diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-clusterrole.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-clusterrole.yaml
index 9357a0a33..717a03dce 100644
--- a/packages/neuvector/generated-changes/exclude/templates/csp-clusterrole.yaml
+++ b/packages/neuvector/generated-changes/exclude/templates/csp-clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.awsbilling.enabled }}
+{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-clusterrolebinding.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-clusterrolebinding.yaml
index b2e22ca66..fa2f62273 100644
--- a/packages/neuvector/generated-changes/exclude/templates/csp-clusterrolebinding.yaml
+++ b/packages/neuvector/generated-changes/exclude/templates/csp-clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.awsbilling.enabled }}
+{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
@@ -21,7 +21,12 @@ roleRef:
name: neuvector-csp-adapter-cluster-role
subjects:
- kind: ServiceAccount
- name: {{ .Values.awsbilling.serviceAccount }}
+ {{- if .Values.global.aws.enabled }}
+ name: {{ .Values.global.aws.serviceAccount }}
+ {{- end }}
+ {{- if .Values.global.azure.enabled }}
+ name: {{ .Values.global.azure.serviceAccount }}
+ {{- end }}
namespace: {{ .Release.Namespace }}
---
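Review bot: When both `global.aws.enabled` and `global.azure.enabled` are true, the two independent `if` blocks at the subject (the `name:` lines under `- kind: ServiceAccount`) each emit a `name:` key, so the rendered subject has a duplicate mapping key and most YAML parsers silently keep the last one (the Azure account) — the AWS account is never bound, with no error. The same shape recurs in csp-rolebinding.yaml and csp-serviceaccount.yaml, and csp-deployment.yaml does it with `imagePullSecrets:` when both providers set a pull secret. Making the branches mutually exclusive fixes it in place: drop the first `{{- end }}` and turn the second guard into `{{- else if .Values.global.azure.enabled }}`, or wrap the whole file in a guard that rejects both flags being set. If the files under generated-changes/exclude are only a mirror of upstream templates that the packaged chart drops, the fix belongs upstream, but the mirrored content is still what reviewers read here.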
@@ -48,7 +53,11 @@ roleRef:
name: neuvector-binding-csp-usages
subjects:
- kind: ServiceAccount
+ {{- if and .Values.rbac .Values.leastPrivilege }}
+ name: controller
+ {{- else }}
name: {{ .Values.serviceAccount }}
+ {{- end }}
namespace: {{ .Release.Namespace }}
{{- end }}
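Review bot: The literal `name: controller` in the `leastPrivilege` branch of the neuvector-binding-csp-usages subject hard-codes the name of a ServiceAccount that is presumably created elsewhere in the chart under the same flag; nothing in this hunk ties the two together, so a rename on either side silently leaves the usages role bound to a non-existent account. If the chart has a helper or value for the least-privilege controller account name, use it here, otherwise a comment such as `{{- /* must match the controller ServiceAccount created when rbac && leastPrivilege */ -}}` above the branch would at least document the coupling. The enclosing template block starts outside this hunk.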
diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-crd.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-crd.yaml
index 87fa138fe..9263bc387 100644
--- a/packages/neuvector/generated-changes/exclude/templates/csp-crd.yaml
+++ b/packages/neuvector/generated-changes/exclude/templates/csp-crd.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.awsbilling.enabled }}
+{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-deployment.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-deployment.yaml
index 15c939f05..eae91b16d 100644
--- a/packages/neuvector/generated-changes/exclude/templates/csp-deployment.yaml
+++ b/packages/neuvector/generated-changes/exclude/templates/csp-deployment.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.awsbilling.enabled }}
+{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -8,7 +8,7 @@ metadata:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
-{{- with .Values.awsbilling.annotations }}
+{{- with .Values.global.aws.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
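Review bot: The metadata annotations are still taken only from `.Values.global.aws.annotations`, even though this Deployment is now rendered for Azure as well (the guard in the first hunk is `or aws.enabled azure.enabled`); an Azure-only install therefore has no way to annotate the csp pod, and an AWS-only value would be applied to an Azure deployment if someone sets both. If an Azure counterpart is intended, select the map by the enabled flag rather than hard-wiring the AWS key; if not, a comment like `{{- /* annotations are AWS-only by design */ -}}` would make that explicit.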
@@ -22,9 +22,13 @@ spec:
app: neuvector-csp-pod
release: {{ .Release.Name }}
spec:
- {{- if .Values.awsbilling.imagePullSecrets }}
+ {{- if .Values.global.aws.imagePullSecrets }}
imagePullSecrets:
- - name: {{ .Values.awsbilling.imagePullSecrets }}
+ - name: {{ .Values.global.aws.imagePullSecrets }}
+ {{- end }}
+ {{- if .Values.global.azure.imagePullSecrets }}
+ imagePullSecrets:
+ - name: {{ .Values.global.azure.imagePullSecrets }}
{{- end }}
containers:
- env:
@@ -38,9 +42,32 @@ spec:
value: "v1"
- name: USAGE_API_GROUP
value: "susecloud.net"
- image: "{{ .Values.registry }}/{{ .Values.awsbilling.image.repository }}:{{ .Values.awsbilling.image.tag }}"
+ {{- if .Values.global.azure.enabled }}
+ - name: "CLIENT_ID"
+ value: "{{ .Values.global.azure.identity.clientId }}"
+ - name: "EXTENSION_RESOURCE_ID"
+ value: "{{ .Values.global.azure.extension.resourceId }}"
+ - name: "PLAN_ID"
+ value: "{{ .Values.global.azure.marketplace.planId }}"
+ {{- end }}
+ {{- if and .Values.global.aws.enabled .Values.global.aws.image.digest }}
+ image: "{{ .Values.registry }}/{{ .Values.global.aws.image.repository }}@{{ .Values.global.aws.image.digest }}"
+ {{- else if and .Values.global.aws.enabled .Values.global.aws.image.tag }}
+ image: "{{ .Values.registry }}/{{ .Values.global.aws.image.repository }}:{{ .Values.global.aws.image.tag }}"
+ {{- else if and .Values.global.azure.enabled }}
+ image: "{{ .Values.global.azure.images.neuvector_csp_pod.registry }}/{{ .Values.global.azure.images.neuvector_csp_pod.image }}@{{ .Values.global.azure.images.neuvector_csp_pod.digest }}"
+ {{- end }}
name: neuvector-csp-pod
- imagePullPolicy: "{{ .Values.awsbilling.image.imagePullPoliicy }}"
- serviceAccountName: {{ .Values.awsbilling.serviceAccount }}
- serviceAccount: {{ .Values.awsbilling.serviceAccount }}
+ {{- if .Values.global.aws.enabled }}
+ imagePullPolicy: "{{ .Values.global.aws.image.imagePullPolicy }}"
+ {{- else if .Values.global.azure.enabled }}
+ imagePullPolicy: "{{ .Values.global.azure.images.neuvector_csp_pod.imagePullPolicy }}"
+ {{- end }}
+ {{- if .Values.global.aws.enabled }}
+ serviceAccountName: {{ .Values.global.aws.serviceAccount }}
+ serviceAccount: {{ .Values.global.aws.serviceAccount }}
+ {{- else if .Values.global.azure.enabled }}
+ serviceAccountName: {{ .Values.global.azure.serviceAccount }}
+ serviceAccount: {{ .Values.global.azure.serviceAccount }}
+ {{- end }}
{{- end }}
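Review bot: With `global.aws.enabled` set but neither `global.aws.image.digest` nor `global.aws.image.tag` populated, the three-way `if / else if / else if` around `image:` renders no `image:` line at all, so the Deployment is rejected by the API server rather than failing with a clear message; previously the tag branch was unconditional. Collapsing the second branch to `{{- else if .Values.global.aws.enabled }}` keeps the digest-first preference (good for supply-chain pinning) while always emitting an image for AWS, and the third branch should read `{{- else if .Values.global.azure.enabled }}` — the current `and` with a single operand is a no-op that reads like an unfinished condition. Consider also a `required` on the digest for the Azure branch, since an empty digest would render `image@` and fail late.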
diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-role.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-role.yaml
index 25cc4edaf..f70c3adbb 100644
--- a/packages/neuvector/generated-changes/exclude/templates/csp-role.yaml
+++ b/packages/neuvector/generated-changes/exclude/templates/csp-role.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.awsbilling.enabled }}
+{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-rolebinding.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-rolebinding.yaml
index 4674d7a56..be2d402d4 100644
--- a/packages/neuvector/generated-changes/exclude/templates/csp-rolebinding.yaml
+++ b/packages/neuvector/generated-changes/exclude/templates/csp-rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.awsbilling.enabled }}
+{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
@@ -22,6 +22,11 @@ roleRef:
name: neuvector-csp-adapter-role
subjects:
- kind: ServiceAccount
- name: {{ .Values.awsbilling.serviceAccount }}
+ {{- if .Values.global.aws.enabled }}
+ name: {{ .Values.global.aws.serviceAccount }}
+ {{- end }}
+ {{- if .Values.global.azure.enabled }}
+ name: {{ .Values.global.azure.serviceAccount }}
+ {{- end }}
namespace: {{ .Release.Namespace }}
{{- end }}
diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-serviceaccount.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-serviceaccount.yaml
index 5871099df..e17d02908 100644
--- a/packages/neuvector/generated-changes/exclude/templates/csp-serviceaccount.yaml
+++ b/packages/neuvector/generated-changes/exclude/templates/csp-serviceaccount.yaml
@@ -1,17 +1,24 @@
-{{- if .Values.awsbilling.enabled }}
+{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }}
{{- if not .Values.openshift}}
-{{- if ne .Values.awsbilling.serviceAccount "default"}}
+{{- if and (ne .Values.global.aws.serviceAccount "default") (ne .Values.global.azure.serviceAccount "default") }}
apiVersion: v1
kind: ServiceAccount
metadata:
- name: {{ .Values.awsbilling.serviceAccount }}
+ {{- if .Values.global.aws.enabled }}
+ name: {{ .Values.global.aws.serviceAccount }}
+ {{- end }}
+ {{- if .Values.global.azure.enabled }}
+ name: {{ .Values.global.azure.serviceAccount }}
+ {{- end }}
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
- eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.awsbilling.accountNumber }}:role/{{ .Values.awsbilling.roleName }}
+ {{- if .Values.global.aws.enabled }}
+ eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.global.aws.accountNumber }}:role/{{ .Values.global.aws.roleName }}
+ {{- end }}
{{- end }}
{{- end }}
{{- end }}
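Review bot: The creation guard `and (ne .Values.global.aws.serviceAccount "default") (ne .Values.global.azure.serviceAccount "default")` checks both providers' account names regardless of which provider is enabled, so an AWS-only install whose `global.azure.serviceAccount` is left at `"default"` silently skips creating the AWS ServiceAccount that the bindings and deployment then reference. Tie each check to its flag: `{{- if or (and .Values.global.aws.enabled (ne .Values.global.aws.serviceAccount "default")) (and .Values.global.azure.enabled (ne .Values.global.azure.serviceAccount "default")) }}`. Separately, for an Azure-only install the `annotations:` key is emitted with an empty body (the only annotation is inside the AWS guard), which renders as null; moving `annotations:` inside the AWS block avoids that. The duplicate `name:` key when both providers are enabled applies here as in csp-clusterrolebinding.yaml.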
diff --git a/packages/neuvector/generated-changes/overlay/crds/_helpers.tpl b/packages/neuvector/generated-changes/overlay/crds/_helpers.tpl
old mode 100755
new mode 100644
diff --git a/packages/neuvector/generated-changes/patch/Chart.yaml.patch b/packages/neuvector/generated-changes/patch/Chart.yaml.patch
index ce67055c8..a772d4022 100644
--- a/packages/neuvector/generated-changes/patch/Chart.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/Chart.yaml.patch
@@ -13,9 +13,9 @@
+ catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+ catalog.cattle.io/release-name: neuvector
+ catalog.cattle.io/type: cluster-tool
-+ catalog.cattle.io/upstream-version: 2.6.2
++ catalog.cattle.io/upstream-version: 2.6.4
apiVersion: v1
- appVersion: 5.2.1
+ appVersion: 5.2.2-s1
-description: Helm chart for NeuVector's core services
+description: Helm feature chart for NeuVector's core services
home: https://neuvector.com
@@ -29,4 +29,4 @@
+name: neuvector
+sources:
+- https://github.com/neuvector/neuvector
- version: 2.6.2
+ version: 2.6.4
diff --git a/packages/neuvector/generated-changes/patch/README.md.patch b/packages/neuvector/generated-changes/patch/README.md.patch
index 1fa5b8255..26ce7673f 100644
--- a/packages/neuvector/generated-changes/patch/README.md.patch
+++ b/packages/neuvector/generated-changes/patch/README.md.patch
@@ -10,30 +10,30 @@
## Choosing container runtime
The NeuVector platform supports docker, cri-o and containerd as the container runtime. For a k3s/rke2, or bottlerocket cluster, they have their own runtime socket path. You should enable their runtime options, `k3s.enabled` and `bottlerocket.enabled`, respectively.
-@@ -31,7 +28,7 @@
+@@ -49,7 +46,7 @@
`controller.schedulerName` | kubernetes scheduler name | `nil` |
`controller.affinity` | controller affinity rules | ... | spread controllers to different nodes |
`controller.tolerations` | List of node taints to tolerate | `nil` |
-`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](values.yaml)
-+`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml)
++`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
`controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` |
`controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
-@@ -74,7 +71,7 @@
+@@ -92,7 +89,7 @@
`controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
`controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
-`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
-+`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml)
++`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
`controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
`controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` |
`controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` |
-@@ -90,14 +87,14 @@
+@@ -108,14 +105,14 @@
`controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
`controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
-`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
-+`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml)
++`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
`controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed
`controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`.
`controller.ingress.host` | Must set this host value if ingress is enabled | `nil` |
@@ -41,69 +41,69 @@
`controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
-`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
-+`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml)
++`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
`controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false`
`controller.configmap.data` | NeuVector configuration in YAML format | `{}`
`controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false`
-@@ -111,7 +108,7 @@
+@@ -129,7 +126,7 @@
`enforcer.podAnnotations` | Specify the pod annotations. | `{}` |
`enforcer.env` | User-defined environment variables for enforcers. | `[]` |
`enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`
`key: node-role.kubernetes.io/master` | other taints can be added after the default
-`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](values.yaml)
-+`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml)
++`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
`manager.enabled` | If true, create manager | `true` |
`manager.image.repository` | manager image repository | `neuvector/manager` |
`manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
-@@ -128,7 +125,7 @@
+@@ -146,7 +143,7 @@
` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) |
`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
-`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](values.yaml)
-+`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml)
++`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
`manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` |
`manager.route.host` | Set OpenShift route host for management console service | `nil` |
`manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` |
-@@ -143,10 +140,10 @@
+@@ -161,10 +158,10 @@
`manager.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
`manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`
-`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
-+`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml)
++`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
`manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`.
`manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
-`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](values.yaml)
-+`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml)
++`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
`manager.affinity` | manager affinity rules | `{}` |
`manager.tolerations` | List of node taints to tolerate | `nil` |
`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
-@@ -161,7 +158,7 @@
+@@ -179,7 +176,7 @@
`cve.adapter.env` | User-defined environment variables for adapter. | `[]` |
`cve.adapter.svc.type` | set registry adapter service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
`cve.adapter.svc.loadBalancerIP` | if registry adapter service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
-`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](values.yaml)
-+`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml)
++`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
`cve.adapter.harbor.protocol` | Harbor registry request protocol [http|https] | `https` |
`cve.adapter.harbor.secretName` | Harbor registry adapter's basic authentication secret | |
`cve.adapter.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` |
-@@ -178,10 +175,10 @@
+@@ -196,10 +193,10 @@
`cve.adapter.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`cve.adapter.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
`cve.adapter.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`
-`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
-+`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml)
++`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
`cve.adapter.ingress.tls` | If true, TLS is enabled for registry adapter ingress service |`false` | If set, the tls-host used is the one set with `cve.adapter.ingress.host`.
`cve.adapter.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
-`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](values.yaml)
-+`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml)
++`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
`cve.adapter.affinity` | registry adapter affinity rules | `{}` |
`cve.adapter.tolerations` | List of node taints to tolerate | `nil` |
`cve.adapter.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
-@@ -209,7 +206,7 @@
+@@ -228,7 +225,7 @@
`cve.scanner.env` | User-defined environment variables for scanner. | `[]` |
`cve.scanner.replicas` | external scanner replicas | `3` |
`cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` |
-`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](values.yaml) |
-+`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml) |
++`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) |
`cve.scanner.affinity` | scanner affinity rules | `{}` |
`cve.scanner.tolerations` | List of node taints to tolerate | `nil` |
`cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
diff --git a/packages/neuvector/generated-changes/patch/templates/_helpers.tpl.patch b/packages/neuvector/generated-changes/patch/templates/_helpers.tpl.patch
index 774842c17..e960b307b 100644
--- a/packages/neuvector/generated-changes/patch/templates/_helpers.tpl.patch
+++ b/packages/neuvector/generated-changes/patch/templates/_helpers.tpl.patch
@@ -1,10 +1,12 @@
--- charts-original/templates/_helpers.tpl
+++ charts/templates/_helpers.tpl
-@@ -30,3 +30,11 @@
- {{- define "neuvector.chart" -}}
- {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+@@ -45,4 +45,11 @@
+ {{- if $value -}}
+ {{- printf "%s" $value -}}
{{- end -}}
-+
+-{{- end -}}
+\ No newline at end of file
++{{- end -}}
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
diff --git a/packages/neuvector/generated-changes/patch/templates/controller-deployment.yaml.patch b/packages/neuvector/generated-changes/patch/templates/controller-deployment.yaml.patch
index dca352ef4..20a3d05e6 100644
--- a/packages/neuvector/generated-changes/patch/templates/controller-deployment.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/templates/controller-deployment.yaml.patch
@@ -1,9 +1,12 @@
--- charts-original/templates/controller-deployment.yaml
+++ charts/templates/controller-deployment.yaml
-@@ -76,19 +76,7 @@
+@@ -79,23 +79,7 @@
{{- end }}
containers:
- name: neuvector-controller-pod
+- {{- if .Values.global.azure.enabled }}
+- image: "{{ .Values.global.azure.images.controller.registry }}/{{ .Values.global.azure.images.controller.image }}@{{ .Values.global.azure.images.controller.digest }}"
+- {{- else }}
- {{- if eq .Values.registry "registry.neuvector.com" }}
- {{- if .Values.oem }}
- image: "{{ .Values.registry }}/{{ .Values.oem }}/controller:{{ .Values.tag }}"
@@ -17,19 +20,24 @@
- image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}:{{ .Values.tag }}"
- {{- end }}
- {{- end }}
+- {{- end }}
+ image: {{ template "system_default_registry" . }}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}
securityContext:
privileged: true
resources:
-@@ -125,14 +113,6 @@
+@@ -132,18 +116,6 @@
- name: CTRL_PERSIST_CONFIG
value: "1"
{{- end }}
-- {{- if .Values.awsbilling.enabled }}
+- {{- if .Values.global.aws.enabled }}
- - name: CSP_ENV
- value: "aws"
- {{- end }}
-- {{- if .Values.awsbilling.enabled }}
+- {{- if .Values.global.azure.enabled }}
+- - name: CSP_ENV
+- value: "azure"
+- {{- end }}
+- {{- if or .Values.global.aws.enabled .Values.global.azure.enabled }}
- - name: NO_DEFAULT_ADMIN
- value: "1"
- {{- end }}
diff --git a/packages/neuvector/generated-changes/patch/templates/enforcer-daemonset.yaml.patch b/packages/neuvector/generated-changes/patch/templates/enforcer-daemonset.yaml.patch
index 05c67ae9f..ad0ed2c54 100644
--- a/packages/neuvector/generated-changes/patch/templates/enforcer-daemonset.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/templates/enforcer-daemonset.yaml.patch
@@ -1,9 +1,12 @@
--- charts-original/templates/enforcer-daemonset.yaml
+++ charts/templates/enforcer-daemonset.yaml
-@@ -51,19 +51,7 @@
+@@ -51,23 +51,7 @@
{{- end }}
containers:
- name: neuvector-enforcer-pod
+- {{- if .Values.global.azure.enabled }}
+- image: "{{ .Values.global.azure.images.enforcer.registry }}/{{ .Values.global.azure.images.enforcer.image }}@{{ .Values.global.azure.images.enforcer.digest }}"
+- {{- else }}
- {{- if eq .Values.registry "registry.neuvector.com" }}
- {{- if .Values.oem }}
- image: "{{ .Values.registry }}/{{ .Values.oem }}/enforcer:{{ .Values.tag }}"
@@ -17,6 +20,7 @@
- image: "{{ .Values.registry }}/{{ .Values.enforcer.image.repository }}:{{ .Values.tag }}"
- {{- end }}
- {{- end }}
+- {{- end }}
+ image: {{ template "system_default_registry" . }}{{ .Values.enforcer.image.repository }}:{{ .Values.enforcer.image.tag }}
securityContext:
privileged: true
diff --git a/packages/neuvector/generated-changes/patch/templates/manager-deployment.yaml.patch b/packages/neuvector/generated-changes/patch/templates/manager-deployment.yaml.patch
index 43da933ad..b99829517 100644
--- a/packages/neuvector/generated-changes/patch/templates/manager-deployment.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/templates/manager-deployment.yaml.patch
@@ -1,9 +1,12 @@
--- charts-original/templates/manager-deployment.yaml
+++ charts/templates/manager-deployment.yaml
-@@ -62,19 +62,7 @@
+@@ -67,23 +67,7 @@
{{- end }}
containers:
- name: neuvector-manager-pod
+- {{- if .Values.global.azure.enabled }}
+- image: "{{ .Values.global.azure.images.manager.registry }}/{{ .Values.global.azure.images.manager.image }}@{{ .Values.global.azure.images.manager.digest }}"
+- {{- else }}
- {{- if eq .Values.registry "registry.neuvector.com" }}
- {{- if .Values.oem }}
- image: "{{ .Values.registry }}/{{ .Values.oem }}/manager:{{ .Values.tag }}"
@@ -17,6 +20,7 @@
- image: "{{ .Values.registry }}/{{ .Values.manager.image.repository }}:{{ .Values.tag }}"
- {{- end }}
- {{- end }}
+- {{- end }}
+ image: {{ template "system_default_registry" . }}{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }}
env:
- name: CTRL_SERVER_IP
diff --git a/packages/neuvector/generated-changes/patch/templates/registry-adapter.yaml.patch b/packages/neuvector/generated-changes/patch/templates/registry-adapter.yaml.patch
index b59d7052e..61f4e281f 100644
--- a/packages/neuvector/generated-changes/patch/templates/registry-adapter.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/templates/registry-adapter.yaml.patch
@@ -1,6 +1,6 @@
--- charts-original/templates/registry-adapter.yaml
+++ charts/templates/registry-adapter.yaml
-@@ -72,7 +72,7 @@
+@@ -77,7 +77,7 @@
{{- if .Values.cve.adapter.image.hash }}
image: "{{ .Values.registry }}/{{ .Values.cve.adapter.image.repository }}@{{ .Values.cve.adapter.image.hash }}"
{{- else }}
diff --git a/packages/neuvector/generated-changes/patch/templates/scanner-deployment.yaml.patch b/packages/neuvector/generated-changes/patch/templates/scanner-deployment.yaml.patch
index c64f42827..732a8a3ad 100644
--- a/packages/neuvector/generated-changes/patch/templates/scanner-deployment.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/templates/scanner-deployment.yaml.patch
@@ -1,9 +1,12 @@
--- charts-original/templates/scanner-deployment.yaml
+++ charts/templates/scanner-deployment.yaml
-@@ -63,21 +63,7 @@
+@@ -63,25 +63,7 @@
{{- end }}
containers:
- name: neuvector-scanner-pod
+- {{- if .Values.global.azure.enabled }}
+- image: "{{ .Values.global.azure.images.scanner.registry }}/{{ .Values.global.azure.images.scanner.image }}@{{ .Values.global.azure.images.scanner.digest }}"
+- {{- else }}
- {{- if eq .Values.registry "registry.neuvector.com" }}
- {{- if .Values.oem }}
- image: "{{ .Values.registry }}/{{ .Values.oem }}/scanner:{{ .Values.cve.scanner.image.tag }}"
@@ -19,6 +22,7 @@
- image: "{{ .Values.registry }}/{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}"
- {{- end }}
- {{- end }}
+- {{- end }}
+ image: {{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}
imagePullPolicy: Always
env:
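Review bot: `imagePullPolicy: Always` directly under the kept `image:` line means every scanner pod start re-resolves a mutable tag at the registry, so what runs is whatever `cve.scanner.image.tag` points to at that moment rather than a fixed artifact; if that tag is `latest`, as the `tag: latest` entries in the values.yaml patch of this diff suggest for the `registry: ""` images, the scanner content can change silently between restarts. Since the patch now also strips the upstream Azure digest branch, no digest-pinned path remains for the scanner, while the registry-adapter template in this diff shows the `{{- if .Values.cve.adapter.image.hash }}` / `@hash` / `{{- else }}` tag pattern that could be mirrored here with `cve.scanner.image.hash`. Whether the scanner's `hash:` key is retained in values.yaml is not visible in this hunk; check before wiring it. The container spec continues beyond the hunk.
```yaml
- name: neuvector-scanner-pod
  {{- if .Values.cve.scanner.image.hash }}
  image: {{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}@{{ .Values.cve.scanner.image.hash }}
  {{- else }}
  image: {{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}
  {{- end }}
  imagePullPolicy: Always
  # … unchanged: env …
```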
diff --git a/packages/neuvector/generated-changes/patch/values.yaml.patch b/packages/neuvector/generated-changes/patch/values.yaml.patch
index 5c094689f..aef4e552f 100644
--- a/packages/neuvector/generated-changes/patch/values.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/values.yaml.patch
@@ -1,10 +1,10 @@
--- charts-original/values.yaml
+++ charts/values.yaml
-@@ -5,16 +5,17 @@
+@@ -5,62 +5,17 @@
openshift: false
registry: docker.io
--tag: 5.2.1
+-tag: 5.2.2-s1
oem:
-imagePullSecrets:
-psp: false
@@ -16,23 +16,69 @@
global: # required for rancher authentication (https:///)
cattle:
url:
+- azure:
+- enabled: false
+- identity:
+- clientId: "DONOTMODIFY" # Azure populates this value at deployment time
+- marketplace:
+- planId: "DONOTMODIFY" # Azure populates this value at deployment time
+- extension:
+- resourceId: "DONOTMODIFY" # application's Azure Resource ID, Azure populates this value at deployment time
+- serviceAccount: csp
+- imagePullSecrets:
+- images:
+- neuvector_csp_pod:
+- digest:
+- image: neuvector-billing-azure-by-suse-llc
+- registry: susellcforazuremarketplace.azurecr.io
+- imagePullPolicy: IfNotPresent
+- controller:
+- digest: ""
+- image: neuvector/controller
+- registry: docker.io
+- manager:
+- digest: ""
+- image: neuvector/manager
+- registry: docker.io
+- scanner:
+- digest: ""
+- image: neuvector/scanner
+- registry: docker.io
+- enforcer:
+- digest: ""
+- image: neuvector/enforcer
+- registry: docker.io
+-
+- aws:
+- enabled: false
+- accountNumber: ""
+- roleName: ""
+- serviceAccount: csp
+- annotations: {}
+- imagePullSecrets:
+- image:
+- digest:
+- repository: neuvector/neuvector-csp-adapter
+- tag: latest
+- imagePullPolicy: IfNotPresent
+-
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false # PSP enablement should default to false
+ autoGenerateCert: true
- internal: # enable when cert-manager is installed for the internal certificates
- certmanager:
-@@ -31,7 +32,8 @@
+ defaultValidityPeriod: 365
+@@ -80,7 +35,8 @@
maxSurge: 1
maxUnavailable: 0
image:
- repository: neuvector/controller
+ repository: rancher/mirrored-neuvector-controller
-+ tag: 5.2.1
++ tag: 5.2.2-s1
hash:
replicas: 3
disruptionbudget: 0
-@@ -79,7 +81,7 @@
+@@ -129,7 +85,7 @@
# -----BEGIN PRIVATE KEY-----
# -----END PRIVATE KEY-----
ranchersso: # required for rancher authentication
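Review bot: The `+-` lines in this hunk make the Rancher patch delete the entire `global.azure` and `global.aws` value blocks, so any template the Rancher chart still renders that dereferences `.Values.global.azure.enabled` or `.Values.global.aws.enabled` will fail at render time with a nil-pointer error instead of evaluating to false, because Helm does not treat a missing parent map as empty. Whether any retained template still references those keys is not visible from this hunk; a `helm template` run against the patched chart would confirm it. If a safety net is wanted, keeping `global.azure.enabled: false` and `global.aws.enabled: false` in the retained `global:` block next to `systemDefaultRegistry: ""` is a two-line guard that also documents why the upstream cloud-marketplace wiring is intentionally absent. The `global:` mapping continues beyond the hunk.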
@@ -41,37 +87,37 @@
pvc:
enabled: false
existingClaim: false
-@@ -227,7 +229,8 @@
+@@ -281,7 +237,8 @@
# If false, enforcer will not be installed
enabled: true
image:
- repository: neuvector/enforcer
+ repository: rancher/mirrored-neuvector-enforcer
-+ tag: 5.2.1
++ tag: 5.2.2-s1
hash:
updateStrategy:
type: RollingUpdate
-@@ -258,7 +261,8 @@
+@@ -313,7 +270,8 @@
# If false, manager will not be installed
enabled: true
image:
- repository: neuvector/manager
+ repository: rancher/mirrored-neuvector-manager
-+ tag: 5.2.1
++ tag: 5.2.2-s1
hash:
priorityClassName:
env:
-@@ -332,7 +336,7 @@
+@@ -390,7 +348,7 @@
adapter:
enabled: false
image:
- repository: neuvector/registry-adapter
+ repository: rancher/mirrored-neuvector-registry-adapter
- tag: 0.1.0
+ tag: 0.1.1-s1
hash:
priorityClassName:
-@@ -410,7 +414,7 @@
- secure: false
+@@ -475,7 +433,7 @@
+ cacert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
image:
registry: ""
- repository: neuvector/updater
@@ -79,7 +125,7 @@
tag: latest
hash:
schedule: "0 0 * * *"
-@@ -432,7 +436,7 @@
+@@ -498,7 +456,7 @@
maxUnavailable: 0
image:
registry: ""
@@ -88,18 +134,3 @@
tag: latest
hash:
priorityClassName:
-@@ -493,14 +497,3 @@
- enabled: true
- type: ClusterIP
-
--awsbilling:
-- enabled: false
-- accountNumber: ""
-- roleName: ""
-- serviceAccount: csp
-- annotations: {}
-- imagePullSecrets:
-- image:
-- repository: neuvector/neuvector-csp-adapter
-- tag: 1.0.0
-- imagePullPolicy: IfNotPresent
diff --git a/packages/neuvector/package.yaml b/packages/neuvector/package.yaml
index 1c088a169..a204f729c 100644
--- a/packages/neuvector/package.yaml
+++ b/packages/neuvector/package.yaml
@@ -1,4 +1,4 @@
-url: https://neuvector.github.io/neuvector-helm/core-2.6.2.tgz
+url: https://neuvector.github.io/neuvector-helm/core-2.6.4.tgz
version: 103.0.0
additionalCharts:
- workingDir: charts-crd
diff --git a/packages/neuvector/templates/crd-template/Chart.yaml b/packages/neuvector/templates/crd-template/Chart.yaml
index e1390446a..1e1503703 100644
--- a/packages/neuvector/templates/crd-template/Chart.yaml
+++ b/packages/neuvector/templates/crd-template/Chart.yaml
@@ -4,7 +4,7 @@ annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: true
apiVersion: v1
-appVersion: 5.2.1
+appVersion: 5.2.2-s1
description: Helm chart for NeuVector's CRD services
home: https://neuvector.com
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
@@ -12,5 +12,5 @@ maintainers:
- email: support@neuvector.com
name: becitsthere
name: neuvector-crd
-version: 2.6.2
+version: 2.6.4
type: application
diff --git a/packages/neuvector/templates/crd-template/README.md b/packages/neuvector/templates/crd-template/README.md
old mode 100755
new mode 100644
diff --git a/packages/neuvector/templates/crd-template/values.yaml b/packages/neuvector/templates/crd-template/values.yaml
old mode 100755
new mode 100644