From f7fa08d13819e64f695157f93ed18002b1e3ea88 Mon Sep 17 00:00:00 2001 
From: selvamt94 Date: Wed, 8 Feb 2023 12:13:42 -0800 Subject: [PATCH 1/5] Remove charts/assets for neuvector 101.0.2+up2.4.0 --- .../neuvector/neuvector-101.0.2+up2.4.0.tgz | Bin 15434 -> 0 bytes charts/neuvector/101.0.2+up2.4.0/.helmignore | 21 - charts/neuvector/101.0.2+up2.4.0/Chart.yaml | 28 -- charts/neuvector/101.0.2+up2.4.0/README.md | 237 ----------- .../neuvector/101.0.2+up2.4.0/app-readme.md | 18 - .../101.0.2+up2.4.0/crds/_helpers.tpl | 32 -- .../neuvector/101.0.2+up2.4.0/questions.yaml | 335 --------------- .../101.0.2+up2.4.0/templates/NOTES.txt | 20 - .../101.0.2+up2.4.0/templates/_helpers.tpl | 40 -- .../templates/admission-webhook-service.yaml | 18 - .../templates/clusterrole.yaml | 121 ------ .../templates/clusterrolebinding.yaml | 147 ------- .../templates/controller-deployment.yaml | 204 ---------- .../templates/controller-ingress.yaml | 219 ---------- .../templates/controller-route.yaml | 98 ----- .../templates/controller-service.yaml | 97 ----- .../templates/enforcer-daemonset.yaml | 117 ------ .../templates/init-configmap.yaml | 13 - .../templates/init-secret.yaml | 15 - .../templates/manager-deployment.yaml | 92 ----- .../templates/manager-ingress.yaml | 71 ---- .../templates/manager-route.yaml | 33 -- .../templates/manager-service.yaml | 26 -- .../101.0.2+up2.4.0/templates/psp.yaml | 77 ---- .../101.0.2+up2.4.0/templates/pvc.yaml | 27 -- .../templates/rolebinding.yaml | 56 --- .../templates/scanner-deployment.yaml | 73 ---- .../templates/serviceaccount.yaml | 13 - .../templates/updater-cronjob.yaml | 77 ---- charts/neuvector/101.0.2+up2.4.0/values.yaml | 383 ------------------ index.yaml | 32 -- 31 files changed, 2740 deletions(-) delete mode 100644 assets/neuvector/neuvector-101.0.2+up2.4.0.tgz delete mode 100644 charts/neuvector/101.0.2+up2.4.0/.helmignore delete mode 100644 charts/neuvector/101.0.2+up2.4.0/Chart.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/README.md delete mode 100644 
charts/neuvector/101.0.2+up2.4.0/app-readme.md delete mode 100644 charts/neuvector/101.0.2+up2.4.0/crds/_helpers.tpl delete mode 100644 charts/neuvector/101.0.2+up2.4.0/questions.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/NOTES.txt delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/_helpers.tpl delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/admission-webhook-service.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/clusterrole.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/clusterrolebinding.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/controller-deployment.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/controller-ingress.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/controller-route.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/controller-service.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/enforcer-daemonset.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/init-configmap.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/init-secret.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/manager-deployment.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/manager-ingress.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/manager-route.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/manager-service.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/psp.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/pvc.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/rolebinding.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/scanner-deployment.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/serviceaccount.yaml delete mode 100644 charts/neuvector/101.0.2+up2.4.0/templates/updater-cronjob.yaml delete mode 
100644 charts/neuvector/101.0.2+up2.4.0/values.yaml 
diff --git a/assets/neuvector/neuvector-101.0.2+up2.4.0.tgz b/assets/neuvector/neuvector-101.0.2+up2.4.0.tgz deleted file mode 100644 index 6b6739b78eec431753509e1970b9aa6a3eb38401..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15434 zcmV-QJhj6giwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYcbK5wwD87H|Q{bn}{4&XylHZ=Advfme*q#}mO&pi)WY5;t zRt%AlgfT^M0Z@)M$^GoN@FGDHq^O5wClRM=B9lO)(P;DwKqErQ1o@oM?#T#J-kHL2 z_?Hzw+uPgQhx_~T-|g+~;=embySsnc+21=jINaIY+dllu_Rik!&hB5p_NozaJqhEG z{$+dVwu+tmN*)+RghP%=#Ck0Ne8^!)h8-Vr9-O+Ue~4 z(%JU5!GFF2JDuGF@%y>6ssPVo=%XG`FTJcEY|1zqJF5}a10jx*kIt_#qGQax8HFgB z-~cgiIH4BxIzAb9Cp*q6nqIlCg5A!M>MGdn{8HUfib4b#()3K5bC%`PSkNO(7)R9O zgoMsw3HE$4j!A?fJ_}?LGfoj4XSnZn_B-1x7~}Wm&19zq<2e2EptIB2ZUu<>6vte? z`U8byFhGze6aimIB`_c~LUru;HprRcx6I5 ztC5m;XM3l!-P!#)i50QuoBtW;2@Dg&9zp@s%m3Zo{k@X>-#^&d$p3Xb&%h}fz$D~A zjlY~~8UMDPftwL#05br=-;dwC_6CHGA?GLn0~{hz;1u~GqzFtP#jqbD1~>tI1Y*b- z3IL8c0epl2N8>nz9I;NTH4I4~hFatB5Q$#^C|Rr#xnK`kvUj(wjbc}dn1B7l-GL{y;h44e;C z^(~Nn0rxlzK}5LdnO27=XaRsC(dR(70)VYh!KW`R02rr`qv2HbQHk9v5{5V$zKa9M zk$g|>H>xNAWBBnpp+nRIJK39e5u89Aie`IYy9EFq!=bK1QA`--M36-*lI|E&N+=2} zrI+_U(UI>ZS0wAWC z2oZS_LdMdUBzO(`C^RIANpM`E6N)B1@Q;5A8V&|H!dz2K7UuXk_fj;328dD=oF)`U z!)t{Ij)v#Mh@`L2J|aJndPP_Bz&*ml5f_4UTfb9nX!tjXj(h0`078NIH3}u=>=TYI4nuNW=TMxK~&WlN4733r)AsJ5p zDjIDIYl%ik%r;EABf_{)IqjAx7mDT;;U&2v5}>q$YAnPwxI@#Op2BD+d$p@y?TT@V zF`M`nU&~+R86c{@jZt(hCNQ`n2}fdT4e&5gnCLPm*>uyYlz~5PZZ59@iNfg?U<9CG zC?p9T<4D$&Q&Ja3fu2c8HiOdXsRV*1RaUGV#c53;AD*nCl>jlWNpNz!jt1pisDgcY zb^iYN<_!Gx?C;gE9fh=rV~nUlDhlJ+aHoR}&_^stFgyt%9@`(F?<2y@AnGDJxDW93m;_R5>5U(AN?Q{yU-QHyont5u~UR35I-%xDk^8Fj3n4X>*%Z zTK&F5QvtpwIJ9$z6izW3XD?&v)(lXfr@N{*hQi)Yr>#A41-XAqi-R|^BsheXK6W%poxC{h zL;ns%ffrN4iBG~FXiG8Gw(36v?z(x5dZ3%u5u&C*#UgvSg=;hMx;g<{5V4g!Fhk7d z1#LmpRtww4a;c$YsuQ^n&{h+{`vA=r#BXB(JW~V)HZo-+Q#LZC zN~Yulf`bv}6$F(+;6Vg{WAZOE@#mZLg$bXZ>=c`nx3|aX zn=u;8c*5?{f9$@&`ZY!WN)Rhm+;LXi{bgHLR03oS|vbmM}!?%h{&=GjQ?t=By_JYzzcwfFl%u 
z5uyl;-~^?SkH|-WOc0gPH4<56aU|cR^cLV#{;VRqE&5B8&&UZv?4yXG4|4i%|LViT zz4PhrZ}@+H|JR>)cCTlQkyS3hR7M}BJ*jkFpB`UUKq(ENRqmXz1ko(oUyVy?c&o}4 zhPR?vX?P3eS|}P2>X+k-=6&Pn;{2gL(}a=^?m%B6gO1k?;*^U=_w2BfY`_C(FhD-< zfeWI8cSg-i&WcEYJW4`TkbBC3T?&Mbp?Pr#BlPHUv84>?5_9O+56Bz3g*w)74mgS? zIv~NqwE27_5L}P|T@uRWtB}CpR~W*`NA&!%I!q`CAR{N)3{+wJP9Jet7)4po6QI4m zhV9{qBN{=WLIdOSbOH8>lgGSKgMgYTaNfOxhXd>`LNz z>$iy?#+c2QH&A>TMFr!jC!wdM>)N^>VU9w~xTmDIM`1J+{n+Wq|Jse9RQb;JwG<^i zQ#mBVlEe|-ubSUc;Bn%iC=kObC6Kq)g!aVl~j40xp#>Q$5cw#8)rHS1iW6mgC(E@{0|w z?qGw#tr)`cj4#f4*Q~Fc_vM-In)?;Azcl~n;IOh3cr30{OeF1K$w=J^q+OasUA^Um z5&y2$D$?Did6C{uTIcCpq_N9oxZ7jBmctI9NyPCODYloG-t95z@5s$+f%Q`(-zS`h zh>HI3h9Fhv*$9s{j0~s~LVGiyChw*N2Pp4Gj0dvkW(;UD>m+L*Ebdw1_>r?CHT|7ho6v;S`$ z&!^wH7}Nv`w_4T|$UW{EiR}q8$J(-kzR)xO{tc^XiA6gh$}>5DXCqo|o=12clP3 zY9n^%B7OVi3-Ac|laWY>vRCa-9Tp?MBiGCRvHj0Zq%ru?PB%7NyT0@*?;iCN{K6n| zepx_60AULugE<;YJQ#;OVI3F*VjPfsr~mlU7A+%xMA8uJ4;qi&4=H7GLzYoE6|A#J zeDeC;_08E;xpNEC*f&i#q;0;389u#V_V@QHy7$_OaLs0-o3kD`=U@z{fWtckAQ+%~ zFvd~B^%h*g&NfVNeyO+BrnY7$wL$*|xj&Ls)aco)|J)`aoA?dMcwa@J=dBh1*JoGn z&rci-*tmfT=%w*f+-S!SjffD8iDMT}X4qLH76qv|kv|_>@IH~prT;&SP#7c1Iy_#< zQGl8H|KOmY{|^p#wm15J9nYsv-Irj3$35i?;SdQq^=d50;*U@dyzI(p(|y@G`xpx| zL5LYK!2ua4RWHvCwsbj9uR(%#c8EakJO*C&U7k1Sr~`*WDx~sKlzclulnOiIv#`t~ z9~|zlx0T{;;_fG3?NI{q7 zxoAW5gMmKsVZsn#WQ@RH)0m&?@c^SRU;t92JUkQtdA0#F@Kb*(sd0L7Ey@bXD|F9` zPV0OC^sy`jB-I(}Xp?-0xe6xr5lEQ8lL?iOgrUZ^hPa|sp1^pJ($joQX==(;7HC9t zq5aGsKgbUBUNs+A3(u4m3QA5@WVq(u&W&J9al{9p{Uh^!WbFbp)$Tl;R`ol_f!5H9 zDWlJ7iD8w)t9eD0lIII*hggp{x5kJ=vm>i;V%1|4-zzbSE~n30R~i2;eW=PD zn-DTfmNqQt5Plt14;WoqhHeUs5XBr03ng@yL?NM<)wUJN)4eF-j~)=-f(gIVA>xb6lq+=o?)!-L(;`QNoX1=UUa(9cXe;_nN~&JGS{akrls8cz^CA>&vW#BG_7Vb|Mk zgP&N^XPkl^;O&6U35;PMhnQo;I>MsX@}~1U=KAN07j~O_HEl+OOSE1%oBxkxTgL;1 zz?Uz%oCPr9BSP`N<(gE6P6w0jWG5F8a$)t$qF5EM5M$HHqjL8PDUN#X{qR*Oq7|HGLTiu?4938K4k3Wa<7~!@bx*`s9g@pd#=L z5v1p}Ngh!*4$cJ+cl2Y1{jW*4oEtF1{y*9~D*FH1+XqJ*`+ptJ#{M_0f1eugS2e-E z7C(T5=n4%|15dNVo&sQ`Y7M1Y0F-ryMW6c4v!wqg^0^e@xk#DLDwS5ZB0l-NQ&}6c 
zVq^twOqfcsq|(sIhoX497viF;bu$c%?$T50E zt&oynGbJ`tV(3jUy8m8ggY4^f#`a5wDdu6N$B$MRMp~R}YJ0bC)@c|K`Mw@!{3ly% z4p1DD=@>=J+ze13|JgY>+%Cm`4mRgM*7FqNKiSZy$2+XG(UrzriuOYsvpOY>K5`Vv zEW6#wP9JgTP}-*{x7JG7QVQLtzh^~s^&az)YoM$n`dY`^XZ8h(DRXbxGT_G4uuaQrpfc3!Pb}rqu)pQw@DONzLxDQ6ASbl9$ ze#X|A7Dz`#1F#qYfcz*nfo6{I&KN=Q)D2R4__bKU8k|TI;+JBX)bMK1%5jk!fIExB z?6wOn8y+#A+)~4w`nB3l^LE$rLs~KAhiX*n5U>spXT@{LhicKVt1pR(ePlT+pF7B0 zk4p}~lE~!pv}YCa>Dw!2eMQ|_t;;p@%Oni1Wl9QbIEr7g+31x`zG^UYbiZ_BKC4td zOkY8U8W<%^@^)$os>_TmS8G%yJwolEVuP&lDp5gRkyY;X77EQx8?}cbOLS21u}UR5 z9NIz-q&KUakcgv?+)mmlhiHOBG|VM@P)}}=)RviUK1hoz1z0orvXbe{+u6Pv0~{g7E-C4wJR#7>Oa_}rpK2|>mP^KvJKlErIPQv8rn!$o`eGQKq7Y^p z{UARMh++~rKc*?cvUU^?n&XrI{r3Fg!}00qRRJTJq@lR6*cyi#gRHu-IfK9(4h;QX={kzda*){8<7>!-Q$?UUOsy);(D5opx=-v&)KlmPp8-@knS0zIiYcp=EKR`i{H+FZ$gVotg9?G6itjR?y$xh35*E|lQDWD)I#Y7lCgMundQ!~ z@9(l7tuH2?ynvwaQOJt7Q8+E;Vs>(yPUlfc-XcabGJ+KPu0zPC!Mi=Srk3n9DQjv{ zrZ<_dseD!x2lz%{?Bq5xcrW7}ohHUB)XMWuL3tMu7!k(1F(tmU1@Xa~$ZP5rhwcw4 zNs1TpDER8rGA$tPchz1lcLVa1r{-(ZHmU`>l~%B$vcA<1ufQ$~_ler9%UI}%UuovS z>|se?Rdm~NcI!HaVHInn3G5amX(iGsGvb0s>l}-#K)N(FtQ4KUQ|P11yy3K$-aJJS zjkQA|GTo@ic^F$`=7uX-~II z7D7sLaNh8))8G!l?9~fpS0i()^4K-cbQSTf!dGgj;L6ZN;bw4atb!6)QP#?EHXC>o zL!i`3uF~x0W`WZRx`G;RR&Z#~T3*YkVXsa_)`DSE)*Y~-+Vy5=#F&ylk_*-ogvC{_O1^8qT1baYbh6!vt?pkQ-y_7JOD!u ze!>xV0V-Y*`2uW(SH+&c7(^n1Z|;9z&og`dx18U@j^>tg0oJS)@2qOE zI70lM&^sIrOS^5%)nawBLt5Q2HrzeO9+Ijsj-kT})?%MRa)j9fUQ8da8Ym}~uUG`A zg7O*sD{OHW&6K@`*~-;j*R2Nt&?m%94`u;1 zsLP?{JT-rW@nv0J>NM30po+$%`1?ktuehXWfIp@mbc*_3&g_uhQWR@T*)SWSwpO9G5e{Fka9G%|a?bj^eYLZ+ zeP!-Z|Ediv(}{-?MkOMBU(%@5{T13+vtch|WR;*VFGx!u=ai(S`b&$_84y<~ODj9S zDq&h`;BibXiN+GKq7~a(8~L_g`L>Y~U%8Z6(&j2o|G9!%o6PSso*C=E@*?VGlR(eN z|8}^2uv^Ige6)YK$^W*N=TlXtRL8vz_U5-3iz%d;Q}I}0>Ua~grWU|2#EszOG$|uSaXYsI#>(Hi6Xeg1VuqeY+UGX z`I+JWFL&{qerDbOw12c+^#6~J_BQ_iI-c44zrC`Wo$r>o4CYs)S^-FJ4ex;q5+V16 zaXY_cXF0R0;o3JRmnJKKqDWgq^SB>-vQoPQXJ-*OJB{GHJFS9~1Qwh*uArM8ZZJ37 z6_;O@;Ga1nG7a4AZ)9D?am!%!V7QssdB35H`EnyMKgTQ@oOlRUnmZ&gx3~6P@K^14 
zS=^TL+K%BhH9iBqwo|-U^I;h)HIyHYv*z(7=Qr@bKi(=0nTxr$ADp?qHE+me|D$L? zsE?=@Kr|*1L(3%pZE*k7;oecn{@>r6|6I#c5SV7@zsl^tl3TB5oEuM>dp)UtX9~iZ z;?zh=b%)-y$*!AA;94BLd|4}@*n&BB3q)Hg!)^hVdKSyCoA&nsv+LSztRc7Vr?uu# zEuc{)3>L|$>#ST(Vp|#jnN8&U)XI`kh1J42U1vimVfEDVxjHA&a@kx{s?5mcS}3>H zOs;9$GxE4P%B?wz>n0zn6Opy&L#;}V>2MS`nJYJ$D+>j_o6MCV?svx|NYtI-|ZA9V982e)n zZiAd#X?`Sjs*YZ@)f6V~1Ccla(eOoi%0~AI>1b(HmoGi=8DugQ)_kZng?tfg%Q<(pH=)cP4pJtao8s`35ZhkCZ&A79`0#3fyOReAJL8)i4+H4zQmMPm*3DePYq@1JgX4@RijqA5_tVt}yqRU_2(WISbUS*yCx01^rX8V78 zhevxw|8IAHd*lDD5xt;#0Zw;U4vqrSrTOY4DBg!>$lxOQaZ_ z38G0R!6K06slbXgD>8l+i#1N{RbO$D{9RQTgE`Z572!O5&OTL0&9D5@W=)#DUmom6 zhs``+c%EB; zo=nT}t}(m?GX)#Q3{7hE)@OF@>ov$*Icn`CmyW7jBQOLdjXyeu_U zYSOP1YBkTY0zlOtk9M}OPX4bX`9}l!zk66Z|F^rl$^WsIr@{K~;^(3ZLSZRO{M$bD zZ1>U}aIOi>h+-ju!LKlck&o#4rBke>(Aux9!b++EkOxqSPNAJ5IUV^Ve#z2F=>4#% z+z0cX#(EM z4?KVQ{D~aTcARW9t7lh)@ZWHV)RJ-!3}DE_ciE#$Q}2xVFw};y2B5oaJ4`CNasBt} z567o(&M)L&7iTxtU*g;4&DHVAnf&wo^5nzowsy|t zu5b-5RO~&)OrB-P(r=7$)C1dkFVe>zI6OGmJJ7|>FHiE-ti!$8vcDp95~3b>ekI-> zN7Lt0IlRVE^0E4R62~DLqlm-scS@3&RTdpES)k&3F#`4(43;&pJWMu0w66;!3|Y0*6qX;{ zBwKJuepMj8t&t%i(q~}J*woOYWn6a2q4m9IN&ipeb2;oe(_U}$NvqG;2-MWL-xzRD z>T%kC6Mvod-_HJa(f{8++S}a!v6jcN`^(xuCO83o#Ej!;coIT9w!^}&`_V*r~=ii#pYAt zE-9pTCwf9N>> zeYna0yOyWumrYPd5C1oO2HY_C*Omg9ndHB&pn)}VEKB^G4;N&I$ZfaUs%Z-7u)v(B z%=2_z>XdmNlzK{gLu||+@DO>Sna4OtZlf^YVRC29MNU!MfEGDaUR8ftToyZAUJ2o= zJYb&V&_xfKHw5x@4w~l#*V2d0XFyxvYc%)!|(d!_~PR1>ci>VlfRx_eRy|OaZ0^{U{wvwI{I8MYi68Bb{{={KtIfB z|L4L9>&XAOQ?&ng4tF;8|2iJW`d=D_$n5?IRmtYImRIc=8--1vqHLD0AY}2laiFg{ zVB(tp>h=)o`IJO|lKw;Q|35k?t^XhGZt}mb=W%FQJ^W4m|J|Jx1pxZOzg*{fifPaa zCOF~_y40@Rlj?{$oKO<|H|f^~9L$XR+LF#Oe}n?LQ?g(r86GhO?Bo0Z{7L#ZIp^Q@ zZ1Z6O;0O%>M|c2~Lj-xE+O}AOWOSg)(KkJF#uGrbTVKp7Q(-91YSS590PX<89N0K; zvBzW%j~3K=wP0S))`?n;P;z_wprOa_gi?_hXg<7Z9A?nS^KJyl$x;jY-{q=}tJToK z;W>j@mjYG$<1?T-$>H+Lfzvmy5+KX_=LYWv{&~J=$v+2;e00_C@fhY452$W;`#9>d zQR%%`ysX3nEJP>|&j=dj)n;-w^{rIN$QBA(~q`H1tF^}2Q^ z^}OlA7_+Wk>*=PJ5bIW1Lfvc?l69SNwdan3b=^1O7{9yC06x_LEZ^6(8P|s&*YYCk 
zLkw}HW$e7As}z6+a|EHmY68)Pxa+Xd&*B1|LKfSIL5<>P_*JUX2ySaiueEQ z?Qin`tmkebGf0x8yfJ4MuFFWi$ZoTaE;a%%xhmYgd%m3SY2Hr!8Ny5PS=^1NvVoLr* zK5un!fM8dZqvX%8Q3_=9|LW}c^vzjk9IU*J`uTsbyIYF??jCH;|F7qH1};$YUIjw_ zK;amij3DK$mi#RPi(o*gRVa0@Q=k4h1HO;MregN8_0z<@st}Q|3Ac-oi*12396Cw;y z#1k5!U<+^|AYl-QAI0{2tyb=ZTs{%78V(cZns?BVi|o-N*DD^kHuI3 z&$9}?$`J#2ULJ>6R=d4YyV8RInU!stQ*VG5S2-2tT|S!E?zI(wwsH%+$nLfpqi4^+ z$<=A=SLDNlAxYblt5fjPNy0c81H&cY6v;hhm_#ptIrR^G7=b?02%`Y>(LhLuREijp z5mOQ*KHmZmMCcwo_i6APj55)Knc<8MxDlgEgDfJ4)rdbAke+81?oh0`W`v|}zlSsc zJ{iZ5W63Vl4!D%oK46H;M(aJR?0^bYNA0YZU& z8LQz?DXFGvn(-0B6p;JKKmkmZ6?R$&{GB9#jYtv(Kv6+gFoj7h-O(*zUqdVKb=@2* ztU$qf!VV0lnn?1_#6)R?mL$x8gdw??(?_-#V#d=htHR>7P$Of+5oLf3Xxi|TLB-k8NQsZd0z2#2yram6NUE>6Nwr|q>X z2xXS<$kngMCjtRHKw?-SMV5A#E`~g9h#4^K^cma=DoJ=Ti}T}@VI znr?ZP))4@oL8l`yW-&!Duu94~8sNbIQPJ&49k5G8D5CZ5U9LJ)6I0FCBqEDDx|NO}W z{Dzp1l77c0W9w#_EFva!ZkJPpy1SkI&UROdRn`@%wQIq9k?V@RiYhQUQ+h*SFN8lH zOmmB}dQCsYJO?Ylj3!bt_mg0VcwrbXNpPB$_*ItZfNeEoOtjhoSI8&hF^U2dn26u5 z80p*XVq2vp)Y?;Y?aVI0Uz80xENS=uSq87c4@2|bI(F`wozb2CD^!9a>5O)oLO zgtwze)p64*zfHhZ-HIPqz(CPNRD8#z6*<5W5_*4vDTyR|O(4Yrdsa{_65K!jS>kFK z`6EObBTk8^Es85u3J6;%M1bL81f(iXMRisL(TSM8K|m2>048c8NTUD+odQ9!ydth< zW0O(DM@2=cywc0}CwU}PqO`0c*NHY{;!be&xBpSTh|Vz~Q%scbvD2mqpuZ9lA{Z&& z6#QZ42$nXD(2io}15;6A<%`;#tVi+0H=;XlCJQGjVZu(%DZZNA9g=T!2UIc-PK41e zpwuWlJM)GOBF)C}8Qkvtj!WYC-w8#(;SgPqAVqbfCHj^y0g?=I^dJ;4!PGts!>Mo` zCRq5c?-V;4axR0s%XWg96|GXgi`LM`m>5^IzG3&^+ihF9zHI?|^ZMFONiM}j5fkyQ zru`1MB#dF@xG=^?lqAE^7C^xe3BO2ZA{S^{-)oT_5vGk+UQ2ROuFgct5g=rpJ2Y(q z_VVnFF%$()OI~c)f^|XJoGn>3=W7w3%-810ajvZ~oC+yua%D=sW5PYfYy@Dgs6T>O zvB(65IDp!(Y=mZjgiw=JPL7wum=n{!nj0tzVuGVQ3EgOw?~haJFAkxPoH*DpmGabL z5)aHT$$^+@{f3n`nbEkuOmUvpZC1>fxv~X)`Qbb*#AuvrA(n1)u7v>#v`f$#L&g!c zrSF?0yy& z0Rk5!khjTf0Xq%2)KNOVe16#h6{FlFzWK&6s5#>PI{%YzuVJ7sjDQ!poSQdM2 z-VLsT6KNNOaIr$H1z)<{8-qwn$qZ$o?+{m-j)%;XJ(Kzkt0*Ih)bfnn9nu(MDT6!B zduU{~jPIn;dW*~!IrG8gd0C=(0jBizGKX7?4uXO4`b;ffI_8;fRe4vkhY8q103Z- zX3deAZ3r0@<v5e8H 
zT7O)tx73j(%wE->hqrr6IL|VC-4!0h@+~#>giPNOZcp3xEus6U#%~Fm@6-C7Q{GV| zWLk{ZC*2m4V+PNMkzO@&>OmyZ(~vz+R?0kift`Y;q! z<~SNMz2pY-r(-d<7G@CICpdMx`X4{%4>5*XYfCJ&MsgRl6 zsbwKL|0dIP1fReb)50a>u1Rd|YftB}spgu(rhNSj)}2#6d6?;IT6WGfgTMn$ zw6y*C=9yJ(v1yhK`=rBIsE1u2!!iAqG2u{d$^;|=LaXcR)NET$Dtjk$*nw(cyBN5+ zU2(z$i_{@z>zLwaaBCvUxBpAbVPTKT&6io6B|YFnsKZv(2M5g=70keG8i+OsagvW# zr$;CKkR*XJIRix57GQ}#0+6X4f?MEt4F64{E$}-b!w}_roWH|ep5++0yN+3|`7P~$ zuypSUvj$Uu1$|xgIRodHE`FWmeihO-yNdENUKSA&23K1U;Z-Yvhq(bb@1Z(~J^Ra+We zP#yajE1*_wV@xfa#__BN4q+7$T0S6Dg!l;2pdt!uh`4~0gi;i7nN1~}W`~V$ySHV8 zzN1h~vFi;2q^ZHbvY@Dw%R6P{o<__t)c|vQl!kIo$f2~)h#K_D2Skhh$l}L74TPl+ zN~WV=@}L&oDw;&X6_6=X&rfqP@p49QmxT8xNQZ+8rjdbZGT1&3{|zV3sQP z02DTr)Fen1z-?6O{dHZc0;>Cve7>L7q4+X@^aOQU=b_I~*X02&lI9^#sk-uDH;V#P zr?Z|T65z@(F1xQTB*>A$%0Pa*4Yt8c@m~qb@<)|j*@)+xg@v@a`B^wYK!0cHzPB`e zN^wF~UH@ZPM1P+#dvvJ^sCxF4!3m}<&zyW^d*8^hw0*@+a1NO*w%+ZvfBEnxGrx_3#96r zyM<+7>4voCGEk?mF%FRCCFT2o+cXcaE+%*^T~1f|kZj3$tqfo#J=F>Na-JlaKPpS7 zWc#KsUtSQ7UcT(fR7!VyEK8XrOm#cSk;&boy~7+vrZeXQyP+T zbe~O$ti1KpA`Hc3F_Oq!Q+bjZh`0B9-BpOSDve42hw2u@!ziV3Au7z$$={ODOYg?ol`T4jqo_@ z4GhMZF-#(p`phhfq#uC(k|qkUmnsCu6tkvTGR3FaHgB2JOgkAgQ0ZZjEyr`#O$OB< zBr4US(lX))L4TAb3)3SZGcYuO0>9euTp`9hV`K%4qkXeI5WyL+WIZp4a*sGv|IAPiEl2 zIQA%l!5FPN2k?yi-+Q}z#r(f}hr0)x{J-mXo;`a8u9C>R5w^i4B^>$EjQ<3f&u0WY3FGMmD9eFCPq)F1pNSH`qGVqz1A~7XCVyvr@+Ne~k zan`g@7?UK75LMY-r^;GZ`8CIVnW{=cRI$}?s&wybI7Jj3S?vrkMfWfaJEmiRp@?C* zt{*@S6%?xrekr$cx}e{&yKnp*A$;+0#KWlqWs+Bk9#|U(peF6j;30`dQ{%!cmZj-acoF zpTbI3QfmV82#s0L0DL5@8xSCyfnmbQSjX9iqSsKjcN|P$*EAWFu4M9mh(5sbk0Oyn~++d{bt#m>eqeCWr@Crbm?{V+mdj412yc)2^j z?PrGlx4XT!SFr!~5B4_qzpUl?^r`z2Oz^lTWrk3i!pD9kWG?has0Utl<@LYam#wpp zvCgxdOHioupzCrTP}xN7`)Nh#c6yDl+5Om&H%+LESdT}kv%AG?o@?UgX=YxEbZLJB6HdNb* z3OT-@u&f308rvG;ic)z3TbCM|k10(}naTodv+S|;?{!}Fbbe&i7xAsg0?J?-oMeSyXc?= zWTd|b7#B{vxeUK&r`uY#UW!)jgRG#a zE?$t;kO!1rZ<`Bm1`SoP7_qb z8=R`WDzid&X;=E{u7|8I8o*Urj*ZCu2bT1W{{4UlY1`#a>Ux5pRvmpCU#VBI8b*64 zT)S)9x{TG)b{XSzilVS8*(#5i9t@XT@8!V+5+;x^e$`!D$pD> 
z*vR7=gEIb0jf1sIsL2RioqKPWA-=5t&~!Jum8!TrzwO9LWE;i zH5B4y?q%QHfMZmTod%TnsTQ8!7L>v|t${?EE2BhQb9cva+E@)8Y;gEA5> zMnr*0O31}$=*$Z?9!qAk==K zIMvUBv2s|-7wPfu^o^afcD^u3i6$jl6mLwD|2)lGoGS+6Hxv{N&L=e%xhn+c8;sRo zE~tlh1$PV9jz(SpJoa$t`{|nth?AN;uNsQ0@2+ZVr@^zga?0fZ=Li$CxWQU}c3Sb0 z1ld{KOA=y#3hqZJ5`aLg{>~Y)RV&10I2J)1SiAR+rnz}$ED={`?MX4j5ig7L6uc_g z7(HkDpw*&iHsdXWVkyhpYEd-1+U7y=u{Vitp3Sp)zRBnR1pom5|9qz^=K$0J0Kl^X A9RL6T
diff --git a/charts/neuvector/101.0.2+up2.4.0/.helmignore b/charts/neuvector/101.0.2+up2.4.0/.helmignore
deleted file mode 100644
index f0c131944..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/charts/neuvector/101.0.2+up2.4.0/Chart.yaml b/charts/neuvector/101.0.2+up2.4.0/Chart.yaml
deleted file mode 100644
index 6a5f861f7..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/Chart.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-annotations:
- catalog.cattle.io/auto-install: neuvector-crd=match
- catalog.cattle.io/certified: rancher
- catalog.cattle.io/display-name: NeuVector
- catalog.cattle.io/kube-version: '>=1.18.0-0 <= 1.25.0-0'
- catalog.cattle.io/namespace: cattle-neuvector-system
- catalog.cattle.io/os: linux
- catalog.cattle.io/permit-os: linux
- catalog.cattle.io/provides-gvr: neuvector.com/v1
- catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
- catalog.cattle.io/release-name: neuvector
- catalog.cattle.io/type: cluster-tool
- catalog.cattle.io/ui-component: neuvector
- catalog.cattle.io/upstream-version: 2.4.0
-apiVersion: v1
-appVersion: 5.1.0
-description: Helm feature chart for NeuVector's core services
-home: https://neuvector.com
-icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
-keywords:
-- security
-maintainers:
-- email: support@neuvector.com
- name: becitsthere
-name: neuvector
-sources:
-- https://github.com/neuvector/neuvector
-version: 101.0.2+up2.4.0
diff --git a/charts/neuvector/101.0.2+up2.4.0/README.md b/charts/neuvector/101.0.2+up2.4.0/README.md
deleted file mode 100644
index 6f9ef064f..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/README.md
+++ /dev/null
@@ -1,237 +0,0 @@ -# NeuVector Helm Chart - -Helm chart for NeuVector container security's core services. - -## Preparation if using Helm 2 - -- Kubernetes 1.7+ -- Helm installed and Tiller pod is running -- Cluster role `cluster-admin` available, check by: - -```console -$ kubectl get clusterrole cluster-admin -``` - -If nothing returned, then add the `cluster-admin`: - -cluster-admin.yaml -```yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cluster-admin -rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' -- nonResourceURLs: - - '*' - verbs: - - '*' -``` - -```console -$ kubectl create -f cluster-admin.yaml -``` - -- If you have not created a service account for tiller, and give it admin abilities on the cluster: - -```console -$ kubectl create serviceaccount --namespace kube-system tiller -$ kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller -$ kubectl patch deployment tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}' -n kube-system -``` - -## CRD -Because the CRD (Custom Resource Definition) policies can be deployed before NeuVector's core product, a new 'crd' helm chart is created. The crd template in the 'core' chart is kept for the backward compatibility. Please set 'crdwebhook.enabled' to false, if you use the new 'crd' chart. - -## Choosing container runtime -The NeuVector platform supports docker, cri-o and containerd as the container runtime. For a k3s/rke2, or bottlerocket cluster, they have their own runtime socket path. You should enable their runtime options, k3s.enabled and bottlerocket.enabled, respectively. - -## Configuration - -The following table lists the configurable parameters of the NeuVector chart and their default values. 
- -Parameter | Description | Default | Notes ---------- | ----------- | ------- | ----- -`openshift` | If deploying in OpenShift, set this to true | `false` | -`registry` | NeuVector container registry | `docker.io` | -`tag` | image tag for controller enforcer manager | `latest` | -`oem` | OEM release name | `nil` | -`imagePullSecrets` | image pull secret | `nil` | -`rbac` | NeuVector RBAC manifests are installed when rbac is enabled | `true` | -`psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` | -`serviceAccount` | Service account name for NeuVector components | `default` | -`controller.enabled` | If true, create controller | `true` | -`controller.image.repository` | controller image repository | `neuvector/controller` | -`controller.image.hash` | controller image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | -`controller.replicas` | controller replicas | `3` | -`controller.schedulerName` | kubernetes scheduler name | `nil` | -`controller.affinity` | controller affinity rules | ... | spread controllers to different nodes | -`controller.tolerations` | List of node taints to tolerate | `nil` | -`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) -`controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` | -`controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` | -`controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | -`controller.podLabels` | Specify the pod labels. | `{}` | -`controller.podAnnotations` | Specify the pod annotations. | `{}` | -`controller.env` | User-defined environment variables for controller. 
| `[]` | -`controller.ranchersso.enabled` | If true, enable Rancher single sign on | `false` | Rancher server address auto configured.| -`controller.pvc.enabled` | If true, enable persistence for controller using PVC | `false` | Require persistent volume type RWX, and storage 1Gi -`controller.pvc.existingClaim` | Boolean value to specify if there is an existing PVC claim. If true, pvc in the helm chart is not used. | `false` | -`controller.pvc.storageClass` | Storage Class to be used | `default` | -`controller.pvc.capacity` | Storage capacity | `1Gi` | -`controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` | -`controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` | -`controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` | -`controller.apisvc.type` | Controller REST API service type | `nil` | -`controller.apisvc.annotations` | Add annotations to controller REST API service | `{}` | -`controller.apisvc.route.enabled` | If true, create a OpenShift route to expose the Controller REST API service | `false` | -`controller.apisvc.route.termination` | Specify TLS termination for OpenShift route for Controller REST API service. 
Possible passthrough, edge, reencrypt | `passthrough` | -`controller.apisvc.route.host` | Set controller REST API service hostname | `nil` | -`controller.apisvc.route.tls.key` | Set controller REST API service PEM format key file | `nil` | -`controller.apisvc.route.tls.certificate` | Set controller REST API service PEM format certificate file | `nil` | -`controller.apisvc.route.tls.caCertificate` | Set controller REST API service CA certificate may be required to establish a certificate chain for validation | `nil` | -`controller.apisvc.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate | `nil` | -`controller.certificate.secret` | Replace controller REST API certificate using secret if secret name is specified | `nil` | -`controller.certificate.keyFile` | Replace controller REST API certificate key file | `tls.key` | -`controller.certificate.pemFile` | Replace controller REST API certificate pem file | `tls.pem` | -`controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | -`controller.federation.mastersvc.annotations` | Add annotations to Multi-cluster primary cluster REST API service | `{}` | -`controller.federation.mastersvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster primary cluster service | `false` | -`controller.federation.mastersvc.route.host` | Set OpenShift route host for primary cluster service | `nil` | -`controller.federation.mastersvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster primary cluster service. 
Possible passthrough, edge, reencrypt | `passthrough` | -`controller.federation.mastersvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster primary cluster service | `nil` | -`controller.federation.mastersvc.route.tls.certificate` | Set PEM format key certificate file for OpenShift route for Multi-cluster primary cluster service | `nil` | -`controller.federation.mastersvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster primary cluster service | `nil` | -`controller.federation.mastersvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster primary cluster service | `nil` | -`controller.federation.mastersvc.ingress.enabled` | If true, create ingress for federation master service, must also set ingress host value | `false` | enable this if ingress controller is installed -`controller.federation.mastersvc.ingress.tls` | If true, TLS is enabled for controller federation master ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.mastersvc.ingress.host`. -`controller.federation.mastersvc.ingress.host` | Must set this host value if ingress is enabled | `nil` | -`controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | -`controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) -`controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. 
-`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) -`controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | -`controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` | -`controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` | -`controller.federation.managedsvc.route.host` | Set OpenShift route host for manageed service | `nil` | -`controller.federation.managedsvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster managed cluster service. 
Possible passthrough, edge, reencrypt | `passthrough` | -`controller.federation.managedsvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster managed cluster service | `nil` | -`controller.federation.managedsvc.route.tls.certificate` | Set PEM format certificate file for OpenShift route for Multi-cluster managed cluster service | `nil` | -`controller.federation.managedsvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster managed cluster service | `nil` | -`controller.federation.managedsvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster managed cluster service | `nil` | -`controller.federation.managedsvc.ingress.enabled` | If true, create ingress for federation managed service, must also set ingress host value | `false` | enable this if ingress controller is installed -`controller.federation.managedsvc.ingress.tls` | If true, TLS is enabled for controller federation managed ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.managedsvc.ingress.host`. -`controller.federation.managedsvc.ingress.host` | Must set this host value if ingress is enabled | `nil` | -`controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | -`controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) -`controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. 
-`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) -`controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed -`controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`. -`controller.ingress.host` | Must set this host value if ingress is enabled | `nil` | -`controller.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | -`controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) -`controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. -`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) -`controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false` -`controller.configmap.data` | NeuVector configuration in YAML format | `{}` -`controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false` -`controller.secret.data` | NeuVector configuration in key/value pair format | `{}` -`enforcer.enabled` | If true, create enforcer | `true` | -`enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` | -`enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. 
| | -`enforcer.updateStrategy.type` | enforcer update strategy type. | `RollingUpdate` | -`enforcer.priorityClassName` | enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | -`enforcer.podLabels` | Specify the pod labels. | `{}` | -`enforcer.podAnnotations` | Specify the pod annotations. | `{}` | -`enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`
`key: node-role.kubernetes.io/master` | other taints can be added after the default -`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) -`manager.enabled` | If true, create manager | `true` | -`manager.image.repository` | manager image repository | `neuvector/manager` | -`manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | -`manager.priorityClassName` | manager priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | -`manager.podLabels` | Specify the pod labels. | `{}` | -`manager.podAnnotations` | Specify the pod annotations. | `{}` | -`manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` | -`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google -`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | -`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) -`manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | -`manager.route.host` | Set OpenShift route host for management console service | `nil` | -`manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` | -`manager.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` | -`manager.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` | -`manager.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` | -`manager.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` | -`manager.certificate.secret` | Replace manager UI certificate using secret if secret name is specified | `nil` | -`manager.certificate.keyFile` | Replace manager UI certificate key file | `tls.key` | -`manager.certificate.pemFile` | Replace manager UI certificate pem file | `tls.pem` | -`manager.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed -`manager.ingress.host` | Must set this host value if ingress is enabled | `nil` | 
-`manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | -`manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/` -`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) -`manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`. -`manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) -`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) -`manager.affinity` | manager affinity rules | `{}` | -`manager.tolerations` | List of node taints to tolerate | `nil` | -`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` | -`manager.runAsUser` | Specify the run as User ID | `nil` | -`cve.updater.enabled` | If true, create cve updater | `true` | -`cve.updater.secure` | If ture, API server's certificate is validated | `false` | -`cve.updater.image.repository` | cve updater image repository | `neuvector/updater` | -`cve.updater.image.tag` | image tag for cve updater | `latest` | -`cve.updater.image.hash` | cve updateer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | -`cve.updater.priorityClassName` | cve updater priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | -`cve.updater.podLabels` | Specify the pod labels. | `{}` | -`cve.updater.podAnnotations` | Specify the pod annotations. 
| `{}` | -`cve.updater.schedule` | cronjob cve updater schedule | `0 0 * * *` | -`cve.updater.nodeSelector` | Enable and specify nodeSelector labels | `{}` | -`cve.updater.runAsUser` | Specify the run as User ID | `nil` | -`cve.scanner.enabled` | If true, cve scanners will be deployed | `true` | -`cve.scanner.image.repository` | cve scanner image repository | `neuvector/scanner` | -`cve.scanner.image.tag` | cve scanner image tag | `latest` | -`cve.scanner.image.hash` | cve scanner image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | -`cve.scanner.priorityClassName` | cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | -`cve.scanner.podLabels` | Specify the pod labels. | `{}` | -`cve.scanner.podAnnotations` | Specify the pod annotations. | `{}` | -`cve.scanner.replicas` | external scanner replicas | `3` | -`cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` | -`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) | -`cve.scanner.affinity` | scanner affinity rules | `{}` | -`cve.scanner.tolerations` | List of node taints to tolerate | `nil` | -`cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` | -`cve.scanner.runAsUser` | Specify the run as User ID | `nil` | -`docker.path` | docker path | `/var/run/docker.sock` | -`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | **Note**: For k3s cluster, set k3s.enabled to true instead -`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` | -`crio.enabled` | Set to true, if the container runtime is cri-o | `false` | -`crio.path` | If cri-o is enabled, this local cri-o socket path 
will be used | `/var/run/crio/crio.sock` | -`k3s.enabled` | Set to true for k3s or rke2 | `false` | -`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` | -`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` | -`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` | -`admissionwebhook.type` | admission webhook type | `ClusterIP` | -`crdwebhook.enabled` | Enable crd service and create crd related resources | `true` | -`crdwebhook.type` | crd webhook type | `ClusterIP` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```console -$ helm install my-release --namespace neuvector ./neuvector-helm/ --set manager.env.ssl=off -``` - -Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, - -```console -$ helm install my-release --namespace neuvector ./neuvector-helm/ -f values.yaml -``` - ---- - diff --git a/charts/neuvector/101.0.2+up2.4.0/app-readme.md b/charts/neuvector/101.0.2+up2.4.0/app-readme.md deleted file mode 100644 index 32da7fb2c..000000000 --- a/charts/neuvector/101.0.2+up2.4.0/app-readme.md +++ /dev/null 
@@ -1,18 +0,0 @@ -### Run-Time Protection Without Compromise - -NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform. - -NeuVector integrates tightly with Rancher and Kubernetes to extend the built-in security features for applications that require defense in depth. Security features include: - -+ Build phase vulnerability scanning with Jenkins plug-in and registry scanning -+ Admission control to prevent vulnerable or unauthorized image deployments using Kubernetes admission control webhooks -+ Complete run-time scanning with network, process, and file system monitoring and protection -+ The industry's only layer 7 container firewall for multi-protocol threat detection and automated segmentation -+ Advanced network controls including DLP detection, service mesh integration, connection blocking and packet captures -+ Run-time vulnerability scanning and CIS benchmarks - -Additional Notes: -+ Previous deployments from Rancher, such as from our Partners chart repository or the primary NeuVector Helm chart, must be completely removed in order to update to the new integrated feature chart. See https://github.com/rancher/rancher/issues/37447. -+ Configure correct container runtime and runtime path under container runtime. Enable only one runtime. -+ For deploying on hardened RKE2 and K3s clusters, enable PSP and set user id from other configuration for Manager, Scanner and Updater deployments. User id can be any number other than 0. -+ For deploying on hardened RKE cluster, enable PSP from other configuration. diff --git a/charts/neuvector/101.0.2+up2.4.0/crds/_helpers.tpl b/charts/neuvector/101.0.2+up2.4.0/crds/_helpers.tpl deleted file mode 100644 index c0cc49294..000000000 --- a/charts/neuvector/101.0.2+up2.4.0/crds/_helpers.tpl +++ /dev/null 
@@ -1,32 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "neuvector.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "neuvector.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "neuvector.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/charts/neuvector/101.0.2+up2.4.0/questions.yaml b/charts/neuvector/101.0.2+up2.4.0/questions.yaml deleted file mode 100644 index 45a15c2ca..000000000 --- a/charts/neuvector/101.0.2+up2.4.0/questions.yaml +++ /dev/null 
@@ -1,335 +0,0 @@ -questions: -#image configurations -- variable: controller.image.repository - default: "neuvector/controller" - description: controller image repository - type: string - label: Controller Image Path - group: "Container Images" -- variable: controller.image.tag - default: "" - description: image tag for controller - type: string - label: Controller Image Tag - group: "Container Images" -- variable: manager.image.repository - default: "neuvector/manager" - description: manager image repository - type: string - label: Manager Image Path - group: "Container Images" -- variable: manager.image.tag - default: "" - description: image tag for manager - type: string - label: Manager Image Tag - group: "Container Images" -- variable: enforcer.image.repository - default: "neuvector/enforcer" - description: enforcer image repository - type: string - label: Enforcer Image Path - group: "Container Images" -- variable: enforcer.image.tag - default: "" - description: image tag for enforcer - type: string - label: Enforcer Image Tag - group: "Container Images" -- variable: cve.scanner.image.repository - default: "neuvector/scanner" - description: scanner image repository - type: string - label: Scanner Image Path - group: "Container Images" -- variable: cve.scanner.image.tag - default: "" - description: image tag for scanner - type: string - label: Scanner Image Tag - group: "Container Images" -- variable: cve.updater.image.repository - default: "neuvector/updater" - description: cve updater image repository - type: string - label: CVE Updater Image Path - group: "Container Images" -- variable: cve.updater.image.tag - default: "" - description: image tag for updater - type: string - label: Updater Image Tag - group: "Container Images" -#Container Runtime configurations -- variable: docker.enabled - default: true - description: Docker runtime. 
Enable only one runtime - type: boolean - label: Docker Runtime - show_subquestion_if: true - group: "Container Runtime" - subquestions: - - variable: docker.path - default: "/var/run/docker.sock" - description: "Docker Runtime Path" - type: string - label: Runtime Path -- variable: containerd.enabled - default: "false" - description: Containerd runtime. Enable only one runtime - type: boolean - label: Containerd Runtime - show_subquestion_if: true - group: "Container Runtime" - subquestions: - - variable: containerd.path - default: " /var/run/containerd/containerd.sock" - description: "Containerd Runtime Path" - type: string - label: Runtime Path -- variable: crio.enabled - default: "false" - description: CRI-O runtime. Enable only one runtime - type: boolean - label: CRI-O Runtime - show_subquestion_if: true - group: "Container Runtime" - subquestions: - - variable: crio.path - default: "/var/run/crio/crio.sock" - description: "CRI-O Runtime Path" - type: string - label: Runtime Path -- variable: k3s.enabled - default: "false" - description: k3s containerd runtime. 
Enable only one runtime - type: boolean - label: k3s Containerd Runtime - show_subquestion_if: true - group: "Container Runtime" - subquestions: - - variable: k3s.runtimePath - default: " /run/k3s/containerd/containerd.sock" - description: "k3s Containerd Runtime Path" - type: string - label: Runtime Path -#storage configurations -- variable: controller.pvc.enabled - default: false - description: If true, enable persistence for controller using PVC - type: boolean - label: PVC Status - group: "PVC Configuration" -- variable: controller.pvc.storageClass - default: "" - description: Storage Class to be used - type: string - label: Storage Class Name - group: "PVC Configuration" -#ingress configurations -- variable: manager.ingress.enabled - default: false - description: If true, create ingress, must also set ingress host value - type: boolean - label: Manager Ingress Status - group: "Ingress Configuration" - show_subquestion_if: true - subquestions: - - variable: manager.ingress.host - default: "" - description: Must set this host value if ingress is enabled - type: string - label: Manager Ingress Host - group: "Ingress Configuration" - - variable: manager.ingress.path - default: "/" - description: Set ingress path - type: string - label: Manager Ingress Path - group: "Ingress Configuration" - - variable: manager.ingress.annotations - default: "{}" - description: Add annotations to ingress to influence behavior. 
Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation - type: string - label: Manager Ingress Annotations - group: "Ingress Configuration" -- variable: controller.ingress.enabled - default: false - description: If true, create ingress for rest api, must also set ingress host value - type: boolean - label: Controller Ingress Status - group: "Ingress Configuration" - show_subquestion_if: true - subquestions: - - variable: controller.ingress.host - default: "" - description: Must set this host value if ingress is enabled - type: string - label: Controller Ingress Host - group: "Ingress Configuration" - - variable: controller.ingress.path - default: "/" - description: Set ingress path - type: string - label: Controller Ingress Path - group: "Ingress Configuration" - - variable: controller.ingress.annotations - default: "{}" - description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation - type: string - label: Controller Ingress Annotations - group: "Ingress Configuration" -- variable: controller.federation.mastersvc.ingress.enabled - default: false - description: If true, create ingress for rest api, must also set ingress host value - type: boolean - label: Controller Federation Master Service Ingress Status - group: "Ingress Configuration" - show_subquestion_if: true - subquestions: - - variable: controller.federation.mastersvc.ingress.tls - default: false - description: If true, TLS is enabled for controller federation master ingress service - type: boolean - label: Controller Federation Master Service Ingress TLS Status - group: "Ingress Configuration" - - variable: controller.federation.mastersvc.ingress.host - default: "" - description: Must set this host value if ingress is enabled - type: string - label: Controller Federation Master Service Ingress Host - group: "Ingress Configuration" - - variable: 
controller.federation.mastersvc.ingress.path - default: "/" - description: Set ingress path - type: string - label: Controller Federation Master Service Ingress Path - group: "Ingress Configuration" - - variable: controller.federation.mastersvc.ingress.ingressClassName - default: "" - description: To be used instead of the ingress.class annotation if an IngressClass is provisioned - type: string - label: Controller Federation Master Service Ingress IngressClassName - group: "Ingress Configuration" - - variable: controller.federation.mastersvc.ingress.secretName - default: "" - description: Name of the secret to be used for TLS-encryption - type: string - label: Controller Federation Master Service Ingress SecretName - group: "Ingress Configuration" - - variable: controller.federation.mastersvc.ingress.annotations - default: "{}" - description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation - type: string - label: Controller Federation Master Service Ingress Annotations - group: "Ingress Configuration" -- variable: controller.federation.managedsvc.ingress.enabled - default: false - description: If true, create ingress for rest api, must also set ingress host value - type: boolean - label: Controller Federation Managed Service Ingress Status - group: "Ingress Configuration" - show_subquestion_if: true - subquestions: - - variable: controller.federation.managedsvc.ingress.tls - default: false - description: If true, TLS is enabled for controller federation managed ingress service - type: boolean - label: Controller Federation Managed Service Ingress TLS Status - group: "Ingress Configuration" - - variable: controller.federation.managedsvc.ingress.host - default: "" - description: Must set this host value if ingress is enabled - type: string - label: Controller Federation Managed Service Ingress Host - group: "Ingress Configuration" - - variable: 
controller.federation.managedsvc.ingress.path - default: "/" - description: Set ingress path - type: string - label: Controller Federation Managed Service Ingress Path - group: "Ingress Configuration" - - variable: controller.federation.managedsvc.ingress.ingressClassName - default: "" - description: To be used instead of the ingress.class annotation if an IngressClass is provisioned - type: string - label: Controller Federation Managed Service Ingress IngressClassName - group: "Ingress Configuration" - - variable: controller.federation.managedsvc.ingress.secretName - default: "" - description: Name of the secret to be used for TLS-encryption - type: string - label: Controller Federation Managed Service Ingress SecretName - group: "Ingress Configuration" - - variable: controller.federation.managedsvc.ingress.annotations - default: "{}" - description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation - type: string - label: Controller Federation Managed Service Ingress Annotations - group: "Ingress Configuration" -#service configurations -- variable: manager.svc.type - default: "NodePort" - description: Set manager service type for native Kubernetes - type: enum - label: Manager Service Type - group: "Service Configuration" - options: - - "NodePort" - - "ClusterIP" - - "LoadBalancer" -- variable: controller.federation.mastersvc.type - default: "" - description: Multi-cluster master cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP - type: enum - label: Fed Master Service Type - group: "Service Configuration" - options: - - "NodePort" - - "ClusterIP" - - "LoadBalancer" -- variable: controller.federation.managedsvc.type - default: "" - description: Multi-cluster managed cluster service type. If specified, the deployment will be managed by the master clsuter. 
Possible values include NodePort, LoadBalancer and ClusterIP - type: enum - label: Fed Managed Service Type - group: "Service Configuration" - options: - - "NodePort" - - "ClusterIP" - - "LoadBalancer" -- variable: controller.apisvc.type - default: "NodePort" - description: Controller REST API service type - type: enum - label: Controller REST API Service Type - group: "Service Configuration" - options: - - "NodePort" - - "ClusterIP" - - "LoadBalancer" -#Other Configuration -- variable: psp - default: "false" - description: NeuVector Pod Security Policy when psp policy is enabled - type: boolean - label: Pod Security Policy - group: "Other Configuration" -- variable: manager.runAsUser - default: "" - description: Specify the run as User ID - type: int - label: Manager runAsUser ID - group: "Other Configuration" -- variable: cve.scanner.runAsUser - default: "" - description: Specify the run as User ID - type: int - label: Scanner runAsUser ID - group: "Other Configuration" -- variable: cve.updater.runAsUser - default: "" - description: Specify the run as User ID - type: int - label: Updater runAsUser ID - group: "Other Configuration" diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/NOTES.txt b/charts/neuvector/101.0.2+up2.4.0/templates/NOTES.txt deleted file mode 100644 index e79b2cc21..000000000 --- a/charts/neuvector/101.0.2+up2.4.0/templates/NOTES.txt +++ /dev/null 
@@ -1,20 +0,0 @@ -{{- if and .Values.manager.enabled .Values.manager.ingress.enabled }} -From outside the cluster, the NeuVector URL is: -http://{{ .Values.manager.ingress.host }} -{{- else if not .Values.openshift }} -Get the NeuVector URL by running these commands: -{{- if contains "NodePort" .Values.manager.svc.type }} - NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui) - NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo https://$NODE_IP:$NODE_PORT -{{- else if contains "ClusterIP" .Values.manager.svc.type }} - CLUSTER_IP=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.clusterIP}" services neuvector-service-webui) - echo https://$CLUSTER_IP:8443 -{{- else if contains "LoadBalancer" .Values.manager.svc.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w neuvector-service-webui' - - SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} neuvector-service-webui -o jsonpath="{.status.loadBalancer.ingress[0].ip}") - echo https://$SERVICE_IP:8443 -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/_helpers.tpl b/charts/neuvector/101.0.2+up2.4.0/templates/_helpers.tpl deleted file mode 100644 index 5d21a1824..000000000 --- a/charts/neuvector/101.0.2+up2.4.0/templates/_helpers.tpl +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "neuvector.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "neuvector.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "neuvector.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{- define "system_default_registry" -}} -{{- if .Values.global.cattle.systemDefaultRegistry -}} -{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} -{{- else -}} -{{- "" -}} -{{- end -}} -{{- end -}} diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/admission-webhook-service.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/admission-webhook-service.yaml deleted file mode 100644 index 8a0a76aaa..000000000 --- a/charts/neuvector/101.0.2+up2.4.0/templates/admission-webhook-service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: neuvector-svc-admission-webhook - namespace: {{ .Release.Namespace }} - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: 443 - targetPort: 20443 - protocol: TCP - name: admission-webhook - type: {{ .Values.admissionwebhook.type }} - selector: - app: neuvector-controller-pod \ No newline at end of file diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/clusterrole.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/clusterrole.yaml deleted file mode 100644 index cce7a8254..000000000 --- a/charts/neuvector/101.0.2+up2.4.0/templates/clusterrole.yaml +++ /dev/null 
@@ -1,121 +0,0 @@ -{{- if .Values.rbac -}} -{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} -{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRole -metadata: - name: neuvector-binding-app - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -- apiGroups: - - "" - resources: - - nodes - - pods - - services - - namespaces - verbs: - - get - - list - - watch - - update - ---- - -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRole -metadata: - name: neuvector-binding-rbac - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -{{- if .Values.openshift }} -- apiGroups: - - image.openshift.io - resources: - - imagestreams - verbs: - - get - - list - - watch -{{- end }} -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - - clusterrolebindings - - clusterroles - verbs: - - get - - list - - watch - ---- - -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRole -metadata: - name: neuvector-binding-admission - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - - mutatingwebhookconfigurations - verbs: - - get - - list - - watch - - create - - update - - delete - ---- - -{{- if $oc4 }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: neuvector-binding-co - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -- apiGroups: - - config.openshift.io - resources: - - clusteroperators - verbs: - - get - - list -{{- end }} -{{- end }} diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/clusterrolebinding.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/clusterrolebinding.yaml deleted file mode 100644 index 70596a2b3..000000000 --- a/charts/neuvector/101.0.2+up2.4.0/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,147 +0,0 @@ -{{- if .Values.rbac -}} -{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} -{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} - -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRoleBinding -metadata: - name: neuvector-binding-app - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -{{- end }} - name: neuvector-binding-app -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} -{{- end }} - ---- - -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRoleBinding -metadata: - name: neuvector-binding-rbac - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -{{- end }} - name: neuvector-binding-rbac -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} -{{- end }} - ---- - -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRoleBinding -metadata: - name: neuvector-binding-admission - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -{{- end }} - name: neuvector-binding-admission -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} -{{- end }} - ---- - -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRoleBinding -metadata: - name: neuvector-binding-view - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -{{- end }} - name: view -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} -{{- end }} - ---- - -{{- if $oc4 }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: neuvector-binding-co - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: neuvector-binding-co -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- end }} diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/controller-deployment.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/controller-deployment.yaml deleted file mode 100644 index d8a87bd21..000000000 --- a/charts/neuvector/101.0.2+up2.4.0/templates/controller-deployment.yaml +++ /dev/null 
@@ -1,204 +0,0 @@ -{{- if .Values.controller.enabled -}} -{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: apps/v1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Deployment -metadata: - name: neuvector-controller-pod - namespace: {{ .Release.Namespace }} - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- with .Values.controller.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: - replicas: {{ .Values.controller.replicas }} - minReadySeconds: 60 - strategy: -{{ toYaml .Values.controller.strategy | indent 4 }} - selector: - matchLabels: - app: neuvector-controller-pod - template: - metadata: - labels: - app: neuvector-controller-pod - release: {{ .Release.Name }} - {{- with .Values.controller.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.controller.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - {{- if .Values.controller.affinity }} - affinity: -{{ toYaml .Values.controller.affinity | indent 8 }} - {{- end }} - {{- if .Values.controller.tolerations }} - tolerations: -{{ toYaml .Values.controller.tolerations | indent 8 }} - {{- end }} - {{- if .Values.controller.nodeSelector }} - nodeSelector: -{{ toYaml .Values.controller.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.controller.schedulerName }} - schedulerName: {{ .Values.controller.schedulerName }} - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} - {{- end }} - {{- if .Values.controller.priorityClassName }} - priorityClassName: {{ .Values.controller.priorityClassName }} - {{- end }} - serviceAccountName: {{ .Values.serviceAccount }} - serviceAccount: {{ .Values.serviceAccount }} - containers: - - name: neuvector-controller-pod - image: {{ template "system_default_registry" . 
}}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }} - securityContext: - privileged: true - resources: - {{- if .Values.controller.resources }} -{{ toYaml .Values.controller.resources | indent 12 }} - {{- else }} -{{ toYaml .Values.resources | indent 12 }} - {{- end }} - readinessProbe: - exec: - command: - - cat - - /tmp/ready - initialDelaySeconds: 5 - periodSeconds: 5 - env: - - name: CLUSTER_JOIN_ADDR - value: neuvector-svc-controller.{{ .Release.Namespace }} - - name: CLUSTER_ADVERTISED_ADDR - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: CLUSTER_BIND_ADDR - valueFrom: - fieldRef: - fieldPath: status.podIP - {{- if .Values.controller.ranchersso.enabled }} - - name: RANCHER_SSO - value: "1" - - name: RANCHER_EP - value: "{{ .Values.global.cattle.url }}" - {{- end }} - {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }} - - name: CTRL_PERSIST_CONFIG - value: "1" - {{- end }} - {{- with .Values.controller.env }} -{{- toYaml . 
| nindent 12 }} - {{- end }} - volumeMounts: - - mountPath: /var/neuvector - name: nv-share - readOnly: false - {{- if .Values.containerd.enabled }} - - mountPath: /var/run/containerd/containerd.sock - {{- else if .Values.k3s.enabled }} - - mountPath: /var/run/containerd/containerd.sock - {{- else if .Values.bottlerocket.enabled }} - - mountPath: /var/run/containerd/containerd.sock - {{- else if .Values.crio.enabled }} - - mountPath: /var/run/crio/crio.sock - {{- else }} - - mountPath: /var/run/docker.sock - {{- end }} - name: runtime-sock - readOnly: true - - mountPath: /host/proc - name: proc-vol - readOnly: true - - mountPath: /host/cgroup - name: cgroup-vol - readOnly: true - - mountPath: /etc/config - name: config-volume - readOnly: true - {{- if .Values.controller.certificate.secret }} - - mountPath: /etc/neuvector/certs/ssl-cert.key - subPath: {{ .Values.controller.certificate.keyFile }} - name: cert - readOnly: true - - mountPath: /etc/neuvector/certs/ssl-cert.pem - subPath: {{ .Values.controller.certificate.pemFile }} - name: cert - readOnly: true - {{- end }} - terminationGracePeriodSeconds: 300 - restartPolicy: Always - volumes: - - name: nv-share - {{- if .Values.controller.pvc.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.controller.pvc.existingClaim | default "neuvector-data" }} - {{- else if .Values.controller.azureFileShare.enabled }} - azureFile: - secretName: {{ .Values.controller.azureFileShare.secretName }} - shareName: {{ .Values.controller.azureFileShare.shareName }} - readOnly: false - {{- else }} - hostPath: - path: /var/neuvector - {{- end }} - - name: runtime-sock - hostPath: - {{- if .Values.containerd.enabled }} - path: {{ .Values.containerd.path }} - {{- else if .Values.crio.enabled }} - path: {{ .Values.crio.path }} - {{- else if .Values.k3s.enabled }} - path: {{ .Values.k3s.runtimePath }} - {{- else if .Values.bottlerocket.enabled }} - path: {{ .Values.bottlerocket.runtimePath }} - {{- else }} - path: {{ 
.Values.docker.path }} - {{- end }} - - name: proc-vol - hostPath: - path: /proc - - name: cgroup-vol - hostPath: - path: /sys/fs/cgroup - - name: config-volume - projected: - sources: - - configMap: - name: neuvector-init - optional: true - - secret: - name: neuvector-init - optional: true - {{- if .Values.controller.certificate.secret }} - - name: cert - secret: - secretName: {{ .Values.controller.certificate.secret }} - {{- end }} -{{- if gt (int .Values.controller.disruptionbudget) 0 }} ---- -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - name: neuvector-controller-pdb - namespace: {{ .Release.Namespace }} -spec: - minAvailable: {{ .Values.controller.disruptionbudget }} - selector: - matchLabels: - app: neuvector-controller-pod -{{- end }} -{{- end }} diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/controller-ingress.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/controller-ingress.yaml deleted file mode 100644 index b36fbbdc0..000000000 --- a/charts/neuvector/101.0.2+up2.4.0/templates/controller-ingress.yaml +++ /dev/null 
@@ -1,219 +0,0 @@ -{{- if .Values.controller.enabled }} -{{- if .Values.controller.ingress.enabled }} -{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: neuvector-restapi-ingress - namespace: {{ .Release.Namespace }} -{{- with .Values.controller.ingress.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: -{{- if .Values.controller.ingress.ingressClassName }} - ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }} -{{ end }} -{{- if .Values.controller.ingress.tls }} - tls: - - hosts: - - {{ .Values.controller.ingress.host }} -{{- if .Values.controller.ingress.secretName }} - secretName: {{ .Values.controller.ingress.secretName }} -{{- end }} -{{- end }} - rules: - - host: {{ .Values.controller.ingress.host }} - http: - paths: - - path: {{ .Values.controller.ingress.path }} - pathType: Prefix - backend: - service: - name: neuvector-svc-controller-api - port: - number: 10443 -{{- else }} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: neuvector-restapi-ingress - namespace: {{ .Release.Namespace }} -{{- with .Values.controller.ingress.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: -{{- if .Values.controller.ingress.tls }} - tls: - - hosts: - - {{ .Values.controller.ingress.host }} -{{- if .Values.controller.ingress.secretName }} - secretName: {{ .Values.controller.ingress.secretName }} -{{- end }} -{{- end }} - rules: - - host: {{ .Values.controller.ingress.host }} - http: - paths: - - path: {{ .Values.controller.ingress.path }} - backend: - serviceName: neuvector-svc-controller-api - servicePort: 10443 -{{- end }} -{{- end }} -{{- if .Values.controller.federation.mastersvc.ingress.enabled }} -{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: neuvector-mastersvc-ingress - namespace: {{ .Release.Namespace }} -{{- with .Values.controller.federation.mastersvc.ingress.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: -{{- if .Values.controller.federation.mastersvc.ingress.ingressClassName }} - ingressClassName: {{ .Values.controller.federation.mastersvc.ingress.ingressClassName | quote }} -{{ end }} -{{- if .Values.controller.federation.mastersvc.ingress.tls }} - tls: - - hosts: - - {{ .Values.controller.federation.mastersvc.ingress.host }} -{{- if .Values.controller.federation.mastersvc.ingress.secretName }} - secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }} -{{- end }} -{{- end }} - rules: - - host: {{ .Values.controller.federation.mastersvc.ingress.host }} - http: - paths: - - path: {{ .Values.controller.federation.mastersvc.ingress.path }} - pathType: Prefix - backend: - service: - name: neuvector-svc-controller-fed-master - port: - number: 11443 -{{- else }} ---- -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: neuvector-mastersvc-ingress - namespace: {{ .Release.Namespace }} -{{- with .Values.controller.federation.mastersvc.ingress.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: -{{- if .Values.controller.federation.mastersvc.ingress.tls }} - tls: - - hosts: - - {{ .Values.controller.federation.mastersvc.ingress.host }} -{{- if .Values.controller.federation.mastersvc.ingress.secretName }} - secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }} -{{- end }} -{{- end }} - rules: - - host: {{ .Values.controller.federation.mastersvc.ingress.host }} - http: - paths: - - path: {{ .Values.controller.federation.mastersvc.ingress.path }} - backend: - serviceName: neuvector-svc-controller-fed-master - servicePort: 11443 -{{- end }} -{{- end }} -{{- if .Values.controller.federation.managedsvc.ingress.enabled }} -{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: neuvector-managedsvc-ingress - namespace: {{ .Release.Namespace }} -{{- with .Values.controller.federation.managedsvc.ingress.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: -{{- if .Values.controller.federation.managedsvc.ingress.ingressClassName }} - ingressClassName: {{ .Values.controller.federation.managedsvc.ingress.ingressClassName | quote }} -{{ end }} -{{- if .Values.controller.federation.managedsvc.ingress.tls }} - tls: - - hosts: - - {{ .Values.controller.federation.managedsvc.ingress.host }} -{{- if .Values.controller.federation.managedsvc.ingress.secretName }} - secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }} -{{- end }} -{{- end }} - rules: - - host: {{ .Values.controller.federation.managedsvc.ingress.host }} - http: - paths: - - path: {{ .Values.controller.federation.managedsvc.ingress.path }} - pathType: Prefix - backend: - service: - name: neuvector-svc-controller-fed-managed - port: - number: 10443 -{{- else }} ---- -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: neuvector-managedsvc-ingress - namespace: {{ .Release.Namespace }} -{{- with .Values.controller.federation.managedsvc.ingress.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: -{{- if .Values.controller.federation.managedsvc.ingress.tls }} - tls: - - hosts: - - {{ .Values.controller.federation.managedsvc.ingress.host }} -{{- if .Values.controller.federation.managedsvc.ingress.secretName }} - secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }} -{{- end }} -{{- end }} - rules: - - host: {{ .Values.controller.federation.managedsvc.ingress.host }} - http: - paths: - - path: {{ .Values.controller.federation.managedsvc.ingress.path }} - backend: - serviceName: neuvector-svc-controller-fed-managed - servicePort: 10443 -{{- end }} -{{- end }} -{{- end -}} 
diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/controller-route.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/controller-route.yaml
deleted file mode 100644
index 686a77ec4..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/templates/controller-route.yaml
+++ /dev/null
@@ -1,98 +0,0 @@ -{{- if .Values.openshift -}} -{{- if .Values.controller.apisvc.route.enabled }} -{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: route.openshift.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: Route -metadata: - name: neuvector-route-api - namespace: {{ .Release.Namespace }} - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: -{{- if .Values.controller.apisvc.route.host }} - host: {{ .Values.controller.apisvc.route.host }} -{{- end }} - to: - kind: Service - name: neuvector-svc-controller-api - port: - targetPort: controller-api - tls: - termination: {{ .Values.controller.apisvc.route.termination }} -{{- if or (eq .Values.controller.apisvc.route.termination "reencrypt") (eq .Values.controller.apisvc.route.termination "edge") }} -{{- with .Values.controller.apisvc.route.tls }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- end }} - ---- -{{ end -}} -{{- if .Values.controller.federation.mastersvc.route.enabled }} -{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: route.openshift.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: Route -metadata: - name: neuvector-route-fed-master - namespace: {{ .Release.Namespace }} - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: -{{- if .Values.controller.federation.mastersvc.route.host }} - host: {{ .Values.controller.federation.mastersvc.route.host }} -{{- end }} - to: - kind: Service - name: neuvector-svc-controller-fed-master - port: - targetPort: fed - tls: - termination: {{ .Values.controller.federation.mastersvc.route.termination }} -{{- if or (eq .Values.controller.federation.mastersvc.route.termination "reencrypt") (eq .Values.controller.federation.mastersvc.route.termination "edge") }} -{{- with .Values.controller.federation.mastersvc.route.tls }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- end }} ---- -{{ end -}} -{{- if .Values.controller.federation.managedsvc.route.enabled }} -{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: route.openshift.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: Route -metadata: - name: neuvector-route-fed-managed - namespace: {{ .Release.Namespace }} - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: -{{- if .Values.controller.federation.managedsvc.route.host }} - host: {{ .Values.controller.federation.managedsvc.route.host }} -{{- end }} - to: - kind: Service - name: neuvector-svc-controller-fed-managed - port: - targetPort: fed - tls: - termination: {{ .Values.controller.federation.managedsvc.route.termination }} -{{- if or (eq .Values.controller.federation.managedsvc.route.termination "reencrypt") (eq .Values.controller.federation.managedsvc.route.termination "edge") }} -{{- with .Values.controller.federation.managedsvc.route.tls }} -{{ toYaml . | indent 4 }} -{{- end }} -{{- end }} -{{ end -}} -{{- end -}} diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/controller-service.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/controller-service.yaml deleted file mode 100644 index d4040a78a..000000000 
--- a/charts/neuvector/101.0.2+up2.4.0/templates/controller-service.yaml
+++ /dev/null
@@ -1,97 +0,0 @@ -{{- if .Values.controller.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: neuvector-svc-controller - namespace: {{ .Release.Namespace }} - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - clusterIP: None - ports: - - port: 18300 - protocol: "TCP" - name: "cluster-tcp-18300" - - port: 18301 - protocol: "TCP" - name: "cluster-tcp-18301" - - port: 18301 - protocol: "UDP" - name: "cluster-udp-18301" - selector: - app: neuvector-controller-pod -{{- if .Values.controller.apisvc.type }} ---- -apiVersion: v1 -kind: Service -metadata: - name: neuvector-svc-controller-api - namespace: {{ .Release.Namespace }} -{{- with .Values.controller.apisvc.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.controller.apisvc.type }} - ports: - - port: 10443 - protocol: "TCP" - name: "controller-api" - selector: - app: neuvector-controller-pod -{{ end -}} -{{- if .Values.controller.federation.mastersvc.type }} ---- -apiVersion: v1 -kind: Service -metadata: - name: neuvector-svc-controller-fed-master - namespace: {{ .Release.Namespace }} -{{- with .Values.controller.federation.mastersvc.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.controller.federation.mastersvc.type }} - ports: - - port: 11443 - name: fed - protocol: TCP - selector: - app: neuvector-controller-pod -{{ end -}} -{{- if .Values.controller.federation.managedsvc.type }} ---- -apiVersion: v1 -kind: Service -metadata: - name: neuvector-svc-controller-fed-managed - namespace: {{ .Release.Namespace }} -{{- with .Values.controller.federation.managedsvc.annotations }} - annotations: -{{ toYaml . 
| indent 4 }} -{{- end }} - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.controller.federation.managedsvc.type }} - ports: - - port: 10443 - name: fed - protocol: TCP - selector: - app: neuvector-controller-pod -{{ end -}} -{{- end -}} diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/enforcer-daemonset.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/enforcer-daemonset.yaml deleted file mode 100644 index 6dfde1dd3..000000000 --- a/charts/neuvector/101.0.2+up2.4.0/templates/enforcer-daemonset.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -{{- if .Values.enforcer.enabled -}} -{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: apps/v1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: DaemonSet -metadata: - name: neuvector-enforcer-pod - namespace: {{ .Release.Namespace }} - labels: - chart: {{ template "neuvector.chart" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -spec: - updateStrategy: {{- toYaml .Values.enforcer.updateStrategy | nindent 4 }} - selector: - matchLabels: - app: neuvector-enforcer-pod - template: - metadata: - labels: - app: neuvector-enforcer-pod - release: {{ .Release.Name }} - {{- with .Values.enforcer.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.enforcer.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} - {{- end }} - {{- if .Values.enforcer.tolerations }} - tolerations: -{{ toYaml .Values.enforcer.tolerations | indent 8 }} - {{- end }} - hostPID: true - {{- if .Values.enforcer.priorityClassName }} - priorityClassName: {{ .Values.enforcer.priorityClassName }} - {{- end }} - serviceAccountName: {{ .Values.serviceAccount }} - serviceAccount: {{ .Values.serviceAccount }} - containers: - - name: neuvector-enforcer-pod - image: {{ template "system_default_registry" . 
}}{{ .Values.enforcer.image.repository }}:{{ .Values.enforcer.image.tag }} - securityContext: - privileged: true - resources: - {{- if .Values.enforcer.resources }} -{{ toYaml .Values.enforcer.resources | indent 12 }} - {{- else }} -{{ toYaml .Values.resources | indent 12 }} - {{- end }} - env: - - name: CLUSTER_JOIN_ADDR - value: neuvector-svc-controller.{{ .Release.Namespace }} - - name: CLUSTER_ADVERTISED_ADDR - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: CLUSTER_BIND_ADDR - valueFrom: - fieldRef: - fieldPath: status.podIP - volumeMounts: - {{- if .Values.containerd.enabled }} - - mountPath: /var/run/containerd/containerd.sock - {{- else if .Values.k3s.enabled }} - - mountPath: /var/run/containerd/containerd.sock - {{- else if .Values.bottlerocket.enabled }} - - mountPath: /var/run/containerd/containerd.sock - {{- else if .Values.crio.enabled }} - - mountPath: /var/run/crio/crio.sock - {{- else }} - - mountPath: /var/run/docker.sock - {{- end }} - name: runtime-sock - readOnly: true - - mountPath: /host/proc - name: proc-vol - readOnly: true - - mountPath: /host/cgroup - name: cgroup-vol - readOnly: true - - mountPath: /lib/modules - name: modules-vol - readOnly: true - terminationGracePeriodSeconds: 1200 - restartPolicy: Always - volumes: - - name: runtime-sock - hostPath: - {{- if .Values.containerd.enabled }} - path: {{ .Values.containerd.path }} - {{- else if .Values.crio.enabled }} - path: {{ .Values.crio.path }} - {{- else if .Values.k3s.enabled }} - path: {{ .Values.k3s.runtimePath }} - {{- else if .Values.bottlerocket.enabled }} - path: {{ .Values.bottlerocket.runtimePath }} - {{- else }} - path: {{ .Values.docker.path }} - {{- end }} - - name: proc-vol - hostPath: - path: /proc - - name: cgroup-vol - hostPath: - path: /sys/fs/cgroup - - name: modules-vol - hostPath: - path: /lib/modules -{{- end }} 
diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/init-configmap.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/init-configmap.yaml
deleted file mode 100644
index 4d3b97129..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/templates/init-configmap.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if .Values.controller.configmap.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: neuvector-init
- namespace: {{ .Release.Namespace }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-data:
-{{ toYaml .Values.controller.configmap.data | indent 4 }}
-{{- end }}
\ No newline at end of file
diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/init-secret.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/init-secret.yaml
deleted file mode 100644
index 8a5081408..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/templates/init-secret.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- if .Values.controller.secret.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: neuvector-init
- namespace: {{ .Release.Namespace }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-data:
-{{- range $key, $val := .Values.controller.secret.data }}
- {{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }}
-{{- end }}
-{{- end }}
diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/manager-deployment.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/manager-deployment.yaml
deleted file mode 100644
index f2be290b2..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/templates/manager-deployment.yaml
+++ /dev/null
@@ -1,92 +0,0 @@ -{{- if .Values.manager.enabled -}} -{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: apps/v1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Deployment -metadata: - name: neuvector-manager-pod - namespace: {{ .Release.Namespace }} - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - replicas: 1 - selector: - matchLabels: - app: neuvector-manager-pod - template: - metadata: - labels: - app: neuvector-manager-pod - release: {{ .Release.Name }} - {{- with .Values.manager.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.manager.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - {{- if .Values.manager.affinity }} - affinity: -{{ toYaml .Values.manager.affinity | indent 8 }} - {{- end }} - {{- if .Values.manager.tolerations }} - tolerations: -{{ toYaml .Values.manager.tolerations | indent 8 }} - {{- end }} - {{- if .Values.manager.nodeSelector }} - nodeSelector: -{{ toYaml .Values.manager.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - - name: {{ .Values.imagePullSecrets }} - {{- end }} - {{- if .Values.manager.priorityClassName }} - priorityClassName: {{ .Values.manager.priorityClassName }} - {{- end }} - serviceAccountName: {{ .Values.serviceAccount }} - serviceAccount: {{ .Values.serviceAccount }} - {{- if .Values.manager.runAsUser }} - securityContext: - runAsUser: {{ .Values.manager.runAsUser }} - {{- end }} - containers: - - name: neuvector-manager-pod - image: {{ template "system_default_registry" . 
}}{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }} - env: - - name: CTRL_SERVER_IP - value: neuvector-svc-controller.{{ .Release.Namespace }} - {{- if not .Values.manager.env.ssl }} - - name: MANAGER_SSL - value: "off" - {{- end }} - volumeMounts: - {{- if .Values.manager.certificate.secret }} - - mountPath: /etc/neuvector/certs/ssl-cert.key - subPath: {{ .Values.manager.certificate.keyFile }} - name: cert - readOnly: true - - mountPath: /etc/neuvector/certs/ssl-cert.pem - subPath: {{ .Values.manager.certificate.pemFile }} - name: cert - readOnly: true - {{- end }} - resources: - {{- if .Values.manager.resources }} -{{ toYaml .Values.manager.resources | indent 12 }} - {{- else }} -{{ toYaml .Values.resources | indent 12 }} - {{- end }} - restartPolicy: Always - volumes: - {{- if .Values.manager.certificate.secret }} - - name: cert - secret: - secretName: {{ .Values.manager.certificate.secret }} - {{- end }} -{{- end }} diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/manager-ingress.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/manager-ingress.yaml deleted file mode 100644 index d6e2e3350..000000000 --- a/charts/neuvector/101.0.2+up2.4.0/templates/manager-ingress.yaml +++ /dev/null 
@@ -1,71 +0,0 @@
-{{- if and .Values.manager.enabled .Values.manager.ingress.enabled -}}
-{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: neuvector-webui-ingress
- namespace: {{ .Release.Namespace }}
-{{- with .Values.manager.ingress.annotations }}
- annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
-{{- if .Values.manager.ingress.ingressClassName }}
- ingressClassName: {{ .Values.manager.ingress.ingressClassName | quote }}
-{{ end }}
-{{- if .Values.manager.ingress.tls }}
- tls:
- - hosts:
- - {{ .Values.manager.ingress.host }}
-{{- if .Values.manager.ingress.secretName }}
- secretName: {{ .Values.manager.ingress.secretName }}
-{{- end }}
-{{- end }}
- rules:
- - host: {{ .Values.manager.ingress.host }}
- http:
- paths:
- - path: {{ .Values.manager.ingress.path }}
- pathType: Prefix
- backend:
- service:
- name: neuvector-service-webui
- port:
- number: 8443
-{{- else }}
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
- name: neuvector-webui-ingress
- namespace: {{ .Release.Namespace }}
-{{- with .Values.manager.ingress.annotations }}
- annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
-{{- if .Values.manager.ingress.tls }}
- tls:
- - hosts:
- - {{ .Values.manager.ingress.host }}
-{{- if .Values.manager.ingress.secretName }}
- secretName: {{ .Values.manager.ingress.secretName }}
-{{- end }}
-{{- end }}
- rules:
- - host: {{ .Values.manager.ingress.host }}
- http:
- paths:
- - path: {{ .Values.manager.ingress.path }}
- backend:
- serviceName: neuvector-service-webui
- servicePort: 8443
-{{- end }}
-{{- end -}}
\ No newline at end of file
diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/manager-route.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/manager-route.yaml
deleted file mode 100644
index 784a4ae23..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/templates/manager-route.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-{{- if .Values.openshift -}}
-{{- if .Values.manager.route.enabled }}
-{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
-apiVersion: route.openshift.io/v1
-{{- else }}
-apiVersion: v1
-{{- end }}
-kind: Route
-metadata:
- name: neuvector-route-webui
- namespace: {{ .Release.Namespace }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
-{{- if .Values.manager.route.host }}
- host: {{ .Values.manager.route.host }}
-{{- end }}
- to:
- kind: Service
- name: neuvector-service-webui
- port:
- targetPort: manager
- tls:
- termination: {{ .Values.manager.route.termination }}
-{{- if or (eq .Values.manager.route.termination "reencrypt") (eq .Values.manager.route.termination "edge") }}
-{{- with .Values.manager.route.tls }}
-{{ toYaml . | indent 4 }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end -}}
diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/manager-service.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/manager-service.yaml
deleted file mode 100644
index e18e55c35..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/templates/manager-service.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{- if .Values.manager.enabled -}}
-apiVersion: v1
-kind: Service
-metadata:
- name: neuvector-service-webui
- namespace: {{ .Release.Namespace }}
-{{- with .Values.manager.svc.annotations }}
- annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- type: {{ .Values.manager.svc.type }}
-{{- if and .Values.manager.svc.loadBalancerIP (eq .Values.manager.svc.type "LoadBalancer") }}
- loadBalancerIP: {{ .Values.manager.svc.loadBalancerIP }}
-{{- end }}
- ports:
- - port: 8443
- name: manager
- protocol: TCP
- selector:
- app: neuvector-manager-pod
-{{- end }}
diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/psp.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/psp.yaml
deleted file mode 100644
index c1d68857b..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/templates/psp.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
-{{- if .Values.psp -}}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: neuvector-binding-psp
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
- labels:
- chart: {{ template "neuvector.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- privileged: true
- readOnlyRootFilesystem: false
- allowPrivilegeEscalation: true
- allowedCapabilities:
- - SYS_ADMIN
- - NET_ADMIN
- - SYS_PTRACE
- - IPC_LOCK
- requiredDropCapabilities:
- - ALL
- volumes:
- - '*'
- hostNetwork: true
- hostPorts:
- - min: 0
- max: 65535
- hostIPC: true
- hostPID: true
- runAsUser:
- rule: 'RunAsAny'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: neuvector-binding-psp
- namespace: {{ .Release.Namespace }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups:
- - policy
- - extensions
- resources:
- - podsecuritypolicies
- verbs:
- - use
- resourceNames:
- - neuvector-binding-psp
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: neuvector-binding-psp
- namespace: {{ .Release.Namespace }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: neuvector-binding-psp
-subjects:
-- kind: ServiceAccount
- name: {{ .Values.serviceAccount }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/pvc.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/pvc.yaml
deleted file mode 100644
index 3821d0485..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/templates/pvc.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-{{- if not .Values.controller.pvc.existingClaim -}}
-{{- if and .Values.controller.enabled .Values.controller.pvc.enabled -}}
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: neuvector-data
- namespace: {{ .Release.Namespace }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- accessModes:
-{{ toYaml .Values.controller.pvc.accessModes | indent 4 }}
- volumeMode: Filesystem
-{{- if .Values.controller.pvc.storageClass }}
- storageClassName: {{ .Values.controller.pvc.storageClass }}
-{{- end }}
- resources:
- requests:
-{{- if .Values.controller.pvc.capacity }}
- storage: {{ .Values.controller.pvc.capacity }}
-{{- else }}
- storage: 1Gi
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/rolebinding.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/rolebinding.yaml
deleted file mode 100644
index 6e6af5b6a..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/templates/rolebinding.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
-{{- if .Values.rbac -}}
-{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
-{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
-
-{{- if $oc3 }}
-apiVersion: authorization.openshift.io/v1
-{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
-apiVersion: rbac.authorization.k8s.io/v1
-{{- else }}
-apiVersion: v1
-{{- end }}
-kind: RoleBinding
-metadata:
- name: neuvector-admin
- namespace: {{ .Release.Namespace }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-roleRef:
-{{- if not $oc3 }}
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
-{{- end }}
- name: admin
-subjects:
-- kind: ServiceAccount
- name: {{ .Values.serviceAccount }}
- namespace: {{ .Release.Namespace }}
-{{- if $oc3 }}
-userNames:
-- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
-{{- end }}
-
----
-
-{{- if $oc4 }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: system:openshift:scc:privileged
- namespace: {{ .Release.Namespace }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:openshift:scc:privileged
-subjects:
-- kind: ServiceAccount
- name: {{ .Values.serviceAccount }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-{{- end }}
diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/scanner-deployment.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/scanner-deployment.yaml
deleted file mode 100644
index 57aba899b..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/templates/scanner-deployment.yaml
+++ /dev/null
@@ -1,73 +0,0 @@
-{{- if .Values.cve.scanner.enabled -}}
-{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
-apiVersion: apps/v1
-{{- else }}
-apiVersion: extensions/v1beta1
-{{- end }}
-kind: Deployment
-metadata:
- name: neuvector-scanner-pod
- namespace: {{ .Release.Namespace }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-spec:
- strategy:
-{{ toYaml .Values.cve.scanner.strategy | indent 4 }}
- replicas: {{ .Values.cve.scanner.replicas }}
- selector:
- matchLabels:
- app: neuvector-scanner-pod
- template:
- metadata:
- labels:
- app: neuvector-scanner-pod
- {{- with .Values.cve.scanner.podLabels }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.cve.scanner.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- spec:
- {{- if .Values.cve.scanner.affinity }}
- affinity:
-{{ toYaml .Values.cve.scanner.affinity | indent 8 }}
- {{- end }}
- {{- if .Values.cve.scanner.tolerations }}
- tolerations:
-{{ toYaml .Values.cve.scanner.tolerations | indent 8 }}
- {{- end }}
- {{- if .Values.cve.scanner.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.cve.scanner.nodeSelector | indent 8 }}
- {{- end }}
- {{- if .Values.imagePullSecrets }}
- imagePullSecrets:
- - name: {{ .Values.imagePullSecrets }}
- {{- end }}
- {{- if .Values.cve.scanner.priorityClassName }}
- priorityClassName: {{ .Values.cve.scanner.priorityClassName }}
- {{- end }}
- serviceAccountName: {{ .Values.serviceAccount }}
- serviceAccount: {{ .Values.serviceAccount }}
- {{- if .Values.cve.scanner.runAsUser }}
- securityContext:
- runAsUser: {{ .Values.cve.scanner.runAsUser }}
- {{- end }}
- containers:
- - name: neuvector-scanner-pod
- image: {{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}
- imagePullPolicy: Always
- env:
- - name: CLUSTER_JOIN_ADDR
- value: neuvector-svc-controller.{{ .Release.Namespace }}
- {{- if .Values.cve.scanner.dockerPath }}
- - name: SCANNER_DOCKER_URL
- value: {{ .Values.cve.scanner.dockerPath }}
- {{- end }}
- resources:
-{{ toYaml .Values.cve.scanner.resources | indent 12 }}
- restartPolicy: Always
-{{- end }}
diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/serviceaccount.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/serviceaccount.yaml
deleted file mode 100644
index 47da190a5..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if not .Values.openshift}}
-{{- if ne .Values.serviceAccount "default"}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ .Values.serviceAccount }}
- namespace: {{ .Release.Namespace }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-{{- end }}
-{{- end }}
diff --git a/charts/neuvector/101.0.2+up2.4.0/templates/updater-cronjob.yaml b/charts/neuvector/101.0.2+up2.4.0/templates/updater-cronjob.yaml
deleted file mode 100644
index 1027a3ebd..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/templates/updater-cronjob.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
-{{- if .Values.cve.updater.enabled -}}
-{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
-apiVersion: batch/v1
-{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
-apiVersion: batch/v1beta1
-{{- else }}
-apiVersion: batch/v2alpha1
-{{- end }}
-kind: CronJob
-metadata:
- name: neuvector-updater-pod
- namespace: {{ .Release.Namespace }}
- labels:
- chart: {{ template "neuvector.chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
-spec:
- schedule: {{ .Values.cve.updater.schedule | quote }}
- jobTemplate:
- spec:
- template:
- metadata:
- labels:
- app: neuvector-updater-pod
- release: {{ .Release.Name }}
- {{- with .Values.cve.updater.podLabels }}
- {{- toYaml . | nindent 12 }}
- {{- end }}
- {{- with .Values.cve.updater.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 12 }}
- {{- end }}
- spec:
- {{- if .Values.imagePullSecrets }}
- imagePullSecrets:
- - name: {{ .Values.imagePullSecrets }}
- {{- end }}
- {{- if .Values.cve.updater.nodeSelector }}
- nodeSelector:
-{{ toYaml .Values.cve.updater.nodeSelector | indent 12 }}
- {{- end }}
- {{- if .Values.cve.updater.priorityClassName }}
- priorityClassName: {{ .Values.cve.updater.priorityClassName }}
- {{- end }}
- serviceAccountName: {{ .Values.serviceAccount }}
- serviceAccount: {{ .Values.serviceAccount }}
- {{- if .Values.cve.updater.runAsUser }}
- securityContext:
- runAsUser: {{ .Values.cve.updater.runAsUser }}
- {{- end }}
- containers:
- - name: neuvector-updater-pod
- image: {{ template "system_default_registry" . }}{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }}
- imagePullPolicy: Always
- command:
- - /bin/sh
- - -c
- - sleep 30
- {{- if .Values.cve.scanner.enabled }}
- command:
- - /bin/sh
- - -c
- {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
- {{- if .Values.cve.updater.secure }}
- - /usr/bin/curl -v -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
- {{- else }}
- - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
- {{- end }}
- {{- else }}
- - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/extensions/v1beta1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
- {{- end }}
- {{- end }}
- env:
- - name: CLUSTER_JOIN_ADDR
- value: neuvector-svc-controller.{{ .Release.Namespace }}
- restartPolicy: Never
-{{- end }}
diff --git a/charts/neuvector/101.0.2+up2.4.0/values.yaml b/charts/neuvector/101.0.2+up2.4.0/values.yaml
deleted file mode 100644
index bf6105ee0..000000000
--- a/charts/neuvector/101.0.2+up2.4.0/values.yaml
+++ /dev/null
@@ -1,383 +0,0 @@
-# Default values for neuvector.
-# This is a YAML-formatted file.
-# Declare variables to be passed into the templates.
-
-global:
- cattle:
- systemDefaultRegistry: ""
-
-openshift: false
-
-registry: docker.io
-oem:
-psp: false
-rbac: true
-serviceAccount: neuvector
-
-controller:
- # If false, controller will not be installed
- enabled: true
- annotations: {}
- strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 0
- image:
- repository: rancher/mirrored-neuvector-controller
- tag: 5.1.0
- hash:
- replicas: 3
- disruptionbudget: 0
- schedulerName:
- priorityClassName:
- podLabels: {}
- podAnnotations: {}
- env: []
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: app
- operator: In
- values:
- - neuvector-controller-pod
- topologyKey: "kubernetes.io/hostname"
- tolerations: []
- nodeSelector: {}
- # key1: value1
- # key2: value2
- apisvc:
- type:
- annotations: {}
- # OpenShift Route configuration
- # Controller supports HTTPS only, so edge termination not supported
- route:
- enabled: false
- termination: passthrough
- host:
- tls:
- #certificate: |
- # -----BEGIN CERTIFICATE-----
- # -----END CERTIFICATE-----
- #caCertificate: |
- # -----BEGIN CERTIFICATE-----
- # -----END CERTIFICATE-----
- #destinationCACertificate: |
- # -----BEGIN CERTIFICATE-----
- # -----END CERTIFICATE-----
- #key: |
- # -----BEGIN PRIVATE KEY-----
- # -----END PRIVATE KEY-----
- ranchersso:
- enabled: true
- pvc:
- enabled: false
- existingClaim: false
- accessModes:
- - ReadWriteMany
- storageClass:
- capacity:
- azureFileShare:
- enabled: false
- secretName:
- shareName:
- certificate:
- secret:
- keyFile: tls.key
- pemFile: tls.pem
- federation:
- mastersvc:
- type:
- # Federation Master Ingress
- ingress:
- enabled: false
- host: # MUST be set, if ingress is enabled
- ingressClassName: ""
- path: "/" # or this could be "/api", but might need "rewrite-target" annotation
- annotations:
- nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
- # ingress.kubernetes.io/rewrite-target: /
- tls: false
- secretName:
- annotations: {}
- # OpenShift Route configuration
- # Controller supports HTTPS only, so edge termination not supported
- route:
- enabled: false
- termination: passthrough
- host:
- tls:
- #certificate: |
- # -----BEGIN CERTIFICATE-----
- # -----END CERTIFICATE-----
- #caCertificate: |
- # -----BEGIN CERTIFICATE-----
- # -----END CERTIFICATE-----
- #destinationCACertificate: |
- # -----BEGIN CERTIFICATE-----
- # -----END CERTIFICATE-----
- #key: |
- # -----BEGIN PRIVATE KEY-----
- # -----END PRIVATE KEY-----
- managedsvc:
- type:
- # Federation Managed Ingress
- ingress:
- enabled: false
- host: # MUST be set, if ingress is enabled
- ingressClassName: ""
- path: "/" # or this could be "/api", but might need "rewrite-target" annotation
- annotations:
- nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
- # ingress.kubernetes.io/rewrite-target: /
- tls: false
- secretName:
- annotations: {}
- # OpenShift Route configuration
- # Controller supports HTTPS only, so edge termination not supported
- route:
- enabled: false
- termination: passthrough
- host:
- tls:
- #certificate: |
- # -----BEGIN CERTIFICATE-----
- # -----END CERTIFICATE-----
- #caCertificate: |
- # -----BEGIN CERTIFICATE-----
- # -----END CERTIFICATE-----
- #destinationCACertificate: |
- # -----BEGIN CERTIFICATE-----
- # -----END CERTIFICATE-----
- #key: |
- # -----BEGIN PRIVATE KEY-----
- # -----END PRIVATE KEY-----
- ingress:
- enabled: false
- host: # MUST be set, if ingress is enabled
- ingressClassName: ""
- path: "/" # or this could be "/api", but might need "rewrite-target" annotation
- annotations:
- nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
- # ingress.kubernetes.io/rewrite-target: /
- tls: false
- secretName:
- resources: {}
- # limits:
- # cpu: 400m
- # memory: 2792Mi
- # requests:
- # cpu: 100m
- # memory: 2280Mi
- configmap:
- enabled: false
- data:
- # eulainitcfg.yaml: |
- # ...
- # ldapinitcfg.yaml: |
- # ...
- # oidcinitcfg.yaml: |
- # ...
- # samlinitcfg.yaml: |
- # ...
- # sysinitcfg.yaml: |
- # ...
- # userinitcfg.yaml: |
- # ...
- secret:
- # NOTE: files defined here have preferrence over the ones defined in the configmap section
- enabled: false
- data: {}
- # eulainitcfg.yaml:
- # license_key: 0Bca63Iy2FiXGqjk...
- # ...
- # ldapinitcfg.yaml:
- # directory: OpenLDAP
- # ...
- # oidcinitcfg.yaml:
- # Issuer: https://...
- # ...
- # samlinitcfg.yaml:
- # ...
- # sysinitcfg.yaml:
- # ...
- # userinitcfg.yaml:
- # ...
-
-enforcer:
- # If false, enforcer will not be installed
- enabled: true
- image:
- repository: rancher/mirrored-neuvector-enforcer
- tag: 5.1.0
- hash:
- updateStrategy:
- type: RollingUpdate
- priorityClassName:
- podLabels: {}
- podAnnotations: {}
- tolerations:
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
- - effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
- resources: {}
- # limits:
- # cpu: 400m
- # memory: 2792Mi
- # requests:
- # cpu: 100m
- # memory: 2280Mi
-
-manager:
- # If false, manager will not be installed
- enabled: true
- image:
- repository: rancher/mirrored-neuvector-manager
- tag: 5.1.0
- hash:
- priorityClassName:
- env:
- ssl: true
- svc:
- type: NodePort
- loadBalancerIP:
- annotations: {}
- # azure
- # service.beta.kubernetes.io/azure-load-balancer-internal: "true"
- # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet"
- # OpenShift Route configuration
- # Make sure manager env ssl is false for edge termination
- route:
- enabled: true
- termination: passthrough
- host:
- tls:
- #certificate: |
- # -----BEGIN CERTIFICATE-----
- # -----END CERTIFICATE-----
- #caCertificate: |
- # -----BEGIN CERTIFICATE-----
- # -----END CERTIFICATE-----
- #destinationCACertificate: |
- # -----BEGIN CERTIFICATE-----
- # -----END CERTIFICATE-----
- #key: |
- # -----BEGIN PRIVATE KEY-----
- # -----END PRIVATE KEY-----
- certificate:
- secret:
- keyFile: tls.key
- pemFile: tls.pem
- ingress:
- enabled: false
- host: # MUST be set, if ingress is enabled
- ingressClassName: ""
- path: "/"
- annotations:
- nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
- # kubernetes.io/ingress.class: my-nginx
- # nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1"
- # nginx.ingress.kubernetes.io/rewrite-target: /
- # nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
- # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert
- tls: false
- secretName: # my-tls-secret
- resources: {}
- # limits:
- # cpu: 400m
- # memory: 2792Mi
- # requests:
- # cpu: 100m
- # memory: 2280Mi
- affinity: {}
- podLabels: {}
- podAnnotations: {}
- tolerations: []
- nodeSelector: {}
- # key1: value1
- # key2: value2
- runAsUser: # MUST be set for Rancher hardened cluster
-cve:
- updater:
- # If false, cve updater will not be installed
- enabled: true
- secure: false
- image:
- repository: rancher/mirrored-neuvector-updater
- tag: latest
- hash:
- schedule: "0 0 * * *"
- priorityClassName:
- podLabels: {}
- podAnnotations: {}
- nodeSelector: {}
- # key1: value1
- # key2: value2
- runAsUser: # MUST be set for Rancher hardened cluster
- scanner:
- enabled: true
- replicas: 3
- dockerPath: ""
- strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 0
- image:
- repository: rancher/mirrored-neuvector-scanner
- tag: latest
- hash:
- priorityClassName:
- resources: {}
- # limits:
- # cpu: 400m
- # memory: 2792Mi
- # requests:
- # cpu: 100m
- # memory: 2280Mi
- affinity: {}
- podLabels: {}
- podAnnotations: {}
- tolerations: []
- nodeSelector: {}
- # key1: value1
- # key2: value2
- runAsUser: # MUST be set for Rancher hardened cluster
-docker:
- path: /var/run/docker.sock
-
-resources: {}
- # limits:
- # cpu: 400m
- # memory: 2792Mi
- # requests:
- # cpu: 100m
- # memory: 2280Mi
-
-k3s:
- enabled: false
- runtimePath: /run/k3s/containerd/containerd.sock
-
-bottlerocket:
- enabled: false
- runtimePath: /run/dockershim.sock
-
-containerd:
- enabled: false
- path: /var/run/containerd/containerd.sock
-
-crio:
- enabled: false
- path: /var/run/crio/crio.sock
-
-admissionwebhook:
- type: ClusterIP
-
-crdwebhook:
- enabled: true
- type: ClusterIP
diff --git a/index.yaml b/index.yaml
index dd12d1414..8659021e6 100755
--- a/index.yaml
+++ b/index.yaml
@@ -2773,38 +2773,6 @@ entries:
 - assets/longhorn-crd/longhorn-crd-1.0.200.tgz
 version: 1.0.200
 neuvector:
- - annotations:
- catalog.cattle.io/auto-install: neuvector-crd=match
- catalog.cattle.io/certified: rancher
- catalog.cattle.io/display-name: NeuVector
- catalog.cattle.io/kube-version: '>=1.18.0-0 <= 1.25.0-0'
- catalog.cattle.io/namespace: cattle-neuvector-system
- catalog.cattle.io/os: linux
- catalog.cattle.io/permit-os: linux
- catalog.cattle.io/provides-gvr: neuvector.com/v1
- catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
- catalog.cattle.io/release-name: neuvector
- catalog.cattle.io/type: cluster-tool
- catalog.cattle.io/ui-component: neuvector
- catalog.cattle.io/upstream-version: 2.4.0
- apiVersion: v1
- appVersion: 5.1.0
- created: "2023-01-05T10:19:50.424878644-08:00"
- description: Helm feature chart for NeuVector's core services
- digest: b456b26ac1cae42adb2edd082dbc1e5a90868d64b33ca7ea0b936af97c7d3162
- home: https://neuvector.com
- icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
- keywords:
- - security
- maintainers:
- - email: support@neuvector.com
- name: becitsthere
- name: neuvector
- sources:
- - https://github.com/neuvector/neuvector
- urls:
- - assets/neuvector/neuvector-101.0.2+up2.4.0.tgz
- version: 101.0.2+up2.4.0
 - annotations:
 catalog.cattle.io/auto-install: neuvector-crd=match
 catalog.cattle.io/certified: rancher
From 72d34af507a5111ed5c183a88e35afcece9c464d Mon Sep 17 00:00:00 2001
From: selvamt94 Date: Wed, 8 Feb 2023 12:13:46 -0800 Subject: [PATCH 2/5] Remove charts/assets for neuvector-crd 101.0.2+up2.4.0 --- .../neuvector-crd-101.0.2+up2.4.0.tgz | Bin 3726 -> 0 bytes .../neuvector-crd/101.0.2+up2.4.0/Chart.yaml | 16 - .../neuvector-crd/101.0.2+up2.4.0/README.md | 19 - .../101.0.2+up2.4.0/templates/_helpers.tpl | 32 - .../101.0.2+up2.4.0/templates/crd.yaml | 1104 ----------------- .../neuvector-crd/101.0.2+up2.4.0/values.yaml | 11 - index.yaml | 20 - 7 files changed, 1202 deletions(-) delete mode 100644 assets/neuvector-crd/neuvector-crd-101.0.2+up2.4.0.tgz delete mode 100644 charts/neuvector-crd/101.0.2+up2.4.0/Chart.yaml delete mode 100644 charts/neuvector-crd/101.0.2+up2.4.0/README.md delete mode 100644 charts/neuvector-crd/101.0.2+up2.4.0/templates/_helpers.tpl delete mode 100644 charts/neuvector-crd/101.0.2+up2.4.0/templates/crd.yaml delete mode 100644 charts/neuvector-crd/101.0.2+up2.4.0/values.yaml 
diff --git a/assets/neuvector-crd/neuvector-crd-101.0.2+up2.4.0.tgz b/assets/neuvector-crd/neuvector-crd-101.0.2+up2.4.0.tgz deleted file mode 100644 index 95f26c1428a15db897f69b2223a385ab3100e167..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3726 zcmV;94sr1xiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PJ1sbKJO**Ju6}ee&hJPL>qsVL6$Kb8)1-tSec^Wp8cjKFJuc zX9g#bU;uDrW$pj{3IOLt@io%O@&o-vBcj;=8vXbI>=|ZQERkv|R=?yEYv zFN8>z2~9K;nVJLulxV`mJfcKvju8_l6s2Y}hRFmZ$>;)QE!%=631$;G*0R9kT9%BY zsB%Ja0`6kCF+O#zG^Vw;N#sZrhUWGO?AU8Sa`p>K#Y8rNGCLK}99Y zwY~Hs@)W2sahM4Sudw*Vih8Wz?9DkSluJfY1q)$%T4G z1XPjdLh3*7_6Fc)Jw?j2(hHOr)agNA=Qsh9=bTZyn89+The14u;%NB0A|FQMC=M#? zzw7@?!V6S~4gg*LKN=1z{y!cL2HyWa1wDduoRNZSaBFWpV`GHDBlvm26fgw@{`bXC ze-CFurbKH@V8%EahI6ExNQ5Pkj7&Ky&;q6iIZ+A|V3`)67YG{DoD+>I3IdU1rWS0b zCom&iVGxww_kvPUWO~cMgMiB93a1MpE=`DXwtmJ7rBS|o9ROfvx=kivVo%k;J+;!V z|F4(m~o*^Ir1<8UJkv&4ROBRrExGy+-oF)KK~hJO`= zTL@z^q#b({{1csY%dbrzW**99T2d$kB~paH6;qTMYE*8e?P&v{kQSfpGC4_N83_u_(Qza6y*O-PY#<_`_g^8KOgj+NCa&X4_V{pl`WCCY}(jt9>N)(dfxydTb9u1_ZNkTN4 ztdAG6r9xUrrmtneO}efeLf8~#&xgPztqJ`4>v}&|ld2*!48vU_AIra+c}s=`N~X!Y z!tvH^1`U%zQKsj)6h*$ZE!;XEDM#j}{c8EPoXeYnqix_!>A%%9{+%gp8FF4o!f)uo zwkej)3r=LUH2_dln62om)wx#EWHo=hqtO5?w@$gXR(joFRS=fTxg5BWqg<|c#rA?0 z(yH2Cxi1U1J<$cG#4QVe@z@uyU;Z+ByK@;Jmm)`LByO$&tX6zO^?ZhKE>YdM3cxg` zHJ95&IU>}a71p)^U{<6}Z6OfO#Z_Z#g4uOLqdU@2TC!|jKdQ~iUc$UV(IlbEFbq+VrkLqwhF)q0ppt2n zjI;^rSkAsfc65o2n%i^ejzoS?arWr(fD$GCt6&n7c9Ee`O9zL@I~eTHTY225#q|G> z>Q2LHc0TBEK zH7dM)^2ri(nq6c=R4nge8e?n_0+w2&8cL9%(%iia@ef?i$_N>QoX=7JgH8XJe% zdAl?qPO)W2Dw_(ykSlj4^emMJMna4jX^7zN&pCIC<`1G5x4ik5mUK6pxX7ibhsW(EFeM5(%Ni8bYyj&A%MGn+ z!H_2njZ>l+ZD{*9N)aZK&FUq$>b^yVn#eiUq|$cnfZ`Z;Hcie&>l2;nD( z;2T)Y9=4nR#=&N#5M< z!`$j;83_kr2%z?+h0?`L0OC5T6a*xQ&WCWryR?&U4>A?v?)d? 
z`|*_sz7pYnPD1=iyg!M*)sP+ellU6)C-MFyzSmfMB?99PvCZ3+2Necib@1R-2MRM)w`*z760N(H zj*#0NvAg#E#-#2k;T_~SE+<-}Y(CcS9BKdYI#I^%fM|+$?_c|o+tCVtC4>`U*hwgocCvlGNd+^N$XVFQiYpjO@o<1&E>6S+UGc}VW04oJ;&{MVAOqo$HStIjY_{w zO4qikH#F=5%ss`ZVtUc1VyD+WZJ(W5A5}Qo1AX_~N9-xGC#2s?YCl-t0dY4>9oW7f zy6=tL`_=RGQd}>Ubt|hwO|1&*QcVw~bg3g@%Dqmb_5QZ%64r5Vb8+CUD~(oBp{DUx z#UpK%a?wv(2;vfXBB|i%PviS z4)AX4drYDIX9DB#sMMFMhk0$Uj^fSrTna6y;1l@y>~(p~DP>m;PTOV#H{Xn6+T3V& z%Z5pw@4T4P9XWH9VJ;H8PLEb-?~UNN`w~*n!hjuV)OYsgdlv>TCALZjWGbZ<$PbsLY3N?L7o%CdxI^N`w&iYzxO$!4SSux43e zw9st3{%Up}C9ba9g$1TVH~x~VX;RAJ^l8cFzW8B3UJ*?f?q2)SG5c|j`lg}%#VO9) z+YNgwHS>sxVK7AO3|czwQQ59N$Y4T8Mh;nrz9hDlwgJvI{!={ zLwzOWU27cUbUEI$tlZyZK6{&oRbVkC-aK{pKXX<{x|7iuT-{Glh^KM~!<# zc5i=&4gQ~*89rRhuPVZa`dU{@c>b-sS5LpHDLVfmBYe#~_KD;@?P^`m1m*71TUjqF z>#7?2B2BJqQul`>ycymJOMGrI?;+vD4PAU|h{Ai`C-l6}IuAUg8@4OvTl2}D&Ui&; z-@5zt^t+n!m@g7?)y(7mP?k5ZJ)`^QW@Qf<&~NDCE05t@ACElsrme@-GC6tk!;ABu zeu&cKpnb$~9G{NI_HP`=)xX1dG&~xNM^B%g4u+%n^e7&TM)A`lhz~l71}c;$@+iJ@ zU)9NdA@pb~5B-Qdg)3ZbB$`e%dz*g1;aog+j|?W|0fZ>m*KbCM51mnwkr_ z6iGp~85mQbFemm|`(mS5rpib6Nd*66aKHj#O6cVkkqJ~<$|Slb zDL40;bRsboOH5YUcx-xp?8Ha#at7C;05=Jy;4zg++4w!=Hr9edZLhCtTilntlE(&= z%!ow|HKGFu9zB9H`|Z6#T9pOC&kKW_ITu$3;%FnsA|ka?vtu@wjV@BuC>4mAZQe34 zs~ckudVx%?eoWC-t(k>+y}B7bz&R=^S#B-G{O4Fdz$>9q8T{o4K0p}O{I~iPyjz2& zcksa|&MmK*2+QCfIc9H7xj7?Jwe^f=D3#tFS18o0f2jG7C s+|1)#&`Xr?V=;AJD5z2MLq{f0o;-Q-bf5J90RRC1|DUXNn*gE!0JZ!_bN~PV diff --git a/charts/neuvector-crd/101.0.2+up2.4.0/Chart.yaml b/charts/neuvector-crd/101.0.2+up2.4.0/Chart.yaml deleted file mode 100644 index ae1c97b5a..000000000 --- a/charts/neuvector-crd/101.0.2+up2.4.0/Chart.yaml +++ /dev/null 
@@ -1,16 +0,0 @@
-annotations:
- catalog.cattle.io/certified: rancher
- catalog.cattle.io/hidden: "true"
- catalog.cattle.io/namespace: cattle-neuvector-system
- catalog.cattle.io/release-name: neuvector-crd
-apiVersion: v1
-appVersion: 5.1.0
-description: Helm chart for NeuVector's CRD services
-home: https://neuvector.com
-icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
-maintainers:
-- email: support@neuvector.com
- name: becitsthere
-name: neuvector-crd
-type: application
-version: 101.0.2+up2.4.0
diff --git a/charts/neuvector-crd/101.0.2+up2.4.0/README.md b/charts/neuvector-crd/101.0.2+up2.4.0/README.md
deleted file mode 100644
index aff9c71bc..000000000
--- a/charts/neuvector-crd/101.0.2+up2.4.0/README.md
+++ /dev/null
@@ -1,19 +0,0 @@
-# NeuVector Helm Chart
-
-Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the contaier applications.
-
-Because the CRD poclies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set 'crdwebhook.enabled' to false in the 'core' chart.
-
-## Configuration
-
-The following table lists the configurable parameters of the NeuVector chart and their default values.
-
-Parameter | Description | Default | Notes
---------- | ----------- | ------- | -----
-`openshift` | If deploying in OpenShift, set this to true | `false` |
-`serviceAccount` | Service account name for NeuVector components | `default` |
-`crdwebhook.type` | crd webhook type | `ClusterIP` |
-
----
-Contact for access to Docker Hub and docs.
-
diff --git a/charts/neuvector-crd/101.0.2+up2.4.0/templates/_helpers.tpl b/charts/neuvector-crd/101.0.2+up2.4.0/templates/_helpers.tpl
deleted file mode 100644
index c0cc49294..000000000
--- a/charts/neuvector-crd/101.0.2+up2.4.0/templates/_helpers.tpl
+++ /dev/null
@@ -1,32 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "neuvector.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "neuvector.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "neuvector.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
diff --git a/charts/neuvector-crd/101.0.2+up2.4.0/templates/crd.yaml b/charts/neuvector-crd/101.0.2+up2.4.0/templates/crd.yaml
deleted file mode 100644
index 7a969b61b..000000000
--- a/charts/neuvector-crd/101.0.2+up2.4.0/templates/crd.yaml
+++ /dev/null
@@ -1,1104 +0,0 @@ -{{- if .Values.crdwebhook.enabled -}} -{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} -{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} -{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: apiextensions.k8s.io/v1 -{{- else }} -apiVersion: apiextensions.k8s.io/v1beta1 -{{- end }} -kind: CustomResourceDefinition -metadata: - name: nvsecurityrules.neuvector.com - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - group: neuvector.com - names: - kind: NvSecurityRule - listKind: NvSecurityRuleList - plural: nvsecurityrules - singular: nvsecurityrule - scope: Namespaced -{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} - version: v1 -{{- end }} - versions: - - name: v1 - served: true - storage: true -{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} - schema: - openAPIV3Schema: - properties: - spec: - properties: - egress: - items: - properties: - action: - enum: - - allow - - deny - type: string - applications: - items: - type: string - type: array - name: - type: string - ports: - type: string - priority: - type: integer - selector: - properties: - comment: - type: string - criteria: - items: - properties: - key: - type: string - op: - type: string - value: - type: string - required: - - key - - op - - value - type: object - type: array - name: - type: string - original_name: - type: string - required: - - name - type: object - required: - - action - - name - - selector - type: object - type: array - file: - items: - properties: - app: - items: - type: string - type: array - behavior: - enum: - - monitor_change - - block_access - type: string - filter: - type: string - recursive: - type: boolean - required: - 
- behavior - - filter - type: object - type: array - ingress: - items: - properties: - action: - enum: - - allow - - deny - type: string - applications: - items: - type: string - type: array - name: - type: string - ports: - type: string - priority: - type: integer - selector: - properties: - comment: - type: string - criteria: - items: - properties: - key: - type: string - op: - type: string - value: - type: string - required: - - key - - op - - value - type: object - type: array - name: - type: string - original_name: - type: string - required: - - name - type: object - required: - - action - - name - - selector - type: object - type: array - process: - items: - properties: - action: - enum: - - allow - - deny - type: string - allow_update: - type: boolean - name: - type: string - path: - type: string - required: - - action - type: object - type: array - process_profile: - properties: - baseline: - enum: - - default - - shield - - basic - - zero-drift - type: string - type: object - target: - properties: - policymode: - enum: - - Discover - - Monitor - - Protect - - N/A - type: string - selector: - properties: - comment: - type: string - criteria: - items: - properties: - key: - type: string - op: - type: string - value: - type: string - required: - - key - - op - - value - type: object - type: array - name: - type: string - original_name: - type: string - required: - - name - type: object - required: - - selector - type: object - dlp: - properties: - settings: - items: - properties: - action: - enum: - - allow - - deny - type: string - name: - type: string - required: - - name - - action - type: object - type: array - status: - type: boolean - type: object - waf: - properties: - settings: - items: - properties: - action: - enum: - - allow - - deny - type: string - name: - type: string - required: - - name - - action - type: object - type: array - status: - type: boolean - type: object - required: - - target - type: object - type: object -{{- end }} ---- -{{- if 
(semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: apiextensions.k8s.io/v1 -{{- else }} -apiVersion: apiextensions.k8s.io/v1beta1 -{{- end }} -kind: CustomResourceDefinition -metadata: - name: nvclustersecurityrules.neuvector.com - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - group: neuvector.com - names: - kind: NvClusterSecurityRule - listKind: NvClusterSecurityRuleList - plural: nvclustersecurityrules - singular: nvclustersecurityrule - scope: Cluster -{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} - version: v1 -{{- end }} - versions: - - name: v1 - served: true - storage: true -{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} - schema: - openAPIV3Schema: - properties: - spec: - properties: - egress: - items: - properties: - action: - enum: - - allow - - deny - type: string - applications: - items: - type: string - type: array - name: - type: string - ports: - type: string - priority: - type: integer - selector: - properties: - comment: - type: string - criteria: - items: - properties: - key: - type: string - op: - type: string - value: - type: string - required: - - key - - op - - value - type: object - type: array - name: - type: string - original_name: - type: string - required: - - name - type: object - required: - - action - - name - - selector - type: object - type: array - file: - items: - properties: - app: - items: - type: string - type: array - behavior: - enum: - - monitor_change - - block_access - type: string - filter: - type: string - recursive: - type: boolean - required: - - behavior - - filter - type: object - type: array - ingress: - items: - properties: - action: - enum: - - allow - - deny - type: string - applications: - items: - type: string - type: array - name: - type: string - ports: - type: string - priority: - type: integer - selector: 
- properties: - comment: - type: string - criteria: - items: - properties: - key: - type: string - op: - type: string - value: - type: string - required: - - key - - op - - value - type: object - type: array - name: - type: string - original_name: - type: string - required: - - name - type: object - required: - - action - - name - - selector - type: object - type: array - process: - items: - properties: - action: - enum: - - allow - - deny - type: string - allow_update: - type: boolean - name: - type: string - path: - type: string - required: - - action - type: object - type: array - process_profile: - properties: - baseline: - enum: - - default - - shield - - basic - - zero-drift - type: string - type: object - target: - properties: - policymode: - enum: - - Discover - - Monitor - - Protect - - N/A - type: string - selector: - properties: - comment: - type: string - criteria: - items: - properties: - key: - type: string - op: - type: string - value: - type: string - required: - - key - - op - - value - type: object - type: array - name: - type: string - original_name: - type: string - required: - - name - type: object - required: - - selector - type: object - dlp: - properties: - settings: - items: - properties: - action: - enum: - - allow - - deny - type: string - name: - type: string - required: - - name - - action - type: object - type: array - status: - type: boolean - type: object - waf: - properties: - settings: - items: - properties: - action: - enum: - - allow - - deny - type: string - name: - type: string - required: - - name - - action - type: object - type: array - status: - type: boolean - type: object - required: - - target - type: object - type: object -{{- end }} ---- -{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: apiextensions.k8s.io/v1 -{{- else }} -apiVersion: apiextensions.k8s.io/v1beta1 -{{- end }} -kind: CustomResourceDefinition -metadata: - name: nvdlpsecurityrules.neuvector.com - labels: 
- chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - group: neuvector.com - names: - kind: NvDlpSecurityRule - listKind: NvDlpSecurityRuleList - plural: nvdlpsecurityrules - singular: nvdlpsecurityrule - scope: Cluster -{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} - version: v1 -{{- end }} - versions: - - name: v1 - served: true - storage: true -{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} - schema: - openAPIV3Schema: - properties: - spec: - properties: - sensor: - properties: - comment: - type: string - name: - type: string - rules: - items: - properties: - name: - type: string - patterns: - items: - properties: - context: - enum: - - url - - header - - body - - packet - type: string - key: - enum: - - pattern - type: string - op: - enum: - - regex - - '!regex' - type: string - value: - type: string - required: - - key - - op - - value - - context - type: object - type: array - required: - - name - - patterns - type: object - type: array - required: - - name - type: object - required: - - sensor - type: object - type: object -{{- end }} ---- -{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: apiextensions.k8s.io/v1 -{{- else }} -apiVersion: apiextensions.k8s.io/v1beta1 -{{- end }} -kind: CustomResourceDefinition -metadata: - name: nvadmissioncontrolsecurityrules.neuvector.com - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - group: neuvector.com - names: - kind: NvAdmissionControlSecurityRule - listKind: NvAdmissionControlSecurityRuleList - plural: nvadmissioncontrolsecurityrules - singular: nvadmissioncontrolsecurityrule - scope: Cluster -{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} - version: v1 -{{- end }} - versions: - - name: v1 - served: true - storage: true -{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} - schema: - openAPIV3Schema: - properties: - spec: - properties: - config: - properties: - client_mode: - enum: - - service - - url - type: string - enable: - type: boolean - mode: - enum: - - monitor - - protect - type: string - required: - - enable - - mode - - client_mode - type: object - rules: - items: - properties: - action: - enum: - - allow - - deny - type: string - comment: - type: string - criteria: - items: - properties: - name: - type: string - op: - type: string - sub_criteria: - items: - properties: - name: - type: string - op: - type: string - value: - type: string - required: - - name - - op - - value - type: object - type: array - value: - type: string - required: - - name - - op - - value - type: object - type: array - disabled: - type: boolean - id: - type: integer - required: - - action - - criteria - type: object - type: array - type: object - type: object -{{- end }} ---- -{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: apiextensions.k8s.io/v1 -{{- else }} -apiVersion: apiextensions.k8s.io/v1beta1 -{{- end }} -kind: CustomResourceDefinition -metadata: - name: nvwafsecurityrules.neuvector.com - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - group: neuvector.com - names: - kind: NvWafSecurityRule - listKind: NvWafSecurityRuleList - plural: nvwafsecurityrules - singular: nvwafsecurityrule - scope: Cluster -{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} - version: v1 -{{- end }} - versions: - - name: v1 - served: true - storage: true -{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} - schema: - openAPIV3Schema: - properties: - spec: - properties: - sensor: - properties: - comment: - type: string - name: - type: string - rules: - items: - properties: - name: - type: string - patterns: - items: - properties: - context: - enum: - - url - - header - - body - - packet - type: string - key: - enum: - - pattern - type: string - op: - enum: - - regex - - '!regex' - type: string - value: - type: string - required: - - key - - op - - value - - context - type: object - type: array - required: - - name - - patterns - type: object - type: array - required: - - name - type: object - required: - - sensor - type: object - type: object -{{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - name: neuvector-svc-crd-webhook - namespace: {{ .Release.Namespace }} - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: 443 - targetPort: 30443 - protocol: TCP - name: crd-webhook - type: {{ .Values.crdwebhook.type }} - selector: - app: neuvector-controller-pod ---- -# ClusterRole for NeuVector to operate CRD -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRole -metadata: - name: neuvector-binding-customresourcedefinition - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - update - - watch - - create - - get ---- -# ClusterRoleBinding for NeuVector to operate CRD -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRoleBinding -metadata: - name: neuvector-binding-customresourcedefinition - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -{{- end }} - name: neuvector-binding-customresourcedefinition -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} -{{- end }} ---- -# ClusterRole for NeuVector to manager user-created network/process CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRole -metadata: - name: neuvector-binding-nvsecurityrules - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -- apiGroups: - - neuvector.com - resources: - - nvsecurityrules - - nvclustersecurityrules - verbs: - - list - - delete ---- -# ClusterRoleBinding for NeuVector to manager user-created network/process CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRoleBinding -metadata: - name: neuvector-binding-nvsecurityrules - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -{{- end }} - name: neuvector-binding-nvsecurityrules -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} -{{- end }} ---- -# ClusterRole for NeuVector to manager user-created dlp CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRole -metadata: - name: neuvector-binding-nvdlpsecurityrules - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -- apiGroups: - - neuvector.com - resources: - - nvdlpsecurityrules - verbs: - - list - - delete ---- -# ClusterRole for NeuVector to manager user-created admission control CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRole -metadata: - name: neuvector-binding-nvadmissioncontrolsecurityrules - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -- apiGroups: - - neuvector.com - resources: - - nvadmissioncontrolsecurityrules - verbs: - - list - - delete ---- -# ClusterRoleBinding for NeuVector to manager user-created admission control CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRoleBinding -metadata: - name: neuvector-binding-nvdlpsecurityrules - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -{{- end }} - name: neuvector-binding-nvdlpsecurityrules -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} -{{- end }} ---- -# ClusterRoleBinding for NeuVector to manager user-created admission control CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRoleBinding -metadata: - name: neuvector-binding-nvadmissioncontrolsecurityrules - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -{{- end }} - name: neuvector-binding-nvadmissioncontrolsecurityrules -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} -{{- end }} ---- -# ClusterRole for NeuVector to manager user-created waf CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRole -metadata: - name: neuvector-binding-nvwafsecurityrules - labels: - chart: {{ template "neuvector.chart" . 
}} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -rules: -- apiGroups: - - neuvector.com - resources: - - nvwafsecurityrules - verbs: - - list - - delete ---- -# ClusterRoleBinding for NeuVector to manager user-created waf CRD rules -{{- if $oc3 }} -apiVersion: authorization.openshift.io/v1 -{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} -apiVersion: rbac.authorization.k8s.io/v1 -{{- else }} -apiVersion: v1 -{{- end }} -kind: ClusterRoleBinding -metadata: - name: neuvector-binding-nvwafsecurityrules - labels: - chart: {{ template "neuvector.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -roleRef: -{{- if not $oc3 }} - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole -{{- end }} - name: neuvector-binding-nvwafsecurityrules -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount }} - namespace: {{ .Release.Namespace }} -{{- if $oc3 }} -userNames: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} -{{- end }} -{{- end }} diff --git a/charts/neuvector-crd/101.0.2+up2.4.0/values.yaml b/charts/neuvector-crd/101.0.2+up2.4.0/values.yaml deleted file mode 100644 index a7bc9a908..000000000 --- a/charts/neuvector-crd/101.0.2+up2.4.0/values.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# Default values for neuvector. -# This is a YAML-formatted file. -# Declare variables to be passed into the templates. - -openshift: false - -serviceAccount: neuvector - -crdwebhook: - type: ClusterIP - enabled: true diff --git a/index.yaml b/index.yaml index 8659021e6..9c077dfff 100755 --- a/index.yaml +++ b/index.yaml 
@@ -2934,26 +2934,6 @@ entries: - assets/neuvector/neuvector-100.0.0+up2.2.0.tgz version: 100.0.0+up2.2.0 neuvector-crd: - - annotations: - catalog.cattle.io/certified: rancher - catalog.cattle.io/hidden: "true" - catalog.cattle.io/namespace: cattle-neuvector-system - catalog.cattle.io/release-name: neuvector-crd - apiVersion: v1 - appVersion: 5.1.0 - created: "2023-01-05T10:19:50.428803712-08:00" - description: Helm chart for NeuVector's CRD services - digest: a2bdb942be1730240229c9f8616a09b887ed1ad3f7459186473ab2f703ede7ab - home: https://neuvector.com - icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 - maintainers: - - email: support@neuvector.com - name: becitsthere - name: neuvector-crd - type: application - urls: - - assets/neuvector-crd/neuvector-crd-101.0.2+up2.4.0.tgz - version: 101.0.2+up2.4.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" From aa5ca49867c618a276b7811d01b4973954438553 Mon Sep 17 00:00:00 2001 From: selvamt94 Date: Wed, 8 Feb 2023 12:13:57 -0800 Subject: [PATCH 3/5] Add NeuVector chart version 2.4.2 --- .../generated-changes/overlay/app-readme.md | 19 +++++++++- .../generated-changes/overlay/questions.yaml | 17 +++++---- .../templates/validate-psp-install.yaml | 7 ++++ .../generated-changes/patch/Chart.yaml.patch | 11 +++--- .../generated-changes/patch/README.md.patch | 38 ++++++++----------- .../patch/templates/psp.yaml.patch | 8 ++++ .../generated-changes/patch/values.yaml.patch | 26 +++++++------ packages/neuvector/package.yaml | 4 +- .../templates/crd-template/Chart.yaml | 4 +- .../templates/crd-template/README.md | 8 +--- release.yaml | 2 + 11 files changed, 85 insertions(+), 59 deletions(-) create mode 100644 packages/neuvector/generated-changes/overlay/templates/validate-psp-install.yaml create mode 100644 packages/neuvector/generated-changes/patch/templates/psp.yaml.patch 
diff --git a/packages/neuvector/generated-changes/overlay/app-readme.md b/packages/neuvector/generated-changes/overlay/app-readme.md index 32da7fb2c..a3e31c5e1 100644 --- a/packages/neuvector/generated-changes/overlay/app-readme.md +++ b/packages/neuvector/generated-changes/overlay/app-readme.md 
@@ -15,4 +15,21 @@ Additional Notes: + Previous deployments from Rancher, such as from our Partners chart repository or the primary NeuVector Helm chart, must be completely removed in order to update to the new integrated feature chart. See https://github.com/rancher/rancher/issues/37447. + Configure correct container runtime and runtime path under container runtime. Enable only one runtime. + For deploying on hardened RKE2 and K3s clusters, enable PSP and set user id from other configuration for Manager, Scanner and Updater deployments. User id can be any number other than 0. -+ For deploying on hardened RKE cluster, enable PSP from other configuration. ++ For deploying on hardened RKE cluster, enable PSP from security settings. + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + **Note:** + In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + + **Note:** + If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** + + If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. 
This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/packages/neuvector/generated-changes/overlay/questions.yaml b/packages/neuvector/generated-changes/overlay/questions.yaml index 45a15c2ca..5be1d23f5 100644 --- a/packages/neuvector/generated-changes/overlay/questions.yaml +++ b/packages/neuvector/generated-changes/overlay/questions.yaml @@ -308,28 +308,29 @@ questions: - "NodePort" - "ClusterIP" - "LoadBalancer" -#Other Configuration -- variable: psp +#Security Settings +- variable: global.cattle.psp.enabled + default: "false" + description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false." + label: "Enable PodSecurityPolicies" default: "false" - description: NeuVector Pod Security Policy when psp policy is enabled type: boolean - label: Pod Security Policy - group: "Other Configuration" + group: "Security Settings" - variable: manager.runAsUser default: "" description: Specify the run as User ID type: int label: Manager runAsUser ID - group: "Other Configuration" + group: "Security Settings" - variable: cve.scanner.runAsUser default: "" description: Specify the run as User ID type: int label: Scanner runAsUser ID - group: "Other Configuration" + group: "Security Settings" - variable: cve.updater.runAsUser default: "" description: Specify the run as User ID type: int label: Updater runAsUser ID - group: "Other Configuration" + group: "Security Settings" 
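Review bot: The new `global.cattle.psp.enabled` question carries `default: "false"` twice on the new side — the added line directly under `- variable:` and the retained context line below `label: "Enable PodSecurityPolicies"`. Duplicate mapping keys are invalid under the YAML 1.2 spec and fail yamllint's key-duplicates rule, while most lenient parsers silently keep the last one; the two values agree today, so behaviour is unaffected, but the entry is fragile if one copy is later edited. Drop one of them, e.g. remove the added `default: "false"` and keep the context line so the block reads `label: "Enable PodSecurityPolicies"` / `default: "false"` / `type: boolean`. Quoting the default as a string alongside `type: boolean` matches the other entries in this file, so no change is needed there.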
diff --git a/packages/neuvector/generated-changes/overlay/templates/validate-psp-install.yaml b/packages/neuvector/generated-changes/overlay/templates/validate-psp-install.yaml new file mode 100644 index 000000000..da62c4d18 --- /dev/null +++ b/packages/neuvector/generated-changes/overlay/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +{{- if .Values.global.cattle.psp.enabled }} +{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +{{- end }} +{{- end }} +{{- end }} diff --git a/packages/neuvector/generated-changes/patch/Chart.yaml.patch b/packages/neuvector/generated-changes/patch/Chart.yaml.patch index 31b349e29..31f3c0c95 100644 --- a/packages/neuvector/generated-changes/patch/Chart.yaml.patch +++ b/packages/neuvector/generated-changes/patch/Chart.yaml.patch @@ -1,11 +1,11 @@ --- charts-original/Chart.yaml +++ charts/Chart.yaml -@@ -1,10 +1,28 @@ +@@ -1,10 +1,27 @@ +annotations: + catalog.cattle.io/auto-install: neuvector-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector -+ catalog.cattle.io/kube-version: '>=1.18.0-0 <= 1.25.0-0' ++ catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.27.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permit-os: linux 
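Review bot: The outer guard on the first line of validate-psp-install.yaml makes the whole check depend on `lookup` returning a non-empty ClusterRole list, and `lookup` is documented to return an empty result under `helm template` and `--dry-run`; in those modes the `fail` is silently skipped and PSP manifests render even for a cluster that no longer serves `policy/v1beta1/PodSecurityPolicy`. Nothing in the template says this, so a maintainer may read the gate as an arbitrary condition rather than a live-cluster switch. Suggest a leading template comment such as `{{/* lookup is empty under helm template / --dry-run, so the PSP API check below only runs on a live install */}}`. The `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` test itself is the right way to detect whether the API still exists before rendering PSP resources.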
@@ -13,10 +13,9 @@ + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector + catalog.cattle.io/type: cluster-tool -+ catalog.cattle.io/ui-component: neuvector -+ catalog.cattle.io/upstream-version: 2.4.0 ++ catalog.cattle.io/upstream-version: 2.4.2 apiVersion: v1 - appVersion: 5.1.0 + appVersion: 5.1.1 -description: Helm chart for NeuVector's core services +description: Helm feature chart for NeuVector's core services home: https://neuvector.com @@ -30,4 +29,4 @@ +name: neuvector +sources: +- https://github.com/neuvector/neuvector - version: 2.4.0 + version: 2.4.2 diff --git a/packages/neuvector/generated-changes/patch/README.md.patch b/packages/neuvector/generated-changes/patch/README.md.patch index 69e6f6c6b..b0664869a 100644 --- a/packages/neuvector/generated-changes/patch/README.md.patch +++ b/packages/neuvector/generated-changes/patch/README.md.patch 
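Review bot: Besides the version bumps, this hunk drops the `catalog.cattle.io/ui-component: neuvector` annotation from the generated Chart.yaml, and neither the commit subject nor the patch file explains why. If the removal is intentional — presumably because the Rancher UI no longer keys off it — it deserves a sentence in the commit message or a comment in the patch, since catalog annotations change how the feature chart is presented and installed; if it is accidental, restore the line as `+  catalog.cattle.io/ui-component: neuvector`. The `upstream-version: 2.4.2` and `appVersion: 5.1.1` changes here are consistent with the `version: 2.4.2` bump in the following hunk.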
@@ -1,29 +1,29 @@ --- charts-original/README.md +++ charts/README.md -@@ -72,7 +72,7 @@ +@@ -29,7 +29,7 @@ `controller.schedulerName` | kubernetes scheduler name | `nil` | `controller.affinity` | controller affinity rules | ... | spread controllers to different nodes | `controller.tolerations` | List of node taints to tolerate | `nil` | -`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](values.yaml) -+`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) ++`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) `controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` | `controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` | `controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | -@@ -114,7 +114,7 @@ +@@ -71,7 +71,7 @@ `controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | `controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) `controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. 
-`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) -+`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) ++`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) `controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | `controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` | `controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` | -@@ -130,14 +130,14 @@ +@@ -87,14 +87,14 @@ `controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | `controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) `controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. 
-`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) -+`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) ++`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) `controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed `controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`. `controller.ingress.host` | Must set this host value if ingress is enabled | `nil` | 
@@ -31,53 +31,47 @@ `controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) `controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. -`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) -+`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) ++`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) `controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false` `controller.configmap.data` | NeuVector configuration in YAML format | `{}` `controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false` -@@ -150,7 +150,7 @@ +@@ -107,7 +107,7 @@ `enforcer.podLabels` | Specify the pod labels. | `{}` | `enforcer.podAnnotations` | Specify the pod annotations. | `{}` | `enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`
`key: node-role.kubernetes.io/master` | other taints can be added after the default -`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](values.yaml) -+`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) ++`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) `manager.enabled` | If true, create manager | `true` | `manager.image.repository` | manager image repository | `neuvector/manager` | `manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | -@@ -160,7 +160,7 @@ +@@ -117,7 +117,7 @@ `manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` | `manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google `manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | -`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](values.yaml) -+`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) ++`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) `manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | `manager.route.host` | Set OpenShift route host for management console service | `nil` | `manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` | -@@ -175,10 +175,10 @@ +@@ -132,10 +132,10 @@ `manager.ingress.host` | Must set this host value if ingress is enabled | `nil` | `manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | `manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. 
Currently only supports `/` -`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) -+`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) ++`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) `manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`. `manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) -`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](values.yaml) -+`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) ++`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) `manager.affinity` | manager affinity rules | `{}` | `manager.tolerations` | List of node taints to tolerate | `nil` | `manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` | -@@ -203,7 +203,7 @@ +@@ -160,7 +160,7 @@ `cve.scanner.podAnnotations` | Specify the pod annotations. 
| `{}` |
  `cve.scanner.replicas` | external scanner replicas | `3` |
  `cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` |
 -`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](values.yaml) |
-+`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.0/charts/core/values.yaml) |
++`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) |
  `cve.scanner.affinity` | scanner affinity rules | `{}` |
  `cve.scanner.tolerations` | List of node taints to tolerate | `nil` |
  `cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
-@@ -234,5 +234,4 @@
- ```
- 
- ---
--Contact for access to container registry and docs.
- 
diff --git a/packages/neuvector/generated-changes/patch/templates/psp.yaml.patch b/packages/neuvector/generated-changes/patch/templates/psp.yaml.patch
new file mode 100644
index 000000000..404330169
--- /dev/null
+++ b/packages/neuvector/generated-changes/patch/templates/psp.yaml.patch
@@ -0,0 +1,8 @@
+--- charts-original/templates/psp.yaml
++++ charts/templates/psp.yaml
+@@ -1,4 +1,4 @@
+-{{- if .Values.psp -}}
++{{- if .Values.global.cattle.psp.enabled -}}
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+ metadata:
diff --git a/packages/neuvector/generated-changes/patch/values.yaml.patch b/packages/neuvector/generated-changes/patch/values.yaml.patch
index 08b3243d7..227c6d4c3 100644
--- a/packages/neuvector/generated-changes/patch/values.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/values.yaml.patch
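Review bot: Moving the gate from `.Values.psp` to `.Values.global.cattle.psp.enabled` turns an existing `psp: true` override into a silent no-op, because the values.yaml patch that follows drops the top-level `psp` key without any migration check, so an upgrade removes the PodSecurityPolicy without an error. A guard in the same template would surface that: `{{- if hasKey .Values "psp" }}{{ fail "psp has moved to global.cattle.psp.enabled" }}{{ end }}`. The retained `apiVersion: policy/v1beta1` no longer exists on Kubernetes 1.25+, so enabling the flag there fails at apply time; the later commit's diffstat lists a `templates/validate-psp-install.yaml` that presumably covers this, but nothing in this patch series shows it. The template body continues past the hunk.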
@@ -1,37 +1,39 @@
 --- charts-original/values.yaml
 +++ charts/values.yaml
-@@ -2,15 +2,17 @@
+@@ -2,15 +2,18 @@
  # This is a YAML-formatted file.
  # Declare variables to be passed into the templates.
 +global:
 + cattle:
 + systemDefaultRegistry: ""
++ psp:
++ enabled: false # PSP enablement should default to false
 + openshift: false
  registry: docker.io
--tag: 5.1.0
+-tag: 5.1.1
  oem:
 -imagePullSecrets:
- psp: false
+-psp: false
  rbac: true
 -serviceAccount: default
 +serviceAccount: neuvector
  controller:
  # If false, controller will not be installed
-@@ -22,7 +24,8 @@
+@@ -22,7 +25,8 @@
  maxSurge: 1
  maxUnavailable: 0
  image:
 - repository: neuvector/controller
 + repository: rancher/mirrored-neuvector-controller
-+ tag: 5.1.0
++ tag: 5.1.1
  hash:
  replicas: 3
  disruptionbudget: 0
-@@ -70,7 +73,7 @@
+@@ -70,7 +74,7 @@
  # -----BEGIN PRIVATE KEY-----
  # -----END PRIVATE KEY-----
  ranchersso:
@@ -40,27 +42,27 @@
  pvc:
  enabled: false
  existingClaim: false
-@@ -209,7 +212,8 @@
+@@ -215,7 +219,8 @@
  # If false, enforcer will not be installed
  enabled: true
  image:
 - repository: neuvector/enforcer
 + repository: rancher/mirrored-neuvector-enforcer
-+ tag: 5.1.0
++ tag: 5.1.1
  hash:
  updateStrategy:
  type: RollingUpdate
-@@ -233,7 +237,8 @@
+@@ -245,7 +250,8 @@
  # If false, manager will not be installed
  enabled: true
  image:
 - repository: neuvector/manager
 + repository: rancher/mirrored-neuvector-manager
-+ tag: 5.1.0
++ tag: 5.1.1
  hash:
  priorityClassName:
  env:
-@@ -303,7 +308,7 @@
+@@ -316,7 +322,7 @@
  enabled: true
  secure: false
  image:
@@ -69,7 +71,7 @@
  tag: latest
  hash:
  schedule: "0 0 * * *"
-@@ -324,7 +329,7 @@
+@@ -337,7 +343,7 @@
  maxSurge: 1
  maxUnavailable: 0
  image:
diff --git a/packages/neuvector/package.yaml b/packages/neuvector/package.yaml
index e3748c634..8664fb73a 100644
--- a/packages/neuvector/package.yaml
+++ b/packages/neuvector/package.yaml
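Review bot: The updater image stays on `tag: latest` (context line at the top of the third outer hunk) while this patch pins controller, enforcer and manager to `tag: 5.1.1` under their `rancher/mirrored-*` repositories, leaving the CronJob as the one component whose image can change without a chart release. The updater's repository lines fall between the second and third hunks and are not visible, so whether the mirrored updater image carries a per-release tag cannot be confirmed from here; if it does, adding `+    tag: 5.1.1` in that hunk would make all four images reproducible in the same way. If `latest` is deliberate for the vulnerability-database updater, a comment on that line saying so would stop the next reviewer from raising it again.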
@@ -1,5 +1,5 @@
-url: https://neuvector.github.io/neuvector-helm/core-2.4.0.tgz
-version: 101.0.2
+url: https://neuvector.github.io/neuvector-helm/core-2.4.2.tgz
+version: 102.0.0
 additionalCharts:
 - workingDir: charts-crd
   crdOptions:
diff --git a/packages/neuvector/templates/crd-template/Chart.yaml b/packages/neuvector/templates/crd-template/Chart.yaml
index 94e18498e..8d06796d4 100644
--- a/packages/neuvector/templates/crd-template/Chart.yaml
+++ b/packages/neuvector/templates/crd-template/Chart.yaml
@@ -4,7 +4,7 @@ annotations:
   catalog.cattle.io/certified: rancher
   catalog.cattle.io/hidden: true
 apiVersion: v1
-appVersion: 5.1.0
+appVersion: 5.1.1
 description: Helm chart for NeuVector's CRD services
 home: https://neuvector.com
 icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
@@ -12,5 +12,5 @@ maintainers:
 - email: support@neuvector.com
   name: becitsthere
 name: neuvector-crd
-version: 2.4.0
+version: 2.4.2
 type: application
diff --git a/packages/neuvector/templates/crd-template/README.md b/packages/neuvector/templates/crd-template/README.md
index aff9c71bc..915104e14 100755
--- a/packages/neuvector/templates/crd-template/README.md
+++ b/packages/neuvector/templates/crd-template/README.md
@@ -1,8 +1,8 @@
 # NeuVector Helm Chart
-Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the contaier applications.
+Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the container applications.
-Because the CRD poclies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set 'crdwebhook.enabled' to false in the 'core' chart.
+Because the CRD policies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set `crdwebhook.enabled` to false in the 'core' chart.
 ## Configuration
@@ -13,7 +13,3 @@ Parameter | Description | Default | Notes
 `openshift` | If deploying in OpenShift, set this to true | `false` |
 `serviceAccount` | Service account name for NeuVector components | `default` |
 `crdwebhook.type` | crd webhook type | `ClusterIP` |
-
----
-Contact for access to Docker Hub and docs.
-
diff --git a/release.yaml b/release.yaml
index 56111a2fe..f21a67153 100644
--- a/release.yaml
+++ b/release.yaml
@@ -10,8 +10,10 @@ fleet-crd:
 - 101.1.0+up0.6.0-rc.2
 neuvector:
 - 101.0.2+up2.4.0
+- 102.0.0+up2.4.2
 neuvector-crd:
 - 101.0.2+up2.4.0
+- 102.0.0+up2.4.2
 prometheus-federator:
 - 1.1.0+up0.2.0-rc1
 rancher-aks-operator:
From 981882f1f26c2f9dc4208b9547f8935d758e5ee6 Mon Sep 17 00:00:00 2001
From: selvamt94 Date: Wed, 8 Feb 2023 12:14:02 -0800 Subject: [PATCH 4/5] make chart --- .../neuvector-crd-102.0.0+up2.4.2.tgz | Bin 0 -> 3679 bytes .../neuvector/neuvector-102.0.0+up2.4.2.tgz | Bin 0 -> 16274 bytes .../neuvector-crd/102.0.0+up2.4.2/Chart.yaml | 16 + .../neuvector-crd/102.0.0+up2.4.2/README.md | 15 + .../102.0.0+up2.4.2/templates/_helpers.tpl | 32 + .../102.0.0+up2.4.2/templates/crd.yaml | 1104 +++++++++++++++++ .../neuvector-crd/102.0.0+up2.4.2/values.yaml | 11 + charts/neuvector/102.0.0+up2.4.2/.helmignore | 21 + charts/neuvector/102.0.0+up2.4.2/Chart.yaml | 27 + charts/neuvector/102.0.0+up2.4.2/README.md | 191 +++ .../neuvector/102.0.0+up2.4.2/app-readme.md | 35 + .../102.0.0+up2.4.2/crds/_helpers.tpl | 32 + .../neuvector/102.0.0+up2.4.2/questions.yaml | 336 +++++ .../102.0.0+up2.4.2/templates/NOTES.txt | 20 + .../102.0.0+up2.4.2/templates/_helpers.tpl | 40 + .../templates/admission-webhook-service.yaml | 18 + .../templates/clusterrole.yaml | 121 ++ .../templates/clusterrolebinding.yaml | 147 +++ .../templates/controller-deployment.yaml | 227 ++++ .../templates/controller-ingress.yaml | 219 ++++ .../templates/controller-route.yaml | 98 ++ .../templates/controller-service.yaml | 97 ++ .../templates/enforcer-daemonset.yaml | 136 ++ .../templates/init-configmap.yaml | 13 + .../templates/init-secret.yaml | 15 + .../templates/manager-deployment.yaml | 92 ++ .../templates/manager-ingress.yaml | 71 ++ .../templates/manager-route.yaml | 33 + .../templates/manager-service.yaml | 26 + .../102.0.0+up2.4.2/templates/psp.yaml | 77 ++ .../102.0.0+up2.4.2/templates/pvc.yaml | 27 + .../templates/rolebinding.yaml | 56 + .../templates/scanner-deployment.yaml | 94 ++ .../templates/serviceaccount.yaml | 13 + .../templates/updater-cronjob.yaml | 74 ++ .../templates/validate-psp-install.yaml | 7 + charts/neuvector/102.0.0+up2.4.2/values.yaml | 404 ++++++ index.yaml | 51 + 38 files changed, 3996 insertions(+) create mode 100644 
assets/neuvector-crd/neuvector-crd-102.0.0+up2.4.2.tgz create mode 100644 assets/neuvector/neuvector-102.0.0+up2.4.2.tgz create mode 100644 charts/neuvector-crd/102.0.0+up2.4.2/Chart.yaml create mode 100644 charts/neuvector-crd/102.0.0+up2.4.2/README.md create mode 100644 charts/neuvector-crd/102.0.0+up2.4.2/templates/_helpers.tpl create mode 100644 charts/neuvector-crd/102.0.0+up2.4.2/templates/crd.yaml create mode 100644 charts/neuvector-crd/102.0.0+up2.4.2/values.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/.helmignore create mode 100644 charts/neuvector/102.0.0+up2.4.2/Chart.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/README.md create mode 100644 charts/neuvector/102.0.0+up2.4.2/app-readme.md create mode 100644 charts/neuvector/102.0.0+up2.4.2/crds/_helpers.tpl create mode 100644 charts/neuvector/102.0.0+up2.4.2/questions.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/NOTES.txt create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/_helpers.tpl create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/admission-webhook-service.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/clusterrole.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/clusterrolebinding.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/controller-deployment.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/controller-ingress.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/controller-route.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/controller-service.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/enforcer-daemonset.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/init-configmap.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/init-secret.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/manager-deployment.yaml create mode 100644 
charts/neuvector/102.0.0+up2.4.2/templates/manager-ingress.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/manager-route.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/manager-service.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/psp.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/pvc.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/rolebinding.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/scanner-deployment.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/serviceaccount.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/updater-cronjob.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/templates/validate-psp-install.yaml create mode 100644 charts/neuvector/102.0.0+up2.4.2/values.yaml 
diff --git a/assets/neuvector-crd/neuvector-crd-102.0.0+up2.4.2.tgz b/assets/neuvector-crd/neuvector-crd-102.0.0+up2.4.2.tgz new file mode 100644 index 0000000000000000000000000000000000000000..73e6577ef7ee09582d443bf4a0e1747ac7456cd5 GIT binary patch literal 3679 zcmV-l4xsTLiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PJ0DbKAC)_iKKNJ?DB!+K{F!CvG*DyG!j}n`!H2oK8CT%7Mt0 zgfmF604T?e^WFagfO?|&Bw3D~82iRDv0MO)efR-fi7Dn&j1(7sB;viJ2@xu|BnjKu zB86cXzBo8Af5R{={|ygc^mcj&{li`u_V&ZWov_zGd>-yVxXnS-Q7#n`JK>G{Do^eU zA(EzC5k+|_2OdB~6k&WEL_{fu0p)uU3Pnd0;{gbgMiUg3Y!e#Cm=0i9i5zz;SyGaq z%t(X-uowM>@ySc6FsZyvAVVV2*S8N~#a=y<(RU~$<>>&XJ&$DB{NLw6FX(wO%1F>m znM=PQOCZuF4kIq$1oL-B)ME)pr^g^sOlgGDn{eIJM5#;;_V(sI1`$s@8fi(hHZmoO z2)Q4OshZ@&T%w40sxVcWc`x7V{m_4LxPSQkzvavQF#M0{%L6YVG*yJADCEHN0TV*m z0A!wJT&Vw9?G3=rdWaEKQcX~xSEUDanc)CPmN6Qc#q_2#J@mr;APmCq@@zji2==|w z`mg%`l&~D-wgW($|M&OzOa6b*J3Ms$|2gOp9OH=OOo3f{;~5Jh^d7;V6Dom9An<>$ ze*euMagh+EFoqFjs2PqiVniTJiJ)Z2P=ewxM97Gg7z0fe2Q@)Zm}HD7l!52*3{yFw zBQ<~#VG=#B@V-}3#Pd`w8Mx;~BEG=kg!6M9qO7eSv0N$?uitn8nCfoh0qEFMHgHFc zwCex!CE7ciAj?q5KxH=$1ug!+ANKnt|9{c%KX?BBIq2iZy>DSklL1In#-+7?y-c)P zq6rS*+r3YpJk90(^dTc@Y+PCAAmAhO*(B7!EBJhfaYR#u-9-@5+`Hf}+D*I(EZ98J zqJnoe@o3IJrYHoB5w5g9rxCp9n~yYkn~z5H1MK<>VVK6|vmN1)K%x-HypK`N*d_d( z6J{Wc&X8v8f%g|$>4snFKJ+}K&a@<#2$ClVzve>}DJqn9#v_U>mY{ z;mPpQXyf?gt>&fa7-WXg)4+Q@f&#)=AsQeMn#ux+m}^wQ1!YV}&0NP!qQk8od@lfPG>x|44stDTWx*WW)V<^Sgg&-Y#a{~T0G z7z?N!6sUR;=y`OYro0p)ws-Xeu{;~%0Ty?NyR^vOG?X*__VTq>TNqU5=V@K|RRYK{gHR3s*f z4CcoR=~QBr3#u+f&UCsi9YUBCWzL7dCanQ{{5apwRivsw4?}Yo$j9)nX5NBff`TeC zE^)lIn?cQ_QIzg^EO?$RZ3~yqM~aczX`f8r7IQhx8JY%0rTVp^@i!`!VaQl62)m{S z(fGt z7e>|Q%57P==_#6ELhP~tXpepM=JmV&+m*`zncx`;Epc%TV7B55s^-&#V}bJ8RRF3m zskq!E$`XmpSz%=x0H%3T*X9FZj9=8Y#+Y8#G}?@O-MSfTX7$Tj7R5ZB#KbVO>@DBGKICn zY`tA*5GU!hC6x_1XGp3ntl2PUYOHLuL*JhL(bVCe89Dsp@J}5%{8K>=|2X{9X)N_i zlL;O@i2S1^pXFIh)W)#krul=Y$%Z#?Xh}D-iL*@bYIxji0z)E^(X>WU^#(A1uw2tB zClpy+(>NrOMm25!px}Ni=%`w9qwX72sE8P2MJjF9PR1FHE)yPapr2zZBR;Kx2R{66 
z5qwSS8^Kjw0Qcc!@74OsX~QJ#>Ae+?bO_hAZ9oCg#i5#=Nh+f9nssVMO${AikdZUD>*UPs zHq5PhwtfNPyjB@27nh#j`o90rDh(oAxcxO192B+ajdceVJQd{!Rmw3e%T)*!Op9WK zq90d@;3^Sr=Oo0P#JiLDjfQN=oy1p=JBfEE@twxvDiOd{A}kAVl?WB&@Q=ek4*zT< z&fy=2f7X(HU+|BsL?{b!l?bj9q1@;y5nLq#xJrZ>xk`jJCAmt3>*O8{m*`iEphwfd6Cvc1(I`BRIH^cdOoAdap zPy79ue>HM#?U}$0VdyOQ+y)SB+Fw@=YHjps(~v`-YoJdOCsb;=+DZjyUlSC4HJjU! zom(R=ZDOtfsf~KOhFF`p9ellW_!{waM8|8xS4J^aXPZ5HD1K+WrnL@1wWL7%TZx-& z^Z_=TM$-6jW3%2iu z?mHv*ZuLB!6xT^*?aFFVQ=@{~RMSBzZR&`rw6D`>yuYcsgtpvUUmUn`rO_-ZR5Wf> zJmPjQ&AXQiGWwb}EPs(v;~u5dUa>7HE9BZvq{QGhA9ud_aA)T&gX%Q2q9b>9zRKv% z&TGh>omZ1PJ9lU2jWU|hXX!nd7Su*NUZFaP) zWy2)PR$k0$kDM6_KjX1kr$;licgh*AzJwGM*I-9z^&Ooa&mfk014vIG_9L@V5yeI&UTjqE)+`H* z=Id?O&wA%k;OeSfn5R3m<1e`CCM7LS9~Nx(iy!9W1yRw&-fLbuWT=$ zU9-1BGhejXafYWj8q5~3cqdZd3YghqgZjMLHh9?&SN4f(YeeQIOBrui$wkH6UFR~F z;_K@BUl$#><)V_^<`Tt;-QfFR-zq&QM3dsxvUQ>cjiV`L+?Gh5kd%y3fF6!-{WFFX z)dd&ld&T#X%uA>3VZnoRzD{0u{gq7jF~*mVm`cI@`Xv1NAA4Gg_RO9$`4A&Rg=<81 zXMfub{`brb?=I$-72!gCrK`m(d+6@f(XT3s&cDbAUonq$B6&xZ%ZlWUvQ?I8(ghBv|z_buk#C7igXi-(3NoacQ;&%4)o;4a;;SuqdICp$Xh1sOeb z_v`3)73DEsB;=}?$L*mkXI^VY_xomLcNx&H>EbJo;Y%NP9CfCp$JHX&;l5}KlbS$KJDpClCCDT4)b(elKW7Q?Kz7#79F zPaz_i$^`;RV~80xqbU7zv9BE&sM};CVk{L~@CSNl&9z<`73*;L5ZkeIXM(&LgFV zMkPqhhcmoq67$6OEi1;};s_C@sfeA~{pEW!9IqE)rBIB=C`GUNSMG8*LD3 zf>g|YPSMt_>6LjiyBV(F7-b}AW^6_OXIZb{ge#O9fmwnp@coMaW}m$GbJ+AAuC(Ip z^6H7u6#mFCeXARv8GRXLDsGCQ;R@axJ-vr3@BM0y(xPU7pvZJ4e_r#cB;zTjN@`)n xbd9)D)sdDLi5QA&rbDc zVQyr3R8em|NM&qo0PMYcbK5wwD87H|Q{bn}{PGx6@+`cVn%E%-QAAU=$G!IVKV7wE*xThankte8_o-I+%1}!ik3?#$g!tK*}zjPlKN( zko#k2Egw;ihZqGtKw;#M5p@;|FpEPt^CCDwJ#dMV-z9Ko*}G(byeXm#lc)!t|JP4@ zoxLAByWTGNPq5e7KNdfqJ8KH)EQUVn0rk?$y1{0QqlvQ`VLcGyDEa988Y4Qv+?!K~ zk|_=l^F~u@5wGKuNq4&EtfI-4>nYgp9P6I$cYdtyC`BQH3~6$v%{j~RSuE%gCX6HM zaY908u_R`kA~?zL+3y^7_FFKE$j=B<{O+s4k_F3j4&T3gM=aK zlZc~;ODZSbz5h5kI^I8i{lD2y`@6gU|MaKB)*YJN6B@8y%L5Gg3B`QYnm`;aam+ z?hi?t7dmlgnw zQ^?V1raG=<_7w?39F5+`0pv)&r}i5|qY3=dEg%5(U=Pfy{q4;HZ=Sj zL?^xU0|22w{2GOla`p!?7~CJ9e~c+&%vfL9j4qF 
zoz1{+H#hxjK%#KA0~i4)7zrsvCpeNd<&@NgQJ`m1lFgvJl+iD(`aLP)_?VJpG}fO5 zwM=~;TBGqyo5a4DqTqA(9so}~KcD}4aS2Y(uWl}Wxi~$!IhSus#m+C!Y6|)AbOWsf zh;dDV)00g!DCa^I?Eclo?hjyR$b413@i;MxpGgiaSm zg82x1GMOZiXbO|41Nw3eBFagve|_@y9GsrWDliP?JD*Hq5}}AQ@WRrQJAnBxio_2X z1pq}uLVZNROK>A9A<997P$2D#F`Oa*!RaL+L(ona63S92bw1yHivXfzN&$-o^1UL0 z8Xf%_b|f0lz$9T(or~@;I6-z74P`nl0EQ^g5>vH3fnvRtNt+X5(| ziXD7uWepH$cVUd%J7AD-FcBJ34isopbT9bc;I5m;s0X@f9U-j?R4mRgw|;7-q1LCP3R!{%x+AyFbYLP0Z;B8zTi%2uXqWy)5j zRLPW_KyWa^qJp4O2t0@Ya7_MHCjMfRzA)kQlbs^t6V8^lA)a8a5q%~s%{b|S!`&w~8gJY4{<%au4Pt|MHg+l!ffiGUEEu0no!cg?JG^B-}btJt9N+^sqMLw4R`NJ+@G}fy#4Yp!! zFlSw`CZF=A7Z(q+D#({NP<-jp2a}m6p{J$m+PWWOjzY}1r_`WFVKfr`*z3suwHraH zazfPCQk3*e<&ca@5{E?LOwI2o@Hp{M6o}!JasqgU{;I!n|0CuMX!-$$!lB3TNLa;! zeda8ZM0=B&$3y0+w@<)2NH>&I>uND;YsGz1nnWk;Jrjm?ep1LWxl&3Ij3Et>B(e(V zY5~ylrzo>7sp+#7pfE+|W2J6($!!@ih3pZuGd26a*brBA zh&w)Hxxv*PY%sVLLs*{l#cA)F_?1(?Jo#PIzd`_%M8EQ3Ej20S(n3zm?iA84O`@(2BV)wBYqg4eZ1ZrDf1SLW=i4IBI{3A9cffir zhiOHVh~o)TVnkwkcfjOYTn4=c)=!Q6fN&lnD*D44f>fPnV?5C?GN4Wf1=`hN<5Nr; z!JwGPe{?+>+#A;hMBN6dfG4gi<$&dxvd z-(B7O^xX@wlJa>7Mu-E?OAna<(W@(U5~FjOzWwqAcm({xNF?OdPwh_~79+nSH*Ej0 z`_E3KG5FF>PeE9boBEY^j|K^TX%M;S7tjzu*iy(~jwTWh#vxBw2L^!{2PEI=Kfbg@ z%g7&-)W`pw#-sOLN}1e{WfV@O=R6XhzIlIrbADCs+|o4mP16l&o9|(UPw&UW!-I(|FeTm8R@=hLU|D=@{Ao?1cT z5D7W;lUM{ne~fzIRaZ`%?yJ`M$5@yNLd=K>E*5H1)ys3kEnUvjo8X|G9U_va2Y{D- zmxppX>cFv(3aPvlCEraErNWN*EX?o72S*3;C!Sm*|QqX02F4_?NU|@iJD3-d6Oc3~M>MK<}9%2**3_yz1 zG7bemo^8SmycoLgOu+uS01GC^T;Shc;+`XfHaaGHle*ybpSiKbTWi(FOI0|~;S`Bw=f;coG zfraDk9-I1JiBWVpoou1X_;2Zhk>===kXf>{VL^xR>!^Cb=+ZKDQ(%lJ=5SOfp}Qms z3B9c1rYKK?p~N3OAXW=z&w`E+@5{IQyV?6}L-^*@1j#AVxQL+~hnAb8=!~>hg)DbW z6vlC{^5o_k$KN&o^?F%GZmlC7z?}Jic>MaHVE-Sz-rb)6-^f!?-E;u`%(Nr^p|I?1 z=V0b{d%@6Tis&hs#KItM%Y-cZ-fkPbV99`S3ig1v2Rf%Ph65a8juGn!i(1Q@&aas3 zpD$n9Z64IL84)hgdg*NbKUQrW4;2DmzT^^|z=V$p#s5}2VktTuOuEy(oI}Wk)sM?! 
zRlq`wO(&1a-H)t@M4^)Tq}(4$ylYq76$$G_`~XJ*jz*q3h5nc#nrIcf?+96*kvkv2hd@xF?MCJC=C(M)Rk(idV2 zQ1LTBA#%vl!-a->xq z{@>j_e7&{*H}P!kf7AN6sR4gh6Z~sg2aph5pijos z2re=Wp29Nc@#cZ-{dOX3C&Ck27(Jp^NJ+4r65A;;@}?Nwe=D;=_VpWM`xV_3i?Gt; zdn*hhEzdQzz1uYFH1vpkTaVNKlWjH!C=SVNf}&M!2C4V|>>VHN?-l(&ueawvHuDtx zKiSZy$2+XO(Y5+qiuOYsvpOY>K5`VvOxfM(-T-mvP}*lHx7JG7QX1^1AG0F5dXM?o zHBeS+1FhrjTn7S0@^?51K?i&WI0{h2!C^rVnvj_62EB`&k2obfpkPP0E-a-$d6(ZXzH0eg5s$gr1Zpa zv4S-?ktW2C#WJbk)u5G=A~yhc_KW##7g{zvVm`U0hB+#2wVmePujPldV#*KIsMH}~ zow&}5=dxebqG4BG5fl5IcUC@k`nw*N9Do&($=$V(Rmfk#P%-N(>dtFj?wR+KFua!M zw5{PNe#vH|S2p>o!7R}IQksFRQaJ-b1sQ5!lrYKLsU@f`Gqzl?_3ptQp!*og_jy`fbYpfiiDGt#nmnB0zxlK}A zX1e(xEv^(`&E(5UrZaDEKaaC*s+3_h1z@v{>JbcZgc$2nGC+AkppTghHjh5lT6`_H zj3IZt?ea<76|Ky2ABFVAFg!yc%ryGz{5T+rN#OjLrc%q=Q9NjlPyYA2i^~ruXJ=Oh zjAUkuVqmc~4mAc@bz>)Izn@>-TwI@@RW|txC6hAE+5&!!D{cdYb&1jE9zMyA%Dgrp&|J4r9E$M z=-v_Pl+RPYbY|T)FmktQ%%j2S&DEO^{qw8qi|d;Yr|&L*x%jmSEh@3Dve-~GHMY3J z8fzplrX)-z=&eu-rCWq1;%z@mkYV2mXg^wCOg(vtNa3T974M>OR!j!&v4=I z!;GVd|1O(Rcd+F;?2A{mOL+m@zQYZCPS3Areq1kr9JWi&xT2a~%*0H~p|NY?=_=w|#VWs{ zX;y|V3O9pWW6zerin3M$zWKnLn6RZ*a+T&cHxHaPEi0(uW(9}cSIcWT1JbKA?rOoX z8S4&N(O~rE*m5x?e;}Wufw&+lUFx~*D;JXUWnx`Z3wVbc8f4xaO}ktl8Z};sU%*2!;@}02xC>(Ow&j;#S5)*o zuWloEe{W4Yxv?|}>h^Ne5*7QneG;6defU}Sq49=pFle};Yxc7yI6BF49=pe=NYSRXVQ%%4hJe zgmAN?me+VSaJY%9(3iz{(zHvHyVN6Lr<$#Aro85AqTXF~-LfA5eL~dqU>;C|x*S^0 zQzKHCu+|0S&IL~aRM8|Cf8WUTHGPVP_+$D(U+vM$89tJK@|KS)VUVR+V2txtH=!jP zHA*G}M0;RwHe={hQll{JY80ZB}hg#rEiL_dX^W|J^^<{+L0svQ(h>d!_ zf|#s@ziGo|hyu^L1htXEFe(x0+mc45?yu3tnh$#wBdY{`bwOGJxu7I1)n8eZ&Vjg2Sz6iobqUi_ z1CL{BNiT?S4fo5 z&h)3B9AKV)%?(y2{_9kTvr0}EaiTh#zcHkNQKzVynQ-<^8>M30(A0`cZiKT{-r`F_ z!3*@Sg(|lxLXl5rF>k+IyfO+#sQq%D{gRY9a)hf@&rb>YyzrAeNI4sdfJ? 
z2ne&(_>)P9!Wb?gA}S!PQ$`rtKZuYh;J=cTsDZVxn5cubgq$dXTTW0Egv53U{bzpW ztp8WL_)$Oe?teQx-Yu^GkB|1Y>;FwW^W(q0vYK7&mdFg|SEO2jxo_p7-vgH=}ziP+J z;1wa8j>aRdL`Lcm}5KTzL&??El=b!)FJ3J`u{~hlgZted~JOzPihW@L}{w=xndd^w#l({#P`g^V* zoGVU^q*QlkUYqRNxdhI|(aV>$5(+MvW4l1Kl`?D>V5w)h{Mu=MA27SN-NpuTYk%5k z4&?$GRl;DIoZ8OH+T+W4Z z8_ndLwmm10v!mRGvp8?_Av+P-cs}H+bHgj#Ez&De*HpGMOgak>5n6m}_ zZILFbME9d-Kdr~)Ys!6E-;=K>^J#rYo@him?;&Gt22{ycyFzdk-H$A2Dd?|+H4z zQmMPm_RU?wYqf22gX5fC^L(+=rg`;t@y*qn57*~czn@=yxTv^Rb+x@>J$e!04l7{V zVJxiLU4DCVdGf2gC-#jSu{IeF+oi@DUtn6nSC4S-p{wbqed(bKyBU`Rl)fqvM0(`fq>#XuJN~#G@G)MnUBo zu%yBY$w}v|5ueJXFZXDWtbETykp_Q~a~Kt3Y=sn~b3ru8Bw7U0JQZNEW<|!oVzI`F z{pu^aMQ?rnzAB8tf@%7Sa2`Hqrz)i8SAL_oCQav$4|b!=cAhUi&$shy_4&0xw#$l% zlS^>U2XN&9P z|5}p&G?4%MN5`f0|K2wL&qkgG`@hTQMJNb`l`Qc;ch&>DmnOkMjcY~}3keKzp)A{sRlqEKqWebc8cV5sEdteAdCceua^-aBV=EG2%#~Og{vb~H_K9B3aUw=3` zdwX#y|GGTCvHlX@`Zrf6r|0s|i~i|{H}6jWD)ISOf+-5lD2dB3Pu{#~<#xS1OIkKeJ#h5;^}%ah?4o~~uVx+j&w>FIp_35x!1F8d_9U7; zmn!28j*^en-;+2F(F8>thQCsh#H_ODkjVlS--~&n=m7d1nD8;7_}?luQE@NgiiGuM zQJ(FeegYEhRr3IhaYjr}O91&ZbJ(^D+rXk&U}mtaf#rFjDWU^iAYsU=rKYg_;3nCU zL-Ml%@#h*D5+Z#v-i%ERJz8cVFFCZn_beIwfqX89J!kOi;GeYmobaHgCjZu~d!)x{ z|4sc(+JAe8yT$eY;qm_V{-2FJj_5BdfJ|@#`iL3F(daaUcw)PS?S-i$Z*Ud3d7g#7 zc*8h~`0vu{knPrrZSnpqa@Ya@eIGIQmITNdep{fJRl4BU$U^4=)B~9@S(64+0A!p{ zI6`tSUV*XS)Lmlds-53~%ZGpo+Y-qg#CnW;7(+i7AFW%dL&UCBKCztw*!vaFxghRa zRy;2GFU$&U3~b{3-@)$d;`yJW!>#<^%u|?`!gx$&{CC7Z1ihbffpRu4@mpZl$x>R%o;J5DX?b`YJSQ zx)QSN88eWJEsjoAVtlzq%BeO*97U2%FOMv?OcOx2abgo5(}<@tsmFZ3mpRM6E}mPS!J3lek(T3I1L;ryxa>dX!zkL^`R}9GhsF4> zgeJB6Q2P$4F0vH0B0uox65f@jU3Aof9Kr=*&%X!S#8xc1+-gW z!BggWx~_D}JP%4erPvS~^9MXcUTEeq4wBm_EOwaOS#z0F)Ha}H4wYBcUlo_-4wqL# z_$m*W=QwoPL*@;EJe`B)Il;B^Ve>iAmOOCol4GkKIJfbfbLhNWv~=)1t1pFzjwHe|J=yq*#A$xklDIFLRGd|TiYw`IR^!dqq4j#UxUl?as9ww-=w!5*Zfzv zhf&X`B>IC49{T*x@&0l7{LkSw|Hnoihx*mS-_-xNzqcj_-~e)eyvhAk)1c){bod>0 zseKuJ?(jLDQWE_)8Pqx)&5Ziml1?&zi~<=GU9gG_kC*~>Iu8K;AcLEn^UwBd<=uk7 z;Ti-E_aG>{2=hd>?a~IxC_$B@&-BdcPXyI&z2YjaVxc&%O{a4axE+iOVB^5W9+L$; 
zTA+-N^Wl-Xz1~CLaA7YFNRl*!wfX?yfp&kWT_?nZ{@0utJToK;W-2I zE(NUi$IXH2B!|l{2b{jSDgm;(f6n0Dz(1ESTJq0#@5uz_6OX8FcLzA?vT^CX zSG=su11v-+1_!&%yipaG?yQc=1MN2ETdiSY$*m5bhzGg}qp}lzLPOw9f%iY4e{ysB z8}NPu?GrohqxUm{6jAWq3m@|AiaO;oVBP#Nw)~R2%gG&zUbZDrIb|a5$)rs%miu!8 zepm1EVc(k|IznD743!`LU?ge-F96R!wS|ap_dc}^6N}$Q*^1wmP7!|!lzbi*PS|PZ z4GK`2O$S_Y?2?;O6_^df&h8eSiJ^zi*$nzli5Kcs}MlX1%W6Nj-16 zFvhH__j~Kn*{*AEO8i5*!MK1~K&S;0Uo!>lwHaoX?V2X8i$d zjKUCz8Lol@aWvWi6oruEDUzu(t@khrTF*d)Mk>MDi&&7VLg8)<3>Wnb&%6}F5tuFHRH2$plo1$Raizx{bpYH$&B6JU) z`!skC#u?s1M^gkj3OYbo13nEhcb?SZ2s{^%o@W*AP^>yEJ_^Bb4`~2=GKnF_(m0u= zRslmC-1;=QM}sjTcgC){6@pYI^Vt!$&5R_#&>%xoHmC_TCWHw&n^9I@Ox+S#XOtI+ z4+))Q@>hkZ?Es%*kH{mF+11|wGTCMcY6tv6D1hMZfOY8|+TQ_$0{dQUV=wK9`m@wn z!W5AE$Up&1l@&t11O84Dz{VsA1E8p&E11G0mTTD^aBE!&ek(D)b=~8AE7XWsBnw3n z&NQLqrK^dG8*WMB3`rQ0dqF%dTMaSeX}48j@j8YSP7p_w0Wy@IEq<0mFECLk>*cTt z4ivoHHaE6#qvFwceOBMYLE(u4h<(UV32A=2m%lvBHrZE<`;4`=wYGxN5!4Y^D zqv%?E+>tyctxZm3loj|4ZY6Ksg3qm6s7q#?N<(SBt9F9aK=~)IGjwH`# zv6;YJplwq32?%m=$YphcCZhVg^S5TVO*+>_sR)O%NO8+2Yc5X0P)A(Z6~u}o-;t}I zPfi5_c!hL@44+4uIko39g(jL-T>aen*QfdpzupS(S_X3j&H& zOVQifeh}o&VhYoOZm?s>#!i6ZgAt%YAVDss6&u6-*GIjNA3uKVh_1vGF%)rtIUrL+ z?EV>m;P#-1v)PH3hhs&>%*B;%W786sS^&)9h(e?3 znF*N&3xLm{(-9c6m?9WhCFL9q@NkHz=ys&?b>y0`jy;H0-e4vvCyD|wWx1N?s#F!8 zX#}wVaS{Ys>~WfILyEHyPp|@L^(J%F3Fx1`2p9|@fIh-WEc%Bd@DDBeW^fYz^M&yk zjxZl5gN{!oR#l1pn%PB(L{mx-$zbnNm>k9SSwcx$Xb;aI>6_}hW-660S!XFQ3 zxm{fy6p&(`gB4DgSoNiagZFpPZ?oTVjxmL)o1R}Gn5+;_kg^2ua^q5uUZG<;u- z^zCl3t8Qkvuic8}8-w8#(;1FGpAw_kgCHj^y0g?=J^dJ;4!PGts!P0qiv6^sDph8|fa^wvb}wS|~6tWQ4M^Q+Vf9 zQwhFP>}bfjD=1vH6U?k=b$5hl4SkG>S&r5>>>hl(ZR@fCTY%oYxwh{#km90&ixG21p1sS>^O(HHedNT!hN+aN7L#~r zen}3*OzStSw8@;t_4%?zTDMs-W9G^h^r5dsT8Pmk*Fr3p&AAqaD9}rS&IB@!s4acp zCLzb3*}jS?o5agPeg{;HlCy{NHA8*hn<)!t(<`fvW}{N2L~3xdrF0Pmc|VVk z6gBNNCH`6zSR*Q|N0rreBCmv8ie{w_EJ0Sc(kft9QcjP7rAyJRS(!aTx8^CvWt88> zx>2}W*Cn2G5!rqQ11K1#%^fgF7zZ$9MEa0TB`HSK0@7ZurYk4RgdR4fZO zjm(z*ozz=zk=Y_=-nqOeOB8R=m216h!7WAy!N9EgOf6q7%ro7p5;vQRRMoN_v)p3% 
zGq`QH7eXz+48ANcfi1^?81tJq*Pa&rIg1yly#mF%17x=E07EgPkfU%0Uc5p4xuB!0 zy(27{L@eiDHpe!Gd~Ae)85$X@@cFiDa~9@cf=6SCNrZgFn3&vLO(+N`k}hrO7X~=W zxy+g)Gv5$0D9WG1Fp*xU0UE<8mWNkvqY;iirU3IXqWU&cFS~Q8{oBn=|GNFSj^7+f zgee+So4vZgDrT<%F;EW93?fT7qO01y4d!y%#YOGjV&|8zd(*bpZ1`4|CpNNsD*QC_WjJcfI|3JezkN{aD55 zRjog+)m!Sw3TChB&%@ijC7kCOzU~SSV)>SudP1ge3Ad+h`1oKGCo5$hOP+k&l0yZsOknJm9VWcRia}JzuLPAj zjz&yxxj`LF`xeHT%&2H7fE<r3!6(JEFJ*r0W=&U zpZCBexz=Hj^GmrF*VoM*Gyt7u05T@rkZOCoAUKDSeJ4@GxIkO=V7L=Y1ui`3<3{0(bD!8 zn`c(F<)&FS?9&cop&oX96vy;i`h-InlnF=#gjU!0G1|7ARQ68hupQOHb}?{sQE|cq zi_|H|zh+_RpTVv1DBu1sF^7dcDuXXGKTCSZhfs&DDh=l-J)?pdxJ@0=1|d%J-fBG5 z8q^O-5-5{1K$PtOmiS`;nTinH0VfmqZxZc*UkMq7DBt7If~cCpLwDCP%Qe5F7a%N+ zJz>^h3b0_Hi#})IqVM9PW{&eBHjgcQR(7{5KvIzUBw{2)cHc^jxv(d_3UZPBYjK@d zH@Skpynx~IZtV?~QqA&oAm zj(Eljs8wN%sfE+npY^~ltRh0IJA{f5AHf?`L}3FS7jT+TiXtx4F@&@1!0~POwv5m> zODgK;~GzILrCO%PGNK65gL8?G7rORxah$G_}>DL#uab{@Y3ivsAeU zpb%72lVMc=w^6BIuj^73P~C^*^Zm3A#g_r3C#cgp4}FHZE|GANG!J=7)s;xQnHQis zANB&C09T4~*?o1RL5>Vo3iI1tunS&^|COMuepK0&&Ump|SjfAZpM_Hd^mmrVy`?Es ziW9Qx{xHKL`um*Oqf1pl)w8DzPB3kG=Hx5eGbdmB;U-Sy-FHPq9(dxEZnSJZaoo35 zE;wTVsja&Q`ndVkme<|_5rtPB41rh@L0N?u5u#TlJi;_z)E_m6ZGX=Niv62mQu-H zo4$H=NjQ4-swdMa-5n?{qIW1gPp7i?SP75PBtCkXm_yC<>SAcOn0NhR214S)&@N%+ zVagx#vq_Sbw|-g_qL?g48<}`2Z=4BOc4uUfs(#3i&ALD_k^f|9=WGE7z4AsB)ij71z)?HMQ6n zPqN;?V1gOLBr%C$ zgOI3Hi%QGLAq4$#mNiU|gqQ`lo+l?Yn*Agt^*?sfpZ~lCkd6|mFE|0WQvGY^)U8Uo zrZvY-t95&OtG$k`?|@wrOlF=*spWZT?(OW>3eYKP5}{$`lmGW<|9HQc|MzI`^)~E}wOUzJRe(Y~71998BzGZ_j^xNwnITP%Jx0Pr0+W8r%z%)| zvKi~DoHX)U9r4aIEyVmZ2_r;RI`Ek?c2$bZ$v|eBk`R?^G@L1o`3BAq1;< z48xA;7+@%3SZ>P)kV6H<>VjX&ZJO@KckJ$)<%$rQcr@nWOo1}Fr$i5|eSf*F%aKYk zDf23G4@X%WLj-w3wa~RLl3+?c>#aKwpdpHwbk+wb=HpJ5%`k5_01B%-&^nc}Cgl9iN8U!H(5`w@VTg-rqiWHT^KIGJcS`AGB{>h?~8DU5s+7_?1~ z&DaSf&))Pia675}GeOezkuH^G_++FT9fZWcOM3`aB3BqowrKqz=eVR@1t-WejThHo zfFgf9f%J~GS|>pubMwMbB{=Q1egJ)nrZN+@J)T2KCWiU5uoC%}Boy=^<2W!c^|J0YU>L-7Pv6QM&~qbe~Prz)TQhm|PSSr{t7A`Sa&&`L{57KbT zQo@o5j3Et>5PVmEJ>OUI<$zf$O}$gvzwWE$IFcJk6yQJ)gUa-h3x<`4xs=hk1Fnrf 
zAqv2I?HRR(xTDtNI7mYXqZx>j$pBFkVK{~n*qw`fmR#6ES)!P!4ITKavi`o0M-<9g z!HF$0rhA?J*FUsc*Bnx=6XzB`?|^@llfGiaGEYr@t1%$HT)g=x=B#TF>c%AS%pab< zhvKEmi#$LmO1V*XLolC($4UR9(`ubCx#P-`knez3ue3)isq5OSSKtMqf_xARshau9 zS{5R@ObJ8SmpgLgRk~dCF-AUDo`)Dw8CV7*fFnN%h1zDUytw1mgqfLj zs0w2nL#D_PYY`F7(t>hT)@f;{N$=IG7P!b=qoK|J9m!V)02pEv21*IuLk1vY#K&?z zE6p9vB>Q9w!19>j2n^v=5ON5h$s4I7%q93Yu%^FHF$bgbN z6v>2#NRmtY%+rIKLP|^04ihS8u!KQk<0w>3M1%vWre0`-BeSI4DRf~6Antcwc3!<| z8A|Ew+6;^k2aG5FU3z!)aD65i zbvaFHO33?cqt2+Eb`27e~k4t z3Ay~TT9oN>9#F}k?fc0^>Fic4BNIFFrV({9x4A4#lzcZul;Qw^&thF4`QYe4{=}2( zWH`hhLEFn;u_b;h3{Op9wP|CR2rc@r1coZm62`H_z0>*|QqX02F4_?N5Mo_jS;EL9 zXUD1Z{=#5TmX+KtG`o$#}-Z7X9G{B|79$Mj0aias!!)rumAUt_x6s8`hV~EXsiD> z@uZ{PYduqr+MJV!wY>Buhn{_lLosr!1&jjdS)$9jW2P-jq}M0)>h7s&0l7ch1B_D~ zjaonn$)24x{X*91Lq2W+Frp-hd+JJNOE^~DkJKE&8`(rN{Ho5M zR?t=#FCkrZRJ9Um?F3wgqy?N8B&ey~5VJ*SS$Q76f|#a!3FFGM`;|zan;J{dvw-%3 z^fa}bqP7S@>%vAWXsU~skgkd@twh^6rUy`z=c=<&rt1DOHm&a`$WuIlQuJraxjV9AEg4!QwW6f!Tig<%F6>2zd z>n82WKwZ_7^+f}?O3Se^x&OeDfziJo@Gxz=+(}(e5Y(!}dMyAPy^7T^+C$+Aj%@2P zR!7@;JS9V@Vuc|}J7$+GDcgM1WsWzb_qD_zr&%o8^0c;qJTScr;hP1Tg9hQ3t}!U% zztT8Zv7Jpu;OfGAw+iuP{fDNzi7~C>@_ewUlgKuntI*d9LTy0ayMtUn@$z&QfHueI zg^1Y_qt6d~b&Y|$4~q`QGjo4dvxSRw)tfzDa=414wah(m)kD_*{S;ht$P;D_g?O2} z*tT-XQoMexUe#7z%vNp3nBv*oN*n~EleE8q*&~zdhIMJcKJ7hz}zm^b;Big9sMYtPG1PqRK~1?sddDufbgd; z4vZH)x1Mg9n%ljfp9h!&$Ygx=^EBj0@4K7L)b|$x91H>zj9>!FVtIdcgqXUv&>*r9 z;Z6!&ow?Kk>kT^NRN2_{t;jFB(HZRM_;QoDB5~)s=dlCd<)(6d!p}eJ zY<7@uJrlagRYOl{mj9AvM1QL;0y4L)Kg#@{cg0bj9}V%U$hYDhNEQcWBwUV&0+W=G z%g@lc_ai-)%$!ewm8I$2i-sOh#Ln;D%EEV{3#sN0^Fw4xS|7D8T>W_v%4L~(=F@D^ zygloq$8{dd2cg8brPb%t`~mcR)iorhNC z1fAwj8$0ssq*4N82>K*2xR|raiV@R;v068ANJofghYT-sSN_Zf!ROiYt?B1Pf$#hr6bk;O6XTSLTRIQNR%| zYo8RnD%lV@XR5mOB4{E9mq)OaPjtNqngG1!2tIZ+`}WyB+h_Z1pQg|M3jhHB|A_3G IHUR7a0E4ub=l}o! literal 0 HcmV?d00001 diff --git a/charts/neuvector-crd/102.0.0+up2.4.2/Chart.yaml b/charts/neuvector-crd/102.0.0+up2.4.2/Chart.yaml new file mode 100644 index 000000000..48cdcef5a --- /dev/null 
+++ b/charts/neuvector-crd/102.0.0+up2.4.2/Chart.yaml
@@ -0,0 +1,16 @@
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/namespace: cattle-neuvector-system
+ catalog.cattle.io/release-name: neuvector-crd
+apiVersion: v1
+appVersion: 5.1.1
+description: Helm chart for NeuVector's CRD services
+home: https://neuvector.com
+icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
+maintainers:
+- email: support@neuvector.com
+ name: becitsthere
+name: neuvector-crd
+type: application
+version: 102.0.0+up2.4.2
diff --git a/charts/neuvector-crd/102.0.0+up2.4.2/README.md b/charts/neuvector-crd/102.0.0+up2.4.2/README.md
new file mode 100644
index 000000000..915104e14
--- /dev/null
+++ b/charts/neuvector-crd/102.0.0+up2.4.2/README.md
@@ -0,0 +1,15 @@
+# NeuVector Helm Chart
+
+Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the container applications.
+
+Because the CRD policies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set `crdwebhook.enabled` to false in the 'core' chart.
+
+## Configuration
+
+The following table lists the configurable parameters of the NeuVector chart and their default values.
+
+Parameter | Description | Default | Notes
+--------- | ----------- | ------- | -----
+`openshift` | If deploying in OpenShift, set this to true | `false` |
+`serviceAccount` | Service account name for NeuVector components | `default` |
+`crdwebhook.type` | crd webhook type | `ClusterIP` |
diff --git a/charts/neuvector-crd/102.0.0+up2.4.2/templates/_helpers.tpl b/charts/neuvector-crd/102.0.0+up2.4.2/templates/_helpers.tpl
new file mode 100644
index 000000000..c0cc49294
--- /dev/null
+++ b/charts/neuvector-crd/102.0.0+up2.4.2/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "neuvector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "neuvector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "neuvector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/neuvector-crd/102.0.0+up2.4.2/templates/crd.yaml b/charts/neuvector-crd/102.0.0+up2.4.2/templates/crd.yaml
new file mode 100644
index 000000000..7a969b61b
--- /dev/null
+++ b/charts/neuvector-crd/102.0.0+up2.4.2/templates/crd.yaml
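Review bot: `neuvector.name` and `neuvector.fullname` are defined here, but the crd.yaml template added in this same commit only invokes `neuvector.chart`, so those two helpers and the `nameOverride`/`fullnameOverride` values they read are unused in this chart. Either drop them or put a comment above `neuvector.name` such as `{{/* neuvector.name and neuvector.fullname are currently unreferenced in this chart; kept intentionally */}}` so the next reader does not go looking for the caller. The `values.yaml` added for this chart declares neither `nameOverride` nor `fullnameOverride`, which reinforces that they are dead here.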
@@ -0,0 +1,1104 @@ +{{- if .Values.crdwebhook.enabled -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + group: neuvector.com + names: + kind: NvSecurityRule + listKind: NvSecurityRuleList + plural: nvsecurityrules + singular: nvsecurityrule + scope: Namespaced +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + egress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + file: + items: + properties: + app: + items: + type: string + type: array + behavior: + enum: + - monitor_change + - block_access + type: string + filter: + type: string + recursive: + type: boolean + required: + 
- behavior + - filter + type: object + type: array + ingress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + process: + items: + properties: + action: + enum: + - allow + - deny + type: string + allow_update: + type: boolean + name: + type: string + path: + type: string + required: + - action + type: object + type: array + process_profile: + properties: + baseline: + enum: + - default + - shield + - basic + - zero-drift + type: string + type: object + target: + properties: + policymode: + enum: + - Discover + - Monitor + - Protect + - N/A + type: string + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - selector + type: object + dlp: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + waf: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + required: + - target + type: object + type: object +{{- end }} +--- +{{- if 
(semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvclustersecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + group: neuvector.com + names: + kind: NvClusterSecurityRule + listKind: NvClusterSecurityRuleList + plural: nvclustersecurityrules + singular: nvclustersecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + egress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + file: + items: + properties: + app: + items: + type: string + type: array + behavior: + enum: + - monitor_change + - block_access + type: string + filter: + type: string + recursive: + type: boolean + required: + - behavior + - filter + type: object + type: array + ingress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: 
+ properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + process: + items: + properties: + action: + enum: + - allow + - deny + type: string + allow_update: + type: boolean + name: + type: string + path: + type: string + required: + - action + type: object + type: array + process_profile: + properties: + baseline: + enum: + - default + - shield + - basic + - zero-drift + type: string + type: object + target: + properties: + policymode: + enum: + - Discover + - Monitor + - Protect + - N/A + type: string + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - selector + type: object + dlp: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + waf: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + required: + - target + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvdlpsecurityrules.neuvector.com + labels: 
+ chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + group: neuvector.com + names: + kind: NvDlpSecurityRule + listKind: NvDlpSecurityRuleList + plural: nvdlpsecurityrules + singular: nvdlpsecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + sensor: + properties: + comment: + type: string + name: + type: string + rules: + items: + properties: + name: + type: string + patterns: + items: + properties: + context: + enum: + - url + - header + - body + - packet + type: string + key: + enum: + - pattern + type: string + op: + enum: + - regex + - '!regex' + type: string + value: + type: string + required: + - key + - op + - value + - context + type: object + type: array + required: + - name + - patterns + type: object + type: array + required: + - name + type: object + required: + - sensor + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvadmissioncontrolsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + group: neuvector.com + names: + kind: NvAdmissionControlSecurityRule + listKind: NvAdmissionControlSecurityRuleList + plural: nvadmissioncontrolsecurityrules + singular: nvadmissioncontrolsecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + config: + properties: + client_mode: + enum: + - service + - url + type: string + enable: + type: boolean + mode: + enum: + - monitor + - protect + type: string + required: + - enable + - mode + - client_mode + type: object + rules: + items: + properties: + action: + enum: + - allow + - deny + type: string + comment: + type: string + criteria: + items: + properties: + name: + type: string + op: + type: string + sub_criteria: + items: + properties: + name: + type: string + op: + type: string + value: + type: string + required: + - name + - op + - value + type: object + type: array + value: + type: string + required: + - name + - op + - value + type: object + type: array + disabled: + type: boolean + id: + type: integer + required: + - action + - criteria + type: object + type: array + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvwafsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + group: neuvector.com + names: + kind: NvWafSecurityRule + listKind: NvWafSecurityRuleList + plural: nvwafsecurityrules + singular: nvwafsecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + sensor: + properties: + comment: + type: string + name: + type: string + rules: + items: + properties: + name: + type: string + patterns: + items: + properties: + context: + enum: + - url + - header + - body + - packet + type: string + key: + enum: + - pattern + type: string + op: + enum: + - regex + - '!regex' + type: string + value: + type: string + required: + - key + - op + - value + - context + type: object + type: array + required: + - name + - patterns + type: object + type: array + required: + - name + type: object + required: + - sensor + type: object + type: object +{{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-crd-webhook + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + ports: + - port: 443 + targetPort: 30443 + protocol: TCP + name: crd-webhook + type: {{ .Values.crdwebhook.type }} + selector: + app: neuvector-controller-pod +--- +# ClusterRole for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - update + - watch + - create + - get +--- +# ClusterRoleBinding for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-customresourcedefinition +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} +--- +# ClusterRole for NeuVector to manager user-created network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvsecurityrules + - nvclustersecurityrules + verbs: + - list + - delete +--- +# ClusterRoleBinding for NeuVector to manager user-created network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} +--- +# ClusterRole for NeuVector to manager user-created dlp CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvdlpsecurityrules + verbs: + - list + - delete +--- +# ClusterRole for NeuVector to manager user-created admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvadmissioncontrolsecurityrules + verbs: + - list + - delete +--- +# ClusterRoleBinding for NeuVector to manager user-created admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvdlpsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} +--- +# ClusterRoleBinding for NeuVector to manager user-created admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvadmissioncontrolsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} +--- +# ClusterRole for NeuVector to manager user-created waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvwafsecurityrules
+ verbs:
+ - list
+ - delete
+---
+# ClusterRoleBinding for NeuVector to manager user-created waf CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvwafsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvwafsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector-crd/102.0.0+up2.4.2/values.yaml b/charts/neuvector-crd/102.0.0+up2.4.2/values.yaml
new file mode 100644
index 000000000..a7bc9a908
--- /dev/null
+++ b/charts/neuvector-crd/102.0.0+up2.4.2/values.yaml
@@ -0,0 +1,11 @@
+# Default values for neuvector.
+# This is a YAML-formatted file.
+# Declare variables to be passed into the templates.
+
+openshift: false
+
+serviceAccount: neuvector
+
+crdwebhook:
+ type: ClusterIP
+ enabled: true
diff --git a/charts/neuvector/102.0.0+up2.4.2/.helmignore b/charts/neuvector/102.0.0+up2.4.2/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/neuvector/102.0.0+up2.4.2/.helmignore
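Review bot: The heading above the ClusterRoleBinding named `neuvector-binding-nvdlpsecurityrules` reads `# ClusterRoleBinding for NeuVector to manager user-created admission control CRD rules`, which is the heading of the admission-control binding that follows it, so the dlp binding is mislabelled; change it to `# ClusterRoleBinding for NeuVector to manage user-created dlp CRD rules` and fix the same "manager" → "manage" typo in the other RBAC headings of this file. Two privilege-related spots would also benefit from a comment: the `neuvector-binding-customresourcedefinition` ClusterRole gives `{{ .Values.serviceAccount }}` `create` and `update` on every `customresourcedefinitions` object cluster-wide, and a line stating why the controller must write CRDs rather than only read them lets a reviewer judge that grant against least privilege. Separately, on clusters below 1.19 the `apiextensions.k8s.io/v1beta1` branch renders no `openAPIV3Schema`, so none of the `enum`/`required` constraints in this template are enforced by the API server there; a short header comment at the top of the file saying so would make that explicit for operators on older clusters.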
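Review bot: `serviceAccount: neuvector` disagrees with the README added for this chart in the same commit, whose table lists the `serviceAccount` default as `default`; one of the two should change so the documented default matches the subject rendered into the ClusterRoleBindings. The header comment `# Default values for neuvector.` also names the core chart — `# Default values for neuvector-crd.` would identify this file correctly.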
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/neuvector/102.0.0+up2.4.2/Chart.yaml b/charts/neuvector/102.0.0+up2.4.2/Chart.yaml
new file mode 100644
index 000000000..20aa86d93
--- /dev/null
+++ b/charts/neuvector/102.0.0+up2.4.2/Chart.yaml
@@ -0,0 +1,27 @@
+annotations:
+ catalog.cattle.io/auto-install: neuvector-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: NeuVector
+ catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.27.0-0'
+ catalog.cattle.io/namespace: cattle-neuvector-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permit-os: linux
+ catalog.cattle.io/provides-gvr: neuvector.com/v1
+ catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+ catalog.cattle.io/release-name: neuvector
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/upstream-version: 2.4.2
+apiVersion: v1
+appVersion: 5.1.1
+description: Helm feature chart for NeuVector's core services
+home: https://neuvector.com
+icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
+keywords:
+- security
+maintainers:
+- email: support@neuvector.com
+ name: becitsthere
+name: neuvector
+sources:
+- https://github.com/neuvector/neuvector
+version: 102.0.0+up2.4.2
diff --git a/charts/neuvector/102.0.0+up2.4.2/README.md b/charts/neuvector/102.0.0+up2.4.2/README.md
new file mode 100644
index 000000000..1485c8d06
--- /dev/null
+++ b/charts/neuvector/102.0.0+up2.4.2/README.md
@@ -0,0 +1,191 @@ +# NeuVector Helm Chart + +Helm chart for NeuVector container security's core services. + +## CRD +Because the CRD (Custom Resource Definition) policies can be deployed before NeuVector's core product, a new 'crd' helm chart is created. The crd template in the 'core' chart is kept for the backward compatibility. Please set `crdwebhook.enabled` to false, if you use the new 'crd' chart. + +## Choosing container runtime +The NeuVector platform supports docker, cri-o and containerd as the container runtime. For a k3s/rke2, or bottlerocket cluster, they have their own runtime socket path. You should enable their runtime options, `k3s.enabled` and `bottlerocket.enabled`, respectively. + +## Configuration + +The following table lists the configurable parameters of the NeuVector chart and their default values. + +Parameter | Description | Default | Notes +--------- | ----------- | ------- | ----- +`openshift` | If deploying in OpenShift, set this to true | `false` | +`registry` | NeuVector container registry | `docker.io` | +`tag` | image tag for controller enforcer manager | `latest` | +`oem` | OEM release name | `nil` | +`imagePullSecrets` | image pull secret | `nil` | +`rbac` | NeuVector RBAC manifests are installed when rbac is enabled | `true` | +`psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` | +`serviceAccount` | Service account name for NeuVector components | `default` | +`controller.enabled` | If true, create controller | `true` | +`controller.image.repository` | controller image repository | `neuvector/controller` | +`controller.image.hash` | controller image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`controller.replicas` | controller replicas | `3` | +`controller.schedulerName` | kubernetes scheduler name | `nil` | +`controller.affinity` | controller affinity rules | ... 
| spread controllers to different nodes | +`controller.tolerations` | List of node taints to tolerate | `nil` | +`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) +`controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` | +`controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`controller.podLabels` | Specify the pod labels. | `{}` | +`controller.podAnnotations` | Specify the pod annotations. | `{}` | +`controller.env` | User-defined environment variables for controller. | `[]` | +`controller.ranchersso.enabled` | If true, enable Rancher single sign on | `false` | Rancher server address auto configured.| +`controller.pvc.enabled` | If true, enable persistence for controller using PVC | `false` | Require persistent volume type RWX, and storage 1Gi +`controller.pvc.existingClaim` | Boolean value to specify if there is an existing PVC claim. If true, pvc in the helm chart is not used. 
| `false` | +`controller.pvc.storageClass` | Storage Class to be used | `default` | +`controller.pvc.capacity` | Storage capacity | `1Gi` | +`controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` | +`controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` | +`controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` | +`controller.apisvc.type` | Controller REST API service type | `nil` | +`controller.apisvc.annotations` | Add annotations to controller REST API service | `{}` | +`controller.apisvc.route.enabled` | If true, create a OpenShift route to expose the Controller REST API service | `false` | +`controller.apisvc.route.termination` | Specify TLS termination for OpenShift route for Controller REST API service. Possible passthrough, edge, reencrypt | `passthrough` | +`controller.apisvc.route.host` | Set controller REST API service hostname | `nil` | +`controller.apisvc.route.tls.key` | Set controller REST API service PEM format key file | `nil` | +`controller.apisvc.route.tls.certificate` | Set controller REST API service PEM format certificate file | `nil` | +`controller.apisvc.route.tls.caCertificate` | Set controller REST API service CA certificate may be required to establish a certificate chain for validation | `nil` | +`controller.apisvc.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate | `nil` | +`controller.certificate.secret` | Replace controller REST API certificate using secret if secret name is specified | `nil` | +`controller.certificate.keyFile` | Replace controller REST API certificate key file | `tls.key` | +`controller.certificate.pemFile` | Replace controller REST API certificate pem file | `tls.pem` | +`controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. 
If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | +`controller.federation.mastersvc.annotations` | Add annotations to Multi-cluster primary cluster REST API service | `{}` | +`controller.federation.mastersvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster primary cluster service | `false` | +`controller.federation.mastersvc.route.host` | Set OpenShift route host for primary cluster service | `nil` | +`controller.federation.mastersvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster primary cluster service. Possible passthrough, edge, reencrypt | `passthrough` | +`controller.federation.mastersvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster primary cluster service | `nil` | +`controller.federation.mastersvc.route.tls.certificate` | Set PEM format key certificate file for OpenShift route for Multi-cluster primary cluster service | `nil` | +`controller.federation.mastersvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster primary cluster service | `nil` | +`controller.federation.mastersvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster primary cluster service | `nil` | +`controller.federation.mastersvc.ingress.enabled` | If true, create ingress for federation master service, must also set ingress host value | `false` | enable this if ingress controller is installed +`controller.federation.mastersvc.ingress.tls` | If true, TLS is enabled for controller federation master ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.mastersvc.ingress.host`. 
+`controller.federation.mastersvc.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. +`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) +`controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | +`controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` | +`controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` | +`controller.federation.managedsvc.route.host` | Set OpenShift route host for manageed service | `nil` | +`controller.federation.managedsvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster managed cluster service. 
Possible passthrough, edge, reencrypt | `passthrough` | +`controller.federation.managedsvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.route.tls.certificate` | Set PEM format certificate file for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.ingress.enabled` | If true, create ingress for federation managed service, must also set ingress host value | `false` | enable this if ingress controller is installed +`controller.federation.managedsvc.ingress.tls` | If true, TLS is enabled for controller federation managed ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.managedsvc.ingress.host`. +`controller.federation.managedsvc.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. 
+`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) +`controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed +`controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`. +`controller.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`controller.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. +`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) +`controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false` +`controller.configmap.data` | NeuVector configuration in YAML format | `{}` +`controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false` +`controller.secret.data` | NeuVector configuration in key/value pair format | `{}` +`enforcer.enabled` | If true, create enforcer | `true` | +`enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` | +`enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. 
| | +`enforcer.updateStrategy.type` | enforcer update strategy type. | `RollingUpdate` | +`enforcer.priorityClassName` | enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`enforcer.podLabels` | Specify the pod labels. | `{}` | +`enforcer.podAnnotations` | Specify the pod annotations. | `{}` | +`enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`
`key: node-role.kubernetes.io/master` | other taints can be added after the default +`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) +`manager.enabled` | If true, create manager | `true` | +`manager.image.repository` | manager image repository | `neuvector/manager` | +`manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`manager.priorityClassName` | manager priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`manager.podLabels` | Specify the pod labels. | `{}` | +`manager.podAnnotations` | Specify the pod annotations. | `{}` | +`manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` | +`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google +`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | +`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) +`manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | +`manager.route.host` | Set OpenShift route host for management console service | `nil` | +`manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` | +`manager.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` | +`manager.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` | +`manager.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` | +`manager.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` | +`manager.certificate.secret` | Replace manager UI certificate using secret if secret name is specified | `nil` | +`manager.certificate.keyFile` | Replace manager UI certificate key file | `tls.key` | +`manager.certificate.pemFile` | Replace manager UI certificate pem file | `tls.pem` | +`manager.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed +`manager.ingress.host` | Must set this host value if ingress is enabled | `nil` | 
+`manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/` +`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) +`manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`. +`manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) +`manager.affinity` | manager affinity rules | `{}` | +`manager.tolerations` | List of node taints to tolerate | `nil` | +`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`manager.runAsUser` | Specify the run as User ID | `nil` | +`cve.updater.enabled` | If true, create cve updater | `true` | +`cve.updater.secure` | If ture, API server's certificate is validated | `false` | +`cve.updater.image.repository` | cve updater image repository | `neuvector/updater` | +`cve.updater.image.tag` | image tag for cve updater | `latest` | +`cve.updater.image.hash` | cve updateer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`cve.updater.priorityClassName` | cve updater priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.updater.podLabels` | Specify the pod labels. | `{}` | +`cve.updater.podAnnotations` | Specify the pod annotations. 
| `{}` | +`cve.updater.schedule` | cronjob cve updater schedule | `0 0 * * *` | +`cve.updater.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`cve.updater.runAsUser` | Specify the run as User ID | `nil` | +`cve.scanner.enabled` | If true, cve scanners will be deployed | `true` | +`cve.scanner.image.repository` | cve scanner image repository | `neuvector/scanner` | +`cve.scanner.image.tag` | cve scanner image tag | `latest` | +`cve.scanner.image.hash` | cve scanner image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`cve.scanner.priorityClassName` | cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.scanner.podLabels` | Specify the pod labels. | `{}` | +`cve.scanner.podAnnotations` | Specify the pod annotations. | `{}` | +`cve.scanner.replicas` | external scanner replicas | `3` | +`cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` | +`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.2/charts/core/values.yaml) | +`cve.scanner.affinity` | scanner affinity rules | `{}` | +`cve.scanner.tolerations` | List of node taints to tolerate | `nil` | +`cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`cve.scanner.runAsUser` | Specify the run as User ID | `nil` | +`docker.path` | docker path | `/var/run/docker.sock` | +`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | **Note**: For k3s and rke clusters, set k3s.enabled to true instead +`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` | +`crio.enabled` | Set to true, if the container runtime is cri-o | `false` | +`crio.path` | If cri-o is enabled, this local cri-o 
socket path will be used | `/var/run/crio/crio.sock` | +`k3s.enabled` | Set to true for k3s or rke2 | `false` | +`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` | +`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` | +`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` | +`admissionwebhook.type` | admission webhook type | `ClusterIP` | +`crdwebhook.enabled` | Enable crd service and create crd related resources | `true` | +`crdwebhook.type` | crd webhook type | `ClusterIP` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install my-release --namespace neuvector ./neuvector-helm/ --set manager.env.ssl=off +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, + +```console +$ helm install my-release --namespace neuvector ./neuvector-helm/ -f values.yaml +``` diff --git a/charts/neuvector/102.0.0+up2.4.2/app-readme.md b/charts/neuvector/102.0.0+up2.4.2/app-readme.md new file mode 100644 index 000000000..a3e31c5e1 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/app-readme.md 
@@ -0,0 +1,35 @@
+### Run-Time Protection Without Compromise
+
+NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform.
+
+NeuVector integrates tightly with Rancher and Kubernetes to extend the built-in security features for applications that require defense in depth. Security features include:
+
++ Build phase vulnerability scanning with Jenkins plug-in and registry scanning
++ Admission control to prevent vulnerable or unauthorized image deployments using Kubernetes admission control webhooks
++ Complete run-time scanning with network, process, and file system monitoring and protection
++ The industry's only layer 7 container firewall for multi-protocol threat detection and automated segmentation
++ Advanced network controls including DLP detection, service mesh integration, connection blocking and packet captures
++ Run-time vulnerability scanning and CIS benchmarks
+
+Additional Notes:
++ Previous deployments from Rancher, such as from our Partners chart repository or the primary NeuVector Helm chart, must be completely removed in order to update to the new integrated feature chart. See https://github.com/rancher/rancher/issues/37447.
++ Configure correct container runtime and runtime path under container runtime. Enable only one runtime.
++ For deploying on hardened RKE2 and K3s clusters, enable PSP and set user id from other configuration for Manager, Scanner and Updater deployments. User id can be any number other than 0.
++ For deploying on hardened RKE cluster, enable PSP from security settings.
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. 
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+ **Note:**
+ In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+
+ **Note:**
+ If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+
+ If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
diff --git a/charts/neuvector/102.0.0+up2.4.2/crds/_helpers.tpl b/charts/neuvector/102.0.0+up2.4.2/crds/_helpers.tpl
new file mode 100644
index 000000000..c0cc49294
--- /dev/null
+++ b/charts/neuvector/102.0.0+up2.4.2/crds/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "neuvector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "neuvector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "neuvector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/neuvector/102.0.0+up2.4.2/questions.yaml b/charts/neuvector/102.0.0+up2.4.2/questions.yaml
new file mode 100644
index 000000000..5be1d23f5
--- /dev/null
+++ b/charts/neuvector/102.0.0+up2.4.2/questions.yaml
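Review bot: This `_helpers.tpl` is placed under `crds/`, a directory Helm reads only for CRD manifests (`.yaml`/`.yml`/`.json`) and does not pass through the template engine, so as far as I can tell the `neuvector.name`, `neuvector.fullname` and `neuvector.chart` defines in this hunk are never rendered and cannot be referenced by the CRD files next to them. If the intent is to share these helpers with the chart's templates, they belong in `templates/_helpers.tpl`; otherwise the file is dead weight that a reader will assume is live. If it has to stay for packaging reasons, a leading comment such as `{{/* NOTE: Helm does not template files under crds/; this file is kept only for <reason> */}}` with the real reason filled in would stop the next maintainer from editing it expecting an effect.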
@@ -0,0 +1,336 @@
+questions:
+#image configurations
+- variable: controller.image.repository
+ default: "neuvector/controller"
+ description: controller image repository
+ type: string
+ label: Controller Image Path
+ group: "Container Images"
+- variable: controller.image.tag
+ default: ""
+ description: image tag for controller
+ type: string
+ label: Controller Image Tag
+ group: "Container Images"
+- variable: manager.image.repository
+ default: "neuvector/manager"
+ description: manager image repository
+ type: string
+ label: Manager Image Path
+ group: "Container Images"
+- variable: manager.image.tag
+ default: ""
+ description: image tag for manager
+ type: string
+ label: Manager Image Tag
+ group: "Container Images"
+- variable: enforcer.image.repository
+ default: "neuvector/enforcer"
+ description: enforcer image repository
+ type: string
+ label: Enforcer Image Path
+ group: "Container Images"
+- variable: enforcer.image.tag
+ default: ""
+ description: image tag for enforcer
+ type: string
+ label: Enforcer Image Tag
+ group: "Container Images"
+- variable: cve.scanner.image.repository
+ default: "neuvector/scanner"
+ description: scanner image repository
+ type: string
+ label: Scanner Image Path
+ group: "Container Images"
+- variable: cve.scanner.image.tag
+ default: ""
+ description: image tag for scanner
+ type: string
+ label: Scanner Image Tag
+ group: "Container Images"
+- variable: cve.updater.image.repository
+ default: "neuvector/updater"
+ description: cve updater image repository
+ type: string
+ label: CVE Updater Image Path
+ group: "Container Images"
+- variable: cve.updater.image.tag
+ default: ""
+ description: image tag for updater
+ type: string
+ label: Updater Image Tag
+ group: "Container Images"
+#Container Runtime configurations
+- variable: docker.enabled
+ default: true
+ description: Docker runtime. 
Enable only one runtime
+ type: boolean
+ label: Docker Runtime
+ show_subquestion_if: true
+ group: "Container Runtime"
+ subquestions:
+ - variable: docker.path
+ default: "/var/run/docker.sock"
+ description: "Docker Runtime Path"
+ type: string
+ label: Runtime Path
+- variable: containerd.enabled
+ default: "false"
+ description: Containerd runtime. Enable only one runtime
+ type: boolean
+ label: Containerd Runtime
+ show_subquestion_if: true
+ group: "Container Runtime"
+ subquestions:
+ - variable: containerd.path
+ default: " /var/run/containerd/containerd.sock"
+ description: "Containerd Runtime Path"
+ type: string
+ label: Runtime Path
+- variable: crio.enabled
+ default: "false"
+ description: CRI-O runtime. Enable only one runtime
+ type: boolean
+ label: CRI-O Runtime
+ show_subquestion_if: true
+ group: "Container Runtime"
+ subquestions:
+ - variable: crio.path
+ default: "/var/run/crio/crio.sock"
+ description: "CRI-O Runtime Path"
+ type: string
+ label: Runtime Path
+- variable: k3s.enabled
+ default: "false"
+ description: k3s containerd runtime. 
Enable only one runtime
+ type: boolean
+ label: k3s Containerd Runtime
+ show_subquestion_if: true
+ group: "Container Runtime"
+ subquestions:
+ - variable: k3s.runtimePath
+ default: " /run/k3s/containerd/containerd.sock"
+ description: "k3s Containerd Runtime Path"
+ type: string
+ label: Runtime Path
+#storage configurations
+- variable: controller.pvc.enabled
+ default: false
+ description: If true, enable persistence for controller using PVC
+ type: boolean
+ label: PVC Status
+ group: "PVC Configuration"
+- variable: controller.pvc.storageClass
+ default: ""
+ description: Storage Class to be used
+ type: string
+ label: Storage Class Name
+ group: "PVC Configuration"
+#ingress configurations
+- variable: manager.ingress.enabled
+ default: false
+ description: If true, create ingress, must also set ingress host value
+ type: boolean
+ label: Manager Ingress Status
+ group: "Ingress Configuration"
+ show_subquestion_if: true
+ subquestions:
+ - variable: manager.ingress.host
+ default: ""
+ description: Must set this host value if ingress is enabled
+ type: string
+ label: Manager Ingress Host
+ group: "Ingress Configuration"
+ - variable: manager.ingress.path
+ default: "/"
+ description: Set ingress path
+ type: string
+ label: Manager Ingress Path
+ group: "Ingress Configuration"
+ - variable: manager.ingress.annotations
+ default: "{}"
+ description: Add annotations to ingress to influence behavior. 
Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation
+ type: string
+ label: Manager Ingress Annotations
+ group: "Ingress Configuration"
+- variable: controller.ingress.enabled
+ default: false
+ description: If true, create ingress for rest api, must also set ingress host value
+ type: boolean
+ label: Controller Ingress Status
+ group: "Ingress Configuration"
+ show_subquestion_if: true
+ subquestions:
+ - variable: controller.ingress.host
+ default: ""
+ description: Must set this host value if ingress is enabled
+ type: string
+ label: Controller Ingress Host
+ group: "Ingress Configuration"
+ - variable: controller.ingress.path
+ default: "/"
+ description: Set ingress path
+ type: string
+ label: Controller Ingress Path
+ group: "Ingress Configuration"
+ - variable: controller.ingress.annotations
+ default: "{}"
+ description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation
+ type: string
+ label: Controller Ingress Annotations
+ group: "Ingress Configuration"
+- variable: controller.federation.mastersvc.ingress.enabled
+ default: false
+ description: If true, create ingress for rest api, must also set ingress host value
+ type: boolean
+ label: Controller Federation Master Service Ingress Status
+ group: "Ingress Configuration"
+ show_subquestion_if: true
+ subquestions:
+ - variable: controller.federation.mastersvc.ingress.tls
+ default: false
+ description: If true, TLS is enabled for controller federation master ingress service
+ type: boolean
+ label: Controller Federation Master Service Ingress TLS Status
+ group: "Ingress Configuration"
+ - variable: controller.federation.mastersvc.ingress.host
+ default: ""
+ description: Must set this host value if ingress is enabled
+ type: string
+ label: Controller Federation Master Service Ingress Host
+ group: "Ingress Configuration"
+ - variable: 
controller.federation.mastersvc.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Federation Master Service Ingress Path + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.ingressClassName + default: "" + description: To be used instead of the ingress.class annotation if an IngressClass is provisioned + type: string + label: Controller Federation Master Service Ingress IngressClassName + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.secretName + default: "" + description: Name of the secret to be used for TLS-encryption + type: string + label: Controller Federation Master Service Ingress SecretName + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Federation Master Service Ingress Annotations + group: "Ingress Configuration" +- variable: controller.federation.managedsvc.ingress.enabled + default: false + description: If true, create ingress for rest api, must also set ingress host value + type: boolean + label: Controller Federation Managed Service Ingress Status + group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: controller.federation.managedsvc.ingress.tls + default: false + description: If true, TLS is enabled for controller federation managed ingress service + type: boolean + label: Controller Federation Managed Service Ingress TLS Status + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Controller Federation Managed Service Ingress Host + group: "Ingress Configuration" + - variable: 
controller.federation.managedsvc.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Federation Managed Service Ingress Path + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.ingressClassName + default: "" + description: To be used instead of the ingress.class annotation if an IngressClass is provisioned + type: string + label: Controller Federation Managed Service Ingress IngressClassName + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.secretName + default: "" + description: Name of the secret to be used for TLS-encryption + type: string + label: Controller Federation Managed Service Ingress SecretName + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Federation Managed Service Ingress Annotations + group: "Ingress Configuration" +#service configurations +- variable: manager.svc.type + default: "NodePort" + description: Set manager service type for native Kubernetes + type: enum + label: Manager Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +- variable: controller.federation.mastersvc.type + default: "" + description: Multi-cluster master cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP + type: enum + label: Fed Master Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +- variable: controller.federation.managedsvc.type + default: "" + description: Multi-cluster managed cluster service type. If specified, the deployment will be managed by the master clsuter. 
Possible values include NodePort, LoadBalancer and ClusterIP + type: enum + label: Fed Managed Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +- variable: controller.apisvc.type + default: "NodePort" + description: Controller REST API service type + type: enum + label: Controller REST API Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +#Security Settings +- variable: global.cattle.psp.enabled + default: "false" + description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false." + label: "Enable PodSecurityPolicies" + default: "false" + type: boolean + group: "Security Settings" +- variable: manager.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Manager runAsUser ID + group: "Security Settings" +- variable: cve.scanner.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Scanner runAsUser ID + group: "Security Settings" +- variable: cve.updater.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Updater runAsUser ID + group: "Security Settings" diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/NOTES.txt b/charts/neuvector/102.0.0+up2.4.2/templates/NOTES.txt new file mode 100644 index 000000000..e79b2cc21 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/NOTES.txt 
@@ -0,0 +1,20 @@
+{{- if and .Values.manager.enabled .Values.manager.ingress.enabled }}
+From outside the cluster, the NeuVector URL is:
+http://{{ .Values.manager.ingress.host }}
+{{- else if not .Values.openshift }}
+Get the NeuVector URL by running these commands:
+{{- if contains "NodePort" .Values.manager.svc.type }}
+ NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui)
+ NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo https://$NODE_IP:$NODE_PORT
+{{- else if contains "ClusterIP" .Values.manager.svc.type }}
+ CLUSTER_IP=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.clusterIP}" services neuvector-service-webui)
+ echo https://$CLUSTER_IP:8443
+{{- else if contains "LoadBalancer" .Values.manager.svc.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ Watch the status by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w neuvector-service-webui'
+
+ SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} neuvector-service-webui -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
+ echo https://$SERVICE_IP:8443
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/_helpers.tpl b/charts/neuvector/102.0.0+up2.4.2/templates/_helpers.tpl
new file mode 100644
index 000000000..5d21a1824
--- /dev/null
+++ b/charts/neuvector/102.0.0+up2.4.2/templates/_helpers.tpl
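Review bot: The ingress branch on the third line of the hunk prints `http://{{ .Values.manager.ingress.host }}` while every other branch prints an `https://` URL, so a user following the notes may be sent to a plaintext scheme the ingress does not serve, or be told the wrong one. Whether the manager ingress terminates TLS is decided by values not visible in this hunk, so either derive the scheme from that setting or print `https://{{ .Values.manager.ingress.host }}` and add one line stating when plain http applies. A short comment above the `if` block, such as `{{/* ingress branch: scheme depends on manager.ingress TLS settings -- keep in step with manager-ingress.yaml */}}`, would keep the two templates from drifting again.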
@@ -0,0 +1,40 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "neuvector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "neuvector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "neuvector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/admission-webhook-service.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/admission-webhook-service.yaml
new file mode 100644
index 000000000..8a0a76aaa
--- /dev/null
+++ b/charts/neuvector/102.0.0+up2.4.2/templates/admission-webhook-service.yaml
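Review bot: The `system_default_registry` define at the end of the hunk is the only helper without a `{{/* ... */}}` header, unlike the three defines above it, and its name does not carry the `neuvector.` prefix the others use. Add a header such as `{{/* Image name prefix: global.cattle.systemDefaultRegistry followed by "/", or an empty string when it is unset. */}}` above the define so readers of the deployment templates know what `{{ template "system_default_registry" . }}` expands to. The `{{- else -}}` / `{{- "" -}}` branch emits nothing and can be dropped, leaving just the `if`.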
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: neuvector-svc-admission-webhook
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ ports:
+ - port: 443
+ targetPort: 20443
+ protocol: TCP
+ name: admission-webhook
+ type: {{ .Values.admissionwebhook.type }}
+ selector:
+ app: neuvector-controller-pod
\ No newline at end of file
diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/clusterrole.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/clusterrole.yaml
new file mode 100644
index 000000000..cce7a8254
--- /dev/null
+++ b/charts/neuvector/102.0.0+up2.4.2/templates/clusterrole.yaml
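Review bot: This Service selects `app: neuvector-controller-pod`, but unlike the controller Deployment later in this diff it is not wrapped in `{{- if .Values.controller.enabled -}}`, so disabling the controller leaves a webhook Service with no endpoints behind. Wrapping the manifest in `{{- if .Values.controller.enabled -}}` ... `{{- end -}}` keeps the two templates in step. `type: {{ .Values.admissionwebhook.type }}` is rendered without any comment; the API server only needs in-cluster reachability for a webhook, so a line such as `# ClusterIP is sufficient for the API server; NodePort/LoadBalancer publish the webhook port outside the cluster` above `type:` would make the expected value clear to whoever edits the values file.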
@@ -0,0 +1,121 @@ +{{- if .Values.rbac -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - services + - namespaces + verbs: + - get + - list + - watch + - update + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +{{- if .Values.openshift }} +- apiGroups: + - image.openshift.io + resources: + - imagestreams + verbs: + - get + - list + - watch +{{- end }} +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + - clusterrolebindings + - clusterroles + verbs: + - get + - list + - watch + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - create + - update + - delete + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - config.openshift.io + resources: + - clusteroperators + verbs: + - get + - list +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/clusterrolebinding.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..70596a2b3 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/clusterrolebinding.yaml 
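Review bot: The `neuvector-binding-app` ClusterRole at the top of the hunk grants `update` on nodes, pods, services and namespaces cluster-wide, and nothing in the file says which of these the controller actually writes to; `update` on nodes and namespaces in particular lets the service account change labels, taints and schedulability on every node and namespace. Add a comment above the verbs naming the operations that need it, e.g. `# update: <what the controller modifies> -- TODO confirm against controller code`, and drop the verb from any resource that is only read. The `apiVersion` selection (`$oc3` / `semverCompare ">=1.8-0"` / `v1`) is copied verbatim three times here and four more times in clusterrolebinding.yaml; a named template in _helpers.tpl would keep that version logic in one place.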
@@ -0,0 +1,147 @@ +{{- if .Values.rbac -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-app +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-rbac +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-admission +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-view + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: view +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: neuvector-binding-co +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/controller-deployment.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/controller-deployment.yaml new file mode 100644 index 000000000..13ac96c20 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/controller-deployment.yaml 
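Review bot: The `neuvector-binding-view` binding grants the chart's service account the built-in `view` ClusterRole across the whole cluster, which reads most namespaced resources (ConfigMaps included, Secrets excluded) in every namespace on top of the scoped `neuvector-binding-*` roles, and the hunk does not say what that broad read access is for. A comment above that binding naming the resources that need it, such as `# view: <resources the controller/scanner reads cluster-wide> -- TODO confirm`, or a narrower custom role, would make the privilege reviewable. The OpenShift 3 branch also spells out `system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}` four times; assigning it once to a variable at the top of the file would avoid the copies drifting.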
@@ -0,0 +1,227 @@ +{{- if .Values.controller.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-controller-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- with .Values.controller.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + minReadySeconds: 60 + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} + selector: + matchLabels: + app: neuvector-controller-pod + template: + metadata: + labels: + app: neuvector-controller-pod + release: {{ .Release.Name }} + {{- with .Values.controller.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 8 }} + {{- end }} + {{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.controller.schedulerName }} + schedulerName: {{ .Values.controller.schedulerName }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} + {{- end }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + containers: + - name: neuvector-controller-pod + image: {{ template "system_default_registry" . 
}}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }} + securityContext: + privileged: true + resources: + {{- if .Values.controller.resources }} +{{ toYaml .Values.controller.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + readinessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 5 + periodSeconds: 5 + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: CLUSTER_ADVERTISED_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CLUSTER_BIND_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.ranchersso.enabled }} + - name: RANCHER_SSO + value: "1" + - name: RANCHER_EP + value: "{{ .Values.global.cattle.url }}" + {{- end }} + {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }} + - name: CTRL_PERSIST_CONFIG + value: "1" + {{- end }} + {{- with .Values.controller.env }} +{{- toYaml . 
| nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /var/neuvector + name: nv-share + readOnly: false + {{- if .Values.containerd.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.k3s.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.bottlerocket.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.crio.enabled }} + - mountPath: /var/run/crio/crio.sock + {{- else }} + - mountPath: /var/run/docker.sock + {{- end }} + name: runtime-sock + readOnly: true + - mountPath: /host/proc + name: proc-vol + readOnly: true + - mountPath: /host/cgroup + name: cgroup-vol + readOnly: true + - mountPath: /etc/config + name: config-volume + readOnly: true + {{- if .Values.controller.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.controller.certificate.keyFile }} + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.controller.certificate.pemFile }} + name: cert + readOnly: true + {{- end }} + {{- if .Values.controller.internal.certificate.secret }} + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.controller.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.controller.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.controller.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + terminationGracePeriodSeconds: 300 + restartPolicy: Always + volumes: + - name: nv-share + {{- if .Values.controller.pvc.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.controller.pvc.existingClaim | default "neuvector-data" }} + {{- else if .Values.controller.azureFileShare.enabled }} + azureFile: + secretName: {{ 
.Values.controller.azureFileShare.secretName }} + shareName: {{ .Values.controller.azureFileShare.shareName }} + readOnly: false + {{- else }} + hostPath: + path: /var/neuvector + {{- end }} + - name: runtime-sock + hostPath: + {{- if .Values.containerd.enabled }} + path: {{ .Values.containerd.path }} + {{- else if .Values.crio.enabled }} + path: {{ .Values.crio.path }} + {{- else if .Values.k3s.enabled }} + path: {{ .Values.k3s.runtimePath }} + {{- else if .Values.bottlerocket.enabled }} + path: {{ .Values.bottlerocket.runtimePath }} + {{- else }} + path: {{ .Values.docker.path }} + {{- end }} + - name: proc-vol + hostPath: + path: /proc + - name: cgroup-vol + hostPath: + path: /sys/fs/cgroup + - name: config-volume + projected: + sources: + - configMap: + name: neuvector-init + optional: true + - secret: + name: neuvector-init + optional: true + {{- if .Values.controller.certificate.secret }} + - name: cert + secret: + secretName: {{ .Values.controller.certificate.secret }} + {{- end }} + {{- if .Values.controller.internal.certificate.secret }} + - name: internal-cert + secret: + secretName: {{ .Values.controller.internal.certificate.secret }} + {{- end }} +{{- if gt (int .Values.controller.disruptionbudget) 0 }} +--- +{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: neuvector-controller-pdb + namespace: {{ .Release.Namespace }} +spec: + minAvailable: {{ .Values.controller.disruptionbudget }} + selector: + matchLabels: + app: neuvector-controller-pod +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/controller-ingress.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/controller-ingress.yaml new file mode 100644 index 000000000..b36fbbdc0 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/controller-ingress.yaml 
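Review bot: The controller container runs with `privileged: true` and mounts the host container-runtime socket, `/proc` and `/sys/fs/cgroup`, with no comment explaining which feature needs each; `readOnly: true` on the `runtime-sock` mount in particular gives no protection, because connecting to a unix socket is not a filesystem write and the socket remains fully usable. Add a comment above `securityContext` such as `# privileged + host runtime socket: required for <feature> -- TODO confirm; readOnly on the socket mount does not restrict use of the runtime API` so the privilege is reviewable rather than implicit. The k3s and bottlerocket branches of `volumeMounts` map their host sockets to the containerd path `/var/run/containerd/containerd.sock`, which is fine but worth a one-line comment saying the in-container path is fixed while the host path comes from `k3s.runtimePath` / `bottlerocket.runtimePath`.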
@@ -0,0 +1,219 @@ +{{- if .Values.controller.enabled }} +{{- if .Values.controller.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-restapi-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.ingress.ingressClassName }} + ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.controller.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.ingress.host }} +{{- if .Values.controller.ingress.secretName }} + secretName: {{ .Values.controller.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.ingress.host }} + http: + paths: + - path: {{ .Values.controller.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-svc-controller-api + port: + number: 10443 +{{- else }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-restapi-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.ingress.host }} +{{- if .Values.controller.ingress.secretName }} + secretName: {{ .Values.controller.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.ingress.host }} + http: + paths: + - path: {{ .Values.controller.ingress.path }} + backend: + serviceName: neuvector-svc-controller-api + servicePort: 10443 +{{- end }} +{{- end }} +{{- if .Values.controller.federation.mastersvc.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-mastersvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.mastersvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.federation.mastersvc.ingress.ingressClassName }} + ingressClassName: {{ .Values.controller.federation.mastersvc.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.controller.federation.mastersvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.mastersvc.ingress.host }} +{{- if .Values.controller.federation.mastersvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.mastersvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.mastersvc.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-svc-controller-fed-master + port: + number: 11443 +{{- else }} +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-mastersvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.mastersvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.federation.mastersvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.mastersvc.ingress.host }} +{{- if .Values.controller.federation.mastersvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.mastersvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.mastersvc.ingress.path }} + backend: + serviceName: neuvector-svc-controller-fed-master + servicePort: 11443 +{{- end }} +{{- end }} +{{- if .Values.controller.federation.managedsvc.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-managedsvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.managedsvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.federation.managedsvc.ingress.ingressClassName }} + ingressClassName: {{ .Values.controller.federation.managedsvc.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.controller.federation.managedsvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.managedsvc.ingress.host }} +{{- if .Values.controller.federation.managedsvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.managedsvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.managedsvc.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-svc-controller-fed-managed + port: + number: 10443 +{{- else }} +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-managedsvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.managedsvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.federation.managedsvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.managedsvc.ingress.host }} +{{- if .Values.controller.federation.managedsvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.managedsvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.managedsvc.ingress.path }} + backend: + serviceName: neuvector-svc-controller-fed-managed + servicePort: 10443 +{{- end }} +{{- end }} +{{- end -}} 
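Review bot: Every `host:` in the six Ingress variants is rendered as a bare `{{ .Values.controller.ingress.host }}` (or the `mastersvc` / `managedsvc` equivalent), so with the `""` default shown in the questions.yaml hunk earlier in this diff the template renders `host:` with no value instead of failing, and a rule without a host matches all inbound traffic. The questions text says the host must be set when the ingress is enabled; enforce that in the template with `- host: {{ required "controller.ingress.host must be set when controller.ingress.enabled is true" .Values.controller.ingress.host }}` and the same for the `tls.hosts` entries and the two federation ingresses. The `{{ end }}` after `ingressClassName` (three occurrences) lacks the `-` used by the surrounding blocks and leaves a stray blank line in the rendered output.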
diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/controller-route.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/controller-route.yaml
new file mode 100644
index 000000000..686a77ec4
--- /dev/null
+++ b/charts/neuvector/102.0.0+up2.4.2/templates/controller-route.yaml
@@ -0,0 +1,98 @@ +{{- if .Values.openshift -}} +{{- if .Values.controller.apisvc.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-api + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.apisvc.route.host }} + host: {{ .Values.controller.apisvc.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-svc-controller-api + port: + targetPort: controller-api + tls: + termination: {{ .Values.controller.apisvc.route.termination }} +{{- if or (eq .Values.controller.apisvc.route.termination "reencrypt") (eq .Values.controller.apisvc.route.termination "edge") }} +{{- with .Values.controller.apisvc.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} + +--- +{{ end -}} +{{- if .Values.controller.federation.mastersvc.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-fed-master + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.federation.mastersvc.route.host }} + host: {{ .Values.controller.federation.mastersvc.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-svc-controller-fed-master + port: + targetPort: fed + tls: + termination: {{ .Values.controller.federation.mastersvc.route.termination }} +{{- if or (eq .Values.controller.federation.mastersvc.route.termination "reencrypt") (eq .Values.controller.federation.mastersvc.route.termination "edge") }} +{{- with .Values.controller.federation.mastersvc.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +--- +{{ end -}} +{{- if .Values.controller.federation.managedsvc.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-fed-managed + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.federation.managedsvc.route.host }} + host: {{ .Values.controller.federation.managedsvc.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-svc-controller-fed-managed + port: + targetPort: fed + tls: + termination: {{ .Values.controller.federation.managedsvc.route.termination }} +{{- if or (eq .Values.controller.federation.managedsvc.route.termination "reencrypt") (eq .Values.controller.federation.managedsvc.route.termination "edge") }} +{{- with .Values.controller.federation.managedsvc.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{ end -}} +{{- end -}} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/controller-service.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/controller-service.yaml new file mode 100644 index 000000000..d4040a78a --- /dev/null 
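Review bot: For `edge` and `reencrypt` termination the whole `.Values.controller.apisvc.route.tls` map is rendered verbatim into the Route with `toYaml`, and the two federation Routes below it do the same with their own `route.tls` maps. If those maps carry the Route's `key`, `certificate` or `caCertificate` fields, the private key sits in plain text in the values file and in the Helm release record; a comment above each `with` block such as `# rendered as-is into spec.tls -- keep key material out of committed values files` would make that visible to operators. The file also alternates between `{{ end -}}` and `{{- end }}` for the same closing role, which is worth normalising.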
+++ b/charts/neuvector/102.0.0+up2.4.2/templates/controller-service.yaml 
@@ -0,0 +1,97 @@ +{{- if .Values.controller.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + clusterIP: None + ports: + - port: 18300 + protocol: "TCP" + name: "cluster-tcp-18300" + - port: 18301 + protocol: "TCP" + name: "cluster-tcp-18301" + - port: 18301 + protocol: "UDP" + name: "cluster-udp-18301" + selector: + app: neuvector-controller-pod +{{- if .Values.controller.apisvc.type }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller-api + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.apisvc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.controller.apisvc.type }} + ports: + - port: 10443 + protocol: "TCP" + name: "controller-api" + selector: + app: neuvector-controller-pod +{{ end -}} +{{- if .Values.controller.federation.mastersvc.type }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller-fed-master + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.mastersvc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.controller.federation.mastersvc.type }} + ports: + - port: 11443 + name: fed + protocol: TCP + selector: + app: neuvector-controller-pod +{{ end -}} +{{- if .Values.controller.federation.managedsvc.type }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller-fed-managed + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.managedsvc.annotations }} + annotations: +{{ toYaml . 
| indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.controller.federation.managedsvc.type }} + ports: + - port: 10443 + name: fed + protocol: TCP + selector: + app: neuvector-controller-pod +{{ end -}} +{{- end -}} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/enforcer-daemonset.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/enforcer-daemonset.yaml new file mode 100644 index 000000000..688eeb68c --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/enforcer-daemonset.yaml 
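Review bot: The port entries in this file mix quoting styles — the headless service writes `protocol: "TCP"` and `name: "cluster-tcp-18300"`, while the fed-master and fed-managed services below write `protocol: TCP` and `name: fed` unquoted; both parse identically, so pick one form file-wide, e.g. `protocol: TCP` and unquoted names as in manager-service. The closing actions are likewise inconsistent (`{{ end -}}` after the api and fed blocks, `{{- end -}}` at the file end), which changes the blank lines between rendered documents without changing their content. The same `protocol: TCP` form is already used in manager-service and controller-route, so aligning this file with them is the smaller diff.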
@@ -0,0 +1,136 @@ +{{- if .Values.enforcer.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: DaemonSet +metadata: + name: neuvector-enforcer-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + updateStrategy: {{- toYaml .Values.enforcer.updateStrategy | nindent 4 }} + selector: + matchLabels: + app: neuvector-enforcer-pod + template: + metadata: + labels: + app: neuvector-enforcer-pod + release: {{ .Release.Name }} + {{- with .Values.enforcer.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.enforcer.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.enforcer.tolerations }} + tolerations: +{{ toYaml .Values.enforcer.tolerations | indent 8 }} + {{- end }} + hostPID: true + {{- if .Values.enforcer.priorityClassName }} + priorityClassName: {{ .Values.enforcer.priorityClassName }} + {{- end }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + containers: + - name: neuvector-enforcer-pod + image: {{ template "system_default_registry" . 
}}{{ .Values.enforcer.image.repository }}:{{ .Values.enforcer.image.tag }} + securityContext: + privileged: true + resources: + {{- if .Values.enforcer.resources }} +{{ toYaml .Values.enforcer.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: CLUSTER_ADVERTISED_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CLUSTER_BIND_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + volumeMounts: + {{- if .Values.containerd.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.k3s.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.bottlerocket.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.crio.enabled }} + - mountPath: /var/run/crio/crio.sock + {{- else }} + - mountPath: /var/run/docker.sock + {{- end }} + name: runtime-sock + readOnly: true + - mountPath: /host/proc + name: proc-vol + readOnly: true + - mountPath: /host/cgroup + name: cgroup-vol + readOnly: true + - mountPath: /lib/modules + name: modules-vol + readOnly: true + {{- if .Values.enforcer.internal.certificate.secret }} + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.enforcer.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.enforcer.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.enforcer.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + terminationGracePeriodSeconds: 1200 + restartPolicy: Always + volumes: + - name: runtime-sock + hostPath: + {{- if .Values.containerd.enabled }} + path: {{ .Values.containerd.path }} + {{- else if .Values.crio.enabled }} + path: {{ .Values.crio.path }} + 
{{- else if .Values.k3s.enabled }} + path: {{ .Values.k3s.runtimePath }} + {{- else if .Values.bottlerocket.enabled }} + path: {{ .Values.bottlerocket.runtimePath }} + {{- else }} + path: {{ .Values.docker.path }} + {{- end }} + - name: proc-vol + hostPath: + path: /proc + - name: cgroup-vol + hostPath: + path: /sys/fs/cgroup + - name: modules-vol + hostPath: + path: /lib/modules + {{- if .Values.enforcer.internal.certificate.secret }} + - name: internal-cert + secret: + secretName: {{ .Values.enforcer.internal.certificate.secret }} + {{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/init-configmap.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/init-configmap.yaml new file mode 100644 index 000000000..4d3b97129 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/init-configmap.yaml @@ -0,0 +1,13 @@ +{{- if .Values.controller.configmap.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: neuvector-init + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ toYaml .Values.controller.configmap.data | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/init-secret.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/init-secret.yaml new file mode 100644 index 000000000..8a5081408 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/init-secret.yaml @@ -0,0 +1,15 @@ +{{- if .Values.controller.secret.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-init + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{- range $key, $val := .Values.controller.secret.data }} + {{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }} +{{- end }} +{{- end }} 
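Review bot: The two runtime-socket branch chains in the enforcer DaemonSet are ordered differently, so their selections can disagree: `volumeMounts` tests containerd, then k3s, then bottlerocket, then crio, while `volumes` tests containerd, then crio, then k3s, then bottlerocket. With both `k3s.enabled` and `crio.enabled` set, the container mounts `/var/run/containerd/containerd.sock` but the hostPath resolves to `{{ .Values.crio.path }}`. Reorder the `volumes` chain to match the mount chain (containerd, k3s, bottlerocket, crio, else docker) or, better, compute the pair once near the top with a pair of `{{- $sockPath := ... }}` variables and reference them in both places. Separately, `serviceAccount: {{ .Values.serviceAccount }}` duplicates `serviceAccountName` through the deprecated PodSpec alias; the same duplicate appears in the manager-deployment, scanner-deployment and updater-cronjob hunks and can be dropped in all four.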
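Review bot: In the Secret template the line `{{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }}` emits each value as a literal block scalar, so the base64 string carries a trailing newline into `data`; in practice the API server's base64 decoder tolerates that, but it depends on decoder leniency rather than on valid content. Writing the value as a plain quoted scalar avoids the block indicator entirely: `{{ $key }}: {{ toYaml $val | b64enc | quote }}`. If the block form is kept for readability, `|-` (strip) is the indicator that matches the intent.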
diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/manager-deployment.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/manager-deployment.yaml new file mode 100644 index 000000000..f2be290b2 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/manager-deployment.yaml 
@@ -0,0 +1,92 @@ +{{- if .Values.manager.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-manager-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: neuvector-manager-pod + template: + metadata: + labels: + app: neuvector-manager-pod + release: {{ .Release.Name }} + {{- with .Values.manager.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.manager.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.manager.affinity }} + affinity: +{{ toYaml .Values.manager.affinity | indent 8 }} + {{- end }} + {{- if .Values.manager.tolerations }} + tolerations: +{{ toYaml .Values.manager.tolerations | indent 8 }} + {{- end }} + {{- if .Values.manager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.manager.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.manager.priorityClassName }} + priorityClassName: {{ .Values.manager.priorityClassName }} + {{- end }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- if .Values.manager.runAsUser }} + securityContext: + runAsUser: {{ .Values.manager.runAsUser }} + {{- end }} + containers: + - name: neuvector-manager-pod + image: {{ template "system_default_registry" . 
}}{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }} + env: + - name: CTRL_SERVER_IP + value: neuvector-svc-controller.{{ .Release.Namespace }} + {{- if not .Values.manager.env.ssl }} + - name: MANAGER_SSL + value: "off" + {{- end }} + volumeMounts: + {{- if .Values.manager.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.manager.certificate.keyFile }} + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.manager.certificate.pemFile }} + name: cert + readOnly: true + {{- end }} + resources: + {{- if .Values.manager.resources }} +{{ toYaml .Values.manager.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + restartPolicy: Always + volumes: + {{- if .Values.manager.certificate.secret }} + - name: cert + secret: + secretName: {{ .Values.manager.certificate.secret }} + {{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/manager-ingress.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/manager-ingress.yaml new file mode 100644 index 000000000..d6e2e3350 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/manager-ingress.yaml 
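Review bot: The manager container carries no container-level `securityContext`; the only hardening is an optional pod-level `runAsUser`, although nothing in this template asks for host access or privilege. Under the container, after `image:`, I would add `securityContext:` with `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, to be confirmed against the manager image before enabling; the scanner-deployment and updater-cronjob hunks have the same gap. The `MANAGER_SSL: "off"` branch appears to make the web UI serve plaintext on the port the Service still labels 8443, so the `manager.env.ssl` key in values.yaml deserves a comment stating that, since the Ingress/Route templates do not adjust for it.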
@@ -0,0 +1,71 @@ +{{- if and .Values.manager.enabled .Values.manager.ingress.enabled -}} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-webui-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.manager.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.manager.ingress.ingressClassName }} + ingressClassName: {{ .Values.manager.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.manager.ingress.tls }} + tls: + - hosts: + - {{ .Values.manager.ingress.host }} +{{- if .Values.manager.ingress.secretName }} + secretName: {{ .Values.manager.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.manager.ingress.host }} + http: + paths: + - path: {{ .Values.manager.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-service-webui + port: + number: 8443 +{{- else }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-webui-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.manager.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.manager.ingress.tls }} + tls: + - hosts: + - {{ .Values.manager.ingress.host }} +{{- if .Values.manager.ingress.secretName }} + secretName: {{ .Values.manager.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.manager.ingress.host }} + http: + paths: + - path: {{ .Values.manager.ingress.path }} + backend: + serviceName: neuvector-service-webui + servicePort: 8443 +{{- end }} +{{- end -}} \ No newline at end of file 
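Review bot: `- {{ .Values.manager.ingress.host }}` and `- host: {{ .Values.manager.ingress.host }}` render the host unquoted, so an unset value produces a null list entry and `host: null` rather than a clear template error; rendering it as `{{ .Values.manager.ingress.host | quote }}` (or `{{ required "manager.ingress.host is required" .Values.manager.ingress.host }}`) makes the failure explicit. The same unquoted `host:` is in manager-route (`host: {{ .Values.manager.route.host }}`), though there it is guarded by an `if` and only needs the quote. When `manager.ingress.tls` is true but `secretName` is empty the Ingress still gets a `tls` stanza with no secret, which most controllers serve with their default certificate; a comment on `tls` in values.yaml noting that `secretName` is expected alongside it would save operators a surprise. `{{ end }}` after `ingressClassName` lacks the left trim used everywhere else in the file and only inserts a blank line, so `{{- end }}` is the consistent form.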
diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/manager-route.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/manager-route.yaml new file mode 100644 index 000000000..784a4ae23 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/manager-route.yaml @@ -0,0 +1,33 @@ +{{- if .Values.openshift -}} +{{- if .Values.manager.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-webui + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.manager.route.host }} + host: {{ .Values.manager.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-service-webui + port: + targetPort: manager + tls: + termination: {{ .Values.manager.route.termination }} +{{- if or (eq .Values.manager.route.termination "reencrypt") (eq .Values.manager.route.termination "edge") }} +{{- with .Values.manager.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/manager-service.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/manager-service.yaml new file mode 100644 index 000000000..e18e55c35 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/manager-service.yaml 
@@ -0,0 +1,26 @@ +{{- if .Values.manager.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: neuvector-service-webui + namespace: {{ .Release.Namespace }} +{{- with .Values.manager.svc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.manager.svc.type }} +{{- if and .Values.manager.svc.loadBalancerIP (eq .Values.manager.svc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.manager.svc.loadBalancerIP }} +{{- end }} + ports: + - port: 8443 + name: manager + protocol: TCP + selector: + app: neuvector-manager-pod +{{- end }} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/psp.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/psp.yaml new file mode 100644 index 000000000..801d7d48a --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/psp.yaml 
@@ -0,0 +1,77 @@ +{{- if .Values.global.cattle.psp.enabled -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: neuvector-binding-psp + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + labels: + chart: {{ template "neuvector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + privileged: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: true + allowedCapabilities: + - SYS_ADMIN + - NET_ADMIN + - SYS_PTRACE + - IPC_LOCK + requiredDropCapabilities: + - ALL + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: neuvector-binding-psp + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - policy + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - neuvector-binding-psp +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: neuvector-binding-psp + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: neuvector-binding-psp +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/pvc.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/pvc.yaml new file mode 100644 index 000000000..3821d0485 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/pvc.yaml 
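Review bot: The PodSecurityPolicy grants more than the visible workloads request: `hostNetwork: true`, `hostIPC: true`, `hostPorts` 0–65535, `volumes: ['*']` and `allowedProfileNames: '*'`, whereas the enforcer DaemonSet in this commit uses only `hostPID`, `privileged`, hostPath and secret volumes, and the manager, scanner and updater pods request none of these. Unless the controller deployment (outside this view) needs them, `hostNetwork`, `hostIPC` and `hostPorts` can be dropped and `volumes` narrowed to the types the templates actually mount. Because the Role binds this PSP to the single `{{ .Values.serviceAccount }}` that every component runs under, the manager, scanner and updater are also allowed to run privileged; a comment on the RoleBinding stating that the PSP is shared by all components would at least make that visible to reviewers. With `privileged: true` already granting every capability, the `requiredDropCapabilities: [ALL]` / `allowedCapabilities` pair is documentary rather than restrictive and is worth a comment saying so.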
@@ -0,0 +1,27 @@ +{{- if not .Values.controller.pvc.existingClaim -}} +{{- if and .Values.controller.enabled .Values.controller.pvc.enabled -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: neuvector-data + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + accessModes: +{{ toYaml .Values.controller.pvc.accessModes | indent 4 }} + volumeMode: Filesystem +{{- if .Values.controller.pvc.storageClass }} + storageClassName: {{ .Values.controller.pvc.storageClass }} +{{- end }} + resources: + requests: +{{- if .Values.controller.pvc.capacity }} + storage: {{ .Values.controller.pvc.capacity }} +{{- else }} + storage: 1Gi +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/rolebinding.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/rolebinding.yaml new file mode 100644 index 000000000..6e6af5b6a --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/rolebinding.yaml 
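Review bot: The fallback size `storage: 1Gi` lives in the template's `{{- else }}` branch, so an operator reading values.yaml (where `capacity:` is empty) cannot see the default. Move it to values as `capacity: 1Gi` with a comment, or keep the values key empty and render `storage: {{ .Values.controller.pvc.capacity | default "1Gi" }}`, which removes the `if`/`else` pair. Either way the template and values agree on a single place where the default is defined.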
@@ -0,0 +1,56 @@ +{{- if .Values.rbac -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-admin + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: admin +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:privileged + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:privileged +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/scanner-deployment.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/scanner-deployment.yaml new file mode 100644 index 000000000..7ad5f9711 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/scanner-deployment.yaml 
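Review bot: The RoleBinding grants the built-in `admin` ClusterRole, in the release namespace, to `{{ .Values.serviceAccount }}`, and that one service account is also mounted into the manager, scanner, updater and enforcer pods created elsewhere in this commit. The only API call visible in this commit is the updater's PATCH on `deployments/neuvector-scanner-pod`, which needs `patch` on `deployments` in `apps` and nothing more; the controller's needs are outside this view and presumably justify more. A dedicated Role for the updater plus a separate service account for the components that do not talk to the API would keep namespace-admin off pods that never use it; at minimum, a comment above `name: admin` stating which component requires it would document the decision. The bare `---` followed by a blank line renders an empty document when `$oc4` is false, which is harmless but can be avoided by moving the separator inside the `{{- if $oc4 }}` block.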
@@ -0,0 +1,94 @@ +{{- if .Values.cve.scanner.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-scanner-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + strategy: +{{ toYaml .Values.cve.scanner.strategy | indent 4 }} + replicas: {{ .Values.cve.scanner.replicas }} + selector: + matchLabels: + app: neuvector-scanner-pod + template: + metadata: + labels: + app: neuvector-scanner-pod + {{- with .Values.cve.scanner.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cve.scanner.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.cve.scanner.affinity }} + affinity: +{{ toYaml .Values.cve.scanner.affinity | indent 8 }} + {{- end }} + {{- if .Values.cve.scanner.tolerations }} + tolerations: +{{ toYaml .Values.cve.scanner.tolerations | indent 8 }} + {{- end }} + {{- if .Values.cve.scanner.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.scanner.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.scanner.priorityClassName }} + priorityClassName: {{ .Values.cve.scanner.priorityClassName }} + {{- end }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- if .Values.cve.scanner.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.scanner.runAsUser }} + {{- end }} + containers: + - name: neuvector-scanner-pod + image: {{ template "system_default_registry" . 
}}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }} + imagePullPolicy: Always + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + {{- if .Values.cve.scanner.dockerPath }} + - name: SCANNER_DOCKER_URL + value: {{ .Values.cve.scanner.dockerPath }} + {{- end }} + resources: +{{ toYaml .Values.cve.scanner.resources | indent 12 }} + {{- if .Values.cve.scanner.internal.certificate.secret }} + volumeMounts: + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.cve.scanner.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.cve.scanner.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.cve.scanner.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + restartPolicy: Always + {{- if .Values.cve.scanner.internal.certificate.secret }} + volumes: + - name: internal-cert + secret: + secretName: {{ .Values.cve.scanner.internal.certificate.secret }} + {{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/serviceaccount.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/serviceaccount.yaml new file mode 100644 index 000000000..47da190a5 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if not .Values.openshift}} +{{- if ne .Values.serviceAccount "default"}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- end }} +{{- end }} 
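Review bot: `resources:` in the scanner container renders `{{ toYaml .Values.cve.scanner.resources | indent 12 }}` with no fallback, so an empty `cve.scanner.resources` produces `resources: null`, whereas the manager and enforcer templates in this commit fall back to `.Values.resources`. Making the scanner consistent is the same three-line pattern: `{{- if .Values.cve.scanner.resources }}` / `{{ toYaml .Values.cve.scanner.resources | indent 12 }}` / `{{- else }}{{ toYaml .Values.resources | indent 12 }}{{- end }}`. `imagePullPolicy: Always` is hard-coded here and in the updater while the manager and enforcer leave it unset; if the intent is to always refresh the scanner image, a comment on the line saying so would stop the next reader from normalising it away.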
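Review bot: The two guards in serviceaccount.yaml omit the space before the closing delimiter — `{{- if not .Values.openshift}}` and `{{- if ne .Values.serviceAccount "default"}}` — unlike every other action in this commit; `{{- if not .Values.openshift }}` and `{{- if ne .Values.serviceAccount "default" }}` match the rest. A short comment above the outer guard explaining why the account is not created on OpenShift (the rolebinding template suggests OpenShift-specific bindings are used instead, but this file does not say) would help the next maintainer.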
diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/updater-cronjob.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/updater-cronjob.yaml new file mode 100644 index 000000000..b8ad252e6 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/updater-cronjob.yaml 
@@ -0,0 +1,74 @@ +{{- if .Values.cve.updater.enabled -}} +{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1beta1 +{{- else }} +apiVersion: batch/v2alpha1 +{{- end }} +kind: CronJob +metadata: + name: neuvector-updater-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + schedule: {{ .Values.cve.updater.schedule | quote }} + jobTemplate: + spec: + template: + metadata: + labels: + app: neuvector-updater-pod + release: {{ .Release.Name }} + {{- with .Values.cve.updater.podLabels }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cve.updater.podAnnotations }} + annotations: + {{- toYaml . | nindent 12 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.updater.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.updater.nodeSelector | indent 12 }} + {{- end }} + {{- if .Values.cve.updater.priorityClassName }} + priorityClassName: {{ .Values.cve.updater.priorityClassName }} + {{- end }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- if .Values.cve.updater.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.updater.runAsUser }} + {{- end }} + containers: + - name: neuvector-updater-pod + image: {{ template "system_default_registry" . 
}}{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }} + imagePullPolicy: Always + command: + - /bin/sh + - -c + - sleep 30 + {{- if .Values.cve.scanner.enabled }} + command: + - /bin/sh + - -c + {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + {{- if .Values.cve.updater.secure }} + - /usr/bin/curl -v -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- else }} + - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- end }} + {{- else }} + - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/extensions/v1beta1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- end }} + {{- end }} + restartPolicy: Never +{{- end }} diff --git a/charts/neuvector/102.0.0+up2.4.2/templates/validate-psp-install.yaml b/charts/neuvector/102.0.0+up2.4.2/templates/validate-psp-install.yaml new file mode 100644 index 000000000..da62c4d18 --- /dev/null +++ b/charts/neuvector/102.0.0+up2.4.2/templates/validate-psp-install.yaml 
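Review bot: The updater container defines `command:` twice in the same mapping — once as `sleep 30`, then again inside `{{- if .Values.cve.scanner.enabled }}` — so the rendered manifest relies on the YAML parser taking the last duplicate key, which the spec forbids and stricter loaders reject. Every curl variant also passes `-v`, which echoes the request headers, including `Authorization: Bearer <service-account token>`, to stderr and therefore into the pod log; `-sS` keeps error output without the header dump. The `secure` branch drops `-k` but supplies no CA, so it trusts whatever the image's system store holds; pointing it at the projected `ca.crt` is what the API server's certificate is actually signed by. The rewrite below folds the two `command:` keys into one with `sleep 30` as the else branch; the pre-1.9 branch is unchanged apart from the flags.
```yaml
          # … unchanged: name, image, imagePullPolicy …
          command:
          - /bin/sh
          - -c
          {{- if .Values.cve.scanner.enabled }}
          {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
          {{- if .Values.cve.updater.secure }}
          - /usr/bin/curl -sS -X PATCH --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
          {{- else }}
          - /usr/bin/curl -sS -k -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
          {{- end }}
          {{- else }}
          - /usr/bin/curl -sS -k -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/extensions/v1beta1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
          {{- end }}
          {{- else }}
          - sleep 30
          {{- end }}
          # … unchanged: restartPolicy …
```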
@@ -0,0 +1,7 @@
+{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+{{- if .Values.global.cattle.psp.enabled }}
+{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.0+up2.4.2/values.yaml b/charts/neuvector/102.0.0+up2.4.2/values.yaml
new file mode 100644
index 000000000..c0194b8ab
--- /dev/null
+++ b/charts/neuvector/102.0.0+up2.4.2/values.yaml
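Review bot: The outer guard `{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}` silently disables the whole check whenever `lookup` returns nothing, which is what happens under `helm template` and `--dry-run` where no cluster is queried, and also when the installing identity cannot list ClusterRoles. That is presumably intentional (avoid failing offline renders), but nothing in the file says so; a comment above the guard such as `# lookup returns an empty map during helm template / --dry-run, so the PSP API check only runs against a live cluster` would record it. The `.Capabilities.APIVersions.Has` call on the next line is the real test and reads correctly.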
@@ -0,0 +1,404 @@ +# Default values for neuvector. +# This is a YAML-formatted file. +# Declare variables to be passed into the templates. + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false # PSP enablement should default to false + +openshift: false + +registry: docker.io +oem: +rbac: true +serviceAccount: neuvector + +controller: + # If false, controller will not be installed + enabled: true + annotations: {} + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + image: + repository: rancher/mirrored-neuvector-controller + tag: 5.1.1 + hash: + replicas: 3 + disruptionbudget: 0 + schedulerName: + priorityClassName: + podLabels: {} + podAnnotations: {} + env: [] + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - neuvector-controller-pod + topologyKey: "kubernetes.io/hostname" + tolerations: [] + nodeSelector: {} + # key1: value1 + # key2: value2 + apisvc: + type: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ranchersso: + enabled: true + pvc: + enabled: false + existingClaim: false + accessModes: + - ReadWriteMany + storageClass: + capacity: + azureFileShare: + enabled: false + secretName: + shareName: + certificate: + secret: + keyFile: tls.key + pemFile: tls.pem + internal: # this is used for internal communication. 
Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector" + certificate: + secret: + keyFile: cert.key + pemFile: cert.pem + caFile: ca.cert # must be the same CA for all internal. + federation: + mastersvc: + type: + # Federation Master Ingress + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + managedsvc: + type: + # Federation Managed Ingress + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN 
PRIVATE KEY----- + # -----END PRIVATE KEY----- + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + resources: {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + configmap: + enabled: false + data: + # eulainitcfg.yaml: | + # ... + # ldapinitcfg.yaml: | + # ... + # oidcinitcfg.yaml: | + # ... + # samlinitcfg.yaml: | + # ... + # sysinitcfg.yaml: | + # ... + # userinitcfg.yaml: | + # ... + secret: + # NOTE: files defined here have preferrence over the ones defined in the configmap section + enabled: false + data: {} + # eulainitcfg.yaml: + # license_key: 0Bca63Iy2FiXGqjk... + # ... + # ldapinitcfg.yaml: + # directory: OpenLDAP + # ... + # oidcinitcfg.yaml: + # Issuer: https://... + # ... + # samlinitcfg.yaml: + # ... + # sysinitcfg.yaml: + # ... + # userinitcfg.yaml: + # ... + +enforcer: + # If false, enforcer will not be installed + enabled: true + image: + repository: rancher/mirrored-neuvector-enforcer + tag: 5.1.1 + hash: + updateStrategy: + type: RollingUpdate + priorityClassName: + podLabels: {} + podAnnotations: {} + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + resources: {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector" + certificate: + secret: + keyFile: cert.key + pemFile: cert.pem + caFile: ca.cert # must be the same CA for all internal. 
+ +manager: + # If false, manager will not be installed + enabled: true + image: + repository: rancher/mirrored-neuvector-manager + tag: 5.1.1 + hash: + priorityClassName: + env: + ssl: true + svc: + type: NodePort + loadBalancerIP: + annotations: {} + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # OpenShift Route configuration + # Make sure manager env ssl is false for edge termination + route: + enabled: true + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + certificate: + secret: + keyFile: tls.key + pemFile: tls.pem + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # kubernetes.io/ingress.class: my-nginx + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1" + # nginx.ingress.kubernetes.io/rewrite-target: / + # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" + # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert + tls: false + secretName: # my-tls-secret + resources: {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + affinity: {} + podLabels: {} + podAnnotations: {} + tolerations: [] + nodeSelector: {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + +cve: + updater: + # If false, cve updater will not be installed + enabled: true + secure: false + image: + repository: rancher/mirrored-neuvector-updater + tag: latest + hash: + schedule: "0 0 * * *" + priorityClassName: + 
podLabels: {} + podAnnotations: {} + nodeSelector: {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + scanner: + enabled: true + replicas: 3 + dockerPath: "" + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + image: + repository: rancher/mirrored-neuvector-scanner + tag: latest + hash: + priorityClassName: + resources: {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + affinity: {} + podLabels: {} + podAnnotations: {} + tolerations: [] + nodeSelector: {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector" + certificate: + secret: + keyFile: cert.key + pemFile: cert.pem + caFile: ca.cert # must be the same CA for all internal. + +docker: + path: /var/run/docker.sock + +resources: {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + +k3s: + enabled: false + runtimePath: /run/k3s/containerd/containerd.sock + +bottlerocket: + enabled: false + runtimePath: /run/dockershim.sock + +containerd: + enabled: false + path: /var/run/containerd/containerd.sock + +crio: + enabled: false + path: /var/run/crio/crio.sock + +admissionwebhook: + type: ClusterIP + +crdwebhook: + enabled: true + type: ClusterIP diff --git a/index.yaml b/index.yaml index 9c077dfff..cbcf96e75 100755 --- a/index.yaml +++ b/index.yaml 
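Review bot: `cve.updater.secure` defaults to `false`, and in updater-cronjob.yaml that default selects the `curl -kv` branch, so out of the box the updater PATCHes `https://kubernetes.default` with its service-account bearer token while skipping server certificate verification. The API server CA is projected into the same pod alongside the token the command already reads, so `secure: true` should be the default — provided the image trusts that CA, which is worth confirming since the secure branch passes no `--cacert` — and at minimum the key needs the comment `secure: false  # false runs the updater's API call with curl -k (no TLS verification of the API server)`. The `-v` in the same command also echoes the outgoing `Authorization` header into the job's log, which is a separate thing to drop. Separately, `cve.updater.image.tag` and `cve.scanner.image.tag` default to `latest` while every other image in this file is pinned to `5.1.1`, so those pods are not reproducible and a registry-side change reaches clusters on the next pull; pin them or document why they are meant to float.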
@@ -2773,6 +2773,37 @@ entries: - assets/longhorn-crd/longhorn-crd-1.0.200.tgz version: 1.0.200 neuvector: + - annotations: + catalog.cattle.io/auto-install: neuvector-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.27.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permit-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 2.4.2 + apiVersion: v1 + appVersion: 5.1.1 + created: "2023-02-08T12:13:59.783630448-08:00" + description: Helm feature chart for NeuVector's core services + digest: ca252872bbc0d42dfdcbfdfddf3b495432cf604fd9e27e765b3d0d2f87b8f764 + home: https://neuvector.com + icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 + keywords: + - security + maintainers: + - email: support@neuvector.com + name: becitsthere + name: neuvector + sources: + - https://github.com/neuvector/neuvector + urls: + - assets/neuvector/neuvector-102.0.0+up2.4.2.tgz + version: 102.0.0+up2.4.2 - annotations: catalog.cattle.io/auto-install: neuvector-crd=match catalog.cattle.io/certified: rancher 
@@ -2934,6 +2965,26 @@ entries: - assets/neuvector/neuvector-100.0.0+up2.2.0.tgz version: 100.0.0+up2.2.0 neuvector-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/release-name: neuvector-crd + apiVersion: v1 + appVersion: 5.1.1 + created: "2023-02-08T12:13:59.787272266-08:00" + description: Helm chart for NeuVector's CRD services + digest: 4cce7d3b01cf5ed6081cab869e17f7d45fe2bc73ed71c003f2eac7891115d61b + home: https://neuvector.com + icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 + maintainers: + - email: support@neuvector.com + name: becitsthere + name: neuvector-crd + type: application + urls: + - assets/neuvector-crd/neuvector-crd-102.0.0+up2.4.2.tgz + version: 102.0.0+up2.4.2 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" From 25d143de841aae1941aac1ea845d68b2567c09a2 Mon Sep 17 00:00:00 2001 From: selvamt94 Date: Thu, 9 Feb 2023 10:10:21 -0800 Subject: [PATCH 5/5] removed unreleased version from release.yaml --- release.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/release.yaml b/release.yaml index 3f89ecce0..7ab6daf63 100644 --- a/release.yaml +++ b/release.yaml @@ -9,10 +9,8 @@ fleet-agent: fleet-crd: - 101.1.0+up0.6.0-rc.2 neuvector: -- 101.0.2+up2.4.0 - 102.0.0+up2.4.2 neuvector-crd: -- 101.0.2+up2.4.0 - 102.0.0+up2.4.2 prometheus-federator: - 1.1.0+up0.2.0-rc1