make forward-port neuvector-monitor 102.0.6+up2.6.6

charts/neuvector-monitor/102.0.6+up2.6.6/Chart.yaml

@@ -0,0 +1,26 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/display-name: NeuVector Monitor
+  catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0'
+  catalog.cattle.io/namespace: cattle-neuvector-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux
+  catalog.cattle.io/provides-gvr: neuvector.com/v1
+  catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+  catalog.cattle.io/release-name: neuvector-monitor
+  catalog.cattle.io/type: cluster-tool
+  catalog.cattle.io/upstream-version: 2.6.6
+apiVersion: v1
+appVersion: 5.2.4
+description: Helm feature chart for NeuVector monitor services
+home: https://neuvector.com
+icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
+keywords:
+- security
+maintainers:
+- email: support@neuvector.com
+  name: becitsthere
+name: neuvector-monitor
+sources:
+- https://github.com/neuvector/neuvector
+version: 102.0.6+up2.6.6

charts/neuvector-monitor/102.0.6+up2.6.6/README.md

@@ -0,0 +1,22 @@
+# NeuVector Helm Chart
+
+Helm chart for NeuVector's monitoring services.
+
+## Configuration
+
+The following table lists the configurable parameters of the NeuVector chart and their default values.
+
+Parameter | Description | Default | Notes
+--------- | ----------- | ------- | -----
+`registry` | NeuVector container registry | `registry.neuvector.com` |
+`oem` | OEM release name | `nil` |
+`leastPrivilege` | Assume monitor chart is always installed after the core chart, so service accounts created by the core chart will be used. Keep this value as same as in the core chart. | `false` |
+`exporter.enabled` | If true, create Prometheus exporter | `false` |
+`exporter.image.repository` | exporter image name | `neuvector/prometheus-exporter` |
+`exporter.image.tag` | exporter image tag | `latest` |
+`exporter.ctrlSercretName` | existing secret that have CTRL_USERNAME and CTRL_PASSWORD fields to login to the controller.  | `nil` | if parameter exists then `exporter.CTRL_USERNAME` & `exporter.CTRL_PASSWORD` will be skipped
+`exporter.CTRL_USERNAME` | Username to login to the controller. Suggest to replace the default admin user to a read-only user | `admin` |
+`exporter.CTRL_PASSWORD` | Password to login to the controller. | `admin` |
+
+---
+

charts/neuvector-monitor/102.0.6+up2.6.6/app-readme.md

@@ -0,0 +1,5 @@
+### Run-Time Protection Without Compromise
+
+NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform.
+
+Helm chart for NeuVector's monitoring services. Please make sure REST API service for controller in core chart is enabled.

charts/neuvector-monitor/102.0.6+up2.6.6/questions.yaml

@@ -0,0 +1,27 @@
+questions:
+#monitor configurations
+- variable: exporter.image.repository
+  default: "neuvector/prometheus-exporter"
+  description: exporter image repository
+  type: string
+  label: Exporter Image Path
+  group: "Container Images"
+- variable: exporter.image.tag
+  default: ""
+  description: image tag for exporter
+  type: string
+  label: exporter Image Tag
+  group: "Container Images"
+#controller crendential configuration
+- variable: exporter.CTRL_USERNAME
+  default: "admin"
+  description: Controller Username
+  type: string
+  label: Controller Username
+  group: "Controller Crendential"
+- variable: exporter.CTRL_PASSWORD
+  default: "admin"
+  description: Controller Password
+  type: string
+  label: Controller Password
+  group: "Controller Crendential"

charts/neuvector-monitor/102.0.6+up2.6.6/templates/_helpers.tpl

@@ -0,0 +1,40 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "neuvector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "neuvector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "neuvector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}

charts/neuvector-monitor/102.0.6+up2.6.6/templates/dashboard.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.exporter.grafanaDashboard.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nv-grafana-dashboard
+  namespace: {{ .Values.exporter.grafanaDashboard.namespace | default .Release.Namespace }}
+  labels:
+    grafana_dashboard: "1"
+{{- if .Values.exporter.grafanaDashboard.labels }}
+    {{- toYaml .Values.exporter.grafanaDashboard.labels | nindent 4}}
+{{- end }}
+data:
+  nv_dashboard.json: |
+{{ .Files.Get "dashboards/nv_dashboard.json" | indent 4 }}
+{{- end }}

charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-deployment.yaml

@@ -0,0 +1,60 @@
+{{- if .Values.exporter.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: neuvector-prometheus-exporter-pod
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: neuvector-prometheus-exporter-pod
+  template:
+    metadata:
+      annotations:
+        prometheus.io/path: /metrics
+        prometheus.io/port: "8068"
+        prometheus.io/scrape: "true"
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+      labels:
+        app: neuvector-prometheus-exporter-pod
+        release: {{ .Release.Name }}
+    spec:
+    {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+        - name: {{ .Values.imagePullSecrets }}
+    {{- end }}
+    {{- if .Values.leastPrivilege }}
+      serviceAccountName: basic
+      serviceAccount: basic
+    {{- end }}
+      containers:
+        - name: neuvector-prometheus-exporter-pod
+          {{ if eq .Values.registry "registry.neuvector.com" }}
+          {{ if .Values.oem }}
+          image: "{{ .Values.registry }}/{{ .Values.oem }}/prometheus-exporter:{{ .Values.exporter.image.tag }}"
+          {{- else }}
+          image: "{{ .Values.registry }}/prometheus-exporter:{{ .Values.exporter.image.tag }}"
+          {{- end }}
+          {{- else }}
+          image: {{ template "system_default_registry" . }}{{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}
+          {{- end }}
+          imagePullPolicy: Always
+          env:
+            - name: CTRL_API_SERVICE
+              value: {{ .Values.exporter.apiSvc }}
+            - name: EXPORTER_PORT
+              value: "8068"
+          envFrom:
+            - secretRef:
+            {{- if .Values.exporter.ctrlSercretName }}
+                name: {{ .Values.exporter.ctrlSercretName }}
+            {{ else }}
+                name: neuvector-prometheus-exporter-pod-secret
+            {{- end }}
+      restartPolicy: Always
+{{- end }}

charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-service.yaml

@@ -0,0 +1,28 @@
+{{- if and .Values.exporter.enabled  .Values.exporter.svc.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: neuvector-prometheus-exporter
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.exporter.svc.annotations }}
+  annotations:
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    app: neuvector-prometheus-exporter
+spec:
+  type: {{ .Values.exporter.svc.type }}
+  {{- if and .Values.exporter.svc.loadBalancerIP (eq .Values.exporter.svc.type "LoadBalancer") }}
+  loadBalancerIP: {{ .Values.exporter.svc.loadBalancerIP }}
+  {{- end }}
+  ports:
+    - port: 8068
+      name: metrics
+      targetPort: 8068
+      protocol: TCP
+  selector:
+    app: neuvector-prometheus-exporter-pod
+{{- end }}

charts/neuvector-monitor/102.0.6+up2.6.6/templates/exporter-servicemonitor.yaml

@@ -0,0 +1,39 @@
+{{- if .Values.exporter.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: neuvector-prometheus-exporter
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.exporter.serviceMonitor.annotations }}
+  annotations:
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- if .Values.exporter.serviceMonitor.labels }}
+    {{- toYaml .Values.exporter.serviceMonitor.labels | nindent 4}}
+{{- end }}
+spec:
+  selector:
+    matchLabels:
+      app: neuvector-prometheus-exporter
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  endpoints:
+    - port: metrics
+      {{- if .Values.exporter.serviceMonitor.interval }}
+      interval: {{ .Values.exporter.serviceMonitor.interval }}
+      {{- end }}
+      path: "/metrics"
+      {{- if .Values.exporter.serviceMonitor.metricRelabelings }}
+      metricRelabelings:
+        {{- toYaml .Values.exporter.serviceMonitor.metricRelabelings | nindent 6 }}
+      {{- end }}
+      {{- if .Values.exporter.serviceMonitor.relabelings }}
+      relabelings:
+        {{- toYaml .Values.exporter.serviceMonitor.relabelings | nindent 6 }}
+      {{- end }}
+{{- end }}

charts/neuvector-monitor/102.0.6+up2.6.6/templates/secret.yaml

@@ -0,0 +1,15 @@
+{{- if and (.Values.exporter.enabled) (not .Values.exporter.ctrlSercretName)  -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: neuvector-prometheus-exporter-pod-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+type: Opaque
+data:
+  CTRL_USERNAME: {{ .Values.exporter.CTRL_USERNAME | b64enc | quote }}
+  CTRL_PASSWORD: {{ .Values.exporter.CTRL_PASSWORD | b64enc | quote }}
+{{- end }}

charts/neuvector-monitor/102.0.6+up2.6.6/values.yaml

@@ -0,0 +1,52 @@
+# Default values for neuvector.
+# This is a YAML-formatted file.
+# Declare variables to be passed into the templates.
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+
+registry: docker.io
+oem: ''
+leastPrivilege: false
+
+exporter:
+  # If false, exporter will not be installed
+  enabled: true
+  image:
+    repository: rancher/mirrored-neuvector-prometheus-exporter
+    tag: 5.2.4
+  # changes this to a readonly user !
+  CTRL_USERNAME: admin
+  CTRL_PASSWORD: admin
+  ctrlSercretName: ''
+
+  apiSvc: neuvector-svc-controller-api:10443
+
+  svc:
+    enabled: true
+    type: ClusterIP
+    loadBalancerIP: ''
+    annotations: {}
+      # service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+      # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet"
+
+  grafanaDashboard:
+    enabled: false
+    namespace: "" # Release namespace, if empty
+    labels: {}
+
+  serviceMonitor:
+    enabled: false
+    # labels for the ServiceMonitor.
+    labels: {}
+    # annotations for the ServiceMonitor.
+    annotations: {}
+    # Scrape interval. If not set, the Prometheus default scrape interval is used.
+    interval: ""
+    # MetricRelabelConfigs to apply to samples after scraping, but before ingestion.
+    # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+    metricRelabelings: []
+    # RelabelConfigs to apply to samples before scraping
+    # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
+    relabelings: []

index.yaml

@@ -5497,6 +5497,36 @@ entries:
     urls:
     - assets/neuvector-monitor/neuvector-monitor-103.0.0+up2.6.4.tgz
     version: 103.0.0+up2.6.4
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/display-name: NeuVector Monitor
+      catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0'
+      catalog.cattle.io/namespace: cattle-neuvector-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/permits-os: linux
+      catalog.cattle.io/provides-gvr: neuvector.com/v1
+      catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+      catalog.cattle.io/release-name: neuvector-monitor
+      catalog.cattle.io/type: cluster-tool
+      catalog.cattle.io/upstream-version: 2.6.6
+    apiVersion: v1
+    appVersion: 5.2.4
+    created: "2023-12-04T13:10:54.319704-03:00"
+    description: Helm feature chart for NeuVector monitor services
+    digest: acea2d95b773e92edfaac066a264f64e66b6e49b65d6abec5abcbc8b743c78ae
+    home: https://neuvector.com
+    icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
+    keywords:
+    - security
+    maintainers:
+    - email: support@neuvector.com
+      name: becitsthere
+    name: neuvector-monitor
+    sources:
+    - https://github.com/neuvector/neuvector
+    urls:
+    - assets/neuvector-monitor/neuvector-monitor-102.0.6+up2.6.6.tgz
+    version: 102.0.6+up2.6.6
   - annotations:
       catalog.cattle.io/certified: rancher
       catalog.cattle.io/display-name: NeuVector Monitor

release.yaml

@@ -4,3 +4,5 @@ neuvector:
   - 102.0.6+up2.6.6
 neuvector-crd:
   - 102.0.6+up2.6.6
+neuvector-monitor:
+  - 102.0.6+up2.6.6