neuvector · selvamt94 · Jul 22, 2024 · Jul 22, 2024 · Jul 22, 2024 · Aug 5, 2024
@@ -23,9 +23,12 @@ Parameter | Description | Default | Notes
 `psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` |
 `serviceAccount` | Service account name for NeuVector components | `default` |
 `leastPrivilege` | Use least privileged service account | `false` |
+`bootstrapPassword` | Set password for admin user account if present | `false` | Random password generated if aws billing is enabled
 `autoGenerateCert` | Automatically generate certificate or not | `true` |
 `internal.certmanager.enabled` | cert-manager is installed for the internal certificates | `false` |
 `internal.certmanager.secretname` | Name of the secret to be used for the internal certificates | `neuvector-internal` |
+`internal.autoGenerateCert` | Automatically generate internal certificate or not | `true` |
+`internal.autoRotateCert` | Automatically rotate internal certificate or not | `false` |
 `defaultValidityPeriod` | The default validity period used for certs automatically generated (days) | `365` |
 `global.cattle.url` | Set the Rancher Server URL | | Required for Rancher Authentication. `https://<Rancher_URL>/` |
 `global.aws.enabled` | If true, install AWS billing csp adapter | `false` | **Note**: default admin user is disabled when aws market place billing enabled, use secret to create admin-role user to manage NeuVector deployment.
@@ -65,6 +68,7 @@ Parameter | Description | Default | Notes
 `controller.pvc.existingClaim` | If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used. | `false` |
 `controller.pvc.storageClass` | Storage Class to be used | `default` |
 `controller.pvc.capacity` | Storage capacity | `1Gi` |
+`controller.searchRegistries` | Custom search registries for Admission control | `nil` |
 `controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` |
 `controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` |
 `controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` |
@@ -137,6 +141,13 @@ Parameter | Description | Default | Notes
 `controller.internal.certificate.keyFile` | Set PEM format key file for custom controller internal certificate | `tls.key` |
 `controller.internal.certificate.pemFile` | Set PEM format certificate file for custom controller internal certificate | `tls.crt` |
 `controller.internal.certificate.caFile` | Set CA certificate file for controller custom internal certificate | `ca.crt` |
+`controller.certupgrader.env` | User-defined environment variables. | `[]` |
+`controller.certupgrader.schedule` | cert upgrader schedule.  Leave empty to disable | `` |
+`controller.certupgrader.priorityClassName` | cert upgrader priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
+`controller.certupgrader.podLabels` | Specify the pod labels. | `{}` |
+`controller.certupgrader.podAnnotations` | Specify the pod annotations. | `{}` |
+`controller.certupgrader.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
+`controller.certupgrader.runAsUser` | Specify the run as User ID | `nil` |
 `enforcer.enabled` | If true, create enforcer | `true` |
 `enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` |
 `enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |

@@ -0,0 +1,27 @@
+{
+  "$schema": "https://json-schema.org/draft/2019-09/schema",
+  "properties": {
+    "global" : {
+      "type": "object",
+      "properties": {
+        "aws": {
+          "type": "object",
+          "properties": {
+            "accountNumber": {
+              "type": ["integer", "string"],
+              "description": "AWS Account Number; Follow AWS subscription instruction"
+            },
+            "roleName": {
+              "type": "string",
+              "description": "AWS Role name for billing; Follow AWS subscription instruction"
+            }
+          },
+          "required": [
+            "accountNumber",
+            "roleName"
+          ]
+        }
+      }
+    }
+  }
+}
@@ -21,3 +21,14 @@ Get the NeuVector URL by running these commands:
   echo https://$SERVICE_IP:8443
 {{- end }}
 {{- end }}
+
+
+{{- if or (.Values.global.aws.enabled) (.Values.bootstrapPassword) }}
+
+NOTE: Use below command to get the password to login to NeuVector WebUi using admin account if it is a fresh install and not a restore from PVC, no admin password is set in the configmap or secret. The password is randomly generated during the deployment if AWS cloud billing is enabled.
+
+To get the bootstrap password:
+
+kubectl get secret --namespace {{ .Release.Namespace }} neuvector-bootstrap-secret -o go-template='{{ "{{" }}.data.bootstrapPassword|base64decode{{ "}}" }}{{ "{{" }} "\n" {{ "}}" }}'
+
+{{- end }}
@@ -35,14 +35,26 @@ Create chart name and version as used by the chart label.
 Lookup secret.
 */}}
 {{- define "neuvector.secrets.lookup" -}}
-{{- $value := "" -}}
-{{- $secretData := (lookup "v1" "Secret" .namespace .secret).data  -}}
-{{- if and $secretData (hasKey $secretData .key) -}}
-  {{- $value = index $secretData .key -}}
-{{- else if .defaultValue -}}
-  {{- $value = .defaultValue | toString | b64enc -}}
-{{- end -}}
-{{- if $value -}}
+{{- $value := .defaultValue | toString | b64enc -}}
 {{- printf "%s" $value -}}
 {{- end -}}
-{{- end -}}
+
+{{- define "neuvector.controller.image" -}}
+{{- if .Values.global.azure.enabled }}
+  {{- printf "%s/%s:%s" .Values.global.azure.images.controller.registry .Values.global.azure.images.controller.image .Values.global.azure.images.controller.tag }}
+{{- else }}
+  {{- if eq .Values.registry "registry.neuvector.com" }}
+    {{- if .Values.oem }}
+      {{- printf "%s/%s/controller:%s" .Values.registry .Values.oem .Values.tag }}
+    {{- else }}
+      {{- printf "%s/controller:%s" .Values.registry .Values.tag }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.controller.image.hash }}
+      {{- printf "%s/%s@%s" .Values.registry .Values.controller.image.repository .Values.controller.image.hash }}
+    {{- else }}
+      {{- printf "%s/%s:%s" .Values.registry .Values.controller.image.repository .Values.tag }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
@@ -6,7 +6,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 spec:
   ports:
     - port: 443

@@ -0,0 +1,19 @@
+{{/* Use the bootstrap password from values.yaml or random value*/}}
+{{- $bootstrapPassword := .Values.bootstrapPassword -}}
+{{- if .Values.global.aws.enabled -}}
+    {{- $bootstrapPassword = randAlphaNum 18 -}}
+{{- end -}}
+{{/* If a bootstrap password was found in the values or AWS is enabled */}}
+{{- if $bootstrapPassword }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "neuvector-bootstrap-secret"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+type: Opaque
+data:
+  bootstrapPassword: {{ $bootstrapPassword | b64enc |quote }}
+{{- end }}
@@ -14,7 +14,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 rules:
 - apiGroups:
   - ""
@@ -44,7 +43,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 rules:
 {{- if .Values.openshift }}
 - apiGroups:
@@ -83,7 +81,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 rules:
 - apiGroups:
   - admissionregistration.k8s.io
@@ -108,7 +105,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 rules:
 - apiGroups:
   - config.openshift.io

@@ -15,7 +15,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 roleRef:
 {{- if not $oc3 }}
   apiGroup: rbac.authorization.k8s.io
@@ -46,7 +45,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 roleRef:
 {{- if not $oc3 }}
   apiGroup: rbac.authorization.k8s.io
@@ -77,7 +75,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 roleRef:
 {{- if not $oc3 }}
   apiGroup: rbac.authorization.k8s.io
@@ -108,7 +105,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 roleRef:
 {{- if not $oc3 }}
   apiGroup: rbac.authorization.k8s.io
@@ -134,7 +130,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

@@ -15,7 +15,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 roleRef:
 {{- if not $oc3 }}
   apiGroup: rbac.authorization.k8s.io
@@ -46,7 +45,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 roleRef:
 {{- if not $oc3 }}
   apiGroup: rbac.authorization.k8s.io
@@ -77,7 +75,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 roleRef:
 {{- if not $oc3 }}
   apiGroup: rbac.authorization.k8s.io
@@ -108,7 +105,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 roleRef:
 {{- if not $oc3 }}
   apiGroup: rbac.authorization.k8s.io
@@ -134,7 +130,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

@@ -2,6 +2,10 @@
 {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }}
 {{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}}
 {{- end }}
+{{- $pre540 := false -}}                                                
+{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }}               
+{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}}                  
+{{- end }}    
 {{- if .Values.controller.enabled -}}
 {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 apiVersion: apps/v1
@@ -15,7 +19,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: Helm
 {{- with .Values.controller.annotations }}
   annotations:
 {{ toYaml . | indent 4 }}
@@ -36,21 +39,19 @@ spec:
         {{- with .Values.controller.podLabels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-      {{- if or .Values.controller.secret.enabled .Values.controller.configmap.enabled .Values.controller.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }}
       annotations:
         {{- if .Values.controller.secret.enabled }}
         checksum/init-secret: {{ include (print $.Template.BasePath "/init-secret.yaml") . | sha256sum }}
         {{- end }}
         {{- if .Values.controller.configmap.enabled }}
         checksum/init-configmap: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }}
         {{- end }}
-        {{- if eq "true" (toString .Values.autoGenerateCert) }}
+        {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }}
         checksum/controller-secret: {{ include (print $.Template.BasePath "/controller-secret.yaml") . | sha256sum }}
         {{- end }}
         {{- if .Values.controller.podAnnotations }}
         {{- toYaml .Values.controller.podAnnotations | nindent 8 }}
         {{- end }}
-      {{- end }}
     spec:
       {{- if .Values.controller.affinity }}
       affinity:
@@ -85,25 +86,23 @@ spec:
       serviceAccountName: {{ .Values.serviceAccount }}
       serviceAccount: {{ .Values.serviceAccount }}
       {{- end }}
+      {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }}
+      {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+      initContainers:
+        - name: init
+          image: {{ include "neuvector.controller.image" . | quote }}
+          command: ["/usr/local/bin/upgrader", "create-upgrader-job" ]
+          imagePullPolicy: {{ .Values.controller.certupgrader.imagePullPolicy }}
+          env:
+            - name: OVERRIDE_CHECKSUM
+              value: {{ dict "image" (include "neuvector.controller.image" .) "internal" .Values.internal "certupgrader" .Values.controller.certupgrader | toJson | sha256sum }}
+          {{- with .Values.controller.certupgrader.env }}
+{{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- end }}
       containers:
         - name: neuvector-controller-pod
-          {{- if .Values.global.azure.enabled }}
-          image: "{{ .Values.global.azure.images.controller.registry }}/{{ .Values.global.azure.images.controller.image }}:{{ .Values.global.azure.images.controller.tag }}"
-          {{- else }}
-          {{- if eq .Values.registry "registry.neuvector.com" }}
-          {{- if .Values.oem }}
-          image: "{{ .Values.registry }}/{{ .Values.oem }}/controller:{{ .Values.tag }}"
-          {{- else }}
-          image: "{{ .Values.registry }}/controller:{{ .Values.tag }}"
-          {{- end }}
-          {{- else }}
-          {{- if .Values.controller.image.hash }}
-          image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}@{{ .Values.controller.image.hash }}"
-          {{- else }}
-          image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}:{{ .Values.tag }}"
-          {{- end }}
-          {{- end }}
-          {{- end }}
+          image: {{ include "neuvector.controller.image" . | quote }}
           {{- if $pre530 }}
           securityContext:
             privileged: true
@@ -153,10 +152,19 @@ spec:
             - name: CSP_ENV
               value: "azure"
           {{- end }}
-          {{- if or .Values.global.aws.enabled .Values.global.azure.enabled }}
+          {{- if .Values.global.azure.enabled }}
             - name: NO_DEFAULT_ADMIN
               value: "1"
           {{- end }}
+          {{- if .Values.controller.searchRegistries }}
+            - name: CTRL_SEARCH_REGISTRIES
+              value: "{{ .Values.controller.searchRegistries }}"
+          {{- end }}
+          {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }}
+          {{- else if .Values.internal.autoGenerateCert }}
+            - name: AUTO_INTERNAL_CERT
+              value: "1"
+          {{- end }}
           {{- with .Values.controller.env }}
 {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -199,7 +207,7 @@ spec:
               subPath: {{ .Values.controller.certificate.pemFile }}
               name: usercert
               readOnly: true
-          {{- else if eq "true" (toString .Values.autoGenerateCert) }}
+          {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }}
             - mountPath: /etc/neuvector/certs/ssl-cert.key
               subPath: ssl-cert.key
               name: cert
@@ -223,6 +231,9 @@ spec:
               subPath: {{ .Values.controller.internal.certificate.caFile }}
               name: internal-cert
               readOnly: true
+          {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
+            - mountPath: /etc/neuvector/certs/internal/
+              name: internal-cert-dir
           {{- end }}
       terminationGracePeriodSeconds: 300
       restartPolicy: Always
@@ -272,7 +283,7 @@ spec:
               - secret:
                   name: neuvector-secret
                   optional: true
-      {{- if eq "true" (toString .Values.autoGenerateCert) }}
+      {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }}
         - name: cert
           secret:
             secretName: neuvector-controller-secret
@@ -286,6 +297,10 @@ spec:
         - name: internal-cert
           secret:
             secretName: {{ .Values.controller.internal.certificate.secret }}
+      {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
+        - name: internal-cert-dir
+          emptyDir:
+            sizeLimit: 50Mi
       {{- end }}
 {{- if gt (int .Values.controller.disruptionbudget) 0 }}
 ---