @@ -113,12 +122,19 @@ spec: subPath: {{ .Values.cve.scanner.internal.certificate.caFile }} name: internal-cert readOnly: true + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - mountPath: /etc/neuvector/certs/internal/ + name: internal-cert-dir {{- end }} restartPolicy: Always - {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} volumes: + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} - name: internal-cert secret: secretName: {{ .Values.cve.scanner.internal.certificate.secret }} + {{- else if and .Values.internal.autoRotateCert (not $pre540) }} + - name: internal-cert-dir + emptyDir: + sizeLimit: 50Mi {{- end }} {{- end }} diff --git a/charts/core/templates/serviceaccount-least.yaml b/charts/core/templates/serviceaccount-least.yaml index 8b925644..cd1cb2fa 100644 --- a/charts/core/templates/serviceaccount-least.yaml +++ b/charts/core/templates/serviceaccount-least.yaml 
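Review bot: `volumeMounts:` and `volumes:` are moved outside the conditional, so when neither the cert-manager/secret branch nor the `autoRotateCert` branch applies they render as bare keys with a null value; the API server tolerates null lists, but a schema check of the rendered output is worth running to confirm nothing downstream rejects it. Keeping both keys inside an `{{- if or (or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret) (and .Values.internal.autoRotateCert (not $pre540)) }}` guard avoids the null entirely.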
@@ -69,4 +69,15 @@ metadata: release: {{ .Release.Name }} heritage: Helm +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-upgrader + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm {{- end }} diff --git a/charts/core/templates/upgrader-cronjob.yaml b/charts/core/templates/upgrader-cronjob.yaml new file mode 100644 index 00000000..684c7542 --- /dev/null +++ b/charts/core/templates/upgrader-cronjob.yaml 
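Review bot: The new `cert-upgrader` ServiceAccount is created whenever the enclosing conditional (its `{{- if }}` begins above the hunk, presumably the `leastPrivilege` switch) is on, independent of `internal.autoGenerateCert`, while the Role and CronJob it exists for are gated on that flag; wrapping this document in `{{- if .Values.internal.autoGenerateCert }}` would keep account, Role and CronJob together. The hunk's context lines still show `heritage: Helm` at this spot even though an earlier patch in the series removes it from this file, so the series should be checked to apply cleanly in order.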
@@ -0,0 +1,80 @@ +{{- if and .Values.controller.enabled .Values.internal.autoGenerateCert -}} +{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1beta1 +{{- else }} +apiVersion: batch/v2alpha1 +{{- end }} +kind: CronJob +metadata: + name: neuvector-cert-upgrader-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.controller.certupgrader.schedule }} + schedule: {{ .Values.controller.certupgrader.schedule | quote }} +{{- else }} + schedule: "0 0 1 1 *" + suspend: true +{{- end }} + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + successfulJobsHistoryLimit: 3 + jobTemplate: + spec: + activeDeadlineSeconds: {{ .Values.controller.certupgrader.timeout }} + parallelism: 1 + completions: 1 + backoffLimit: 6 + template: + metadata: + labels: + app: neuvector-cert-upgrader-pod + release: {{ .Release.Name }} + {{- with .Values.controller.certupgrader.podLabels }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.controller.certupgrader.podAnnotations }} + annotations: + {{- toYaml . 
| nindent 12 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.controller.certupgrader.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.certupgrader.nodeSelector | indent 12 }} + {{- end }} + {{- if .Values.controller.certupgrader.priorityClassName }} + priorityClassName: {{ .Values.controller.certupgrader.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: cert-upgrader + serviceAccount: cert-upgrader + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + restartPolicy: Never + {{- if .Values.controller.certupgrader.runAsUser }} + securityContext: + runAsUser: {{ .Values.controller.certupgrader.runAsUser }} + {{- end }} + containers: + - name: neuvector-cert-upgrader-pod + image: {{ include "neuvector.controller.image" . | quote }} + imagePullPolicy: {{ .Values.controller.certupgrader.imagePullPolicy }} + command: + - /usr/local/bin/upgrader + - upgrader-job + env: + {{- with .Values.controller.certupgrader.env }} +{{- toYaml . | nindent 14 }} + {{- end }} +{{- end }} diff --git a/charts/core/templates/upgrader-lease.yaml b/charts/core/templates/upgrader-lease.yaml new file mode 100644 index 00000000..2afa935d --- /dev/null +++ b/charts/core/templates/upgrader-lease.yaml @@ -0,0 +1,8 @@ +{{- if .Values.internal.autoGenerateCert }} +apiVersion: coordination.k8s.io/v1 +kind: Lease +metadata: + name: neuvector-cert-upgrader +spec: + leaseTransitions: 0 +{{- end }} diff --git a/charts/core/values.yaml b/charts/core/values.yaml index 549bdda8..d6a56319 100644 --- a/charts/core/values.yaml +++ b/charts/core/values.yaml 
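Review bot: The cert-upgrader pod sets a pod-level `securityContext` only when `controller.certupgrader.runAsUser` is configured, and the `neuvector-cert-upgrader-pod` container has no `resources` and no container `securityContext`, even though it runs with a Role that can update Secrets and read Deployments/DaemonSets in the namespace. A fixed container block such as `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}` plus a `resources` stanza sourced from values would match the least-privilege intent of the new roles; whether the upgrader binary also tolerates `readOnlyRootFilesystem: true` needs confirming. `env:` is emitted as a bare key when `certupgrader.env` is empty (the default `[]`), rendering as `env: null`; moving `env:` inside the `{{- with }}` avoids that.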
@@ -61,10 +61,12 @@ autoGenerateCert: true defaultValidityPeriod: 365 -internal: # enable when cert-manager is installed for the internal certificates - certmanager: +internal: + certmanager: # enable when cert-manager is installed for the internal certificates enabled: false secretname: neuvector-internal + autoGenerateCert: true + autoRotateCert: false controller: # If false, controller will not be installed @@ -285,6 +287,21 @@ controller: - Fullname: admin Password: Role: admin + certupgrader: + env: [] + # The cronjob schedule that cert-upgrader will run to check and rotate internal certificate. + # default: "" (off) + schedule: "" + imagePullPolicy: IfNotPresent + timeout: 3600 + priorityClassName: + podLabels: {} + podAnnotations: {} + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster enforcer: # If false, enforcer will not be installed diff --git a/test/role_test.go b/test/role_test.go index ecac3bcc..8f61aebd 100644 --- a/test/role_test.go +++ b/test/role_test.go @@ -18,7 +18,7 @@ func TestRoleBinding(t *testing.T) { out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/rolebinding.yaml"}) outs := splitYaml(out) - if len(outs) != 2 { + if len(outs) != 4 { t.Errorf("Resource count is wrong. count=%v\n", len(outs)) } } @@ -98,7 +98,7 @@ func TestRoleBindingLeastPrivilege(t *testing.T) { out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/rolebinding-least.yaml"}) outs := splitYaml(out) - if len(outs) != 2 { + if len(outs) != 5 { t.Errorf("Resource count is wrong. count=%v\n", len(outs)) } } diff --git a/test/sa_test.go b/test/sa_test.go index 548e66f0..89d0e740 100644 --- a/test/sa_test.go +++ b/test/sa_test.go 
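Review bot: `internal.autoRotateCert: false` is introduced in the first hunk but nothing in this series reads it — the cert-upgrader CronJob is gated on `internal.autoGenerateCert` and `controller.certupgrader.schedule` only — so either it is consumed by code outside this chunk or it is dead; a comment naming the component that honours it would settle that. In the second hunk `priorityClassName:` and `runAsUser:` are bare keys, which parse as null; that matches the `{{- if ... }}` guards in the template, but `# MUST be set for Rancher hardened cluster` should say what leaving it null means, namely that the job pod is rendered with no `securityContext` at all. Writing them as `priorityClassName: null` and `runAsUser: null` makes the intent explicit rather than relying on empty values.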
@@ -19,7 +19,7 @@ func TestServiceAccountLeastPrivilege(t *testing.T) { out := helm.RenderTemplate(t, options, helmChartPath, nvRel, []string{"templates/serviceaccount-least.yaml"}) outs := splitYaml(out) - if len(outs) != 6 { + if len(outs) != 7 { t.Errorf("Resource count is wrong. count=%v\n", len(outs)) } } From ff48af19b81407a2423aec42e483ca65d627d43d Mon Sep 17 00:00:00 2001 From: "Sam Wang (holyspectral)" Date: Wed, 21 Aug 2024 13:29:04 -0400 Subject: [PATCH 06/16] docs: update README --- charts/core/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/charts/core/README.md b/charts/core/README.md index c721f94a..0c79ccb4 100644 --- a/charts/core/README.md +++ b/charts/core/README.md @@ -26,6 +26,8 @@ Parameter | Description | Default | Notes `autoGenerateCert` | Automatically generate certificate or not | `true` | `internal.certmanager.enabled` | cert-manager is installed for the internal certificates | `false` | `internal.certmanager.secretname` | Name of the secret to be used for the internal certificates | `neuvector-internal` | +`internal.autoGenerateCert` | Automatically generate internal certificate or not | `true` | +`internal.autoRotateCert` | Automatically rotate internal certificate or not | `false` | `defaultValidityPeriod` | The default validity period used for certs automatically generated (days) | `365` | `global.cattle.url` | Set the Rancher Server URL | | Required for Rancher Authentication. `https:///` | `global.aws.enabled` | If true, install AWS billing csp adapter | `false` | **Note**: default admin user is disabled when aws market place billing enabled, use secret to create admin-role user to manage NeuVector deployment. 
@@ -137,6 +139,13 @@ Parameter | Description | Default | Notes `controller.internal.certificate.keyFile` | Set PEM format key file for custom controller internal certificate | `tls.key` | `controller.internal.certificate.pemFile` | Set PEM format certificate file for custom controller internal certificate | `tls.crt` | `controller.internal.certificate.caFile` | Set CA certificate file for controller custom internal certificate | `ca.crt` | +`controller.certupgrader.env` | User-defined environment variables. | `[]` | +`controller.certupgrader.schedule` | cert upgrader schedule. Leave empty to disable | `` | +`controller.certupgrader.priorityClassName` | cert upgrader priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`controller.certupgrader.podLabels` | Specify the pod labels. | `{}` | +`controller.certupgrader.podAnnotations` | Specify the pod annotations. | `{}` | +`controller.certupgrader.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`controller.certupgrader.runAsUser` | Specify the run as User ID | `nil` | `enforcer.enabled` | If true, create enforcer | `true` | `enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` | `enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | From a05c78f658be4a24b55636de14ce8fe4614b33c9 Mon Sep 17 00:00:00 2001 From: Selvam Thangaraj Date: Mon, 22 Jul 2024 21:08:11 +0000 Subject: [PATCH 07/16] Add bootstrap password support --- charts/core/README.md | 1 + charts/core/templates/NOTES.txt | 11 +++++++++++ charts/core/templates/bootstrap-secret.yaml | 20 ++++++++++++++++++++ charts/core/values.yaml | 3 +++ 4 files changed, 35 insertions(+) create mode 100644 charts/core/templates/bootstrap-secret.yaml diff --git a/charts/core/README.md b/charts/core/README.md index 0c79ccb4..b0e560b4 100644 --- a/charts/core/README.md +++ b/charts/core/README.md 
@@ -23,6 +23,7 @@ Parameter | Description | Default | Notes `psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` | `serviceAccount` | Service account name for NeuVector components | `default` | `leastPrivilege` | Use least privileged service account | `false` | +`bootstrapPassword` | Set password for admin user account if present | `false` | Random password generated if aws billing is enabled `autoGenerateCert` | Automatically generate certificate or not | `true` | `internal.certmanager.enabled` | cert-manager is installed for the internal certificates | `false` | `internal.certmanager.secretname` | Name of the secret to be used for the internal certificates | `neuvector-internal` | diff --git a/charts/core/templates/NOTES.txt b/charts/core/templates/NOTES.txt index 2360cee8..30d892fc 100644 --- a/charts/core/templates/NOTES.txt +++ b/charts/core/templates/NOTES.txt @@ -21,3 +21,14 @@ Get the NeuVector URL by running these commands: echo https://$SERVICE_IP:8443 {{- end }} {{- end }} + + +{{- if or (.Values.global.aws.enabled) (.Values.bootstrapPassword) }} + +NOTE: Use below command to get the password to login to NeuVector WebUi using admin account if it is a fresh install and not a restore from PVC, no admin password is set in the configmap or secret. This password is randomly generated if the bootstrap password is not specified during the deployment or AWS cloud billing is enabled. + +To get the bootstrap password: + +kubectl get secret --namespace {{ .Release.Namespace }} neuvector-bootstrap-secret -o go-template='{{ "{{" }}.data.bootstrapPassword|base64decode{{ "}}" }}{{ "{{" }} "\n" {{ "}}" }}' + +{{- end }} diff --git a/charts/core/templates/bootstrap-secret.yaml b/charts/core/templates/bootstrap-secret.yaml new file mode 100644 index 00000000..304aed9d --- /dev/null +++ b/charts/core/templates/bootstrap-secret.yaml 
@@ -0,0 +1,20 @@ +{{/* Use the bootstrap password from values.yaml or random value*/}} +{{- $bootstrapPassword := .Values.bootstrapPassword -}} +{{- if .Values.global.aws.enabled -}} + {{- $bootstrapPassword = randAlphaNum 18 -}} +{{- end -}} +{{/* If a bootstrap password was found in the values or AWS is enabled */}} +{{- if $bootstrapPassword }} +apiVersion: v1 +kind: Secret +metadata: + name: "neuvector-bootstrap-secret" + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +type: Opaque +data: + bootstrapPassword: {{ $bootstrapPassword | b64enc |quote }} +{{- end }} diff --git a/charts/core/values.yaml b/charts/core/values.yaml index d6a56319..762deff0 100644 --- a/charts/core/values.yaml +++ b/charts/core/values.yaml @@ -57,6 +57,9 @@ global: # required for rancher authentication (https:///) tag: latest imagePullPolicy: IfNotPresent +# Set a bootstrap password. If leave empty, default admin password used. +bootstrapPassword: "" + autoGenerateCert: true defaultValidityPeriod: 365 From 3e7b01ee448efab64f129a464b4d24c9bcdb6f74 Mon Sep 17 00:00:00 2001 From: Selvam Thangaraj Date: Mon, 22 Jul 2024 22:58:01 +0000 Subject: [PATCH 08/16] disable admin only for azure --- charts/core/templates/controller-deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml index 4d4904c7..ffde172a 100644 --- a/charts/core/templates/controller-deployment.yaml +++ b/charts/core/templates/controller-deployment.yaml @@ -159,7 +159,7 @@ spec: - name: CSP_ENV value: "azure" {{- end }} - {{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} + {{- if .Values.global.azure.enabled }} - name: NO_DEFAULT_ADMIN value: "1" {{- end }} From 06be6dda8fce8e7897d3716de8da06639d83f03d Mon Sep 17 00:00:00 2001 
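Review bot: `randAlphaNum 18` is evaluated on every render, so with `global.aws.enabled` the Secret's `bootstrapPassword` is replaced by a fresh random value on each `helm upgrade`; the chart already solves this for its TLS secrets with `include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" ... "key" ... "defaultValue" ...)` (see controller-secret.yaml later in this series), and wrapping the generated value in the same helper would keep the stored password stable so the `kubectl get secret` command in NOTES.txt keeps returning the password actually in use — the helper's encoding contract (whether it returns base64) is not visible here, so check it before dropping the `b64enc`. Separately, when AWS is enabled the random value overwrites a user-supplied `.Values.bootstrapPassword` unconditionally; if that is intended the README row should say so, otherwise guard it with `{{- if and .Values.global.aws.enabled (not .Values.bootstrapPassword) -}}`. The README row in this patch lists the default as `false` while values.yaml sets `bootstrapPassword: ""`; the two should agree. Nothing in this series shows the controller consuming `neuvector-bootstrap-secret`, so presumably it is looked up by name by the controller.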
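Review bot: Restricting `NO_DEFAULT_ADMIN=1` to Azure means the built-in admin account exists again on AWS deployments, protected only by the bootstrap Secret created in the previous patch, and the README note on `global.aws.enabled` (`default admin user is disabled when aws market place billing enabled, use secret to create admin-role user`) is now stale and should be corrected in the same change. A comment next to the condition stating the intended split, e.g. `# Azure: no default admin; AWS: default admin with the generated neuvector-bootstrap-secret password`, would document why the two cloud cases differ. Whether the controller forces a password change after first login with the bootstrap password cannot be confirmed from this series. The env list continues outside the hunk.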
From: Selvam Thangaraj Date: Mon, 22 Jul 2024 23:53:49 +0000 Subject: [PATCH 09/16] Update Notes for bootstrap password support --- charts/core/templates/NOTES.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/core/templates/NOTES.txt b/charts/core/templates/NOTES.txt index 30d892fc..f2492a0f 100644 --- a/charts/core/templates/NOTES.txt +++ b/charts/core/templates/NOTES.txt @@ -25,7 +25,7 @@ Get the NeuVector URL by running these commands: {{- if or (.Values.global.aws.enabled) (.Values.bootstrapPassword) }} -NOTE: Use below command to get the password to login to NeuVector WebUi using admin account if it is a fresh install and not a restore from PVC, no admin password is set in the configmap or secret. This password is randomly generated if the bootstrap password is not specified during the deployment or AWS cloud billing is enabled. +NOTE: Use below command to get the password to login to NeuVector WebUi using admin account if it is a fresh install and not a restore from PVC, no admin password is set in the configmap or secret. The password is randomly generated during the deployment if AWS cloud billing is enabled. To get the bootstrap password: From 7b1abaf8b528e66dba46fc3f9889bc3622cd9126 Mon Sep 17 00:00:00 2001 
From: Selvam Thangaraj Date: Mon, 5 Aug 2024 19:41:01 +0000 Subject: [PATCH 10/16] Removed Heritage --- .../core/templates/admission-webhook-service.yaml | 1 - charts/core/templates/bootstrap-secret.yaml | 1 - charts/core/templates/clusterrole.yaml | 4 ---- .../core/templates/clusterrolebinding-least.yaml | 5 ----- charts/core/templates/clusterrolebinding.yaml | 5 ----- charts/core/templates/controller-deployment.yaml | 1 - charts/core/templates/controller-ingress.yaml | 6 ------ charts/core/templates/controller-route.yaml | 3 --- charts/core/templates/controller-secret.yaml | 1 - charts/core/templates/controller-service.yaml | 4 ---- charts/core/templates/crd-role-least.yaml | 14 -------------- charts/core/templates/crd-role.yaml | 14 -------------- charts/core/templates/crd.yaml | 8 -------- charts/core/templates/csp-clusterrole.yaml | 2 -- charts/core/templates/csp-clusterrolebinding.yaml | 2 -- charts/core/templates/csp-crd.yaml | 1 - charts/core/templates/csp-deployment.yaml | 1 - charts/core/templates/csp-role.yaml | 1 - charts/core/templates/csp-rolebinding.yaml | 1 - charts/core/templates/csp-serviceaccount.yaml | 1 - charts/core/templates/enforcer-daemonset.yaml | 1 - charts/core/templates/init-configmap.yaml | 1 - charts/core/templates/init-secret.yaml | 1 - charts/core/templates/manager-deployment.yaml | 1 - charts/core/templates/manager-ingress.yaml | 2 -- charts/core/templates/manager-route.yaml | 1 - charts/core/templates/manager-secret.yaml | 1 - charts/core/templates/manager-service.yaml | 1 - charts/core/templates/psp.yaml | 6 ------ charts/core/templates/pvc.yaml | 1 - .../core/templates/registry-adapter-ingress.yaml | 3 --- charts/core/templates/registry-adapter.yaml | 2 -- charts/core/templates/role-least.yaml | 1 - charts/core/templates/role.yaml | 1 - charts/core/templates/rolebinding-least.yaml | 5 ----- charts/core/templates/rolebinding.yaml | 3 --- charts/core/templates/scanner-deployment.yaml | 1 - 
charts/core/templates/serviceaccount-least.yaml | 6 ------ charts/core/templates/serviceaccount.yaml | 1 - charts/core/templates/updater-cronjob.yaml | 1 - 40 files changed, 116 deletions(-) diff --git a/charts/core/templates/admission-webhook-service.yaml b/charts/core/templates/admission-webhook-service.yaml index 0d92eec7..6a1bfa63 100644 --- a/charts/core/templates/admission-webhook-service.yaml +++ b/charts/core/templates/admission-webhook-service.yaml @@ -6,7 +6,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: ports: - port: 443 diff --git a/charts/core/templates/bootstrap-secret.yaml b/charts/core/templates/bootstrap-secret.yaml index 304aed9d..b631d506 100644 --- a/charts/core/templates/bootstrap-secret.yaml +++ b/charts/core/templates/bootstrap-secret.yaml @@ -13,7 +13,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm type: Opaque data: bootstrapPassword: {{ $bootstrapPassword | b64enc |quote }} diff --git a/charts/core/templates/clusterrole.yaml b/charts/core/templates/clusterrole.yaml index 54f33a90..49228b70 100644 --- a/charts/core/templates/clusterrole.yaml +++ b/charts/core/templates/clusterrole.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - "" @@ -44,7 +43,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: {{- if .Values.openshift }} - apiGroups: @@ -83,7 +81,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - admissionregistration.k8s.io @@ -108,7 +105,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - config.openshift.io 
diff --git a/charts/core/templates/clusterrolebinding-least.yaml b/charts/core/templates/clusterrolebinding-least.yaml index bcfca9a2..edb1007f 100644 --- a/charts/core/templates/clusterrolebinding-least.yaml +++ b/charts/core/templates/clusterrolebinding-least.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -46,7 +45,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -77,7 +75,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -108,7 +105,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -134,7 +130,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/core/templates/clusterrolebinding.yaml b/charts/core/templates/clusterrolebinding.yaml index 7147a9ff..4ea258c0 100644 --- a/charts/core/templates/clusterrolebinding.yaml +++ b/charts/core/templates/clusterrolebinding.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -46,7 +45,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io 
@@ -77,7 +75,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -108,7 +105,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -134,7 +130,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml index ffde172a..8d3509ab 100644 --- a/charts/core/templates/controller-deployment.yaml +++ b/charts/core/templates/controller-deployment.yaml @@ -19,7 +19,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm {{- with .Values.controller.annotations }} annotations: {{ toYaml . | indent 4 }} diff --git a/charts/core/templates/controller-ingress.yaml b/charts/core/templates/controller-ingress.yaml index 1ea0cdce..d8bcb32a 100644 --- a/charts/core/templates/controller-ingress.yaml +++ b/charts/core/templates/controller-ingress.yaml @@ -13,7 +13,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.ingress.ingressClassName }} ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }} @@ -50,7 +49,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.ingress.tls }} tls: 
@@ -85,7 +83,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.mastersvc.ingress.ingressClassName }} ingressClassName: {{ .Values.controller.federation.mastersvc.ingress.ingressClassName | quote }} @@ -123,7 +120,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.mastersvc.ingress.tls }} tls: @@ -158,7 +154,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.managedsvc.ingress.ingressClassName }} ingressClassName: {{ .Values.controller.federation.managedsvc.ingress.ingressClassName | quote }} @@ -196,7 +191,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.managedsvc.ingress.tls }} tls: diff --git a/charts/core/templates/controller-route.yaml b/charts/core/templates/controller-route.yaml index 377917af..b80816f1 100644 --- a/charts/core/templates/controller-route.yaml +++ b/charts/core/templates/controller-route.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.apisvc.route.host }} host: {{ .Values.controller.apisvc.route.host }} @@ -45,7 +44,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.mastersvc.route.host }} host: {{ .Values.controller.federation.mastersvc.route.host }} @@ -77,7 +75,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.federation.managedsvc.route.host }} host: {{ .Values.controller.federation.managedsvc.route.host }} 
diff --git a/charts/core/templates/controller-secret.yaml b/charts/core/templates/controller-secret.yaml index 65163f83..7658b936 100644 --- a/charts/core/templates/controller-secret.yaml +++ b/charts/core/templates/controller-secret.yaml @@ -11,7 +11,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm type: Opaque data: ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} diff --git a/charts/core/templates/controller-service.yaml b/charts/core/templates/controller-service.yaml index 9fbd0655..4705d491 100644 --- a/charts/core/templates/controller-service.yaml +++ b/charts/core/templates/controller-service.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: clusterIP: None ports: @@ -36,7 +35,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.controller.apisvc.type }} ports: @@ -61,7 +59,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.controller.federation.mastersvc.type }} {{- if and .Values.controller.federation.mastersvc.loadBalancerIP (eq .Values.controller.federation.mastersvc.type "LoadBalancer") }} @@ -101,7 +98,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.controller.federation.managedsvc.type }} {{- if and .Values.controller.federation.managedsvc.loadBalancerIP (eq .Values.controller.federation.managedsvc.type "LoadBalancer") }} diff --git a/charts/core/templates/crd-role-least.yaml b/charts/core/templates/crd-role-least.yaml index 64517f12..45222a48 100644 --- a/charts/core/templates/crd-role-least.yaml 
+++ b/charts/core/templates/crd-role-least.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - apiextensions.k8s.io @@ -43,7 +42,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -75,7 +73,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -103,7 +100,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -135,7 +131,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -162,7 +157,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -189,7 +183,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -221,7 +214,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -253,7 +245,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -280,7 +271,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -312,7 +302,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com 
@@ -339,7 +328,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -371,7 +359,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -398,7 +385,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io diff --git a/charts/core/templates/crd-role.yaml b/charts/core/templates/crd-role.yaml index 46d99761..ffa029c4 100644 --- a/charts/core/templates/crd-role.yaml +++ b/charts/core/templates/crd-role.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - apiextensions.k8s.io @@ -43,7 +42,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -75,7 +73,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -103,7 +100,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -135,7 +131,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -162,7 +157,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -189,7 +183,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io 
@@ -221,7 +214,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -253,7 +245,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -280,7 +271,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -312,7 +302,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -339,7 +328,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -371,7 +359,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - neuvector.com @@ -398,7 +385,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io diff --git a/charts/core/templates/crd.yaml b/charts/core/templates/crd.yaml index 48c5b07f..72cd24a3 100644 --- a/charts/core/templates/crd.yaml +++ b/charts/core/templates/crd.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -286,7 +285,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -560,7 +558,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: 
@@ -646,7 +643,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -773,7 +769,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -859,7 +854,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -916,7 +910,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: neuvector.com names: @@ -978,7 +971,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: ports: - port: 443 diff --git a/charts/core/templates/csp-clusterrole.yaml b/charts/core/templates/csp-clusterrole.yaml index 5e5dea5c..234f50db 100644 --- a/charts/core/templates/csp-clusterrole.yaml +++ b/charts/core/templates/csp-clusterrole.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - susecloud.net @@ -41,7 +40,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - susecloud.net diff --git a/charts/core/templates/csp-clusterrolebinding.yaml b/charts/core/templates/csp-clusterrolebinding.yaml index 244e7b43..bb0a331b 100644 --- a/charts/core/templates/csp-clusterrolebinding.yaml +++ b/charts/core/templates/csp-clusterrolebinding.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -46,7 +45,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole 
diff --git a/charts/core/templates/csp-crd.yaml b/charts/core/templates/csp-crd.yaml index a0ddf655..b879776e 100644 --- a/charts/core/templates/csp-crd.yaml +++ b/charts/core/templates/csp-crd.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: group: susecloud.net names: diff --git a/charts/core/templates/csp-deployment.yaml b/charts/core/templates/csp-deployment.yaml index 6ea55792..82ef4739 100644 --- a/charts/core/templates/csp-deployment.yaml +++ b/charts/core/templates/csp-deployment.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm {{- with .Values.global.aws.annotations }} annotations: {{ toYaml . | indent 4 }} diff --git a/charts/core/templates/csp-role.yaml b/charts/core/templates/csp-role.yaml index 4c7df981..3bba9540 100644 --- a/charts/core/templates/csp-role.yaml +++ b/charts/core/templates/csp-role.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - "" diff --git a/charts/core/templates/csp-rolebinding.yaml b/charts/core/templates/csp-rolebinding.yaml index 946b2c52..0327fdc7 100644 --- a/charts/core/templates/csp-rolebinding.yaml +++ b/charts/core/templates/csp-rolebinding.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/charts/core/templates/csp-serviceaccount.yaml b/charts/core/templates/csp-serviceaccount.yaml index 0f777c2b..32827502 100644 --- a/charts/core/templates/csp-serviceaccount.yaml +++ b/charts/core/templates/csp-serviceaccount.yaml 
@@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm annotations: {{- if .Values.global.aws.enabled }} eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.global.aws.accountNumber }}:role/{{ .Values.global.aws.roleName }} diff --git a/charts/core/templates/enforcer-daemonset.yaml b/charts/core/templates/enforcer-daemonset.yaml index af34458d..2554ca73 100644 --- a/charts/core/templates/enforcer-daemonset.yaml +++ b/charts/core/templates/enforcer-daemonset.yaml @@ -32,7 +32,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} spec: updateStrategy: {{- toYaml .Values.enforcer.updateStrategy | nindent 4 }} diff --git a/charts/core/templates/init-configmap.yaml b/charts/core/templates/init-configmap.yaml index 1300794a..5c29ca25 100644 --- a/charts/core/templates/init-configmap.yaml +++ b/charts/core/templates/init-configmap.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm data: {{ toYaml .Values.controller.configmap.data | indent 2 }} {{- end }} diff --git a/charts/core/templates/init-secret.yaml b/charts/core/templates/init-secret.yaml index d4bfca59..d9b4676c 100644 --- a/charts/core/templates/init-secret.yaml +++ b/charts/core/templates/init-secret.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm data: {{- range $key, $val := .Values.controller.secret.data }} {{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }} diff --git a/charts/core/templates/manager-deployment.yaml b/charts/core/templates/manager-deployment.yaml index d9ea4b28..45badb6c 100644 --- a/charts/core/templates/manager-deployment.yaml +++ b/charts/core/templates/manager-deployment.yaml 
@@ -11,7 +11,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: replicas: 1 selector: diff --git a/charts/core/templates/manager-ingress.yaml b/charts/core/templates/manager-ingress.yaml index 52826fc5..9dc4bb53 100644 --- a/charts/core/templates/manager-ingress.yaml +++ b/charts/core/templates/manager-ingress.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.manager.ingress.ingressClassName }} ingressClassName: {{ .Values.manager.ingress.ingressClassName | quote }} @@ -49,7 +48,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.manager.ingress.tls }} tls: diff --git a/charts/core/templates/manager-route.yaml b/charts/core/templates/manager-route.yaml index 77262d5b..f79a7332 100644 --- a/charts/core/templates/manager-route.yaml +++ b/charts/core/templates/manager-route.yaml @@ -12,7 +12,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.manager.route.host }} host: {{ .Values.manager.route.host }} diff --git a/charts/core/templates/manager-secret.yaml b/charts/core/templates/manager-secret.yaml index 601dae37..622391ac 100644 --- a/charts/core/templates/manager-secret.yaml +++ b/charts/core/templates/manager-secret.yaml @@ -10,7 +10,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm type: Opaque data: ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} diff --git a/charts/core/templates/manager-service.yaml b/charts/core/templates/manager-service.yaml index 0778d897..b310f63d 100644 --- a/charts/core/templates/manager-service.yaml 
+++ b/charts/core/templates/manager-service.yaml @@ -11,7 +11,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.manager.svc.type }} {{- if and .Values.manager.svc.loadBalancerIP (eq .Values.manager.svc.type "LoadBalancer") }} diff --git a/charts/core/templates/psp.yaml b/charts/core/templates/psp.yaml index 97bf757e..2d9d77e8 100644 --- a/charts/core/templates/psp.yaml +++ b/charts/core/templates/psp.yaml @@ -7,7 +7,6 @@ metadata: seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} spec: privileged: true @@ -44,7 +43,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} rules: - apiGroups: @@ -64,7 +62,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io @@ -89,7 +86,6 @@ metadata: name: neuvector-binding-psp-controller labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} spec: privileged: false @@ -125,7 +121,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} rules: - apiGroups: @@ -145,7 +140,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/charts/core/templates/pvc.yaml b/charts/core/templates/pvc.yaml index b7e97e7d..d0c51962 100644 --- a/charts/core/templates/pvc.yaml +++ b/charts/core/templates/pvc.yaml 
@@ -8,7 +8,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: accessModes: {{ toYaml .Values.controller.pvc.accessModes | indent 4 }} diff --git a/charts/core/templates/registry-adapter-ingress.yaml b/charts/core/templates/registry-adapter-ingress.yaml index aec7161c..ab05054f 100644 --- a/charts/core/templates/registry-adapter-ingress.yaml +++ b/charts/core/templates/registry-adapter-ingress.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.cve.adapter.ingress.ingressClassName }} ingressClassName: {{ .Values.cve.adapter.ingress.ingressClassName | quote }} @@ -51,7 +50,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.cve.adapter.ingress.tls }} tls: @@ -87,7 +85,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.cve.adapter.route.host }} host: {{ .Values.cve.adapter.route.host }} diff --git a/charts/core/templates/registry-adapter.yaml b/charts/core/templates/registry-adapter.yaml index 7855558c..1e603748 100644 --- a/charts/core/templates/registry-adapter.yaml +++ b/charts/core/templates/registry-adapter.yaml @@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: replicas: 1 selector: @@ -186,7 +185,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: type: {{ .Values.cve.adapter.svc.type }} {{- if and .Values.cve.adapter.svc.loadBalancerIP (eq .Values.cve.adapter.svc.type "LoadBalancer") }} diff --git a/charts/core/templates/role-least.yaml b/charts/core/templates/role-least.yaml index 85202c9b..7520d7c9 100644 --- a/charts/core/templates/role-least.yaml +++ b/charts/core/templates/role-least.yaml 
@@ -15,7 +15,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - apps diff --git a/charts/core/templates/role.yaml b/charts/core/templates/role.yaml index 694ecff1..a171742d 100644 --- a/charts/core/templates/role.yaml +++ b/charts/core/templates/role.yaml @@ -14,7 +14,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - "" diff --git a/charts/core/templates/rolebinding-least.yaml b/charts/core/templates/rolebinding-least.yaml index e287dde0..39fc3d17 100644 --- a/charts/core/templates/rolebinding-least.yaml +++ b/charts/core/templates/rolebinding-least.yaml @@ -16,7 +16,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -147,7 +146,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -186,7 +184,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -243,7 +240,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - security.openshift.io @@ -264,7 +260,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/core/templates/rolebinding.yaml b/charts/core/templates/rolebinding.yaml index f0f7cd90..17ea2bb7 100644 --- a/charts/core/templates/rolebinding.yaml +++ b/charts/core/templates/rolebinding.yaml 
@@ -16,7 +16,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -48,7 +47,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -75,7 +73,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/charts/core/templates/scanner-deployment.yaml b/charts/core/templates/scanner-deployment.yaml index 83c92be8..3f1c0dec 100644 --- a/charts/core/templates/scanner-deployment.yaml +++ b/charts/core/templates/scanner-deployment.yaml @@ -14,7 +14,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} - heritage: Helm release: {{ .Release.Name }} spec: strategy: diff --git a/charts/core/templates/serviceaccount-least.yaml b/charts/core/templates/serviceaccount-least.yaml index cd1cb2fa..5d1715da 100644 --- a/charts/core/templates/serviceaccount-least.yaml +++ b/charts/core/templates/serviceaccount-least.yaml @@ -7,7 +7,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- @@ -19,7 +18,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- @@ -31,7 +29,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- @@ -43,7 +40,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- @@ -55,7 +51,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- @@ -67,7 +62,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm --- 
diff --git a/charts/core/templates/serviceaccount.yaml b/charts/core/templates/serviceaccount.yaml index 46a3027c..dc625cde 100644 --- a/charts/core/templates/serviceaccount.yaml +++ b/charts/core/templates/serviceaccount.yaml @@ -8,6 +8,5 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm {{- end }} {{- end }} diff --git a/charts/core/templates/updater-cronjob.yaml b/charts/core/templates/updater-cronjob.yaml index e34422ad..936ec4b8 100644 --- a/charts/core/templates/updater-cronjob.yaml +++ b/charts/core/templates/updater-cronjob.yaml @@ -13,7 +13,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: schedule: {{ .Values.cve.updater.schedule | quote }} jobTemplate: From 6876d051e24055c6f22e8bd81fe70b48e5f62980 Mon Sep 17 00:00:00 2001 From: "Sam Wang (holyspectral)" Date: Thu, 22 Aug 2024 14:45:25 -0400 Subject: [PATCH 11/16] fix: pod created by upgrader cronjob has no effect --- charts/core/templates/controller-deployment.yaml | 4 ---- charts/core/templates/upgrader-cronjob.yaml | 3 +++ 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml index 8d3509ab..ec67ae96 100644 --- a/charts/core/templates/controller-deployment.yaml +++ b/charts/core/templates/controller-deployment.yaml @@ -98,10 +98,6 @@ spec: env: - name: OVERRIDE_CHECKSUM value: {{ dict "image" (include "neuvector.controller.image" .) "internal" .Values.internal "certupgrader" .Values.controller.certupgrader | toJson | sha256sum }} - {{- if and .Values.internal.autoRotateCert (not $pre540) }} - - name: ENABLE_ROTATION - value: "1" - {{- end }} {{- with .Values.controller.certupgrader.env }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/core/templates/upgrader-cronjob.yaml b/charts/core/templates/upgrader-cronjob.yaml index 684c7542..79c6f413 100644 
--- a/charts/core/templates/upgrader-cronjob.yaml +++ b/charts/core/templates/upgrader-cronjob.yaml @@ -73,6 +73,9 @@ spec: command: - /usr/local/bin/upgrader - upgrader-job + {{- if and .Values.internal.autoRotateCert }} + - --enable-rotation + {{- end }} env: {{- with .Values.controller.certupgrader.env }} {{- toYaml . | nindent 14 }} From d2f1b957dde20d820ee309aa85fd1d4dfad9dc00 Mon Sep 17 00:00:00 2001 From: Venkatesh Jayagopal Date: Tue, 27 Aug 2024 19:08:18 +0000 Subject: [PATCH 12/16] Adding support for CTRL_SEARCH_REGISTRIES env variable NVSHAS-9255 --- charts/core/README.md | 1 + charts/core/templates/controller-deployment.yaml | 4 ++++ charts/core/values.yaml | 1 + 3 files changed, 6 insertions(+) diff --git a/charts/core/README.md b/charts/core/README.md index b0e560b4..2bbc155b 100644 --- a/charts/core/README.md +++ b/charts/core/README.md @@ -68,6 +68,7 @@ Parameter | Description | Default | Notes `controller.pvc.existingClaim` | If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used. | `false` | `controller.pvc.storageClass` | Storage Class to be used | `default` | `controller.pvc.capacity` | Storage capacity | `1Gi` | +`controller.searchRegistries` | Custom search registries for Admission control | `nil` | `controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` | `controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` | `controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` | diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml index ec67ae96..fb479184 100644 --- a/charts/core/templates/controller-deployment.yaml +++ b/charts/core/templates/controller-deployment.yaml 
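Review bot: `{{- if and .Values.internal.autoRotateCert }}` applies `and` to a single operand, which is a no-op; write `{{- if .Values.internal.autoRotateCert }}`. The `ENABLE_ROTATION` env var this flag replaces (removed in the controller-deployment.yaml hunk of the same commit) was additionally gated on `(not $pre540)`, presumably a version guard, and that guard does not reappear here, so the `--enable-rotation` argument is now passed regardless of that condition — worth confirming this is intended or restoring the guard if `$pre540` is defined in this template. The enclosing container spec continues outside the hunk.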
@@ -158,6 +158,10 @@ spec: - name: NO_DEFAULT_ADMIN value: "1" {{- end }} + {{- if .Values.controller.searchRegistries }} + - name: CTRL_SEARCH_REGISTRIES + value: "{{ .Values.controller.searchRegistries }}" + {{- end }} {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} {{- else if .Values.internal.autoGenerateCert }} - name: AUTO_INTERNAL_CERT diff --git a/charts/core/values.yaml b/charts/core/values.yaml index 762deff0..2e612b68 100644 --- a/charts/core/values.yaml +++ b/charts/core/values.yaml @@ -89,6 +89,7 @@ controller: priorityClassName: podLabels: {} podAnnotations: {} + searchRegistries: env: [] affinity: podAntiAffinity: From f5604bd708c378f35b7fcd77a4dedc3c2b8561af Mon Sep 17 00:00:00 2001 From: "Sam Wang (holyspectral)" Date: Tue, 27 Aug 2024 16:22:19 -0400 Subject: [PATCH 13/16] feat: NVSHAS-9382 allow providing TLS certificates Allow users to provide TLS certificates in helm charts. --- .../core/templates/controller-deployment.yaml | 8 +++----- charts/core/templates/controller-secret.yaml | 9 +++++++-- charts/core/templates/manager-deployment.yaml | 8 +++----- charts/core/templates/manager-secret.yaml | 9 +++++++-- .../templates/registry-adapter-secret.yaml | 10 ++++++++-- charts/core/templates/registry-adapter.yaml | 8 +++----- charts/core/values.yaml | 18 ++++++++++++++++++ 7 files changed, 49 insertions(+), 21 deletions(-) diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml index fb479184..816bfa17 100644 --- a/charts/core/templates/controller-deployment.yaml +++ b/charts/core/templates/controller-deployment.yaml 
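Review bot: `value: "{{ .Values.controller.searchRegistries }}"` interpolates the raw value inside YAML double quotes, so a value containing a `"` or a backslash yields an unparsable manifest, and a list given in values.yaml renders as Go's `[a b]` rather than anything the controller would expect; use `value: {{ .Values.controller.searchRegistries | toString | quote }}` so Helm does the escaping. The README row added in this commit only says "Custom search registries for Admission control" with default `nil`, and the values.yaml hunk adds a bare `searchRegistries:` (null) with no comment; a one-line comment there stating the expected format (for instance whether it is a comma-separated string) would make `CTRL_SEARCH_REGISTRIES` usable without reading controller code. The container env list continues outside the hunk.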
@@ -39,7 +39,6 @@ spec: {{- with .Values.controller.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if or .Values.controller.secret.enabled .Values.controller.configmap.enabled .Values.controller.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }} annotations: {{- if .Values.controller.secret.enabled }} checksum/init-secret: {{ include (print $.Template.BasePath "/init-secret.yaml") . | sha256sum }} @@ -47,13 +46,12 @@ spec: {{- if .Values.controller.configmap.enabled }} checksum/init-configmap: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }} {{- end }} - {{- if eq "true" (toString .Values.autoGenerateCert) }} + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} checksum/controller-secret: {{ include (print $.Template.BasePath "/controller-secret.yaml") . | sha256sum }} {{- end }} {{- if .Values.controller.podAnnotations }} {{- toYaml .Values.controller.podAnnotations | nindent 8 }} {{- end }} - {{- end }} spec: {{- if .Values.controller.affinity }} affinity: @@ -209,7 +207,7 @@ spec: subPath: {{ .Values.controller.certificate.pemFile }} name: usercert readOnly: true - {{- else if eq "true" (toString .Values.autoGenerateCert) }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} - mountPath: /etc/neuvector/certs/ssl-cert.key subPath: ssl-cert.key name: cert @@ -285,7 +283,7 @@ spec: - secret: name: neuvector-secret optional: true - {{- if eq "true" (toString .Values.autoGenerateCert) }} + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} - name: cert secret: secretName: neuvector-controller-secret 
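Review bot: The condition `or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate)` is copy-pasted into three hunks of this file and into controller-secret.yaml, and the manager and registry-adapter variants repeat the pattern in manager-deployment.yaml, manager-secret.yaml, registry-adapter.yaml and registry-adapter-secret.yaml; a per-component helper that emits `true` when the chart manages the cert, e.g. `{{- define "neuvector.controller.chartCert" -}}{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }}true{{- end -}}{{- end -}}` used as `{{- if include "neuvector.controller.chartCert" . }}`, keeps the secret template, the checksum annotation and the volume mount from drifting apart. The first hunk also drops the outer guard around `annotations:`, so when neither the init secret, the configmap, podAnnotations nor a chart-managed cert is enabled the template now emits a bare `annotations:` key (null); Kubernetes accepts that, but yamllint flags it as an empty value, so either keep a guard or note the intent in a template comment.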
diff --git a/charts/core/templates/controller-secret.yaml b/charts/core/templates/controller-secret.yaml index 7658b936..fb743c24 100644 --- a/charts/core/templates/controller-secret.yaml +++ b/charts/core/templates/controller-secret.yaml @@ -1,7 +1,12 @@ {{- if .Values.controller.enabled -}} -{{- if eq "true" (toString .Values.autoGenerateCert) }} +{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} +{{- $cert := (dict) }} +{{- if and .Values.controller.certificate.key .Values.controller.certificate.certificate }} +{{- $cert = (dict "Key" .Values.controller.certificate.key "Cert" .Values.controller.certificate.certificate ) }} +{{- else }} {{- $cn := "neuvector" }} -{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +{{- $cert = genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +{{- end }} apiVersion: v1 kind: Secret diff --git a/charts/core/templates/manager-deployment.yaml b/charts/core/templates/manager-deployment.yaml index 45badb6c..e744c86a 100644 --- a/charts/core/templates/manager-deployment.yaml +++ b/charts/core/templates/manager-deployment.yaml @@ -24,15 +24,13 @@ spec: {{- with .Values.manager.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if or .Values.manager.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }} annotations: - {{- if eq "true" (toString .Values.autoGenerateCert) }} + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} checksum/manager-secret: {{ include (print $.Template.BasePath "/manager-secret.yaml") . | sha256sum }} {{- end }} {{- if .Values.manager.podAnnotations }} {{- toYaml .Values.manager.podAnnotations | nindent 8 }} {{- end }} - {{- end }} spec: {{- if .Values.manager.affinity }} affinity: 
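Review bot: Setting only one of `controller.certificate.key` / `controller.certificate.certificate` is silently ignored: the `{{- if and ... }}` test fails, the `else` branch generates a self-signed cert, and the operator's half-configured material is never used, which is hard to notice because the pod still comes up with a valid-looking certificate. Add an explicit check before the `else`, e.g. `{{- else if or .Values.controller.certificate.key .Values.controller.certificate.certificate }}` followed by `{{- fail "controller.certificate.key and controller.certificate.certificate must both be set" }}`, so a partial configuration aborts the render; the same gap is in the manager-secret.yaml and registry-adapter-secret.yaml hunks of this commit. Nothing here checks that the supplied strings are PEM either; a `fail` when the key does not contain a `-----BEGIN` marker would be a cheap guard. The new `$cert` dict uses the same `Key`/`Cert` field names as the `genSelfSignedCert` result, so the `$cert.Key`/`$cert.Cert` consumers below the hunk (outside this view) should keep working unchanged.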
@@ -111,7 +109,7 @@ spec: subPath: {{ .Values.manager.certificate.pemFile }} name: cert readOnly: true - {{- else if eq "true" (toString .Values.autoGenerateCert) }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} - mountPath: /etc/neuvector/certs/ssl-cert.key subPath: ssl-cert.key name: cert @@ -174,7 +172,7 @@ spec: - name: cert secret: secretName: {{ .Values.manager.certificate.secret }} - {{- else if eq "true" (toString .Values.autoGenerateCert) }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} - name: cert secret: secretName: neuvector-manager-secret diff --git a/charts/core/templates/manager-secret.yaml b/charts/core/templates/manager-secret.yaml index 622391ac..46563bcb 100644 --- a/charts/core/templates/manager-secret.yaml +++ b/charts/core/templates/manager-secret.yaml @@ -1,7 +1,12 @@ {{- if .Values.manager.enabled -}} -{{- if eq "true" (toString .Values.autoGenerateCert) }} +{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }} +{{- $cert := (dict) }} +{{- if and .Values.manager.certificate.key .Values.manager.certificate.certificate }} +{{- $cert = (dict "Key" .Values.manager.certificate.key "Cert" .Values.manager.certificate.certificate ) }} +{{- else }} {{- $cn := "neuvector" }} -{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +{{- $cert = genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +{{- end }} apiVersion: v1 kind: Secret metadata: diff --git a/charts/core/templates/registry-adapter-secret.yaml b/charts/core/templates/registry-adapter-secret.yaml index 64ee05f1..66f0d80e 100644 --- a/charts/core/templates/registry-adapter-secret.yaml +++ b/charts/core/templates/registry-adapter-secret.yaml 
@@ -1,7 +1,13 @@ {{- if .Values.cve.adapter.enabled -}} -{{- if eq "true" (toString .Values.autoGenerateCert) }} +{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} +{{- $cert := (dict) }} +{{- if and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate }} +{{- $cert = (dict "Key" .Values.cve.adapter.certificate.key "Cert" .Values.cve.adapter.certificate.certificate ) }} +{{- else }} {{- $cn := "neuvector" }} -{{- $cert := genSelfSignedCert $cn nil (list $cn "neuvector-service-registry-adapter.cattle-neuvector-system.svc.cluster.local" "neuvector-service-registry-adapter") (.Values.defaultValidityPeriod | int) -}} +{{- $cert = genSelfSignedCert $cn nil (list $cn "neuvector-service-registry-adapter.cattle-neuvector-system.svc.cluster.local" "neuvector-service-registry-adapter") (.Values.defaultValidityPeriod | int) -}} +{{- end }} + apiVersion: v1 kind: Secret metadata: diff --git a/charts/core/templates/registry-adapter.yaml b/charts/core/templates/registry-adapter.yaml index 1e603748..d8c7092c 100644 --- a/charts/core/templates/registry-adapter.yaml +++ b/charts/core/templates/registry-adapter.yaml @@ -28,15 +28,13 @@ spec: {{- with .Values.cve.adapter.podLabels }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if or .Values.cve.adapter.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }} annotations: - {{- if eq "true" (toString .Values.autoGenerateCert) }} + {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} checksum/registry-adapter-secret: {{ include (print $.Template.BasePath "/registry-adapter-secret.yaml") . | sha256sum }} {{- end }} {{- if .Values.cve.adapter.podAnnotations }} {{- toYaml .Values.cve.adapter.podAnnotations | nindent 8 }} {{- end }} - {{- end }} spec: {{- if .Values.cve.adapter.affinity }} affinity: 
@@ -135,7 +133,7 @@ spec: subPath: {{ .Values.cve.adapter.certificate.pemFile }} name: cert readOnly: true - {{- else if eq "true" (toString .Values.autoGenerateCert) }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} - mountPath: /etc/neuvector/certs/ssl-cert.key subPath: ssl-cert.key name: cert @@ -157,7 +155,7 @@ spec: - name: cert secret: secretName: {{ .Values.cve.adapter.certificate.secret }} - {{- else if eq "true" (toString .Values.autoGenerateCert) }} + {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.cve.adapter.certificate.key .Values.cve.adapter.certificate.certificate) }} - name: cert secret: secretName: neuvector-registry-adapter-secret diff --git a/charts/core/values.yaml b/charts/core/values.yaml index 2e612b68..a5610885 100644 --- a/charts/core/values.yaml +++ b/charts/core/values.yaml @@ -148,6 +148,12 @@ controller: secret: "" keyFile: tls.key pemFile: tls.pem + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: secret: "" @@ -384,6 +390,12 @@ manager: secret: "" keyFile: tls.key pemFile: tls.pem + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- ingress: enabled: false host: # MUST be set, if ingress is enabled @@ -455,6 +467,12 @@ cve: secret: "" keyFile: tls.key pemFile: tls.crt + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- harbor: protocol: https secretName: From 3339a7e859a777efff82d4cecad8d79dd8fd7ccc Mon Sep 17 00:00:00 2001 
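Review bot: The new commented examples show pasting a private key directly under `controller.certificate.key`, `manager.certificate.key` and `cve.adapter.certificate.key`, but nothing documents that values passed this way are persisted in the Helm release record and shown by `helm get values`; a comment such as `# Prefer certificate.secret with a pre-created Secret; key material given inline is stored in the Helm release history` above each block would steer users to the existing `secret:` option. The commit's diffstat touches no README, so the `certificate.key` / `certificate.certificate` parameters are missing from the parameter table that already lists `pemFile` and `keyFile`. Minor: the examples use `#key:` without a space after `#`, unlike the surrounding comments.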
From: Selvam Thangaraj Date: Mon, 5 Aug 2024 19:41:01 +0000 Subject: [PATCH 14/16] Removed Heritage --- charts/core/templates/role.yaml | 3 --- charts/core/templates/rolebinding-least.yaml | 3 --- charts/core/templates/rolebinding.yaml | 3 --- charts/core/templates/serviceaccount-least.yaml | 1 - charts/core/templates/upgrader-cronjob.yaml | 1 - 5 files changed, 11 deletions(-) diff --git a/charts/core/templates/role.yaml b/charts/core/templates/role.yaml index a171742d..3ded8c97 100644 --- a/charts/core/templates/role.yaml +++ b/charts/core/templates/role.yaml @@ -41,7 +41,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - coordination.k8s.io @@ -65,7 +64,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - batch @@ -98,7 +96,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm rules: - apiGroups: - "" diff --git a/charts/core/templates/rolebinding-least.yaml b/charts/core/templates/rolebinding-least.yaml index 39fc3d17..a3effd3f 100644 --- a/charts/core/templates/rolebinding-least.yaml +++ b/charts/core/templates/rolebinding-least.yaml @@ -50,7 +50,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -85,7 +84,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -116,7 +114,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io diff --git a/charts/core/templates/rolebinding.yaml b/charts/core/templates/rolebinding.yaml index 17ea2bb7..8a721dc7 100644 
--- a/charts/core/templates/rolebinding.yaml +++ b/charts/core/templates/rolebinding.yaml @@ -100,7 +100,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -127,7 +126,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io @@ -157,7 +155,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io diff --git a/charts/core/templates/serviceaccount-least.yaml b/charts/core/templates/serviceaccount-least.yaml index 5d1715da..f018447a 100644 --- a/charts/core/templates/serviceaccount-least.yaml +++ b/charts/core/templates/serviceaccount-least.yaml @@ -73,5 +73,4 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm {{- end }} diff --git a/charts/core/templates/upgrader-cronjob.yaml b/charts/core/templates/upgrader-cronjob.yaml index 79c6f413..62f2bc11 100644 --- a/charts/core/templates/upgrader-cronjob.yaml +++ b/charts/core/templates/upgrader-cronjob.yaml @@ -13,7 +13,6 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} - heritage: Helm spec: {{- if .Values.controller.certupgrader.schedule }} schedule: {{ .Values.controller.certupgrader.schedule | quote }} From ad03d0abcdb79d58f07e65f8ef779617230a132a Mon Sep 17 00:00:00 2001 From: "Sam Wang (holyspectral)" Date: Tue, 27 Aug 2024 17:51:09 -0400 Subject: [PATCH 15/16] feat: NVSHAS-9382 remove lookup for aws-addon WARNING: Do not merge this to main tree as this is specifically for aws-addon. --- charts/core/templates/_helpers.tpl | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) 
diff --git a/charts/core/templates/_helpers.tpl b/charts/core/templates/_helpers.tpl index 8a598d32..f8f5388f 100644 --- a/charts/core/templates/_helpers.tpl +++ b/charts/core/templates/_helpers.tpl @@ -35,17 +35,9 @@ Create chart name and version as used by the chart label. Lookup secret. */}} {{- define "neuvector.secrets.lookup" -}} -{{- $value := "" -}} -{{- $secretData := (lookup "v1" "Secret" .namespace .secret).data -}} -{{- if and $secretData (hasKey $secretData .key) -}} - {{- $value = index $secretData .key -}} -{{- else if .defaultValue -}} - {{- $value = .defaultValue | toString | b64enc -}} -{{- end -}} -{{- if $value -}} +{{- $value := .defaultValue | toString | b64enc -}} {{- printf "%s" $value -}} {{- end -}} -{{- end -}} {{- define "neuvector.controller.image" -}} {{- if .Values.global.azure.enabled }} From 3ef7cbb9235021d025c3057932ed7661a46d368f Mon Sep 17 00:00:00 2001 From: James Mason Date: Wed, 4 Sep 2024 14:49:18 -0700 Subject: [PATCH 16/16] Add schema for required EKS Addon helm attributes --- charts/core/aws_mp_configuration_schema.json | 27 ++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 charts/core/aws_mp_configuration_schema.json diff --git a/charts/core/aws_mp_configuration_schema.json b/charts/core/aws_mp_configuration_schema.json new file mode 100644 index 00000000..570eef2b --- /dev/null +++ b/charts/core/aws_mp_configuration_schema.json @@ -0,0 +1,27 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "properties": { + "global" : { + "type": "object", + "properties": { + "aws": { + "type": "object", + "properties": { + "accountNumber": { + "type": ["integer", "string"], + "description": "AWS Account Number; Follow AWS subscription instruction" + }, + "roleName": { + "type": "string", + "description": "AWS Role name for billing; Follow AWS subscription instruction" + } + }, + "required": [ + "accountNumber", + "roleName" + ] + } + } + } + } +}
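Review bot: After this hunk `neuvector.secrets.lookup` no longer looks anything up: it ignores the `namespace`, `secret` and `key` arguments callers still pass (see the manager-secret.yaml context line `include "neuvector.secrets.lookup" (dict "namespace" ... "defaultValue" $cert.Key)` earlier in this series) and always returns the b64-encoded `defaultValue`. Since the secret templates pass a freshly generated `genSelfSignedCert` as that default, this presumably means the generated TLS key and cert are re-created on every `helm upgrade` instead of being preserved from the existing Secret, and dropping the `{{- if $value -}}` guard means an empty default now renders as an empty string rather than nothing; both deserve a comment in the define, e.g. `{{/* aws-addon build: intentionally no cluster lookup; always returns the encoded defaultValue, so chart-generated certs are re-created on each upgrade */}}`. The commit message already warns not to merge this to main; renaming the helper or dropping the unused arguments at the call sites would make the reduced contract visible.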
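Review bot: `accountNumber` accepts `integer`, but an AWS account ID is a 12-digit identifier that may start with zeros, and the value is interpolated verbatim into `arn:aws:iam::{{ .Values.global.aws.accountNumber }}:role/{{ .Values.global.aws.roleName }}` in csp-serviceaccount.yaml earlier in this series, so an integer form loses leading zeros and yields an ARN for a different, possibly nonexistent, account. Constrain it with `"type": "string", "pattern": "^[0-9]{12}$"` (keep `integer` in the type list only if existing deployments already pass one; the pattern still guards the string form), and give `roleName` at least `"minLength": 1` so an empty role name cannot produce a malformed role ARN. Style: `"global" :` has a space before the colon, unlike the other keys.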