# Default values for neuvector. # This is a YAML-formatted file. # Declare variables to be passed into the templates. openshift: false registry: docker.io tag: 5.3.2 oem: rbac: true # required for rancher authentication serviceAccount: neuvector leastPrivilege: false global: # required for rancher authentication (https:///) cattle: url: systemDefaultRegistry: "" psp: enabled: false # PSP enablement should default to false autoGenerateCert: true defaultValidityPeriod: 365 internal: # enable when cert-manager is installed for the internal certificates certmanager: enabled: false secretname: neuvector-internal controller: # If false, controller will not be installed enabled: true annotations: {} strategy: type: RollingUpdate rollingUpdate: maxSurge: 1 maxUnavailable: 0 image: repository: rancher/mirrored-neuvector-controller tag: 5.3.2 hash: replicas: 3 disruptionbudget: 0 schedulerName: priorityClassName: podLabels: {} podAnnotations: {} env: [] affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: labelSelector: matchExpressions: - key: app operator: In values: - neuvector-controller-pod topologyKey: "kubernetes.io/hostname" tolerations: [] nodeSelector: {} # key1: value1 # key2: value2 apisvc: type: annotations: {} # OpenShift Route configuration # Controller supports HTTPS only, so edge termination not supported route: enabled: false termination: passthrough host: tls: #certificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #caCertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #destinationCACertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #key: | # -----BEGIN PRIVATE KEY----- # -----END PRIVATE KEY----- ranchersso: # required for rancher authentication enabled: true pvc: enabled: false existingClaim: false accessModes: - ReadWriteMany storageClass: capacity: azureFileShare: enabled: false secretName: shareName: certificate: secret: "" keyFile: tls.key pemFile: tls.pem internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: secret: "" keyFile: tls.key pemFile: tls.crt caFile: ca.crt # must be the same CA for all internal. federation: mastersvc: type: loadBalancerIP: clusterIP: nodePort: # Must be a valid NodePort: 30000-32767 externalTrafficPolicy: internalTrafficPolicy: # Federation Master Ingress ingress: enabled: false host: # MUST be set, if ingress is enabled ingressClassName: "" path: "/" # or this could be "/api", but might need "rewrite-target" annotation annotations: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # ingress.kubernetes.io/rewrite-target: / tls: false secretName: annotations: {} # OpenShift Route configuration # Controller supports HTTPS only, so edge termination not supported route: enabled: false termination: passthrough host: tls: #certificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #caCertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #destinationCACertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #key: | # -----BEGIN PRIVATE KEY----- # -----END PRIVATE KEY----- managedsvc: type: loadBalancerIP: clusterIP: nodePort: # Must be a valid NodePort: 30000-32767 externalTrafficPolicy: internalTrafficPolicy: # Federation Managed Ingress ingress: enabled: false host: # MUST be set, if ingress is enabled ingressClassName: "" path: "/" # or this could be "/api", but might need "rewrite-target" annotation annotations: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # ingress.kubernetes.io/rewrite-target: / tls: false secretName: annotations: {} # OpenShift Route configuration # Controller supports HTTPS only, so edge termination not supported route: enabled: false termination: passthrough host: tls: #certificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #caCertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #destinationCACertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #key: | # -----BEGIN PRIVATE KEY----- # -----END PRIVATE KEY----- ingress: enabled: false host: # MUST be set, if ingress is enabled ingressClassName: "" path: "/" # or this could be "/api", but might need "rewrite-target" annotation annotations: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # ingress.kubernetes.io/rewrite-target: / tls: false secretName: resources: {} # limits: # cpu: 400m # memory: 2792Mi # requests: # cpu: 100m # memory: 2280Mi configmap: enabled: false data: # passwordprofileinitcfg.yaml: | # ... # roleinitcfg.yaml: | # ... # ldapinitcfg.yaml: | # ... # oidcinitcfg.yaml: | # ... # samlinitcfg.yaml: | # ... # sysinitcfg.yaml: | # ... # userinitcfg.yaml: | # ... secret: # NOTE: files defined here have preferrence over the ones defined in the configmap section enabled: false data: # passwordprofileinitcfg.yaml: # ... # roleinitcfg.yaml: # ... # ldapinitcfg.yaml: # directory: OpenLDAP # ... # oidcinitcfg.yaml: # Issuer: https://... # ... # samlinitcfg.yaml: # ... # sysinitcfg.yaml: # ... userinitcfg.yaml: users: - Fullname: admin Password: Role: admin enforcer: # If false, enforcer will not be installed enabled: true image: repository: rancher/mirrored-neuvector-enforcer tag: 5.3.2 hash: updateStrategy: type: RollingUpdate priorityClassName: podLabels: {} podAnnotations: {} env: [] tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master - effect: NoSchedule key: node-role.kubernetes.io/control-plane resources: {} # limits: # cpu: 400m # memory: 2792Mi # requests: # cpu: 100m # memory: 2280Mi internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: secret: "" keyFile: tls.key pemFile: tls.crt caFile: ca.crt # must be the same CA for all internal. manager: # If false, manager will not be installed enabled: true image: repository: rancher/mirrored-neuvector-manager tag: 5.3.2 hash: priorityClassName: env: ssl: true envs: [] # - name: CUSTOM_PAGE_HEADER_COLOR # value: "#FFFFFF" # - name: CUSTOM_PAGE_FOOTER_COLOR # value: "#FFFFFF" svc: type: NodePort # should be set to - ClusterIP loadBalancerIP: annotations: {} # azure # service.beta.kubernetes.io/azure-load-balancer-internal: "true" # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" # OpenShift Route configuration # Make sure manager env ssl is false for edge termination route: enabled: true termination: passthrough host: tls: #certificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #caCertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #destinationCACertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #key: | # -----BEGIN PRIVATE KEY----- # -----END PRIVATE KEY----- certificate: secret: "" keyFile: tls.key pemFile: tls.pem ingress: enabled: false host: # MUST be set, if ingress is enabled ingressClassName: "" path: "/" annotations: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # kubernetes.io/ingress.class: my-nginx # nginx.ingress.kubernetes.io/whitelist-source-range: "" # nginx.ingress.kubernetes.io/rewrite-target: / # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert tls: false secretName: # my-tls-secret resources: {} # limits: # cpu: 400m # memory: 2792Mi # requests: # cpu: 100m # memory: 2280Mi affinity: {} podLabels: {} podAnnotations: {} tolerations: [] nodeSelector: {} # key1: value1 # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster cve: adapter: enabled: false image: repository: rancher/mirrored-neuvector-registry-adapter tag: 0.1.1-s1 hash: priorityClassName: resources: {} # limits: # cpu: 400m # memory: 512Mi # requests: # cpu: 100m # memory: 1024Mi affinity: {} podLabels: {} podAnnotations: {} env: [] tolerations: [] nodeSelector: {} # key1: value1 # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster ## TLS cert/key. If absent, TLS cert/key automatically generated will be used. ## ## default: (none) certificate: secret: "" keyFile: tls.key pemFile: tls.crt harbor: protocol: https secretName: svc: type: NodePort # should be set to - ClusterIP loadBalancerIP: annotations: {} # azure # service.beta.kubernetes.io/azure-load-balancer-internal: "true" # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" # OpenShift Route configuration route: enabled: true termination: passthrough host: tls: #certificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #caCertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #destinationCACertificate: | # -----BEGIN CERTIFICATE----- # -----END CERTIFICATE----- #key: | # -----BEGIN PRIVATE KEY----- # -----END PRIVATE KEY----- ingress: enabled: false host: # MUST be set, if ingress is enabled ingressClassName: "" path: "/" annotations: nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # kubernetes.io/ingress.class: my-nginx # nginx.ingress.kubernetes.io/whitelist-source-range: "" # nginx.ingress.kubernetes.io/rewrite-target: / # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert tls: false secretName: # my-tls-secret internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: secret: "" keyFile: tls.key pemFile: tls.crt caFile: ca.crt # must be the same CA for all internal. updater: # If false, cve updater will not be installed enabled: true secure: false cacert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt image: registry: "" repository: rancher/mirrored-neuvector-updater tag: latest hash: schedule: "0 0 * * *" priorityClassName: podLabels: {} podAnnotations: {} nodeSelector: {} # key1: value1 # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster scanner: enabled: true replicas: 3 dockerPath: "" strategy: type: RollingUpdate rollingUpdate: maxSurge: 1 maxUnavailable: 0 image: registry: "" repository: rancher/mirrored-neuvector-scanner tag: latest hash: priorityClassName: resources: {} # limits: # cpu: 400m # memory: 2792Mi # requests: # cpu: 100m # memory: 2280Mi affinity: {} podLabels: {} podAnnotations: {} env: [] tolerations: [] nodeSelector: {} # key1: value1 # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) certificate: secret: "" keyFile: tls.key pemFile: tls.crt caFile: ca.crt # must be the same CA for all internal. resources: {} # limits: # cpu: 400m # memory: 2792Mi # requests: # cpu: 100m # memory: 2280Mi runtimePath: # The following runtime type and socket location are deprecated after 5.3.0. # If the socket path is not at the default location, use above 'runtimePath' to specify the location. docker: path: /var/run/docker.sock k3s: enabled: false runtimePath: /run/k3s/containerd/containerd.sock bottlerocket: enabled: false runtimePath: /run/dockershim.sock containerd: enabled: false path: /var/run/containerd/containerd.sock crio: enabled: false path: /var/run/crio/crio.sock admissionwebhook: type: ClusterIP crdwebhook: enabled: true type: ClusterIP