From 0c3fd24d6968f21b9b0b72c4d12e4c1ae9df5f8e Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 24 Apr 2025 15:09:51 -0600 Subject: [PATCH 1/3] feat: add support for probe config and ui svc labels --- charts/core/templates/controller-deployment.yaml | 9 +++++++++ charts/core/templates/enforcer-daemonset.yaml | 8 ++++++++ charts/core/templates/manager-service.yaml | 3 +++ charts/core/values.yaml | 10 ++++++++++ 4 files changed, 30 insertions(+) diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml index 4b296855..6a91de24 100644 --- a/charts/core/templates/controller-deployment.yaml +++ b/charts/core/templates/controller-deployment.yaml @@ -132,6 +132,10 @@ spec: {{- else }} {{ toYaml .Values.resources | indent 12 }} {{- end }} + {{- if .Values.controller.readinessProbe }} + readinessProbe: + {{- toYaml .Values.controller.readinessProbe | nindent 12 }} + {{- else }} readinessProbe: exec: command: @@ -139,6 +143,11 @@ spec: - /tmp/ready initialDelaySeconds: 5 periodSeconds: 5 + {{- end }} + {{- if .Values.controller.livenessProbe }} + livenessProbe: + {{- toYaml .Values.controller.livenessProbe | nindent 12 }} + {{- end }} env: - name: CLUSTER_JOIN_ADDR value: neuvector-svc-controller.{{ .Release.Namespace }} diff --git a/charts/core/templates/enforcer-daemonset.yaml b/charts/core/templates/enforcer-daemonset.yaml index 10684cb4..42dc1b48 100644 --- a/charts/core/templates/enforcer-daemonset.yaml +++ b/charts/core/templates/enforcer-daemonset.yaml @@ -98,6 +98,14 @@ spec: {{- else }} {{ toYaml .Values.resources | indent 12 }} {{- end }} + {{- if .Values.enforcer.readinessProbe }} + readinessProbe: + {{- toYaml .Values.enforcer.readinessProbe | nindent 12 }} + {{- end }} + {{- if .Values.enforcer.livenessProbe }} + livenessProbe: + {{- toYaml .Values.enforcer.livenessProbe | nindent 12 }} + {{- end }} env: - name: CLUSTER_JOIN_ADDR value: neuvector-svc-controller.{{ .Release.Namespace }} 
diff --git a/charts/core/templates/manager-service.yaml b/charts/core/templates/manager-service.yaml index b9476748..faa13735 100644 --- a/charts/core/templates/manager-service.yaml +++ b/charts/core/templates/manager-service.yaml @@ -11,6 +11,9 @@ metadata: labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} + {{- with .Values.manager.svc.labels }} + {{- toYaml . | indent 4 }} + {{- end }} spec: type: {{ .Values.manager.svc.type }} {{- if and .Values.manager.svc.loadBalancerIP (eq .Values.manager.svc.type "LoadBalancer") }} diff --git a/charts/core/values.yaml b/charts/core/values.yaml index fb2eda58..7ff89be9 100644 --- a/charts/core/values.yaml +++ b/charts/core/values.yaml @@ -110,6 +110,10 @@ controller: {} # key1: value1 # key2: value2 + readinessProbe: + {} + livenessProbe: + {} apisvc: type: annotations: {} @@ -348,6 +352,10 @@ enforcer: # requests: # cpu: 100m # memory: 2280Mi + readinessProbe: + {} + livenessProbe: + {} internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: secret: "" @@ -379,6 +387,8 @@ manager: # azure # service.beta.kubernetes.io/azure-load-balancer-internal: "true" # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + labels: + {} # OpenShift Route configuration # Make sure manager env ssl is false for edge termination route: From bef8b42800af602595219a5d9e7c8fd339c7f1cc Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 24 Apr 2025 15:28:24 -0600 Subject: [PATCH 2/3] chore: update docs, change controller template --- charts/core/README.md | 5 + .../core/templates/controller-deployment.yaml | 8 - charts/core/values.yaml | 301 +++++++++--------- 3 files changed, 158 insertions(+), 156 deletions(-) diff --git a/charts/core/README.md b/charts/core/README.md index 9381c73b..d6ff1d2d 100644 --- a/charts/core/README.md +++ b/charts/core/README.md 
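Review bot: In the manager-service.yaml hunk the custom labels will be rendered onto the same line as `release: {{ .Release.Name }}`, because `{{- toYaml . | indent 4 }}` trims the preceding newline and `indent` does not emit one, so the first label is glued to the previous value and the Service manifest no longer parses as YAML. The controller and enforcer templates in this same patch use `nindent`, which adds the leading newline; change the line to `{{- toYaml . | nindent 4 }}`. This only surfaces when `manager.svc.labels` is non-empty, so the default `{}` will hide it in a plain `helm template` run.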
@@ -169,6 +169,8 @@ Parameter | Description | Default | Notes `controller.certupgrader.nodeSelector` | Enable and specify nodeSelector labels | `{}` | `controller.certupgrader.runAsUser` | Specify the run as User ID | `nil` | `controller.certupgrader.imagePullPolicy` | cert upgrader image pull policy | `IfNotPresent` | +`controller.readinessProbe` | Readiness probe for the controller | `{"exec":{"command":["cat","/tmp/ready"]},"initialDelaySeconds":5,"periodSeconds":5}` +`controller.livenessProbe` | Liveness probe for the controller | `{}` `enforcer.enabled` | If true, create enforcer | `true` | `enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` | `enforcer.image.imagePullPolicy` | enforcer image pull policy | `IfNotPresent` | @@ -184,6 +186,8 @@ Parameter | Description | Default | Notes `enforcer.internal.certificate.keyFile` | Set PEM format key file for custom enforcer internal certificate | `tls.key` | `enforcer.internal.certificate.pemFile` | Set PEM format certificate file for custom enforcer internal certificate | `tls.crt` | `enforcer.internal.certificate.caFile` | Set CA certificate file for enforcer custom internal certificate | `ca.crt` | +`enforcer.readinessProbe` | Readiness probe for the enforcer | `{}` +`enforcer.livenessProbe` | Liveness probe for the enforcer | `{}` `manager.enabled` | If true, create manager | `true` | `manager.image.repository` | manager image repository | `neuvector/manager` | `manager.image.imagePullPolicy` | manager image pull policy | `IfNotPresent` | 
@@ -203,6 +207,7 @@ Parameter | Description | Default | Notes `manager.svc.nodePort` | set manager service NodePort number | `nil` | `manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | `manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](values.yaml) +`manager.svc.labels` | Add labels to manager service | `{}` | `manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | `manager.route.host` | Set OpenShift route host for management console service | `nil` | `manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` | diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml index 6a91de24..2ce30c48 100644 --- a/charts/core/templates/controller-deployment.yaml +++ b/charts/core/templates/controller-deployment.yaml @@ -135,14 +135,6 @@ spec: {{- if .Values.controller.readinessProbe }} readinessProbe: {{- toYaml .Values.controller.readinessProbe | nindent 12 }} - {{- else }} - readinessProbe: - exec: - command: - - cat - - /tmp/ready - initialDelaySeconds: 5 - periodSeconds: 5 {{- end }} {{- if .Values.controller.livenessProbe }} livenessProbe: diff --git a/charts/core/values.yaml b/charts/core/values.yaml index 7ff89be9..1c1347a9 100644 --- a/charts/core/values.yaml +++ b/charts/core/values.yaml @@ -64,7 +64,7 @@ autoGenerateCert: true defaultValidityPeriod: 365 -internal: +internal: certmanager: # enable when cert-manager is installed for the internal certificates enabled: false secretname: neuvector-internal 
@@ -108,16 +108,21 @@ controller: topologySpreadConstraints: [] nodeSelector: {} - # key1: value1 - # key2: value2 + # key1: value1 + # key2: value2 readinessProbe: - {} + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 5 + periodSeconds: 5 livenessProbe: {} apisvc: type: annotations: {} - nodePort: + nodePort: # OpenShift Route configuration # Controller supports HTTPS only, so edge termination not supported route: @@ -125,18 +130,18 @@ controller: termination: passthrough host: tls: - #certificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #caCertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #destinationCACertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #key: | - # -----BEGIN PRIVATE KEY----- - # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- ranchersso: # required for rancher authentication enabled: false pvc: @@ -193,18 +198,18 @@ controller: termination: passthrough host: tls: - #certificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #caCertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #destinationCACertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #key: | - # -----BEGIN PRIVATE KEY----- - # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- managedsvc: type: loadBalancerIP: 
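Review bot: Now that the exec probe is the chart default in values.yaml and the controller-deployment template of this patch drops the `{{- else }}` fallback, the `{{- if .Values.controller.readinessProbe }}` guard is the only way to omit the probe, and an operator cannot reach it with `controller.readinessProbe: {}` because Helm merges a user-supplied empty map with the chart default and the default survives; only `controller.readinessProbe: null` removes the key. Worth a comment above the key, e.g. `# Set to null to disable the readiness probe; an empty map is merged with this default.`, and the same caveat in the README row added earlier in this patch. The enforcer's `readinessProbe`/`livenessProbe` defaults stay `{}`, so they are not affected.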
@@ -231,18 +236,18 @@ controller: termination: passthrough host: tls: - #certificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #caCertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #destinationCACertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #key: | - # -----BEGIN PRIVATE KEY----- - # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- ingress: enabled: false host: # MUST be set, if ingress is enabled @@ -255,31 +260,31 @@ controller: secretName: resources: {} - # limits: - # cpu: 400m - # memory: 2792Mi - # requests: - # cpu: 100m - # memory: 2280Mi + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi configmap: enabled: false data: - # passwordprofileinitcfg.yaml: | - # ... - # roleinitcfg.yaml: | - # ... - # ldapinitcfg.yaml: | - # ... - # oidcinitcfg.yaml: | - # ... - # samlinitcfg.yaml: | - # ... - # sysinitcfg.yaml: | - # ... - # userinitcfg.yaml: | - # ... - # fedinitcfg.yaml: | - # ... + # passwordprofileinitcfg.yaml: | + # ... + # roleinitcfg.yaml: | + # ... + # ldapinitcfg.yaml: | + # ... + # oidcinitcfg.yaml: | + # ... + # samlinitcfg.yaml: | + # ... + # sysinitcfg.yaml: | + # ... + # userinitcfg.yaml: | + # ... + # fedinitcfg.yaml: | + # ... secret: # NOTE: files defined here have preferrence over the ones defined in the configmap section enabled: false 
@@ -300,24 +305,24 @@ controller: # ... userinitcfg.yaml: users: - - Fullname: admin - Password: - Role: admin + - Fullname: admin + Password: + Role: admin certupgrader: env: [] # The cronjob schedule that cert-upgrader will run to check and rotate internal certificate. # default: "" (off) schedule: "" imagePullPolicy: IfNotPresent - timeout: 3600 + timeout: 3600 priorityClassName: podLabels: {} podAnnotations: {} tolerations: [] nodeSelector: {} - # key1: value1 - # key2: value2 + # key1: value1 + # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster prime: enabled: false @@ -346,19 +351,19 @@ enforcer: key: node-role.kubernetes.io/control-plane resources: {} - # limits: - # cpu: 400m - # memory: 2792Mi - # requests: - # cpu: 100m - # memory: 2280Mi + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi readinessProbe: {} livenessProbe: {} internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: - secret: "" + secret: "" keyFile: tls.key pemFile: tls.crt caFile: ca.crt # must be the same CA for all internal. @@ -380,13 +385,13 @@ manager: # value: "#FFFFFF" svc: type: ClusterIP - nodePort: + nodePort: loadBalancerIP: annotations: {} - # azure - # service.beta.kubernetes.io/azure-load-balancer-internal: "true" - # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" labels: {} # OpenShift Route configuration 
@@ -396,18 +401,18 @@ manager: termination: passthrough host: tls: - #certificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #caCertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #destinationCACertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #key: | - # -----BEGIN PRIVATE KEY----- - # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- certificate: secret: "" keyFile: tls.key @@ -434,12 +439,12 @@ manager: secretName: # my-tls-secret resources: {} - # limits: - # cpu: 400m - # memory: 2792Mi - # requests: - # cpu: 100m - # memory: 2280Mi + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi topologySpreadConstraints: [] affinity: {} podLabels: {} @@ -447,8 +452,8 @@ manager: tolerations: [] nodeSelector: {} - # key1: value1 - # key2: value2 + # key1: value1 + # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster probes: enabled: false @@ -467,12 +472,12 @@ cve: priorityClassName: resources: {} - # limits: - # cpu: 400m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 1024Mi + # limits: + # cpu: 400m + # memory: 512Mi + # requests: + # cpu: 100m + # memory: 1024Mi affinity: {} podLabels: {} podAnnotations: {} @@ -480,8 +485,8 @@ cve: tolerations: [] nodeSelector: {} - # key1: value1 - # key2: value2 + # key1: value1 + # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster ## TLS cert/key. If absent, TLS cert/key automatically generated will be used. ## 
@@ -504,27 +509,27 @@ cve: loadBalancerIP: annotations: {} - # azure - # service.beta.kubernetes.io/azure-load-balancer-internal: "true" - # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" # OpenShift Route configuration route: enabled: true termination: passthrough host: tls: - #certificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #caCertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #destinationCACertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #key: | - # -----BEGIN PRIVATE KEY----- - # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- ingress: enabled: false host: # MUST be set, if ingress is enabled @@ -541,7 +546,7 @@ cve: secretName: # my-tls-secret internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: - secret: "" + secret: "" keyFile: tls.key pemFile: tls.crt caFile: ca.crt # must be the same CA for all internal. @@ -560,19 +565,19 @@ cve: priorityClassName: resources: {} - # limits: - # cpu: 100m - # memory: 256Mi - # requests: - # cpu: 100m - # memory: 256Mi + # limits: + # cpu: 100m + # memory: 256Mi + # requests: + # cpu: 100m + # memory: 256Mi podLabels: {} podAnnotations: {} tolerations: [] nodeSelector: {} - # key1: value1 - # key2: value2 + # key1: value1 + # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster scanner: enabled: true 
@@ -592,12 +597,12 @@ cve: priorityClassName: resources: {} - # limits: - # cpu: 400m - # memory: 2792Mi - # requests: - # cpu: 100m - # memory: 2280Mi + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi topologySpreadConstraints: [] affinity: {} podLabels: {} @@ -606,25 +611,25 @@ cve: tolerations: [] nodeSelector: {} - # key1: value1 - # key2: value2 + # key1: value1 + # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: - secret: "" + secret: "" keyFile: tls.key pemFile: tls.crt caFile: ca.crt # must be the same CA for all internal. - volumes: + volumes: volumeMounts: resources: {} - # limits: - # cpu: 400m - # memory: 2792Mi - # requests: - # cpu: 100m - # memory: 2280Mi +# limits: +# cpu: 400m +# memory: 2792Mi +# requests: +# cpu: 100m +# memory: 2280Mi runtimePath: From 911f4d6040e3ca2a5a9a8a45284aa98d8ab2eb2b Mon Sep 17 00:00:00 2001 From: Micah Nagel Date: Thu, 24 Apr 2025 15:29:45 -0600 Subject: [PATCH 3/3] chore: fix formatting --- charts/core/values.yaml | 294 ++++++++++++++++++++-------------------- 1 file changed, 147 insertions(+), 147 deletions(-) diff --git a/charts/core/values.yaml b/charts/core/values.yaml index 1c1347a9..e57d5210 100644 --- a/charts/core/values.yaml +++ b/charts/core/values.yaml @@ -64,7 +64,7 @@ autoGenerateCert: true defaultValidityPeriod: 365 -internal: +internal: certmanager: # enable when cert-manager is installed for the internal certificates enabled: false secretname: neuvector-internal @@ -108,8 +108,8 @@ controller: topologySpreadConstraints: [] nodeSelector: {} - # key1: value1 - # key2: value2 + # key1: value1 + # key2: value2 readinessProbe: exec: command: 
@@ -122,7 +122,7 @@ controller: apisvc: type: annotations: {} - nodePort: + nodePort: # OpenShift Route configuration # Controller supports HTTPS only, so edge termination not supported route: @@ -130,18 +130,18 @@ controller: termination: passthrough host: tls: - #certificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #caCertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #destinationCACertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #key: | - # -----BEGIN PRIVATE KEY----- - # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- ranchersso: # required for rancher authentication enabled: false pvc: @@ -198,18 +198,18 @@ controller: termination: passthrough host: tls: - #certificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #caCertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #destinationCACertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #key: | - # -----BEGIN PRIVATE KEY----- - # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- managedsvc: type: loadBalancerIP: 
@@ -236,18 +236,18 @@ controller: termination: passthrough host: tls: - #certificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #caCertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #destinationCACertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #key: | - # -----BEGIN PRIVATE KEY----- - # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- ingress: enabled: false host: # MUST be set, if ingress is enabled @@ -260,31 +260,31 @@ controller: secretName: resources: {} - # limits: - # cpu: 400m - # memory: 2792Mi - # requests: - # cpu: 100m - # memory: 2280Mi + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi configmap: enabled: false data: - # passwordprofileinitcfg.yaml: | - # ... - # roleinitcfg.yaml: | - # ... - # ldapinitcfg.yaml: | - # ... - # oidcinitcfg.yaml: | - # ... - # samlinitcfg.yaml: | - # ... - # sysinitcfg.yaml: | - # ... - # userinitcfg.yaml: | - # ... - # fedinitcfg.yaml: | - # ... + # passwordprofileinitcfg.yaml: | + # ... + # roleinitcfg.yaml: | + # ... + # ldapinitcfg.yaml: | + # ... + # oidcinitcfg.yaml: | + # ... + # samlinitcfg.yaml: | + # ... + # sysinitcfg.yaml: | + # ... + # userinitcfg.yaml: | + # ... + # fedinitcfg.yaml: | + # ... secret: # NOTE: files defined here have preferrence over the ones defined in the configmap section enabled: false 
@@ -305,24 +305,24 @@ controller: # ... userinitcfg.yaml: users: - - Fullname: admin - Password: - Role: admin + - Fullname: admin + Password: + Role: admin certupgrader: env: [] # The cronjob schedule that cert-upgrader will run to check and rotate internal certificate. # default: "" (off) schedule: "" imagePullPolicy: IfNotPresent - timeout: 3600 + timeout: 3600 priorityClassName: podLabels: {} podAnnotations: {} tolerations: [] nodeSelector: {} - # key1: value1 - # key2: value2 + # key1: value1 + # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster prime: enabled: false @@ -351,19 +351,19 @@ enforcer: key: node-role.kubernetes.io/control-plane resources: {} - # limits: - # cpu: 400m - # memory: 2792Mi - # requests: - # cpu: 100m - # memory: 2280Mi + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi readinessProbe: {} livenessProbe: {} internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: - secret: "" + secret: "" keyFile: tls.key pemFile: tls.crt caFile: ca.crt # must be the same CA for all internal. @@ -385,13 +385,13 @@ manager: # value: "#FFFFFF" svc: type: ClusterIP - nodePort: + nodePort: loadBalancerIP: annotations: {} - # azure - # service.beta.kubernetes.io/azure-load-balancer-internal: "true" - # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" labels: {} # OpenShift Route configuration 
@@ -401,18 +401,18 @@ manager: termination: passthrough host: tls: - #certificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #caCertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #destinationCACertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #key: | - # -----BEGIN PRIVATE KEY----- - # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- certificate: secret: "" keyFile: tls.key @@ -439,12 +439,12 @@ manager: secretName: # my-tls-secret resources: {} - # limits: - # cpu: 400m - # memory: 2792Mi - # requests: - # cpu: 100m - # memory: 2280Mi + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi topologySpreadConstraints: [] affinity: {} podLabels: {} @@ -452,8 +452,8 @@ manager: tolerations: [] nodeSelector: {} - # key1: value1 - # key2: value2 + # key1: value1 + # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster probes: enabled: false @@ -472,12 +472,12 @@ cve: priorityClassName: resources: {} - # limits: - # cpu: 400m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 1024Mi + # limits: + # cpu: 400m + # memory: 512Mi + # requests: + # cpu: 100m + # memory: 1024Mi affinity: {} podLabels: {} podAnnotations: {} @@ -485,8 +485,8 @@ cve: tolerations: [] nodeSelector: {} - # key1: value1 - # key2: value2 + # key1: value1 + # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster ## TLS cert/key. If absent, TLS cert/key automatically generated will be used. ## 
@@ -509,27 +509,27 @@ cve: loadBalancerIP: annotations: {} - # azure - # service.beta.kubernetes.io/azure-load-balancer-internal: "true" - # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" # OpenShift Route configuration route: enabled: true termination: passthrough host: tls: - #certificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #caCertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #destinationCACertificate: | - # -----BEGIN CERTIFICATE----- - # -----END CERTIFICATE----- - #key: | - # -----BEGIN PRIVATE KEY----- - # -----END PRIVATE KEY----- + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- ingress: enabled: false host: # MUST be set, if ingress is enabled @@ -546,7 +546,7 @@ cve: secretName: # my-tls-secret internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: - secret: "" + secret: "" keyFile: tls.key pemFile: tls.crt caFile: ca.crt # must be the same CA for all internal. @@ -565,19 +565,19 @@ cve: priorityClassName: resources: {} - # limits: - # cpu: 100m - # memory: 256Mi - # requests: - # cpu: 100m - # memory: 256Mi + # limits: + # cpu: 100m + # memory: 256Mi + # requests: + # cpu: 100m + # memory: 256Mi podLabels: {} podAnnotations: {} tolerations: [] nodeSelector: {} - # key1: value1 - # key2: value2 + # key1: value1 + # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster scanner: enabled: true 
@@ -597,12 +597,12 @@ cve: priorityClassName: resources: {} - # limits: - # cpu: 400m - # memory: 2792Mi - # requests: - # cpu: 100m - # memory: 2280Mi + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi topologySpreadConstraints: [] affinity: {} podLabels: {} @@ -611,25 +611,25 @@ cve: tolerations: [] nodeSelector: {} - # key1: value1 - # key2: value2 + # key1: value1 + # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: - secret: "" + secret: "" keyFile: tls.key pemFile: tls.crt caFile: ca.crt # must be the same CA for all internal. - volumes: + volumes: volumeMounts: resources: {} -# limits: -# cpu: 400m -# memory: 2792Mi -# requests: -# cpu: 100m -# memory: 2280Mi + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi runtimePath: