diff --git a/charts/core/README.md b/charts/core/README.md
index 9381c73b..906489c9 100644
--- a/charts/core/README.md
+++ b/charts/core/README.md
@@ -80,6 +80,9 @@ Parameter | Description | Default | Notes
`controller.podLabels` | Specify the pod labels. | `{}` |
`controller.podAnnotations` | Specify the pod annotations. | `{}` |
`controller.env` | User-defined environment variables for controller. | `[]` |
+`controller.extraEnv` | User-defined additional environment variables for controller. | `[]` |
+`controller.extraVolumes` | User-defined additional volume definitions that will be added to the manager. | `[]` |
+`controller.extraVolumeMounts` | User-defined additional volumeMount definitions that will be added to the manager. | `[]` |
`controller.ranchersso.enabled` | If true, enable single sign on for Rancher | `false` | Required for Rancher Authentication. |
`controller.pvc.enabled` | If true, enable persistence for controller using PVC | `false` | Require persistent volume type RWX, and storage 1Gi
`controller.pvc.accessModes` | Access modes for the created PVC. | `["ReadWriteMany"]` |
@@ -199,6 +202,9 @@ Parameter | Description | Default | Notes
` CUSTOM_PAGE_HEADER_COLOR` | use color name (yellow) or value (#ffff00) |
` CUSTOM_PAGE_FOOTER_CONTENT` | max. 120 characters, base64 encoded. |
` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) |
+`manager.extraEnv` | User-defined additional environment variables for manager. | `[]` |
+`manager.extraVolumes` | User-defined additional volume definitions that will be added to the manager. | `[]` |
+`manager.extraVolumeMounts` | User-defined additional volumeMount definitions that will be added to the manager. | `[]` |
`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
`manager.svc.nodePort` | set manager service NodePort number | `nil` |
`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml
index 80004751..8f5fd838 100644
--- a/charts/core/templates/controller-deployment.yaml
+++ b/charts/core/templates/controller-deployment.yaml
@@ -142,6 +142,10 @@ spec:
initialDelaySeconds: 5
periodSeconds: 5
env:
+ # Add extraEnv
+ {{- with .Values.controller.extraEnv }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
- name: CLUSTER_JOIN_ADDR
value: neuvector-svc-controller.{{ .Release.Namespace }}
- name: CLUSTER_ADVERTISED_ADDR
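Review bot: The user-supplied `extraEnv` is rendered at the top of `env:` (L35-37) while `.Values.controller.env` is appended at the bottom of the same list (L42-44 in the next hunk), so the two values have opposite override semantics: the kubelet applies later entries over earlier ones for a duplicated name, meaning an `extraEnv` entry named `CLUSTER_JOIN_ADDR` is silently shadowed by the chart's own line, whereas the same entry given through `env` would win. Either move the `{{- with .Values.controller.extraEnv }}` block next to the existing `env` block at the end of the list, or state in the README row that `extraEnv` cannot override chart-defined variables. `# Add extraEnv` is a YAML comment rather than a template comment, so it is emitted into every rendered manifest; `{{- /* user-supplied extraEnv */ -}}` would keep the output clean. Both points apply to the manager env hunk at L73-76 as well, though whether manager has an equivalent appended list is not visible here (`.Values.manager.env` is used as a map at L79).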
@@ -186,7 +190,11 @@ spec:
{{- with .Values.controller.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
- volumeMounts:
+ volumeMounts:
+ # Add extraVolumeMounts
+ {{- with .Values.controller.extraVolumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
{{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }}
- mountPath: /var/neuvector
name: nv-share
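Review bot: Extra mounts are rendered before the chart's own mounts (L52-53, `/var/neuvector`), and the API server rejects a Pod whose container has two `volumeMounts` with the same `mountPath` ("must be unique"), so a user entry that targets a chart-managed path fails at install time with an error pointing at the chart's later entry rather than the user's. Worth a one-line caveat in the README row for `controller.extraVolumeMounts`: `Mount paths must not collide with those the chart sets (e.g. /var/neuvector when pvc or azureFileShare is enabled).` The schema entry for `extraVolumeMounts` (L484-502) lists `mountPath` and `name` as optional; adding `"required": ["name", "mountPath"]` there would catch a malformed entry before the API server does. The same caveat applies to the manager hunk at L84-87 and its certificate mounts at L89-90.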
@@ -261,6 +269,10 @@ spec:
terminationGracePeriodSeconds: 300
restartPolicy: Always
volumes:
+ # Add extraVolumes
+ {{- with .Values.controller.extraVolumes }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
{{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }}
- name: nv-share
{{- if .Values.controller.pvc.enabled }}
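Review bot: The README rows added for `controller.extraVolumes` and `controller.extraVolumeMounts` (L10-11) say the definitions are "added to the manager", a copy of the manager rows at L20-21; they should read `controller`. Because `extraVolumes` is passed through `toYaml` verbatim, any volume source a user supplies (hostPath included) lands in the controller Pod unfiltered, and the schema entry at L504-537 only describes `name`/`projected` without restricting other sources or requiring `name`, so it does not constrain this; the README should say the chart performs no validation on these entries and that the cluster's admission policy is what governs them. A user volume named `nv-share` would also collide with the chart's volume at L63, which the API server rejects as a duplicate name. The same applies to the manager volumes hunk at L95-98 and its `cert` volume at L100. Separately, the regenerated schema appears to have been derived from default values, typing defaulted-null settings as `"type": "null"` (e.g. `controller.pvc.capacity` at L805-807), which would make Helm reject any value a user actually sets; that hunk runs past the end of this page so I could not check it fully.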
diff --git a/charts/core/templates/manager-deployment.yaml b/charts/core/templates/manager-deployment.yaml
index 2f1b1bf0..675d2f2f 100644
--- a/charts/core/templates/manager-deployment.yaml
+++ b/charts/core/templates/manager-deployment.yaml
@@ -91,6 +91,10 @@ spec:
containerPort: 8443
protocol: TCP
env:
+ # Add extraEnv
+ {{- with .Values.manager.extraEnv }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
- name: CTRL_SERVER_IP
value: neuvector-svc-controller.{{ .Release.Namespace }}
{{- if not .Values.manager.env.ssl }}
@@ -101,6 +105,10 @@ spec:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
+ # Add extraVolumeMounts
+ {{- with .Values.manager.extraVolumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
{{- if .Values.manager.certificate.secret }}
- mountPath: /etc/neuvector/certs/ssl-cert.key
subPath: {{ .Values.manager.certificate.keyFile }}
@@ -169,6 +177,10 @@ spec:
{{- end }}
restartPolicy: Always
volumes:
+ # Add extraVolumes
+ {{- with .Values.manager.extraVolumes }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
{{- if .Values.manager.certificate.secret }}
- name: cert
secret:
diff --git a/charts/core/values.schema.json b/charts/core/values.schema.json
index d4ef6212..9000b2da 100644
--- a/charts/core/values.schema.json
+++ b/charts/core/values.schema.json
@@ -1,1689 +1,1572 @@
{
- "$schema": "https://json-schema.org/draft/2019-09/schema",
- "properties": {
- "openshift": {
- "type": "boolean",
- "description": "If deploying in OpenShift, set this to true"
- },
- "registry": {
- "type": "string",
- "description": "NeuVector container registry"
- },
- "tag": {
- "type": ["string", "null"],
- "description": "image tag for controller enforcer manager"
- },
- "oem": {
- "type": ["string", "null"],
- "description": "OEM release name"
- },
- "imagePullSecrets": {
- "description": "image pull secret"
- },
- "psp": {
- "type": "boolean",
- "description": "NeuVector Pod Security Policy when psp policy is enabled"
- },
- "rbac": {
- "type": "boolean",
- "description": "NeuVector RBAC Manifests are installed when RBAC is enabled; required for rancher authentication"
- },
- "serviceAccount": {
- "type": "string",
- "description": "Service account name for NeuVector components"
- },
- "leastPrivilege": {
- "type": "boolean",
- "description": "Use least privileged service account"
- },
- "global" : {
- "type": "object",
- "properties": {
- "cattle": {
- "type": "object",
- "description": "required for rancher authentication", "properties": {
- "url": {
- "type": ["string", "null"],
- "description": "Set the Rancher Server URL; Required for Rancher Authentication. https:///",
- "format": "uri"
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "type": "object",
+ "properties": {
+ "admissionwebhook": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string"
+ }
}
- }
},
- "azure": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, install Azure billing csp adapter; **Note**: default admin user is disabled when azure market place billing enabled, use secret to create admin-role user to manage NeuVector deployment."
- },
- "identity": {
- "type": "object",
- "properties": {
- "clientId": {
- "type": "string",
- "description": "Azure populates this value at deployment time"
- }
- }
- },
- "marketplace": {
- "type": "object",
- "properties": {
- "planId": {
- "type": "string",
- "description": "Azure populates this value at deployment time"
+ "autoGenerateCert": {
+ "type": "boolean"
+ },
+ "bootstrapPassword": {
+ "type": "string"
+ },
+ "bottlerocket": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "runtimePath": {
+ "type": "string"
}
- }
- },
- "extension": {
- "type": "object",
- "properties": {
- "resourceId": {
- "type": "string",
- "description": "application's Azure Resource ID, Azure populates this value at deployment time"
+ }
+ },
+ "containerd": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "path": {
+ "type": "string"
}
- }
- },
- "serviceAccount": {
- "type": "string",
- "description": "Service account name for csp adapter"
- },
- "imagePullSecrets": {
- "description": "Pull secret for csp adapter image"
- },
- "images": {
- "type": "object",
- "properties": {
- "neuvector_csp_pod": {
- "type": "object",
- "properties": {
- "digest": {
- "type": "string",
- "description": "csp adapter image digest"
- },
- "image": {
- "type": "string",
- "description": " csp adapter image repository"
- },
- "registry": {
- "type": "string",
- "description": "csp adapter image registry"
- },
- "imagePullPolicy": {
- "enum": ["Always", "Never", "IfNotPresent"],
- "description": "csp adapter image pull policy"
+ }
+ },
+ "controller": {
+ "type": "object",
+ "properties": {
+ "affinity": {
+ "type": "object",
+ "properties": {
+ "podAntiAffinity": {
+ "type": "object",
+ "properties": {
+ "preferredDuringSchedulingIgnoredDuringExecution": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "podAffinityTerm": {
+ "type": "object",
+ "properties": {
+ "labelSelector": {
+ "type": "object",
+ "properties": {
+ "matchExpressions": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ }
+ },
+ "weight": {
+ "type": "integer"
+ }
+ }
+ }
+ }
+ }
+ }
}
- }
- },
- "controller": {
- "type": "object",
- "properties": {
- "digest": {
- "type": "string"
- },
- "image": {
- "type": "string"
- },
- "registry": {
- "type": "string"
+ },
+ "annotations": {
+ "type": "object"
+ },
+ "apisvc": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "nodePort": {
+ "type": "null"
+ },
+ "route": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "host": {
+ "type": "null"
+ },
+ "termination": {
+ "type": "string"
+ },
+ "tls": {
+ "type": "null"
+ }
+ }
+ },
+ "type": {
+ "type": "null"
+ }
}
- }
- },
- "manager": {
- "type": "object",
- "properties": {
- "digest": {
- "type": "string"
- },
- "image": {
- "type": "string"
- },
- "registry": {
- "type": "string"
+ },
+ "azureFileShare": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "secretName": {
+ "type": "null"
+ },
+ "shareName": {
+ "type": "null"
+ }
}
- }
},
- "scanner": {
- "type": "object",
- "properties": {
- "digest": {
- "type": "string"
- },
- "image": {
- "type": "string"
- },
- "registry": {
- "type": "string"
+ "certificate": {
+ "type": "object",
+ "properties": {
+ "keyFile": {
+ "type": "string"
+ },
+ "pemFile": {
+ "type": "string"
+ },
+ "secret": {
+ "type": "string"
+ }
+ }
+ },
+ "certupgrader": {
+ "type": "object",
+ "properties": {
+ "env": {
+ "type": "array"
+ },
+ "imagePullPolicy": {
+ "type": "string"
+ },
+ "nodeSelector": {
+ "type": "object"
+ },
+ "podAnnotations": {
+ "type": "object"
+ },
+ "podLabels": {
+ "type": "object"
+ },
+ "priorityClassName": {
+ "type": "null"
+ },
+ "resources": {
+ "type": "object"
+ },
+ "runAsUser": {
+ "type": "null"
+ },
+ "schedule": {
+ "type": "string"
+ },
+ "timeout": {
+ "type": "integer"
+ },
+ "tolerations": {
+ "type": "array"
+ }
+ }
+ },
+ "configmap": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "null"
+ },
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ },
+ "disruptionbudget": {
+ "type": "integer"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "env": {
+ "type": "array"
+ },
+ "extraEnv": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "extraVolumeMounts": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "mountPath": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "subPath": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "extraVolumes": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "projected": {
+ "type": "object",
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "sources": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "configMap": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "federation": {
+ "type": "object",
+ "properties": {
+ "managedsvc": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "clusterIP": {
+ "type": "null"
+ },
+ "externalTrafficPolicy": {
+ "type": "null"
+ },
+ "ingress": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object",
+ "properties": {
+ "nginx.ingress.kubernetes.io/backend-protocol": {
+ "type": "string"
+ }
+ }
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "host": {
+ "type": "null"
+ },
+ "ingressClassName": {
+ "type": "string"
+ },
+ "path": {
+ "type": "string"
+ },
+ "secretName": {
+ "type": "null"
+ },
+ "tls": {
+ "type": "boolean"
+ }
+ }
+ },
+ "internalTrafficPolicy": {
+ "type": "null"
+ },
+ "loadBalancerIP": {
+ "type": "null"
+ },
+ "nodePort": {
+ "type": "null"
+ },
+ "route": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "host": {
+ "type": "null"
+ },
+ "termination": {
+ "type": "string"
+ },
+ "tls": {
+ "type": "null"
+ }
+ }
+ },
+ "type": {
+ "type": "null"
+ }
+ }
+ },
+ "mastersvc": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "clusterIP": {
+ "type": "null"
+ },
+ "externalTrafficPolicy": {
+ "type": "null"
+ },
+ "ingress": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object",
+ "properties": {
+ "nginx.ingress.kubernetes.io/backend-protocol": {
+ "type": "string"
+ }
+ }
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "host": {
+ "type": "null"
+ },
+ "ingressClassName": {
+ "type": "string"
+ },
+ "path": {
+ "type": "string"
+ },
+ "secretName": {
+ "type": "null"
+ },
+ "tls": {
+ "type": "boolean"
+ }
+ }
+ },
+ "internalTrafficPolicy": {
+ "type": "null"
+ },
+ "loadBalancerIP": {
+ "type": "null"
+ },
+ "nodePort": {
+ "type": "null"
+ },
+ "route": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "host": {
+ "type": "null"
+ },
+ "termination": {
+ "type": "string"
+ },
+ "tls": {
+ "type": "null"
+ }
+ }
+ },
+ "type": {
+ "type": "null"
+ }
+ }
+ }
+ }
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "hash": {
+ "type": "null"
+ },
+ "imagePullPolicy": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ }
+ }
+ },
+ "ingress": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object",
+ "properties": {
+ "nginx.ingress.kubernetes.io/backend-protocol": {
+ "type": "string"
+ }
+ }
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "host": {
+ "type": "null"
+ },
+ "ingressClassName": {
+ "type": "string"
+ },
+ "path": {
+ "type": "string"
+ },
+ "secretName": {
+ "type": "null"
+ },
+ "tls": {
+ "type": "boolean"
+ }
+ }
+ },
+ "internal": {
+ "type": "object",
+ "properties": {
+ "certificate": {
+ "type": "object",
+ "properties": {
+ "caFile": {
+ "type": "string"
+ },
+ "keyFile": {
+ "type": "string"
+ },
+ "pemFile": {
+ "type": "string"
+ },
+ "secret": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "nodeSelector": {
+ "type": "object"
+ },
+ "podAnnotations": {
+ "type": "object"
+ },
+ "podLabels": {
+ "type": "object"
+ },
+ "prime": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "hash": {
+ "type": "null"
+ },
+ "imagePullPolicy": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "priorityClassName": {
+ "type": "null"
+ },
+ "pvc": {
+ "type": "object",
+ "properties": {
+ "accessModes": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "capacity": {
+ "type": "null"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "existingClaim": {
+ "type": "boolean"
+ },
+ "storageClass": {
+ "type": "null"
+ }
+ }
+ },
+ "ranchersso": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ },
+ "replicas": {
+ "type": "integer"
+ },
+ "resources": {
+ "type": "object"
+ },
+ "schedulerName": {
+ "type": "null"
+ },
+ "searchRegistries": {
+ "type": "null"
+ },
+ "secret": {
+ "type": "object",
+ "properties": {
+ "data": {
+ "type": "object",
+ "properties": {
+ "userinitcfg.yaml": {
+ "type": "object",
+ "properties": {
+ "users": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "Fullname": {
+ "type": "string"
+ },
+ "Password": {
+ "type": "null"
+ },
+ "Role": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "enabled": {
+ "type": "boolean"
+ }
}
- }
- },
- "enforcer": {
- "type": "object",
- "properties": {
- "digest": {
- "type": "string"
- },
- "image": {
- "type": "string"
- },
- "registry": {
- "type": "string"
+ },
+ "strategy": {
+ "type": "object",
+ "properties": {
+ "rollingUpdate": {
+ "type": "object",
+ "properties": {
+ "maxSurge": {
+ "type": "integer"
+ },
+ "maxUnavailable": {
+ "type": "integer"
+ }
+ }
+ },
+ "type": {
+ "type": "string"
+ }
}
- }
+ },
+ "svc": {
+ "type": "null"
+ },
+ "tolerations": {
+ "type": "array"
+ },
+ "topologySpreadConstraints": {
+ "type": "array"
}
- }
}
- },
- "required": [
- "enabled"
- ]
},
- "aws": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, install AWS billing csp adapter. **Note**: default admin user is disabled when aws market place billing enabled, use secret to create admin-role user to manage NeuVector deployment."
- },
- "accountNumber": {
- "type": ["integer", "string"],
- "description": "AWS Account Number; Follow AWS subscription instruction"
- },
- "roleName": {
- "type": "string",
- "description": "AWS Role name for billing; Follow AWS subscription instruction"
- },
- "serviceAccount": {
- "type": "string",
- "description": "Service account name for csp adapter"
- },
- "annotations": {
- "type": "object"
- },
- "imagePullSecrets": {
- "description": "Pull secret for csp adapter image"
- },
- "image": {
- "type": "object",
- "properties": {
- "digest": {
- "type": "string",
- "description": "csp adapter image digest"
- },
- "repository": {
- "type": "string",
- "description": "csp adapter image repository"
- },
- "tag": {
- "type": ["string", "null"],
- "description": "csp adapter image tag"
- },
- "imagePullPolicy": {
- "type": "string",
- "enum": ["Always", "Never", "IfNotPresent"],
- "description": "csp adapter image pull policy"
+ "crdwebhook": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "type": {
+ "type": "string"
}
- }
}
- },
- "required": [
- "enabled"
- ]
- }
- },
- "required": [
- "azure",
- "aws"
- ]
- },
- "autoGenerateCert": {
- "type": "boolean",
- "description": "Automatically generate certificate or not"
- },
- "defaultValidityPeriod": {
- "type": "integer",
- "description": "The default validity period used for certs automatically generated (days)"
- },
- "internal": {
- "type": "object",
- "properties": {
- "certmanager": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "enable when cert-manager is installed for the internal certificates"
- },
- "secretname": {
- "type": "string"
- }
- },
- "required": [
- "enabled"
- ]
- }
- }
- },
- "controller": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If false, controller will not be installed"
- },
- "annotations": {
- "type": "object"
},
- "strategy": {
- "type": "object",
- "properties": {
- "type": {
- "enum": ["Recreate", "RollingUpdate"]
- },
- "rollingUpdate": {
- "type": "object",
- "properties": {
- "maxSurge": {
- "type": "integer"
- },
- "maxUnavailable": {
- "type": "integer"
+ "crdwebhooksvc": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
}
- }
}
- }
},
- "image": {
- "type": "object",
- "properties": {
- "repository": {
- "type": "string",
- "description": "controller image repository"
- },
- "hash": {
- "type": ["string", "null"],
- "description": "controller image hash in the format of sha256:xxxx. If present it overwrites the image tag value."
+ "crio": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "path": {
+ "type": "string"
+ }
}
- }
},
- "replicas": {
- "type": "integer",
- "description": "controller replicas"
- },
- "disruptionbudget": {
- "type": "integer",
- "description": "controller PodDisruptionBudget. 0 to disable. Recommended value: 2."
- },
- "schedulerName": {
- "type": ["string", "null"],
- "description": "kubernetes scheduler name"
- },
- "priorityClassName": {
- "type": ["string", "null"],
- "description": "controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable."
+ "cve": {
+ "type": "object",
+ "properties": {
+ "adapter": {
+ "type": "object",
+ "properties": {
+ "affinity": {
+ "type": "object"
+ },
+ "certificate": {
+ "type": "object",
+ "properties": {
+ "keyFile": {
+ "type": "string"
+ },
+ "pemFile": {
+ "type": "string"
+ },
+ "secret": {
+ "type": "string"
+ }
+ }
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "env": {
+ "type": "array"
+ },
+ "harbor": {
+ "type": "object",
+ "properties": {
+ "protocol": {
+ "type": "string"
+ },
+ "secretName": {
+ "type": "null"
+ }
+ }
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "hash": {
+ "type": "null"
+ },
+ "imagePullPolicy": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "ingress": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object",
+ "properties": {
+ "nginx.ingress.kubernetes.io/backend-protocol": {
+ "type": "string"
+ }
+ }
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "host": {
+ "type": "null"
+ },
+ "ingressClassName": {
+ "type": "string"
+ },
+ "path": {
+ "type": "string"
+ },
+ "secretName": {
+ "type": "null"
+ },
+ "tls": {
+ "type": "boolean"
+ }
+ }
+ },
+ "internal": {
+ "type": "object",
+ "properties": {
+ "certificate": {
+ "type": "object",
+ "properties": {
+ "caFile": {
+ "type": "string"
+ },
+ "keyFile": {
+ "type": "string"
+ },
+ "pemFile": {
+ "type": "string"
+ },
+ "secret": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "nodeSelector": {
+ "type": "object"
+ },
+ "podAnnotations": {
+ "type": "object"
+ },
+ "podLabels": {
+ "type": "object"
+ },
+ "priorityClassName": {
+ "type": "null"
+ },
+ "resources": {
+ "type": "object"
+ },
+ "route": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "host": {
+ "type": "null"
+ },
+ "termination": {
+ "type": "string"
+ },
+ "tls": {
+ "type": "null"
+ }
+ }
+ },
+ "runAsUser": {
+ "type": "null"
+ },
+ "svc": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "loadBalancerIP": {
+ "type": "null"
+ },
+ "type": {
+ "type": "string"
+ }
+ }
+ },
+ "tolerations": {
+ "type": "array"
+ }
+ }
+ },
+ "scanner": {
+ "type": "object",
+ "properties": {
+ "affinity": {
+ "type": "object"
+ },
+ "dockerPath": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "env": {
+ "type": "array"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "hash": {
+ "type": "null"
+ },
+ "imagePullPolicy": {
+ "type": "string"
+ },
+ "registry": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "internal": {
+ "type": "object",
+ "properties": {
+ "certificate": {
+ "type": "object",
+ "properties": {
+ "caFile": {
+ "type": "string"
+ },
+ "keyFile": {
+ "type": "string"
+ },
+ "pemFile": {
+ "type": "string"
+ },
+ "secret": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "nodeSelector": {
+ "type": "object"
+ },
+ "podAnnotations": {
+ "type": "object"
+ },
+ "podLabels": {
+ "type": "object"
+ },
+ "priorityClassName": {
+ "type": "null"
+ },
+ "replicas": {
+ "type": "integer"
+ },
+ "resources": {
+ "type": "object"
+ },
+ "runAsUser": {
+ "type": "null"
+ },
+ "strategy": {
+ "type": "object",
+ "properties": {
+ "rollingUpdate": {
+ "type": "object",
+ "properties": {
+ "maxSurge": {
+ "type": "integer"
+ },
+ "maxUnavailable": {
+ "type": "integer"
+ }
+ }
+ },
+ "type": {
+ "type": "string"
+ }
+ }
+ },
+ "tolerations": {
+ "type": "array"
+ },
+ "topologySpreadConstraints": {
+ "type": "array"
+ },
+ "volumeMounts": {
+ "type": "null"
+ },
+ "volumes": {
+ "type": "null"
+ }
+ }
+ },
+ "updater": {
+ "type": "object",
+ "properties": {
+ "cacert": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "hash": {
+ "type": "null"
+ },
+ "imagePullPolicy": {
+ "type": "string"
+ },
+ "registry": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "nodeSelector": {
+ "type": "object"
+ },
+ "podAnnotations": {
+ "type": "object"
+ },
+ "podLabels": {
+ "type": "object"
+ },
+ "priorityClassName": {
+ "type": "null"
+ },
+ "resources": {
+ "type": "object"
+ },
+ "runAsUser": {
+ "type": "null"
+ },
+ "schedule": {
+ "type": "string"
+ },
+ "secure": {
+ "type": "boolean"
+ },
+ "tolerations": {
+ "type": "array"
+ }
+ }
+ }
+ }
},
- "podLabels": {
- "type": "object",
- "description": "Specify the pod labels."
+ "defaultValidityPeriod": {
+ "type": "integer"
},
- "podAnnotations": {
- "type": "object",
- "description": "Specify the pod annotations."
+ "docker": {
+ "type": "object",
+ "properties": {
+ "path": {
+ "type": "string"
+ }
+ }
},
- "env": {
- "type": "array",
- "description": "User-defined environment variables for controller."
+ "enforcer": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "env": {
+ "type": "array"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "hash": {
+ "type": "null"
+ },
+ "imagePullPolicy": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ }
+ }
+ },
+ "internal": {
+ "type": "object",
+ "properties": {
+ "certificate": {
+ "type": "object",
+ "properties": {
+ "caFile": {
+ "type": "string"
+ },
+ "keyFile": {
+ "type": "string"
+ },
+ "pemFile": {
+ "type": "string"
+ },
+ "secret": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "podAnnotations": {
+ "type": "object"
+ },
+ "podLabels": {
+ "type": "object"
+ },
+ "priorityClassName": {
+ "type": "null"
+ },
+ "resources": {
+ "type": "object"
+ },
+ "securityContext": {
+ "type": "object",
+ "properties": {
+ "privileged": {
+ "type": "boolean"
+ }
+ }
+ },
+ "tolerations": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "effect": {
+ "type": "string"
+ },
+ "key": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "updateStrategy": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string"
+ }
+ }
+ }
+ }
},
- "affinity": {
- "type": "object",
- "description": "controller affinity rules",
- "properties": {
- "podAntiAffinity": {
- "type": "object",
- "properties": {
- "preferredDuringSchedulingIgnoredDuringExecution": {
- "type": "array",
- "items": {
+ "global": {
+ "type": "object",
+ "properties": {
+ "aws": {
+ "type": "object",
+ "properties": {
+ "accountNumber": {
+ "type": "string"
+ },
+ "annotations": {
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "image": {
+ "type": "object",
+ "properties": {
+ "digest": {
+ "type": "string"
+ },
+ "imagePullPolicy": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "imagePullSecrets": {
+ "type": "null"
+ },
+ "roleName": {
+ "type": "string"
+ },
+ "serviceAccount": {
+ "type": "string"
+ }
+ }
+ },
+ "azure": {
"type": "object",
"properties": {
- "weight": {
- "type": "integer",
- "minimum": 1,
- "maximum": 100
- },
- "podAffinityTerm": {
- "type": "object",
- "properties": {
- "labelSelector": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "extension": {
"type": "object",
"properties": {
- "matchExpressions": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "key": {
- "type": "string"
- },
- "operator": {
- "type": "string"
- },
- "values": {
- "type": "array",
- "items": {
- "type": "string"
- }
+ "resourceId": {
+ "type": "string"
+ }
+ }
+ },
+ "identity": {
+ "type": "object",
+ "properties": {
+ "clientId": {
+ "type": "string"
+ }
+ }
+ },
+ "imagePullSecrets": {
+ "type": "null"
+ },
+ "images": {
+ "type": "object",
+ "properties": {
+ "controller": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "type": "string"
+ },
+ "registry": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "enforcer": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "type": "string"
+ },
+ "registry": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
}
- }
+ },
+ "manager": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "type": "string"
+ },
+ "registry": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "neuvector_csp_pod": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "type": "string"
+ },
+ "imagePullPolicy": {
+ "type": "string"
+ },
+ "registry": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "marketplace": {
+ "type": "object",
+ "properties": {
+ "planId": {
+ "type": "string"
}
- }
}
- },
- "topologyKey": {
+ },
+ "serviceAccount": {
"type": "string"
- }
}
- }
}
- }
+ },
+ "cattle": {
+ "type": "object",
+ "properties": {
+ "url": {
+ "type": "null"
+ }
+ }
}
- }
}
- }
- },
- "tolerations": {
- "type": "array",
- "description": "List of node taints to tolerate"
},
- "nodeSelector": {
- "type": "object",
- "description": "Enable and specify nodeSelector labels"
+ "imagePullSecrets": {
+ "type": "null"
},
- "apisvc": {
- "type": "object",
- "properties": {
- "type": {
- "description": "Controller REST API service type"
- },
- "annotations": {
- "type": "object",
- "description": "Add annotations to controller REST API service"
- },
- "route": {
- "type": "object",
- "description": "OpenShift Route configuration. Controller supports HTTPS only, so edge termination not supported.",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, create a OpenShift route to expose the Controller REST API service"
- },
- "termination": {
- "enum": ["passthrough", "reencrypt"],
- "description": "Specify TLS termination for OpenShift route for Controller REST API service. Possible passthrough, reencrypt"
- },
- "host": {
- "type": ["string", "null"],
- "format": "hostname",
- "description": "Set controller REST API service hostname"
- },
- "tls": {
- "type": ["object", "null"],
- "properties": {
- "certificate": {
- "type": "string",
- "description": "Set controller REST API service PEM format certificate file"
- },
- "caCertificate": {
- "type": "string",
- "description": "Set controller REST API service CA certificate may be required to establish a certificate chain for validation"
- },
- "destinationCACertificate": {
- "type": "string",
- "description": "Set controller REST API service CA certificate to validate the endpoint certificate"
- },
- "key": {
- "type": "string",
- "description": "Set controller REST API service PEM format key file"
+ "internal": {
+ "type": "object",
+ "properties": {
+ "autoGenerateCert": {
+ "type": "boolean"
+ },
+ "autoRotateCert": {
+ "type": "boolean"
+ },
+ "certmanager": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "secretname": {
+ "type": "string"
+ }
}
- }
}
- },
- "required": [
- "enabled"
- ]
- }
- }
- },
- "ranchersso": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, enable single sign on for Rancher; required for rancher authentication"
}
- },
- "required": [
- "enabled"
- ]
},
- "pvc": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, enable persistence for controller using PVC"
- },
- "existingClaim": {
- "type": ["boolean", "string"],
- "description": "If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used."
- },
- "accessModes": {
- "type": "array",
- "description": "Access modes for the created PVC. Requires RWX",
- "items": {
- "enum": ["ReadWriteOnce", "ReadOnlyMany", "ReadWriteMany", "ReadWriteOncePod"]
- }
- },
- "storageClass": {
- "type": ["string", "null"],
- "description": "Storage Class to be used"
- },
- "capacity": {
- "type": ["string", "null"],
- "description": "Storage capacity. Requires 1Gi",
- "pattern": "^([0-9]+)(m|k|M|G|T|P|E|Ki|Mi|Gi|Ti|Pi|Ei)$"
+ "k3s": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "runtimePath": {
+ "type": "string"
+ }
}
- },
- "required": [
- "enabled"
- ]
},
- "azureFileShare": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, enable the usage of an existing or statically provisioned Azure File Share"
- },
- "secretName": {
- "type": ["string", "null"],
- "description": "The name of the secret containing the Azure file share storage account name and key"
- },
- "shareName": {
- "type": ["string", "null"],
- "description": "The name of the Azure file share to use"
+ "lease": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
}
- },
- "required": [
- "enabled"
- ]
},
- "certificate": {
- "type": "object",
- "properties": {
- "secret": {
- "description": "Replace controller REST API certificate using secret if secret name is specified"
- },
- "keyFile": {
- "type": "string",
- "description": "Replace controller REST API certificate key file"
- },
- "pemFile": {
- "type": "string",
- "description": "Replace controller REST API certificate pem file"
- }
- }
+ "leastPrivilege": {
+ "type": "boolean"
},
- "internal": {
- "type": "object",
- "properties": {
- "certificate": {
- "type": "object",
- "description": "this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)",
- "properties": {
- "secret": {
- "type": "string"
- },
- "keyFile": {
- "type": "string"
+ "manager": {
+ "type": "object",
+ "properties": {
+ "affinity": {
+ "type": "object"
},
- "pemFile": {
- "type": "string"
+ "certificate": {
+ "type": "object",
+ "properties": {
+ "keyFile": {
+ "type": "string"
+ },
+ "pemFile": {
+ "type": "string"
+ },
+ "secret": {
+ "type": "string"
+ }
+ }
},
- "caFile": {
- "type": "string",
- "description": "must be the same CA for all internal."
- }
- }
- }
- }
- },
- "federation": {
- "type": "object",
- "properties": {
- "mastersvc": {
- "type": "object",
- "properties": {
- "type": {
- "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName", null],
- "description": "Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP."
+ "enabled": {
+ "type": "boolean"
},
- "clusterIP": {
- "type": ["string", "null"],
- "format": "ipv4",
- "description": "Set clusterIP to be used for mastersvc"
+ "env": {
+ "type": "object",
+ "properties": {
+ "envs": {
+ "type": "array"
+ },
+ "ssl": {
+ "type": "boolean"
+ }
+ }
},
- "externalTrafficPolicy": {
- "description": "Set externalTrafficPolicy to be used for mastersvc"
+ "extraEnv": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ }
+ }
},
- "internalTrafficPolicy": {
- "description": "Set internalTrafficPolicy to be used for mastersvc"
+ "extraVolumeMounts": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "mountPath": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "subPath": {
+ "type": "string"
+ }
+ }
+ }
},
- "ingress": {
- "type": "object",
- "description": "Federation Master Ingress",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, create ingress for federation master service, must also set ingress host value"
- },
- "host": {
- "type": ["string", "null"],
- "description": "MUST be set, if ingress is enabled",
- "format": "hostname"
- },
- "ingressClassName": {
- "type": "string",
- "description": "To be used instead of the ingress.class annotation if an IngressClass is provisioned"
- },
- "path": {
- "type": "string",
- "description": "or this could be \"/api\", but might need \"rewrite-target\" annotation",
- "format": "uri-reference"
- },
- "annotations": {
- "type": "object",
- "description": "Add annotations to ingress to influence behavior",
- "properties": {
- "nginx.ingress.kubernetes.io/backend-protocol": {
- "type": "string"
- },
- "ingress.kubernetes.io/rewrite-target": {
- "type": "string"
+ "extraVolumes": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "projected": {
+ "type": "object",
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "sources": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "configMap": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
}
- }
- },
- "tls": {
- "type": "boolean",
- "description": "If true, TLS is enabled for controller federation master ingress service. If set, the tls-host used is the one set with `controller.federation.mastersvc.ingress.host`."
- },
- "secretName": {
- "type": ["string", "null"],
- "description": "Name of the secret to be used for TLS-encryption. Secret must be created separately (Let's encrypt, manually)"
}
- },
- "required": [
- "enabled"
- ]
},
- "annotations": {
- "type": "object",
- "description": "Add annotations to Multi-cluster primary cluster REST API service"
+ "image": {
+ "type": "object",
+ "properties": {
+ "hash": {
+ "type": "null"
+ },
+ "imagePullPolicy": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ }
+ }
},
- "route": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, create a OpenShift route to expose the Multi-cluster primary cluster service"
- },
- "termination": {
- "enum": ["passthrough", "reencrypt"],
- "description": "Specify TLS termination for OpenShift route for Multi-cluster primary cluster service. Possible passthrough, reencrypt"
- },
- "host": {
- "type": ["string", "null"],
- "format": "hostname",
- "description": "Set OpenShift route host for primary cluster service"
- },
- "tls": {
- "type": ["object", "null"],
- "properties": {
- "certificate": {
- "type": "string",
- "description": "Set PEM format key certificate file for OpenShift route for Multi-cluster primary cluster service"
+ "ingress": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object",
+ "properties": {
+ "nginx.ingress.kubernetes.io/backend-protocol": {
+ "type": "string"
+ }
+ }
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "host": {
+ "type": "null"
},
- "caCertificate": {
- "type": "string",
- "description": "Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster primary cluster service"
+ "ingressClassName": {
+ "type": "string"
+ },
+ "path": {
+ "type": "string"
},
- "destinationCACertificate": {
- "type": "string",
- "description": "Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster primary cluster service"
+ "secretName": {
+ "type": "null"
},
- "key": {
- "type": "string",
- "description": "Set PEM format key file for OpenShift route for Multi-cluster primary cluster service"
+ "tls": {
+ "type": "boolean"
}
- }
}
- },
- "required": [
- "enabled"
- ]
- }
- }
- },
- "managedsvc": {
- "type": "object",
- "properties": {
- "type": {
- "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName", null],
- "description": "Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed cluster. Possible values include NodePort, LoadBalancer and ClusterIP."
},
- "clusterIP": {
- "type": ["string", "null"],
- "format": "ipv4",
- "description": "Set clusterIP to be used for managedsvc"
+ "nodeSelector": {
+ "type": "object"
},
- "externalTrafficPolicy": {
- "description": "Set externalTrafficPolicy to be used for managedsvc"
+ "podAnnotations": {
+ "type": "object"
},
- "internalTrafficPolicy": {
- "description": "Set internalTrafficPolicy to be used for managedsvc"
+ "podLabels": {
+ "type": "object"
},
- "ingress": {
- "type": "object",
- "description": "Federation Managed Ingress",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, create ingress for federation managed service, must also set ingress host value"
- },
- "host": {
- "type": ["string", "null"],
- "description": "MUST be set, if ingress is enabled",
- "format": "hostname"
- },
- "ingressClassName": {
- "type": "string",
- "description": "To be used instead of the ingress.class annotation if an IngressClass is provisioned"
- },
- "path": {
- "type": "string",
- "description": "or this could be \"/api\", but might need \"rewrite-target\" annotation",
- "format": "uri-reference"
- },
- "annotations": {
- "type": "object",
- "description": "Add annotations to ingress to influence behavior",
- "properties": {
- "nginx.ingress.kubernetes.io/backend-protocol": {
- "type": "string"
- },
- "ingress.kubernetes.io/rewrite-target": {
- "type": "string"
+ "priorityClassName": {
+ "type": "null"
+ },
+ "probes": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "periodSeconds": {
+ "type": "integer"
+ },
+ "startupFailureThreshold": {
+ "type": "integer"
+ },
+ "timeout": {
+ "type": "integer"
}
- }
- },
- "tls": {
- "type": "boolean",
- "description": "If true, TLS is enabled for controller federation managed ingress service"
- },
- "secretName": {
- "type": ["string", "null"],
- "description": "Name of the secret to be used for TLS-encryption. Secret must be created separately (Let's encrypt, manually)"
}
- },
- "required": [
- "enabled"
- ]
},
- "annotations": {
- "type": "object",
- "description": "Add annotations to Multi-cluster managed cluster REST API service"
+ "resources": {
+ "type": "object"
},
"route": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, create a OpenShift route to expose the Multi-cluster managed cluster service"
- },
- "termination": {
- "enum": ["passthrough", "reencrypt"],
- "description": "Specify TLS termination for OpenShift route for Multi-cluster managed cluster service. Possible passthrough, reencrypt"
- },
- "host": {
- "type": ["string", "null"],
- "format": "hostname",
- "description": "Set OpenShift route host for manageed service"
- },
- "tls": {
- "type": ["object", "null"],
- "properties": {
- "certificate": {
- "type": "string",
- "description": "Set PEM format certificate file for OpenShift route for Multi-cluster managed cluster service"
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
},
- "caCertificate": {
- "type": "string",
- "description": "Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster managed cluster service"
+ "host": {
+ "type": "null"
},
- "destinationCACertificate": {
- "type": "string",
- "description": "Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster managed cluster service"
+ "termination": {
+ "type": "string"
},
- "key": {
- "type": "string",
- "description": "Set PEM format key file for OpenShift route for Multi-cluster managed cluster service"
+ "tls": {
+ "type": "null"
}
- }
}
- },
- "required": [
- "enabled"
- ]
- }
- }
- }
- }
- },
- "ingress": {
- "type": "object",
- "description": "Federation Managed Ingress",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, create ingress for rest api, must also set ingress host value"
- },
- "host": {
- "type": ["string", "null"],
- "description": "MUST be set, if ingress is enabled",
- "format": "hostname"
- },
- "ingressClassName": {
- "type": "string",
- "description": "To be used instead of the ingress.class annotation if an IngressClass is provisioned"
- },
- "path": {
- "type": "string",
- "description": "or this could be \"/api\", but might need \"rewrite-target\" annotation",
- "format": "uri-reference"
- },
- "annotations": {
- "type": "object",
- "description": "Add annotations to ingress to influence behavior",
- "properties": {
- "nginx.ingress.kubernetes.io/backend-protocol": {
- "type": "string"
- },
- "ingress.kubernetes.io/rewrite-target": {
- "type": "string"
- }
- }
- },
- "tls": {
- "type": "boolean",
- "description": "If true, TLS is enabled for controller rest api ingress service. If set, the tls-host used is the one set with `controller.ingress.host`"
- },
- "secretName": {
- "type": ["string", "null"],
- "description": " Name of the secret to be used for TLS-encryption. Secret must be created separately (Let's encrypt, manually)"
- }
- },
- "required": [
- "enabled"
- ]
- },
- "resources": {
- "type": "object",
- "description": "Add resources requests and limits to controller deployment"
- },
- "configmap": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, configure NeuVector global settings using a ConfigMap"
- },
- "data": {
- "type": ["object", "null"],
- "description": "NeuVector configuration in YAML format"
- }
- },
- "required": [
- "enabled"
- ]
- },
- "secret": {
- "type": "object",
- "description": "files defined here have preferrence over the ones defined in the configmap section",
- "properties": {
- "enabled": {
- "type":"boolean",
- "description": "If true, configure NeuVector global settings using secrets"
- },
- "data": {
- "type": "object",
- "description": "NeuVector configuration in key/value pair format",
- "properties": {
- "userinitcfg.yaml": {
- "type": "object",
- "properties": {
- "users": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "Fullname": {
- "type": "string"
- },
- "Password": {
- "type": ["string", "null"]
- },
- "Role": {
+ },
+ "runAsUser": {
+ "type": "null"
+ },
+ "svc": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "loadBalancerIP": {
+ "type": "null"
+ },
+ "nodePort": {
+ "type": "null"
+ },
+ "type": {
"type": "string"
- }
}
- }
}
- }
- }
- }
- }
- },
- "required": [
- "enabled"
- ]
- }
- },
- "required": [
- "enabled"
- ]
- },
- "enforcer": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If false, enforcer will not be installed",
- "description": "If true, create enforcer"
- },
- "image": {
- "type": "object",
- "properties": {
- "repository": {
- "type": "string",
- "description": "enforcer image repository"
- },
- "hash": {
- "type": ["string", "null"],
- "description": "enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value."
- }
- }
- },
- "updateStrategy": {
- "type": "object",
- "description": "enforcer update strategy type.",
- "properties": {
- "type": {
- "enum": ["Recreate", "RollingUpdate"]
- }
- }
- },
- "priorityClassName": {
- "description": "enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable."
- },
- "podLabels": {
- "type": "object",
- "description": "Specify the pod labels."
- },
- "podAnnotations": {
- "type": "object",
- "description": "Specify the pod annotations."
- },
- "env": {
- "type": "array",
- "description": "User-defined environment variables for enforcers."
- },
- "tolerations": {
- "type": "array",
- "description": "List of node taints to tolerate. Other taints can be added after the default",
- "items": {
- "type": "object",
- "properties": {
- "effect": {
- "enum": ["NoExecute", "NoSchedule", "PreferNoSchedule"]
- },
- "key": {
- "type": "string"
- }
- }
- }
- },
- "resources": {
- "type": "object",
- "description": "Add resources requests and limits to enforcer deployment"
- },
- "internal": {
- "type": "object",
- "properties": {
- "certificate": {
- "type": "object",
- "description": "this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)",
- "properties": {
- "secret": {
- "type": "string"
- },
- "keyFile": {
- "type": "string"
},
- "pemFile": {
- "type": "string"
+ "tolerations": {
+ "type": "array"
},
- "caFile": {
- "type": "string",
- "description": "must be the same CA for all internal."
+ "topologySpreadConstraints": {
+ "type": "array"
}
- }
- }
- }
- }
- },
- "required": [
- "enabled"
- ]
- },
- "manager": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, create manager"
- },
- "image": {
- "type": "object",
- "properties": {
- "repository": {
- "type": "string",
- "description": "manager image repository"
- },
- "hash": {
- "type": ["string", "null"],
- "description": "manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value."
}
- }
- },
- "priorityClassName": {
- "type": ["string", "null"],
- "description": "manager priorityClassName. Must exist prior to helm deployment. Leave empty to disable."
},
- "env": {
- "type": "object",
- "properties": {
- "ssl": {
- "type": "boolean",
- "description": "If false, manager will listen on HTTP access instead of HTTPS"
- },
- "envs": {
- "type": "array",
- "description": "Other environment variables. The following variables are accepted.",
- "items": {
- "type": "object",
- "properties": {
- "name": {
- "type": "string"
- },
- "value": {
- "type": "string"
- }
- }
- }
- }
- },
- "required": [
- "ssl"
- ]
+ "oem": {
+ "type": "null"
},
- "svc": {
- "type": "object",
- "description": "set manager service type for native Kubernetes. if it is OpenShift platform or ingress is enabled, then default is `ClusterIP`. Set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google.",
- "properties": {
- "type": {
- "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName"]
- },
- "loadBalancerIP": {
- "type": ["string", "null"],
- "format": "ipv4",
- "description": "if manager service type is LoadBalancer, this is used to specify the load balancer's IP"
- },
- "annotations": {
- "type": "object",
- "description": "Add annotations to manager service"
- }
- }
+ "openshift": {
+ "type": "boolean"
},
- "route": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, create a OpenShift route to expose the management console service"
- },
- "termination": {
- "enum": ["passthrough", "reencrypt", "edge"],
- "description": "Specify TLS termination for OpenShift route for management console service. Possible passthrough, reencrypt, edge"
- },
- "host": {
- "type": ["string", "null"],
- "format": "hostname",
- "description": "Set OpenShift route host for management console service"
- },
- "tls": {
- "type": ["object", "null"],
- "properties": {
- "certificate": {
- "type": "string",
- "description": "Set PEM format certificate file for OpenShift route for management console service"
- },
- "caCertificate": {
- "type": "string",
- "description": "Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service"
- },
- "destinationCACertificate": {
- "type": "string",
- "description": "Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service"
- },
- "key": {
- "type": "string",
- "description": "Set PEM format key file for OpenShift route for management console service"
- }
- }
- }
- },
- "required": [
- "enabled"
- ]
+ "psp": {
+ "type": "boolean"
},
- "certificate": {
- "type": "object",
- "properties": {
- "secret": {
- "type": ["string", "null"],
- "description": "Replace manager UI certificate using secret if secret name is specified"
- },
- "keyFile": {
- "type": "string",
- "description": "Replace manager UI certificate key file"
- },
- "pemFile": {
- "type": "string",
- "description": "Replace manager UI certificate pem file"
- }
- }
+ "rbac": {
+ "type": "boolean"
},
- "ingress": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, create ingress, must also set ingress host value"
- },
- "host": {
- "type": ["string", "null"],
- "description": "MUST be set, if ingress is enabled",
- "format": "hostname"
- },
- "ingressClassName": {
- "type": "string",
- "description": "To be used instead of the ingress.class annotation if an IngressClass is provisioned"
- },
- "path": {
- "type": "string",
- "format": "uri-reference",
- "description": "Set ingress path. If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`"
- },
- "annotations": {
- "type": "object",
- "description": "Add annotations to ingress to influence behavior",
- "properties": {
- "nginx.ingress.kubernetes.io/backend-protocol": {
- "type": "string"
- },
- "kubernetes.io/ingress.class": {
- "type": "string"
- },
- "nginx.ingress.kubernetes.io/whitelist-source-range": {
- "type": "string"
- },
- "ingress.kubernetes.io/rewrite-target": {
- "type": "string"
- },
- "nginx.ingress.kubernetes.io/enable-rewrite-log": {
- "type": "string"
- }
- }
- },
- "tls": {
- "type": "boolean",
- "description": "only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert"
- },
- "secretName": {
- "description": "my-tls-secret",
- "description": "Name of the secret to be used for TLS-encryption. Secret must be created separately (Let's encrypt, manually)"
- }
- },
- "required": [
- "enabled"
- ]
+ "registry": {
+ "type": "string"
},
"resources": {
- "type": "object",
- "description": "Add resources requests and limits to manager deployment"
- },
- "affinity": {
- "type": "object",
- "description": "manager affinity rules"
- },
- "podLabels": {
- "type": "object",
- "description": "Specify the pod labels."
- },
- "podAnnotations": {
- "type": "object",
- "description": "Specify the pod annotations."
- },
- "tolerations": {
- "type": "array",
- "description": "List of node taints to tolerate"
- },
- "nodeSelector": {
- "type": "object",
- "description": "Enable and specify nodeSelector labels"
- },
- "runAsUser": {
- "type": ["string", "null"],
- "description": "MUST be set for Rancher hardened cluster"
- }
- },
- "required": [
- "enabled"
- ]
- },
- "cve": {
- "type": "object",
- "properties": {
- "adapter": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, create registry adapter"
- },
- "image": {
- "type": "object",
- "properties": {
- "repository": {
- "type": "string",
- "description": "registry adapter image repository"
- },
- "tag": {
- "type": ["string", "null"],
- "description": "registry adapter image tag"
- },
- "hash": {
- "type": ["string", "null"],
- "description": "registry adapter image hash in the format of sha256:xxxx. If present it overwrites the image tag value."
- }
- }
- },
- "priorityClassName": {
- "type": ["string", "null"],
- "description": "registry adapter priorityClassName. Must exist prior to helm deployment. Leave empty to disable."
- },
- "resources": {
- "type": "object",
- "description": "Add resources requests and limits to registry adapter deployment"
- },
- "affinity": {
- "type": "object",
- "description": "registry adapter affinity rules"
- },
- "podLabels": {
- "type": "object",
- "description": "Specify the pod labels."
- },
- "podAnnotations": {
- "type": "object",
- "description": "Specify the pod annotations."
- },
- "env": {
- "type": "array",
- "description": "User-defined environment variables for adapter."
- },
- "tolerations": {
- "type": "array",
- "description": "List of node taints to tolerate"
- },
- "nodeSelector": {
- "type": "object",
- "description": "Enable and specify nodeSelector labels"
- },
- "runAsUser": {
- "type": ["string", "null"],
- "description": "Specify the run as User ID. MUST be set for Rancher hardened cluster"
- },
- "certificate": {
- "type": "object",
- "description": "TLS cert/key. If absent, TLS cert/key automatically generated will be used.",
- "properties": {
- "secret": {
- "type": ["string", "null"],
- "description": "Replace registry adapter certificate using secret if secret name is specified"
- },
- "keyFile": {
- "type": "string",
- "description": "Replace registry adapter certificate key file"
- },
- "pemFile": {
- "type": "string",
- "description": "Replace registry adapter certificate pem file"
- }
- }
- },
- "harbor": {
- "type": "object",
- "properties": {
- "protocol": {
- "enum": ["http", "https"],
- "description": "Harbor registry request protocol"
- },
- "secretName": {
- "type": ["string", "null"],
- "description": "Harbor registry adapter's basic authentication secret"
- }
- }
- },
- "svc": {
- "type": "object",
- "properties": {
- "type": {
- "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName"],
- "description": "set registry adapter service type for native Kubernetes. If it is OpenShift platform or ingress is enabled, then default is `ClusterIP`. Set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google"
- },
- "loadBalancerIP": {
- "type": ["string", "null"],
- "format": "ipv4",
- "description": "if registry adapter service type is LoadBalancer, this is used to specify the load balancer's IP"
- },
- "annotations": {
- "type": "object",
- "description": "Add annotations to registry adapter service"
- }
- }
- },
- "route": {
- "type": "object",
- "description": "OpenShift Route configuration",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, create a OpenShift route to expose the management console service"
- },
- "termination": {
- "enum": ["passthrough", "reencrypt", "edge"],
- "description": "Specify TLS termination for OpenShift route for management console service. Possible passthrough, reencrypt, edge"
- },
- "host": {
- "type": ["string", "null"],
- "format": "hostname",
- "description": "Set OpenShift route host for management console service"
- },
- "tls": {
- "type": ["object", "null"],
- "properties": {
- "certificate": {
- "type": "string",
- "description": "Set PEM format certificate file for OpenShift route for management console service"
- },
- "caCertificate": {
- "type": "string",
- "description": "Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service"
- },
- "destinationCACertificate": {
- "type": "string",
- "description": "Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service"
- },
- "key": {
- "type": "string",
- "description": "Set PEM format key file for OpenShift route for management console service"
- }
- }
- }
- }
- },
- "ingress": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, create ingress, must also set ingress host value"
- },
- "host": {
- "type": ["string", "null"],
- "description": "MUST be set, if ingress is enabled",
- "format": "hostname"
- },
- "ingressClassName": {
- "type": "string",
- "description": "To be used instead of the ingress.class annotation if an IngressClass is provisioned"
- },
- "path": {
- "type": "string",
- "format": "uri-reference",
- "description": "Set ingress path. If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`"
- },
- "annotations": {
- "type": "object",
- "description": "Add annotations to ingress to influence behavior",
- "properties": {
- "nginx.ingress.kubernetes.io/backend-protocol": {
- "type": "string"
- },
- "kubernetes.io/ingress.class": {
- "type": "string"
- },
- "nginx.ingress.kubernetes.io/whitelist-source-range": {
- "type": "string"
- },
- "ingress.kubernetes.io/rewrite-target": {
- "type": "string"
- },
- "nginx.ingress.kubernetes.io/enable-rewrite-log": {
- "type": "string"
- }
- }
- },
- "tls": {
- "type": "boolean",
- "description": "If true, TLS is enabled for registry adapter ingress service. If set, the tls-host used is the one set with `cve.adapter.ingress.host`."
- },
- "secretName": {
- "type": ["string", "null"],
- "description": "Name of the secret to be used for TLS-encryption. Secret must be created separately (Let's encrypt, manually)"
- }
- }
- },
- "internal": {
- "type": "object",
- "properties": {
- "certificate": {
- "type": "object",
- "description": "this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)",
- "properties": {
- "secret": {
- "type": "string"
- },
- "keyFile": {
- "type": "string"
- },
- "pemFile": {
- "type": "string"
- },
- "caFile": {
- "type": "string",
- "description": "must be the same CA for all internal."
- }
- }
- }
- }
- }
- },
- "required": [
- "enabled"
- ]
+ "type": "object"
},
- "updater": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, create cve updater . If false, cve updater will not be installed"
- },
- "secure": {
- "type": "boolean",
- "description": "If true, API server's certificate is validated"
- },
- "cacert": {
- "type": "string",
- "format": "uri-reference",
- "description": "If set, use this ca file to validate API server's certificate"
- },
- "image": {
- "type": "object",
- "properties": {
- "registry": {
- "type": "string",
- "description": "cve updater image registry to overwrite global registry"
- },
- "repository": {
- "type": "string",
- "description": "cve updater image repository"
- },
- "tag": {
- "type": ["string", "null"],
- "description": "image tag for cve updater"
- },
- "hash": {
- "type": ["string", "null"],
- "description": "cve updateer image hash in the format of sha256:xxxx. If present it overwrites the image tag value."
- }
- }
- },
- "schedule": {
- "type": "string",
- "description": "cronjob cve updater schedule"
- },
- "priorityClassName": {
- "type": ["string", "null"],
- "description": "cve updater priorityClassName. Must exist prior to helm deployment. Leave empty to disable."
- },
- "podLabels": {
- "type": "object",
- "description": "Specify the pod labels."
- },
- "podAnnotations": {
- "type": "object",
- "description": "Specify the pod annotations."
- },
- "nodeSelector": {
- "type": "object",
- "description": "Enable and specify nodeSelector labels"
- },
- "runAsUser": {
- "description": "Specify the run as User ID. MUST be set for Rancher hardened cluster"
- }
- },
- "required": [
- "enabled"
- ]
+ "runtimePath": {
+ "type": "null"
},
- "scanner": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "If true, cve scanners will be deployed"
- },
- "replicas": {
- "type": "integer",
- "description": "external scanner replicas"
- },
- "dockerPath": {
- "type": "string",
- "description": "the remote docker socket if CI/CD integration need scan images before they are pushed to the registry"
- },
- "strategy": {
- "type": "object",
- "properties": {
- "type": {
- "enum": ["Recreate", "RollingUpdate"]
- },
- "rollingUpdate": {
- "type": "object",
- "properties": {
- "maxSurge": {
- "type": "integer"
- },
- "maxUnavailable": {
- "type": "integer"
- }
- }
- }
- }
- },
- "image": {
- "type": "object",
- "properties": {
- "registry": {
- "type": "string",
- "description": "cve scanner image registry to overwrite global registry"
- },
- "repository": {
- "type": "string",
- "description": "cve scanner image repository"
- },
- "tag": {
- "type": ["string", "null"],
- "description": "cve scanner image tag"
- },
- "hash": {
- "type": ["string", "null"],
- "description": "cve scanner image hash in the format of sha256:xxxx. If present it overwrites the image tag value."
- }
- }
- },
- "priorityClassName": {
- "type": ["string", "null"],
- "description": "cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable."
- },
- "resources": {
- "type": "object",
- "description": "Add resources requests and limits to scanner deployment"
- },
- "affinity": {
- "type": "object",
- "description": "scanner affinity rules"
- },
- "podLabels": {
- "type": "object",
- "description": "Specify the pod labels."
- },
- "podAnnotations": {
- "type": "object",
- "description": "Specify the pod annotations."
- },
- "env": {
- "type": "array",
- "description": "User-defined environment variables for scanner."
- },
- "tolerations": {
- "type": "array",
- "description": "List of node taints to tolerate"
- },
- "nodeSelector": {
- "type": "object",
- "description": "Enable and specify nodeSelector labels"
- },
- "runAsUser": {
- "description": "Specify the run as User ID. MUST be set for Rancher hardened cluster"
- },
- "internal": {
- "type": "object",
- "properties": {
- "certificate": {
- "type": "object",
- "description": "this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer)",
- "properties": {
- "secret": {
- "type": "string"
- },
- "keyFile": {
- "type": "string"
- },
- "pemFile": {
- "type": "string"
- },
- "caFile": {
- "type": "string",
- "description": "must be the same CA for all internal."
- }
- }
- }
- }
- }
- },
- "required": [
- "enabled"
- ]
- }
- },
- "required": [
- "adapter",
- "updater",
- "scanner"
- ]
- },
- "resources": {
- "type": "object"
- },
- "runtimePath": {
- "type": ["string", "null"],
- "format": "uri-reference",
- "description": "container runtime socket path, if it's not at the default location."
- },
- "admissionwebhook": {
- "type": "object",
- "properties": {
- "type": {
- "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName"],
- "description": "admission webhook type"
- }
- }
- },
- "crdwebhook": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "Enable crd service and create crd related resources"
+ "serviceAccount": {
+ "type": "string"
},
- "type": {
- "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName"],
- "description": "crd webhook type"
+ "tag": {
+ "type": "string"
}
- },
- "required": [
- "enabled"
- ]
}
- },
- "required": [
- "openshift",
- "registry",
- "psp",
- "rbac",
- "serviceAccount",
- "leastPrivilege",
- "global",
- "autoGenerateCert",
- "defaultValidityPeriod",
- "internal",
- "controller",
- "enforcer",
- "manager",
- "cve"
- ],
- "title": "Values",
- "type": "object"
}
diff --git a/charts/core/values.yaml b/charts/core/values.yaml
index f89381be..1c8678cf 100644
--- a/charts/core/values.yaml
+++ b/charts/core/values.yaml
@@ -92,6 +92,23 @@ controller:
podAnnotations: {}
searchRegistries:
env: []
+ # To add your own CA set a ConfigMap with your CA (i.e. ca-bundle)
+ extraEnv:
+ - name: SSL_CERT_FILE
+ value: /etc/ssl/certs/ca-bundle.pem
+ extraVolumes:
+ - name: ca-bundle
+ projected:
+ defaultMode: 420
+ sources:
+ - configMap:
+ name: ca-bundle
+ extraVolumeMounts:
+ - name: ca-bundle
+ mountPath: /etc/ssl/certs/ca-bundle.pem
+ subPath: ca-bundle.pem # remember that subPath field must exactly match the key name in the ConfigMap.
+ readOnly: true
+ svc:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
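Review bot: The CA-wiring example is shipped as the live default rather than as a commented example — `extraEnv`, `extraVolumes` and `extraVolumeMounts` in this hunk (and again in the `manager:` hunk below) reference a ConfigMap named `ca-bundle` and point `SSL_CERT_FILE` at the mounted file, so a default install either cannot start the pod until a `ca-bundle` ConfigMap exists or, if one happens to exist in the release namespace, silently adopts it as the process's TLS trust store. The defaults should be empty lists (`extraEnv: []`, `extraVolumes: []`, `extraVolumeMounts: []`) with the example commented out, the way the `CUSTOM_PAGE_*` env lines just above the manager hunk already are. The added bare `svc:` line before `affinity:` carries no value in this view; if it is a stray key it parses as null, and if it is meant to enclose the keys that follow, the indentation needs confirming against the rendered template.
```yaml
# To add your own CA, create a ConfigMap holding it (e.g. ca-bundle) and
# uncomment the example below. Keep the defaults empty: a non-empty default
# references a ConfigMap that may not exist in the release namespace.
extraEnv: []
extraVolumes: []
extraVolumeMounts: []
# extraEnv:
#   - name: SSL_CERT_FILE
#     value: /etc/ssl/certs/ca-bundle.pem
# … extraVolumes / extraVolumeMounts example commented out the same way …
```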
@@ -381,6 +398,23 @@ manager:
# value: "#FFFFFF"
# - name: CUSTOM_PAGE_FOOTER_COLOR
# value: "#FFFFFF"
+
+ # To add your own CA set a ConfigMap with your CA (i.e. ca-bundle)
+ extraEnv:
+ - name: SSL_CERT_FILE
+ value: /etc/ssl/certs/ca-bundle.pem
+ extraVolumes:
+ - name: ca-bundle
+ projected:
+ defaultMode: 420
+ sources:
+ - configMap:
+ name: ca-bundle
+ extraVolumeMounts:
+ - name: ca-bundle
+ mountPath: /etc/ssl/certs/ca-bundle.pem
+ subPath: ca-bundle.pem # remember that subPath field must exactly match the key name in the ConfigMap.
+ readOnly: true
svc:
type: ClusterIP
nodePort: