Add NeuVector chart version 2.2.0-b1

pull/1732/head
selvamt94 2022-04-13 11:27:53 -07:00
parent 057c46fe4c
commit 5f7f277be0
18 changed files with 2847 additions and 0 deletions

@ -0,0 +1,14 @@
### Run-Time Protection Without Compromise
NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform.
NeuVector integrates tightly with Rancher and Kubernetes to extend the built-in security features for applications that require defense in depth. Security features include:
+ Build phase vulnerability scanning with Jenkins plug-in and registry scanning
+ Admission control to prevent vulnerable or unauthorized image deployments using Kubernetes admission control webhooks
+ Complete run-time scanning with network, process, and file system monitoring and protection
+ The industry's only layer 7 container firewall for multi-protocol threat detection and automated segmentation
+ Advanced network controls including DLP detection, service mesh integration, connection blocking and packet captures
+ Run-time vulnerability scanning and CIS benchmarks
Please Note: Configure correct container runtime and runtime path under container runtime. Enable only one runtime.

@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "neuvector.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "neuvector.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "neuvector.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

@ -0,0 +1,224 @@
questions:
#image configurations
- variable: registry
default: "docker.io"
description: image registry
type: string
label: Image Registry
group: "Container Images"
- variable: controller.image.repository
default: "neuvector/controller.preview"
description: controller image repository
type: string
label: Controller image path
group: "Container Images"
- variable: controller.image.tag
default: ""
description: image tag for controller
type: string
label: Controller Image Tag
group: "Container Images"
- variable: manager.image.repository
default: "neuvector/manager.preview"
description: manager image repository
type: string
label: Manager image path
group: "Container Images"
- variable: manager.image.tag
default: ""
description: image tag for manager
type: string
label: Manager Image Tag
group: "Container Images"
- variable: enforcer.image.repository
default: "neuvector/enforcer.preview"
description: enforcer image repository
type: string
label: Enforcer image path
group: "Container Images"
- variable: enforcer.image.tag
default: ""
description: image tag for enforcer
type: string
label: Enforcer Image Tag
group: "Container Images"
- variable: cve.scanner.image.repository
default: "neuvector/scanner.preview"
description: scanner image repository
type: string
label: Scanner image path
group: "Container Images"
- variable: cve.scanner.image.tag
default: ""
description: image tag for scanner
type: string
label: Scanner Image Tag
group: "Container Images"
- variable: cve.updater.image.repository
default: "neuvector/updater.preview"
description: cve updater image repository
type: string
label: CVE Updater image path
group: "Container Images"
- variable: cve.updater.image.tag
default: ""
description: image tag for updater
type: string
label: Updater Image Tag
group: "Container Images"
#Container Runtime configurations
- variable: docker.enabled
default: true
description: Docker runtime. Enable only one runtime.
type: boolean
label: Docker Runtime
show_subquestion_if: true
group: "Container Runtime"
subquestions:
- variable: docker.path
default: "/var/run/docker.sock"
description: "Docker Runtime Path"
type: string
label: Runtime Path
- variable: containerd.enabled
default: "false"
description: Containerd runtime. Enable only one runtime.
type: boolean
label: Containerd Runtime
show_subquestion_if: true
group: "Container Runtime"
subquestions:
- variable: containerd.path
default: " /var/run/containerd/containerd.sock"
description: "Containerd Runtime Path"
type: string
label: Runtime Path
- variable: crio.enabled
default: "false"
description: CRI-O runtime. Enable only one runtime.
type: boolean
label: CRI-O Runtime
show_subquestion_if: true
group: "Container Runtime"
subquestions:
- variable: crio.path
default: "/var/run/crio/crio.sock"
description: "CRI-O Runtime Path"
type: string
label: Runtime Path
- variable: k3s.enabled
default: "false"
description: k3s containerd runtime. Enable only one runtime.
type: boolean
label: k3s Containerd Runtime
show_subquestion_if: true
group: "Container Runtime"
subquestions:
- variable: k3s.runtimePath
default: " /run/k3s/containerd/containerd.sock"
description: "k3s Containerd Runtime Path"
type: string
label: Runtime Path
#storage configurations
- variable: controller.pvc.enabled
default: false
description: If true, enable persistence for controller using PVC
type: boolean
label: PVC status
group: "PVC Configuration"
- variable: controller.pvc.storageClass
default: ""
description: Storage Class to be used
type: string
label: Storage Class Name
group: "PVC Configuration"
#ingress configurations
- variable: manager.ingress.enabled
default: false
description: If true, create ingress, must also set ingress host value
type: boolean
label: Manager ingress status
group: "Ingress Configuration"
- variable: manager.ingress.host
default: ""
description: Must set this host value if ingress is enabled
type: string
label: Manager Ingress host
group: "Ingress Configuration"
- variable: manager.ingress.path
default: "/"
description: Set ingress path
type: string
label: Manager Ingress path
group: "Ingress Configuration"
- variable: manager.ingress.annotations
default: "{}"
description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation.
type: string
label: Manager Ingress annotations
group: "Ingress Configuration"
- variable: controller.ingress.enabled
default: false
description: If true, create ingress for rest api, must also set ingress host value
type: boolean
label: Controller ingress status
group: "Ingress Configuration"
- variable: controller.ingress.host
default: ""
description: Must set this host value if ingress is enabled
type: string
label: Controller Ingress host
group: "Ingress Configuration"
- variable: controller.ingress.path
default: "/"
description: Set ingress path
type: string
label: Controller Ingress path
group: "Ingress Configuration"
- variable: controller.ingress.annotations
default: "{}"
description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation.
type: string
label: Controller Ingress annotations
group: "Ingress Configuration"
#service configurations
- variable: manager.svc.type
default: "NodePort"
description: Set manager service type for native Kubernetes
type: enum
label: Manager service type
group: "Service Configuration"
options:
- "NodePort"
- "ClusterIP"
- "LoadBalancer"
- variable: controller.federation.mastersvc.type
default: ""
description: Multi-cluster master cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and Ingress
type: enum
label: Fed Master Service Type
group: "Service Configuration"
options:
- "NodePort"
- "Ingress"
- "LoadBalancer"
- variable: controller.federation.managedsvc.type
default: ""
description: Multi-cluster managed cluster service type. If specified, the deployment will be managed by the master clsuter. Possible values include NodePort, LoadBalancer and Ingress
type: enum
label: Fed Managed service type
group: "Service Configuration"
options:
- "NodePort"
- "Ingress"
- "LoadBalancer"
- variable: controller.apisvc.type
default: "NodePort"
description: Controller REST API service type
type: enum
label: Controller REST API Service Type
group: "Service Configuration"
options:
- "NodePort"
- "ClusterIP"
- "LoadBalancer"
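Review bot: the `containerd.path` and `k3s.runtimePath` defaults carry a leading space inside the quotes (`" /var/run/containerd/containerd.sock"`, `" /run/k3s/containerd/containerd.sock"`); the space becomes part of the socket path the enforcer mounts, so the runtime socket will not be found. Drop the space. The `containerd.enabled`, `crio.enabled` and `k3s.enabled` defaults are quoted (`"false"`) although the questions are `type: boolean`, while `docker.enabled` uses a bare `true`; use unquoted booleans throughout. The four runtime toggles are independent booleans, so the "Enable only one runtime" rule in the descriptions is not enforced; a single enum question (docker, containerd, crio, k3s) would make the invalid combinations unrepresentable. The `registry` question defaults to `docker.io`, but the patched templates build the image from `system_default_registry` and `image.repository` only, so its value is never used. The image defaults also disagree with the patched values.yaml (`neuvector/controller.preview` with an empty tag here against `rancher/mirrored-neuvector-controller` and `5.0.0-b1` there); since question defaults are passed through as answers, an install that keeps them renders an image reference ending in a bare colon. Typo in the `controller.federation.managedsvc.type` description: "clsuter".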

@ -0,0 +1,32 @@
--- charts-original/Chart.yaml
+++ charts/Chart.yaml
@@ -1,10 +1,28 @@
+annotations:
+ catalog.cattle.io/auto-install: neuvector-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: NeuVector
+ catalog.cattle.io/kube-version: '>=1.18.0-0'
+ catalog.cattle.io/namespace: cattle-neuvector-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permit-os: linux
+ catalog.cattle.io/provides-gvr: neuvector.com/v1
+ catalog.cattle.io/rancher-version: '>= 2.6.5-0 <= 2.6.100-0'
+ catalog.cattle.io/release-name: neuvector
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: neuvector
+ catalog.cattle.io/upstream-version: 2.2.0-b1
apiVersion: v1
appVersion: 5.0.0-b1
description: Helm chart for NeuVector's core services
home: https://neuvector.com
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
+keywords:
+- security
maintainers:
- email: support@neuvector.com
name: becitsthere
-name: core
+name: neuvector
+sources:
+- https://github.com/neuvector/neuvector
version: 2.2.0-b1

@ -0,0 +1,76 @@
--- charts-original/README.md
+++ charts/README.md
@@ -71,7 +71,7 @@
`controller.schedulerName` | kubernetes scheduler name | `nil` |
`controller.affinity` | controller affinity rules | ... | spread controllers to different nodes |
`controller.tolerations` | List of node taints to tolerate | `nil` |
-`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](values.yaml)
+`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/master/charts/core/values.yaml)
`controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` |
`controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
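Review bot: the replacement links point at the `master` branch of neuvector/neuvector-helm, so the referenced values.yaml can drift away from the 2.2.0-b1 chart packaged in this commit; link to the tag that corresponds to 2.2.0-b1 instead, so the examples a reader lands on match the defaults they are installing. The same applies to the other six hunks in this file.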
@@ -100,7 +100,7 @@
`controller.federation.mastersvc.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
-`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](values.yaml)
+`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/master/charts/core/values.yaml)
`controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
`controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` |
`controller.federation.managedsvc.route.host` | Set OpenShift route host for manageed service | `nil` |
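Review bot: the context line for `controller.federation.managedsvc.type` reads "managed by the managed clsuter" and lists the possible values as NodePort, LoadBalancer and ClusterIP, whereas questions.yaml in this commit describes the same option as "managed by the master cluster" and offers NodePort, Ingress and LoadBalancer. Since this patch already touches the hunk, it is the place to align the wording and the value list (and fix the typo) so the Rancher UI and the README agree on what the option accepts.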
@@ -110,13 +110,13 @@
`controller.federation.managedsvc.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
-`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](values.yaml)
+`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/master/charts/core/values.yaml)
`controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed
`controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`.
`controller.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
-`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](values.yaml)
+`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/master/charts/core/values.yaml)
`controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false`
`controller.configmap.data` | NeuVector configuration in YAML format | `{}`
`controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false`
@@ -126,7 +126,7 @@
`enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
`enforcer.priorityClassName` | enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`<br>`key: node-role.kubernetes.io/master` | other taints can be added after the default
-`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](values.yaml)
+`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/master/charts/core/values.yaml)
`manager.enabled` | If true, create manager | `true` |
`manager.image.repository` | manager image repository | `neuvector/manager` |
`manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
@@ -134,7 +134,7 @@
`manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` |
`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;<br>if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
-`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](values.yaml)
+`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/master/charts/core/values.yaml)
`manager.route.enabled` | If true, create a OpenShift route to expose the management consol service | `true` |
`manager.route.host` | Set OpenShift route host for management consol service | `nil` |
`manager.route.termination` | Specify TLS termination for OpenShift route for management consol service. Possible passthrough, edge, reencrypt | `passthrough` |
@@ -144,10 +144,10 @@
`manager.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed
`manager.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`
-`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `{}` | see examples in [values.yaml](values.yaml)
+`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/master/charts/core/values.yaml)
`manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`.
`manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
-`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](values.yaml)
+`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/master/charts/core/values.yaml)
`manager.affinity` | manager affinity rules | `{}` |
`manager.tolerations` | List of node taints to tolerate | `nil` |
`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
@@ -165,7 +165,7 @@
`cve.scanner.priorityClassName` | cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`cve.scanner.replicas` | external scanner replicas | `3` |
`cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` |
-`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](values.yaml) |
+`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/master/charts/core/values.yaml) |
`cve.scanner.affinity` | scanner affinity rules | `{}` |
`cve.scanner.tolerations` | List of node taints to tolerate | `nil` |
`cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` |

@ -0,0 +1,14 @@
--- charts-original/templates/_helpers.tpl
+++ charts/templates/_helpers.tpl
@@ -30,3 +30,11 @@
{{- define "neuvector.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
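Review bot: `{{- if .Values.global.cattle.systemDefaultRegistry -}}` dereferences `cattle` without a guard. When the chart is rendered outside Rancher, `.Values.global` is an empty map, `.cattle` resolves to nil and the template engine aborts with a "nil pointer evaluating interface {}.systemDefaultRegistry" error; the values.yaml patch in this commit adds no `global.cattle` block. Add `global: cattle: systemDefaultRegistry: ""` to values.yaml (the convention other Rancher charts follow) or guard the lookup. Note also that the helper emits an empty string when unset, so the `registry: docker.io` value kept in values.yaml never reaches the image lines; either fall back to `.Values.registry` here or drop that key.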

@ -0,0 +1,23 @@
--- charts-original/templates/controller-deployment.yaml
+++ charts/templates/controller-deployment.yaml
@@ -52,19 +52,7 @@
serviceAccount: {{ .Values.serviceAccount }}
containers:
- name: neuvector-controller-pod
- {{ if eq .Values.registry "registry.neuvector.com" }}
- {{ if .Values.oem }}
- image: "{{ .Values.registry }}/{{ .Values.oem }}/controller:{{ .Values.tag }}"
- {{- else }}
- image: "{{ .Values.registry }}/controller:{{ .Values.tag }}"
- {{- end }}
- {{- else }}
- {{ if .Values.controller.image.hash }}
- image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}@{{ .Values.controller.image.hash }}"
- {{- else }}
- image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}:{{ .Values.tag }}"
- {{- end }}
- {{- end }}
+ image: {{ template "system_default_registry" . }}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}
securityContext:
privileged: true
resources:
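Review bot: the new `image:` line drops two code paths the rest of the chart still exposes: the `controller.image.hash` digest branch (`...@{{ .Values.controller.image.hash }}`) and the `oem` prefix. `hash:` remains in values.yaml and the README (see the `enforcer.image.hash` and `manager.image.hash` rows in the README patch) still promises "If present it overwrites the image tag value", so a user who pins by digest now silently gets the tag instead. Digest pinning is the stronger supply-chain control and should be kept, e.g. `{{- if .Values.controller.image.hash }}` with `@{{ .Values.controller.image.hash }}`, `{{- else }}` with `:{{ .Values.controller.image.tag }}`, `{{- end }}`. The same applies to the enforcer, manager, scanner and updater hunks below.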

@ -0,0 +1,23 @@
--- charts-original/templates/enforcer-daemonset.yaml
+++ charts/templates/enforcer-daemonset.yaml
@@ -40,19 +40,7 @@
serviceAccount: {{ .Values.serviceAccount }}
containers:
- name: neuvector-enforcer-pod
- {{ if eq .Values.registry "registry.neuvector.com" }}
- {{ if .Values.oem }}
- image: "{{ .Values.registry }}/{{ .Values.oem }}/enforcer:{{ .Values.tag }}"
- {{- else }}
- image: "{{ .Values.registry }}/enforcer:{{ .Values.tag }}"
- {{- end }}
- {{- else }}
- {{ if .Values.enforcer.image.hash }}
- image: "{{ .Values.registry }}/{{ .Values.enforcer.image.repository }}@{{ .Values.enforcer.image.hash }}"
- {{- else }}
- image: "{{ .Values.registry }}/{{ .Values.enforcer.image.repository }}:{{ .Values.tag }}"
- {{- end }}
- {{- end }}
+ image: {{ template "system_default_registry" . }}{{ .Values.enforcer.image.repository }}:{{ .Values.enforcer.image.tag }}
securityContext:
privileged: true
resources:

@ -0,0 +1,23 @@
--- charts-original/templates/manager-deployment.yaml
+++ charts/templates/manager-deployment.yaml
@@ -46,19 +46,7 @@
serviceAccount: {{ .Values.serviceAccount }}
containers:
- name: neuvector-manager-pod
- {{ if eq .Values.registry "registry.neuvector.com" }}
- {{ if .Values.oem }}
- image: "{{ .Values.registry }}/{{ .Values.oem }}/manager:{{ .Values.tag }}"
- {{- else }}
- image: "{{ .Values.registry }}/manager:{{ .Values.tag }}"
- {{- end }}
- {{- else }}
- {{ if .Values.manager.image.hash }}
- image: "{{ .Values.registry }}/{{ .Values.manager.image.repository }}@{{ .Values.manager.image.hash }}"
- {{- else }}
- image: "{{ .Values.registry }}/{{ .Values.manager.image.repository }}:{{ .Values.tag }}"
- {{- end }}
- {{- end }}
+ image: {{ template "system_default_registry" . }}{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }}
env:
- name: CTRL_SERVER_IP
value: neuvector-svc-controller.{{ .Release.Namespace }}

@ -0,0 +1,23 @@
--- charts-original/templates/scanner-deployment.yaml
+++ charts/templates/scanner-deployment.yaml
@@ -47,19 +47,7 @@
serviceAccount: {{ .Values.serviceAccount }}
containers:
- name: neuvector-scanner-pod
- {{ if eq .Values.registry "registry.neuvector.com" }}
- {{ if .Values.oem }}
- image: "{{ .Values.registry }}/{{ .Values.oem }}/scanner:{{ .Values.cve.scanner.image.tag }}"
- {{- else }}
- image: "{{ .Values.registry }}/scanner:{{ .Values.cve.scanner.image.tag }}"
- {{- end }}
- {{- else }}
- {{ if .Values.cve.scanner.image.hash }}
- image: "{{ .Values.registry }}/{{ .Values.cve.scanner.image.repository }}@{{ .Values.cve.scanner.image.hash }}"
- {{- else }}
- image: "{{ .Values.registry }}/{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}"
- {{- end }}
- {{- end }}
+ image: {{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}
imagePullPolicy: Always
env:
- name: CLUSTER_JOIN_ADDR

@ -0,0 +1,28 @@
--- charts-original/templates/updater-cronjob.yaml
+++ charts/templates/updater-cronjob.yaml
@@ -35,20 +35,12 @@
serviceAccount: {{ .Values.serviceAccount }}
containers:
- name: neuvector-updater-pod
- {{ if eq .Values.registry "registry.neuvector.com" }}
- {{ if .Values.oem }}
- image: "{{ .Values.registry }}/{{ .Values.oem }}/updater:{{ .Values.cve.updater.image.tag }}"
- {{- else }}
- image: "{{ .Values.registry }}/updater:{{ .Values.cve.updater.image.tag }}"
- {{- end }}
- {{- else }}
- {{ if .Values.cve.updater.image.hash }}
- image: "{{ .Values.registry }}/{{ .Values.cve.updater.image.repository }}@{{ .Values.cve.updater.image.hash }}"
- {{- else }}
- image: "{{ .Values.registry }}/{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }}"
- {{- end }}
- {{- end }}
+ image: {{ template "system_default_registry" . }}{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }}
imagePullPolicy: Always
+ command:
+ - /bin/sh
+ - -c
+ - sleep 30
{{- if .Values.cve.scanner.enabled }}
lifecycle:
postStart:
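Review bot: `command: /bin/sh -c sleep 30` replaces the updater image's entrypoint, so the container itself no longer performs an update; whatever work remains is done by the `lifecycle.postStart` hook, which the context shows is emitted only when `.Values.cve.scanner.enabled` is true. With the scanner disabled the CronJob now starts a pod that sleeps 30 seconds and exits without doing anything. Either wrap the `command` in the same condition or document the coupling in a comment, and explain the choice of 30 seconds, since the hook and the sleeping main process run concurrently and the pod's outcome depends on their relative timing.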

@ -0,0 +1,74 @@
--- charts-original/values.yaml
+++ charts/values.yaml
@@ -4,12 +4,10 @@
openshift: false
-registry: registry.neuvector.com
-tag: 4.4.4-s2
+registry: docker.io
oem:
-imagePullSecrets:
psp: false
-serviceAccount: default
+serviceAccount: neuvector
controller:
# If false, controller will not be installed
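Review bot: this hunk deletes the top-level `tag:` and `imagePullSecrets:` keys. The templates rewritten in this commit no longer read `.Values.tag`, but any template not shown here that still does will render an empty tag, and an `imagePullSecrets` reference would quietly become a no-op; worth grepping the remaining templates before the keys go. `registry: docker.io` is retained even though the image lines now use `system_default_registry` only, so it is dead configuration. Changing `serviceAccount` from `default` to `neuvector` is the right direction for least privilege, provided the chart creates that ServiceAccount and its RBAC; the crd chart's README in this commit still documents the default as `default`.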
@@ -20,7 +18,8 @@
maxSurge: 1
maxUnavailable: 0
image:
- repository: neuvector/controller
+ repository: rancher/mirrored-neuvector-controller
+ tag: 5.0.0-b1
hash:
replicas: 3
disruptionbudget: 0
@@ -52,7 +51,7 @@
termination: passthrough
host:
ranchersso:
- enabled: false
+ enabled: true
pvc:
enabled: false
accessModes:
@@ -157,7 +156,8 @@
# If false, enforcer will not be installed
enabled: true
image:
- repository: neuvector/enforcer
+ repository: rancher/mirrored-neuvector-enforcer
+ tag: 5.0.0-b1
hash:
priorityClassName:
tolerations:
@@ -175,7 +175,8 @@
# If false, manager will not be installed
enabled: true
image:
- repository: neuvector/manager
+ repository: rancher/mirrored-neuvector-manager
+ tag: 5.0.0-b1
hash:
priorityClassName:
env:
@@ -228,7 +229,7 @@
enabled: true
secure: false
image:
- repository: neuvector/updater
+ repository: rancher/mirrored-neuvector-updater
tag: latest
hash:
schedule: "0 0 * * *"
@@ -243,7 +244,7 @@
maxSurge: 1
maxUnavailable: 0
image:
- repository: neuvector/scanner
+ repository: rancher/mirrored-neuvector-scanner
tag: latest
hash:
priorityClassName:
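Review bot: `tag: latest` is kept for the scanner image here and for the updater image in the hunk above, while controller, enforcer and manager are pinned to `5.0.0-b1`. A mutable tag makes installs non-reproducible and, with the digest (`hash`) branch removed from the templates in this commit, leaves no way to pin these two images at all; pin them to a released version, and keep the `hash` path so a digest can be used where policy requires it.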

@ -0,0 +1,7 @@
url: https://neuvector.github.io/neuvector-helm/core-2.2.0-b1.tgz
version: 100.0.0
additionalCharts:
- workingDir: charts-crd
crdOptions:
templateDirectory: crd-template
crdDirectory: templates
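Review bot: the upstream archive is pulled from `https://neuvector.github.io/neuvector-helm/core-2.2.0-b1.tgz` by URL alone, and nothing in this package records a checksum for it. A prerelease tarball on a GitHub Pages endpoint can be replaced without the URL changing, so record the digest of the archive you reviewed (in the commit message or a comment here) and compare it at the next rebuild; otherwise the generated charts cannot be tied back to a known upstream artifact.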

@ -0,0 +1,16 @@
annotations:
catalog.cattle.io/release-name: neuvector-crd
catalog.cattle.io/namespace: cattle-neuvector-system
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: true
apiVersion: v1
appVersion: 5.0.0-b1
description: Helm chart for NeuVector's CRD services
home: https://neuvector.com
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
maintainers:
- email: support@neuvector.com
name: becitsthere
name: neuvector-crd
version: 2.2.0-b1
type: application

@ -0,0 +1,19 @@
# NeuVector Helm Chart
Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the contaier applications.
Because the CRD poclies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set 'crdwebhook.enabled' to false in the 'core' chart.
## Configuration
The following table lists the configurable parameters of the NeuVector chart and their default values.
Parameter | Description | Default | Notes
--------- | ----------- | ------- | -----
`openshift` | If deploying in OpenShift, set this to true | `false` |
`serviceAccount` | Service account name for NeuVector components | `default` |
`crdwebhook.type` | crd webhook type | `ClusterIP` |
---
Contact <support@neuvector.com> for access to Docker Hub and docs.
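Review bot: the table lists the `serviceAccount` default as `default`, but the crd chart's values.yaml added in this commit sets `serviceAccount: neuvector`, and `crdwebhook.enabled` (present in that values.yaml) is not documented at all. Typos in the introduction: "contaier" and "poclies".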

@ -0,0 +1,11 @@
# Default values for neuvector.
# This is a YAML-formatted file.
# Declare variables to be passed into the templates.
openshift: false
serviceAccount: neuvector
crdwebhook:
type: ClusterIP
enabled: true