From 95804e8bc276049f9eb591f0c59fd5e62871e0e6 Mon Sep 17 00:00:00 2001 From: selvamt94 Date: Tue, 9 Aug 2022 02:36:12 +0000 Subject: [PATCH] Updating NeuVector chart version to 2.2.2 --- .../generated-changes/overlay/app-readme.md | 2 + .../generated-changes/overlay/questions.yml | 200 ++++++++++++++---- .../generated-changes/patch/Chart.yaml.patch | 4 +- .../generated-changes/patch/README.md.patch | 57 ++--- packages/neuvector/package.yaml | 2 +- 5 files changed, 192 insertions(+), 73 deletions(-) diff --git a/packages/neuvector/generated-changes/overlay/app-readme.md b/packages/neuvector/generated-changes/overlay/app-readme.md index fbcc16a78..b5e2e58f7 100644 --- a/packages/neuvector/generated-changes/overlay/app-readme.md +++ b/packages/neuvector/generated-changes/overlay/app-readme.md @@ -14,3 +14,5 @@ NeuVector integrates tightly with Rancher and Kubernetes to extend the built-in Additional Notes: + Configure correct container runtime and runtime path under container runtime. Enable only one runtime. + Neuvector deployed from Partners chart repository do not support Single Sign On from Rancher Manager. Please deploy Neuvector from Rancher charts for Single Sign On to work. ++ For deploying on hardened RKE2 and K3s clusters, enable PSP and set user id from other configuration for Manager, Scanner and Updater deployments. User id can be any number other than 0. ++ For deploying on hardened RKE cluster, enable PSP from other configuration. diff --git a/packages/neuvector/generated-changes/overlay/questions.yml b/packages/neuvector/generated-changes/overlay/questions.yml index 152116d56..3780df560 100644 --- a/packages/neuvector/generated-changes/overlay/questions.yml +++ b/packages/neuvector/generated-changes/overlay/questions.yml @@ -7,7 +7,7 @@ questions: label: Image Registry group: "Container Images" - variable: tag - default: "5.0.0" + default: "5.0.2" description: image tag for controller enforcer manager type: string label: Image Tag @@ -113,50 +113,142 @@ questions: default: false description: If true, create ingress, must also set ingress host value type: boolean - label: Manager ingress status - group: "Ingress Configuration" -- variable: manager.ingress.host - default: "" - description: Must set this host value if ingress is enabled - type: string - label: Manager Ingress host - group: "Ingress Configuration" -- variable: manager.ingress.path - default: "/" - description: Set ingress path - type: string - label: Manager Ingress path - group: "Ingress Configuration" -- variable: manager.ingress.annotations - default: "{}" - description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation. - type: string - label: Manager Ingress annotations + label: Manager Ingress Status group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: manager.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Manager Ingress Host + group: "Ingress Configuration" + - variable: manager.ingress.path + default: "/" + description: Set ingress path + type: string + label: Manager Ingress Path + group: "Ingress Configuration" + - variable: manager.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Manager Ingress Annotations + group: "Ingress Configuration" - variable: controller.ingress.enabled default: false description: If true, create ingress for rest api, must also set ingress host value type: boolean - label: Controller ingress status + label: Controller Ingress Status group: "Ingress Configuration" -- variable: controller.ingress.host - default: "" - description: Must set this host value if ingress is enabled - type: string - label: Controller Ingress host + show_subquestion_if: true + subquestions: + - variable: controller.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Controller Ingress Host + group: "Ingress Configuration" + - variable: controller.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Ingress Path + group: "Ingress Configuration" + - variable: controller.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Ingress Annotations + group: "Ingress Configuration" +- variable: controller.federation.mastersvc.ingress.enabled + default: false + description: If true, create ingress for rest api, must also set ingress host value + type: boolean + label: Controller Federation Master Service Ingress Status group: "Ingress Configuration" -- variable: controller.ingress.path - default: "/" - description: Set ingress path - type: string - label: Controller Ingress path - group: "Ingress Configuration" -- variable: controller.ingress.annotations - default: "{}" - description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation. - type: string - label: Controller Ingress annotations + show_subquestion_if: true + subquestions: + - variable: controller.federation.mastersvc.ingress.tls + default: false + description: If true, TLS is enabled for controller federation master ingress service + type: boolean + label: Controller Federation Master Service Ingress TLS Status + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Controller Federation Master Service Ingress Host + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Federation Master Service Ingress Path + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.ingressClassName + default: "" + description: To be used instead of the ingress.class annotation if an IngressClass is provisioned + type: string + label: Controller Federation Master Service Ingress IngressClassName + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.secretName + default: "" + description: Name of the secret to be used for TLS-encryption + type: string + label: Controller Federation Master Service Ingress SecretName + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Federation Master Service Ingress Annotations + group: "Ingress Configuration" +- variable: controller.federation.managedsvc.ingress.enabled + default: false + description: If true, create ingress for rest api, must also set ingress host value + type: boolean + label: Controller Federation Managed Service Ingress Status group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: controller.federation.managedsvc.ingress.tls + default: false + description: If true, TLS is enabled for controller federation managed ingress service + type: boolean + label: Controller Federation Managed Service Ingress TLS Status + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Controller Federation Managed Service Ingress Host + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Federation Managed Service Ingress Path + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.ingressClassName + default: "" + description: To be used instead of the ingress.class annotation if an IngressClass is provisioned + type: string + label: Controller Federation Managed Service Ingress IngressClassName + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.secretName + default: "" + description: Name of the secret to be used for TLS-encryption + type: string + label: Controller Federation Managed Service Ingress SecretName + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Federation Managed Service Ingress Annotations + group: "Ingress Configuration" #service configurations - variable: manager.svc.type default: "NodePort" @@ -170,23 +262,23 @@ questions: - "LoadBalancer" - variable: controller.federation.mastersvc.type default: "" - description: Multi-cluster master cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and Ingress + description: Multi-cluster master cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP type: enum label: Fed Master Service Type group: "Service Configuration" options: - "NodePort" - - "Ingress" + - "ClusterIP" - "LoadBalancer" - variable: controller.federation.managedsvc.type default: "" - description: Multi-cluster managed cluster service type. If specified, the deployment will be managed by the master clsuter. Possible values include NodePort, LoadBalancer and Ingress + description: Multi-cluster managed cluster service type. If specified, the deployment will be managed by the master clsuter. Possible values include NodePort, LoadBalancer and ClusterIP type: enum label: Fed Managed service type group: "Service Configuration" options: - "NodePort" - - "Ingress" + - "ClusterIP" - "LoadBalancer" - variable: controller.apisvc.type default: "NodePort" @@ -198,4 +290,28 @@ questions: - "NodePort" - "ClusterIP" - "LoadBalancer" - +#Other Configuration +- variable: psp + default: "false" + description: NeuVector Pod Security Policy when psp policy is enabled + type: boolean + label: Pod Security Policy + group: "Other Configuration" +- variable: manager.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Manager runAsUser ID + group: "Other Configuration" +- variable: cve.scanner.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Scanner runAsUser ID + group: "Other Configuration" +- variable: cve.updater.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Updater runAsUser ID + group: "Other Configuration" diff --git a/packages/neuvector/generated-changes/patch/Chart.yaml.patch b/packages/neuvector/generated-changes/patch/Chart.yaml.patch index 57badfa2c..04fef8e50 100644 --- a/packages/neuvector/generated-changes/patch/Chart.yaml.patch +++ b/packages/neuvector/generated-changes/patch/Chart.yaml.patch @@ -2,7 +2,7 @@ +++ charts/Chart.yaml @@ -1,11 +1,17 @@ apiVersion: v1 - appVersion: 5.0.0 + appVersion: 5.0.2 -description: Helm chart for NeuVector's core services -engine: gotpl +description: Helm partner chart for NeuVector's core services @@ -13,7 +13,7 @@ name: becitsthere -name: core +name: neuvector - version: 2.2.0 + version: 2.2.2 +annotations: + catalog.cattle.io/release-name: neuvector + catalog.cattle.io/certified: partner diff --git a/packages/neuvector/generated-changes/patch/README.md.patch b/packages/neuvector/generated-changes/patch/README.md.patch index 4eb05997a..e4bd54094 100644 --- a/packages/neuvector/generated-changes/patch/README.md.patch +++ b/packages/neuvector/generated-changes/patch/README.md.patch @@ -1,80 +1,81 @@ --- charts-original/README.md +++ charts/README.md -@@ -71,7 +71,7 @@ +@@ -72,7 +72,7 @@ `controller.schedulerName` | kubernetes scheduler name | `nil` | `controller.affinity` | controller affinity rules | ... | spread controllers to different nodes | `controller.tolerations` | List of node taints to tolerate | `nil` | -`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](values.yaml) -+`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/5.0.0/charts/core/values.yaml) ++`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree//charts/core/values.yaml) `controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` | `controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` | `controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | -@@ -100,7 +100,7 @@ - `controller.federation.mastersvc.ingress.host` | Must set this host value if ingress is enabled | `nil` | +@@ -111,7 +111,7 @@ + `controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | `controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) `controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. --`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](values.yaml) -+`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/5.0.0/charts/core/values.yaml) +-`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) ++`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree//charts/core/values.yaml) `controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | + `controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` | `controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` | - `controller.federation.managedsvc.route.host` | Set OpenShift route host for manageed service | `nil` | -@@ -110,13 +110,13 @@ - `controller.federation.managedsvc.ingress.host` | Must set this host value if ingress is enabled | `nil` | +@@ -127,14 +127,14 @@ + `controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | `controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) `controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. --`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](values.yaml) -+`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/5.0.0/charts/core/values.yaml) +-`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) ++`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree//charts/core/values.yaml) `controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed `controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`. `controller.ingress.host` | Must set this host value if ingress is enabled | `nil` | + `controller.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | `controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) `controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. --`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](values.yaml) -+`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/5.0.0/charts/core/values.yaml) +-`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) ++`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree//charts/core/values.yaml) `controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false` `controller.configmap.data` | NeuVector configuration in YAML format | `{}` `controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false` -@@ -126,7 +126,7 @@ +@@ -144,7 +144,7 @@ `enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | `enforcer.priorityClassName` | enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | `enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`
`key: node-role.kubernetes.io/master` | other taints can be added after the default -`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](values.yaml) -+`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/5.0.0/charts/core/values.yaml) ++`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree//charts/core/values.yaml) `manager.enabled` | If true, create manager | `true` | `manager.image.repository` | manager image repository | `neuvector/manager` | `manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | -@@ -134,7 +134,7 @@ +@@ -152,7 +152,7 @@ `manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` | `manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google `manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | -`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](values.yaml) -+`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/5.0.0/charts/core/values.yaml) - `manager.route.enabled` | If true, create a OpenShift route to expose the management consol service | `true` | - `manager.route.host` | Set OpenShift route host for management consol service | `nil` | - `manager.route.termination` | Specify TLS termination for OpenShift route for management consol service. Possible passthrough, edge, reencrypt | `passthrough` | -@@ -144,10 +144,10 @@ - `manager.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed ++`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree//charts/core/values.yaml) + `manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | + `manager.route.host` | Set OpenShift route host for management console service | `nil` | + `manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` | +@@ -167,10 +167,10 @@ `manager.ingress.host` | Must set this host value if ingress is enabled | `nil` | + `manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | `manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/` --`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `{}` | see examples in [values.yaml](values.yaml) -+`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/5.0.0/charts/core/values.yaml) +-`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) ++`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree//charts/core/values.yaml) `manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`. `manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) -`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](values.yaml) -+`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/5.0.0/charts/core/values.yaml) ++`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree//charts/core/values.yaml) `manager.affinity` | manager affinity rules | `{}` | `manager.tolerations` | List of node taints to tolerate | `nil` | `manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` | -@@ -165,7 +165,7 @@ +@@ -190,7 +190,7 @@ `cve.scanner.priorityClassName` | cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | `cve.scanner.replicas` | external scanner replicas | `3` | `cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` | -`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](values.yaml) | -+`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/blob/5.0.0/charts/core/values.yaml) | ++`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree//charts/core/values.yaml) | `cve.scanner.affinity` | scanner affinity rules | `{}` | `cve.scanner.tolerations` | List of node taints to tolerate | `nil` | `cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` | -@@ -195,5 +195,4 @@ +@@ -221,5 +221,4 @@ ``` --- diff --git a/packages/neuvector/package.yaml b/packages/neuvector/package.yaml index c28012363..95b5809d8 100644 --- a/packages/neuvector/package.yaml +++ b/packages/neuvector/package.yaml @@ -1,2 +1,2 @@ -url: https://neuvector.github.io/neuvector-helm/core-2.2.0.tgz +url: https://neuvector.github.io/neuvector-helm/core-2.2.2.tgz packageVersion: 00