robot: project neuvector chart upgrades from 2.4.2 to 2.8.3

Signed-off-by: robot <[email protected]>
DaoCloud · Nov 23, 2024 · fe117fd · fe117fd
1 parent 85a380b
commit fe117fd
Show file tree

Hide file tree

Showing 56 changed files with 5,673 additions and 512 deletions.
diff --git a/charts/neuvector/config b/charts/neuvector/config
@@ -4,7 +4,7 @@ export USE_OPENSOURCE_CHART=false
 export REPO_URL=https://neuvector.github.io/neuvector-helm
 export REPO_NAME=neuvector
 export CHART_NAME=core
-export VERSION=2.4.2
+export VERSION=2.8.3
 
 # pr, issue, none
 export UPGRADE_METHOD=pr

diff --git a/charts/neuvector/neuvector/Chart.yaml b/charts/neuvector/neuvector/Chart.yaml
@@ -1,17 +1,19 @@
 apiVersion: v1
-appVersion: 5.1.1
+appVersion: 5.4.1
 description: Helm chart for NeuVector's core services
-engine: gotpl
 home: https://neuvector.com
 icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
 maintainers:
   - email: [email protected]
     name: becitsthere
 name: neuvector
-version: 2.4.2
+sources:
+  - https://github.com/neuvector/neuvector
+  - https://github.com/neuvector/neuvector-helm
+version: 2.8.3
 dependencies:
   - name: core
-    version: "2.4.2"
+    version: "2.8.3"
     repository: "https://neuvector.github.io/neuvector-helm"
 keywords:
   - monitoring

diff --git a/charts/neuvector/neuvector/README.md b/charts/neuvector/neuvector/README.md
diff --git a/charts/neuvector/neuvector/charts/core/Chart.yaml b/charts/neuvector/neuvector/charts/core/Chart.yaml
@@ -1,11 +1,13 @@
 apiVersion: v1
-appVersion: 5.1.1
+appVersion: 5.4.1
 description: Helm chart for NeuVector's core services
-engine: gotpl
 home: https://neuvector.com
 icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
 maintainers:
 - email: [email protected]
   name: becitsthere
 name: core
-version: 2.4.2
+sources:
+- https://github.com/neuvector/neuvector
+- https://github.com/neuvector/neuvector-helm
+version: 2.8.3
diff --git a/charts/neuvector/neuvector/charts/core/README.md b/charts/neuvector/neuvector/charts/core/README.md
diff --git a/charts/neuvector/neuvector/charts/core/templates/NOTES.txt b/charts/neuvector/neuvector/charts/core/templates/NOTES.txt
@@ -1,6 +1,9 @@
 {{- if and .Values.manager.enabled .Values.manager.ingress.enabled }}
 From outside the cluster, the NeuVector URL is:
 http://{{ .Values.manager.ingress.host }}
+{{- else if and .Values.manager.enabled .Values.manager.ingress.enabled .Values.manager.ingress.tls}}
+From outside the cluster, the NeuVector URL is:
+https://{{ .Values.manager.ingress.host }}
 {{- else if not .Values.openshift }}
 Get the NeuVector URL by running these commands:
 {{- if contains "NodePort" .Values.manager.svc.type }}
@@ -17,4 +20,15 @@ Get the NeuVector URL by running these commands:
   SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} neuvector-service-webui -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
   echo https://$SERVICE_IP:8443
 {{- end }}
-{{- end }}
+{{- end }}
+
+
+{{- if or (.Values.global.aws.enabled) (.Values.bootstrapPassword) }}
+
+NOTE: Use below command to get the password to login to NeuVector WebUi using admin account if it is a fresh install and not a restore from PVC, no admin password is set in the configmap or secret. The password is randomly generated during the deployment if AWS cloud billing is enabled.
+
+To get the bootstrap password:
+
+kubectl get secret --namespace {{ .Release.Namespace }} neuvector-bootstrap-secret -o go-template='{{ "{{" }}.data.bootstrapPassword|base64decode{{ "}}" }}{{ "{{" }} "\n" {{ "}}" }}'
+
+{{- end }}
diff --git a/charts/neuvector/neuvector/charts/core/templates/_helpers.tpl b/charts/neuvector/neuvector/charts/core/templates/_helpers.tpl
@@ -30,3 +30,39 @@ Create chart name and version as used by the chart label.
 {{- define "neuvector.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Lookup secret.
+*/}}
+{{- define "neuvector.secrets.lookup" -}}
+{{- $value := "" -}}
+{{- $secretData := (lookup "v1" "Secret" .namespace .secret).data  -}}
+{{- if and $secretData (hasKey $secretData .key) -}}
+  {{- $value = index $secretData .key -}}
+{{- else if .defaultValue -}}
+  {{- $value = .defaultValue | toString | b64enc -}}
+{{- end -}}
+{{- if $value -}}
+{{- printf "%s" $value -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "neuvector.controller.image" -}}
+{{- if .Values.global.azure.enabled }}
+  {{- printf "%s/%s:%s" .Values.global.azure.images.controller.registry .Values.global.azure.images.controller.image .Values.global.azure.images.controller.tag }}
+{{- else }}
+  {{- if eq .Values.registry "registry.neuvector.com" }}
+    {{- if .Values.oem }}
+      {{- printf "%s/%s/controller:%s" .Values.registry .Values.oem .Values.tag }}
+    {{- else }}
+      {{- printf "%s/controller:%s" .Values.registry .Values.tag }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.controller.image.hash }}
+      {{- printf "%s/%s@%s" .Values.registry .Values.controller.image.repository .Values.controller.image.hash }}
+    {{- else }}
+      {{- printf "%s/%s:%s" .Values.registry .Values.controller.image.repository .Values.tag }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/neuvector/neuvector/charts/core/templates/admission-webhook-service.yaml b/charts/neuvector/neuvector/charts/core/templates/admission-webhook-service.yaml
@@ -6,7 +6,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
 spec:
   ports:
     - port: 443

diff --git a/charts/neuvector/neuvector/charts/core/templates/bootstrap-secret.yaml b/charts/neuvector/neuvector/charts/core/templates/bootstrap-secret.yaml
@@ -0,0 +1,19 @@
+{{/* Use the bootstrap password from values.yaml or random value*/}}
+{{- $bootstrapPassword := .Values.bootstrapPassword -}}
+{{- if and .Values.global.aws.enabled (not .Values.bootstrapPassword) -}}
+    {{- $bootstrapPassword = randAlphaNum 18 -}}
+{{- end -}}
+{{/* If a bootstrap password was found in the values or AWS is enabled */}}
+{{- if $bootstrapPassword }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "neuvector-bootstrap-secret"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+type: Opaque
+data:
+  bootstrapPassword: {{ $bootstrapPassword | b64enc |quote }}
+{{- end }}
diff --git a/charts/neuvector/neuvector/charts/core/templates/cert-manager-secret.yaml b/charts/neuvector/neuvector/charts/core/templates/cert-manager-secret.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.internal.certmanager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Values.internal.certmanager.secretname }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.internal.certmanager.secretname }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  duration: 17520h # 2 years
+  subject:
+    organizations:
+      - NeuVector
+  isCA: true
+  commonName: neuvector.internal
+  dnsNames:
+  - neuvector.internal
+  - NeuVector
+  secretName: {{ .Values.internal.certmanager.secretname }}
+  usages:
+  - digital signature
+  - key encipherment
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: {{ .Values.internal.certmanager.secretname }}
+{{- end }}
diff --git a/charts/neuvector/neuvector/charts/core/templates/clusterrole.yaml b/charts/neuvector/neuvector/charts/core/templates/clusterrole.yaml
@@ -14,7 +14,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
 rules:
 - apiGroups:
   - ""
@@ -44,7 +43,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
 rules:
 {{- if .Values.openshift }}
 - apiGroups:
@@ -83,7 +81,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
 rules:
 - apiGroups:
   - admissionregistration.k8s.io
@@ -108,7 +105,6 @@ metadata:
   labels:
     chart: {{ template "neuvector.chart" . }}
     release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
 rules:
 - apiGroups:
   - config.openshift.io

diff --git a/charts/neuvector/neuvector/charts/core/templates/clusterrolebinding-least.yaml b/charts/neuvector/neuvector/charts/core/templates/clusterrolebinding-least.yaml
@@ -0,0 +1,145 @@
+{{- if and .Values.rbac .Values.leastPrivilege -}}
+{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+  name: neuvector-binding-app
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+roleRef:
+{{- if not $oc3 }}
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+{{- end }}
+  name: neuvector-binding-app
+subjects:
+- kind: ServiceAccount
+  name: controller
+  namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:controller
+{{- end }}
+
+---
+
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+  name: neuvector-binding-rbac
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+roleRef:
+{{- if not $oc3 }}
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+{{- end }}
+  name: neuvector-binding-rbac
+subjects:
+- kind: ServiceAccount
+  name: controller
+  namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:controller
+{{- end }}
+
+---
+
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+  name: neuvector-binding-admission
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+roleRef:
+{{- if not $oc3 }}
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+{{- end }}
+  name: neuvector-binding-admission
+subjects:
+- kind: ServiceAccount
+  name: controller
+  namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:controller
+{{- end }}
+
+---
+
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+  name: neuvector-binding-view
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+roleRef:
+{{- if not $oc3 }}
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+{{- end }}
+  name: view
+subjects:
+- kind: ServiceAccount
+  name: controller
+  namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:controller
+{{- end }}
+
+---
+
+{{- if $oc4 }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: neuvector-binding-co
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: neuvector-binding-co
+subjects:
+- kind: ServiceAccount
+  name: controller
+  namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+  name: enforcer
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}