diff --git a/packages/neuvector/generated-changes/exclude/templates/crd.yaml b/packages/neuvector/generated-changes/exclude/templates/crd.yaml
index 60640ce8d9..7ec09c616b 100644
--- a/packages/neuvector/generated-changes/exclude/templates/crd.yaml
+++ b/packages/neuvector/generated-changes/exclude/templates/crd.yaml
@@ -723,12 +723,6 @@ spec:
type: boolean
id:
type: integer
- rule_mode:
- enum:
- - ""
- - monitor
- - protect
- type: string
required:
- action
- criteria
@@ -842,4 +836,277 @@ spec:
type: {{ .Values.crdwebhook.type }}
selector:
app: neuvector-controller-pod
+---
+# ClusterRole for NeuVector to operate CRD
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-customresourcedefinition
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - update
+ - watch
+ - create
+ - get
+---
+# ClusterRoleBinding for NeuVector to operate CRD
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-customresourcedefinition
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-customresourcedefinition
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+---
+# ClusterRole for NeuVector to manager user-created network/process CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvsecurityrules
+ - nvclustersecurityrules
+ verbs:
+ - list
+ - delete
+---
+# ClusterRoleBinding for NeuVector to manager user-created network/process CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+---
+# ClusterRole for NeuVector to manager user-created dlp CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvdlpsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvdlpsecurityrules
+ verbs:
+ - list
+ - delete
+---
+# ClusterRole for NeuVector to manager user-created admission control CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvadmissioncontrolsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvadmissioncontrolsecurityrules
+ verbs:
+ - list
+ - delete
+---
+# ClusterRoleBinding for NeuVector to manager user-created admission control CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvdlpsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvdlpsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+---
+# ClusterRoleBinding for NeuVector to manager user-created admission control CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvadmissioncontrolsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvadmissioncontrolsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+---
+# ClusterRole for NeuVector to manager user-created waf CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvwafsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvwafsecurityrules
+ verbs:
+ - list
+ - delete
+---
+# ClusterRoleBinding for NeuVector to manager user-created waf CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvwafsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvwafsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
{{- end }}
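Review bot: The ClusterRoleBinding block whose metadata name is `neuvector-binding-nvdlpsecurityrules` is headed `# ClusterRoleBinding for NeuVector to manager user-created admission control CRD rules`, but it binds the dlp ClusterRole, so the header should read `# ClusterRoleBinding for NeuVector to manage user-created dlp CRD rules` (the other headers in this hunk also say "manager" where "manage" is meant). The same text is duplicated verbatim in the overlay/crds/crd.yaml section below, so the fix applies there too. Separately, the `neuvector-binding-customresourcedefinition` ClusterRole grants `update`, `create`, `watch` and `get` on every customresourcedefinitions object cluster-wide; if the controller only needs to maintain its own neuvector.com CRDs, the `get`/`update` part could be narrowed with `resourceNames` (create and watch cannot be name-scoped), or the reason for cluster-wide CRD write access should be recorded in the header comment. The `{{- if $oc3 }}` branches depend on `$oc3` being set before this hunk, and the trailing `{{- end }}` context line closes a conditional that opens outside it.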
diff --git a/packages/neuvector/generated-changes/overlay/crds/crd.yaml b/packages/neuvector/generated-changes/overlay/crds/crd.yaml
index 60640ce8d9..7ec09c616b 100644
--- a/packages/neuvector/generated-changes/overlay/crds/crd.yaml
+++ b/packages/neuvector/generated-changes/overlay/crds/crd.yaml
@@ -723,12 +723,6 @@ spec:
type: boolean
id:
type: integer
- rule_mode:
- enum:
- - ""
- - monitor
- - protect
- type: string
required:
- action
- criteria
@@ -842,4 +836,277 @@ spec:
type: {{ .Values.crdwebhook.type }}
selector:
app: neuvector-controller-pod
+---
+# ClusterRole for NeuVector to operate CRD
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-customresourcedefinition
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - update
+ - watch
+ - create
+ - get
+---
+# ClusterRoleBinding for NeuVector to operate CRD
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-customresourcedefinition
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-customresourcedefinition
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+---
+# ClusterRole for NeuVector to manager user-created network/process CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvsecurityrules
+ - nvclustersecurityrules
+ verbs:
+ - list
+ - delete
+---
+# ClusterRoleBinding for NeuVector to manager user-created network/process CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+---
+# ClusterRole for NeuVector to manager user-created dlp CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvdlpsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvdlpsecurityrules
+ verbs:
+ - list
+ - delete
+---
+# ClusterRole for NeuVector to manager user-created admission control CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvadmissioncontrolsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvadmissioncontrolsecurityrules
+ verbs:
+ - list
+ - delete
+---
+# ClusterRoleBinding for NeuVector to manager user-created admission control CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvdlpsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvdlpsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+---
+# ClusterRoleBinding for NeuVector to manager user-created admission control CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvadmissioncontrolsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvadmissioncontrolsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
+---
+# ClusterRole for NeuVector to manager user-created waf CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRole
+metadata:
+ name: neuvector-binding-nvwafsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups:
+ - neuvector.com
+ resources:
+ - nvwafsecurityrules
+ verbs:
+ - list
+ - delete
+---
+# ClusterRoleBinding for NeuVector to manager user-created waf CRD rules
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+ name: neuvector-binding-nvwafsecurityrules
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+{{- if not $oc3 }}
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+{{- end }}
+ name: neuvector-binding-nvwafsecurityrules
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
+{{- end }}
{{- end }}
diff --git a/packages/neuvector/generated-changes/patch/Chart.yaml.patch b/packages/neuvector/generated-changes/patch/Chart.yaml.patch
index e143272aa4..960e472b30 100644
--- a/packages/neuvector/generated-changes/patch/Chart.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/Chart.yaml.patch
@@ -5,7 +5,7 @@
+ catalog.cattle.io/auto-install: neuvector-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: NeuVector
-+ catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.28.0-0'
++ catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.27.0-0'
+ catalog.cattle.io/namespace: cattle-neuvector-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permit-os: linux
@@ -13,9 +13,9 @@
+ catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+ catalog.cattle.io/release-name: neuvector
+ catalog.cattle.io/type: cluster-tool
-+ catalog.cattle.io/upstream-version: 2.6.0
++ catalog.cattle.io/upstream-version: 2.4.5
apiVersion: v1
- appVersion: 5.2.0
+ appVersion: 5.1.3
-description: Helm chart for NeuVector's core services
+description: Helm feature chart for NeuVector's core services
home: https://neuvector.com
@@ -29,4 +29,4 @@
+name: neuvector
+sources:
+- https://github.com/neuvector/neuvector
- version: 2.6.0
+ version: 2.4.5
diff --git a/packages/neuvector/generated-changes/patch/README.md.patch b/packages/neuvector/generated-changes/patch/README.md.patch
index def16ee18c..35e302efac 100644
--- a/packages/neuvector/generated-changes/patch/README.md.patch
+++ b/packages/neuvector/generated-changes/patch/README.md.patch
@@ -1,29 +1,29 @@
--- charts-original/README.md
+++ charts/README.md
-@@ -31,7 +31,7 @@
+@@ -29,7 +29,7 @@
`controller.schedulerName` | kubernetes scheduler name | `nil` |
`controller.affinity` | controller affinity rules | ... | spread controllers to different nodes |
`controller.tolerations` | List of node taints to tolerate | `nil` |
-`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](values.yaml)
-+`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.0/charts/core/values.yaml)
++`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.5/charts/core/values.yaml)
`controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` |
`controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
-@@ -74,7 +74,7 @@
+@@ -72,7 +72,7 @@
`controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
`controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
-`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
-+`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.0/charts/core/values.yaml)
++`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.5/charts/core/values.yaml)
`controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
`controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` |
`controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` |
-@@ -90,14 +90,14 @@
+@@ -88,14 +88,14 @@
`controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
`controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
-`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
-+`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.0/charts/core/values.yaml)
++`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.5/charts/core/values.yaml)
`controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed
`controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`.
`controller.ingress.host` | Must set this host value if ingress is enabled | `nil` |
@@ -31,69 +31,47 @@
`controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
-`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
-+`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.0/charts/core/values.yaml)
++`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.5/charts/core/values.yaml)
`controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false`
`controller.configmap.data` | NeuVector configuration in YAML format | `{}`
`controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false`
-@@ -111,7 +111,7 @@
+@@ -109,7 +109,7 @@
`enforcer.podAnnotations` | Specify the pod annotations. | `{}` |
`enforcer.env` | User-defined environment variables for enforcers. | `[]` |
`enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`
`key: node-role.kubernetes.io/master` | other taints can be added after the default
-`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](values.yaml)
-+`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.0/charts/core/values.yaml)
++`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.5/charts/core/values.yaml)
`manager.enabled` | If true, create manager | `true` |
`manager.image.repository` | manager image repository | `neuvector/manager` |
`manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
-@@ -128,7 +128,7 @@
- ` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) |
+@@ -119,7 +119,7 @@
+ `manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` |
`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
-`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](values.yaml)
-+`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.0/charts/core/values.yaml)
++`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.5/charts/core/values.yaml)
`manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` |
`manager.route.host` | Set OpenShift route host for management console service | `nil` |
`manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` |
-@@ -143,10 +143,10 @@
+@@ -134,10 +134,10 @@
`manager.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
`manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`
-`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
-+`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.0/charts/core/values.yaml)
++`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.5/charts/core/values.yaml)
`manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`.
`manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
-`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](values.yaml)
-+`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.0/charts/core/values.yaml)
++`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.5/charts/core/values.yaml)
`manager.affinity` | manager affinity rules | `{}` |
`manager.tolerations` | List of node taints to tolerate | `nil` |
`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
-@@ -161,7 +161,7 @@
- `cve.adapter.env` | User-defined environment variables for adapter. | `[]` |
- `cve.adapter.svc.type` | set registry adapter service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
- `cve.adapter.svc.loadBalancerIP` | if registry adapter service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
--`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](values.yaml)
-+`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.0/charts/core/values.yaml)
- `cve.adapter.harbor.protocol` | Harbor registry request protocol [http|https] | `https` |
- `cve.adapter.harbor.secretName` | Harbor registry adapter's basic authentication secret | |
- `cve.adapter.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` |
-@@ -178,10 +178,10 @@
- `cve.adapter.ingress.host` | Must set this host value if ingress is enabled | `nil` |
- `cve.adapter.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
- `cve.adapter.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`
--`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
-+`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.0/charts/core/values.yaml)
- `cve.adapter.ingress.tls` | If true, TLS is enabled for registry adapter ingress service |`false` | If set, the tls-host used is the one set with `cve.adapter.ingress.host`.
- `cve.adapter.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
--`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](values.yaml)
-+`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.0/charts/core/values.yaml)
- `cve.adapter.affinity` | registry adapter affinity rules | `{}` |
- `cve.adapter.tolerations` | List of node taints to tolerate | `nil` |
- `cve.adapter.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
-@@ -209,7 +209,7 @@
+@@ -163,7 +163,7 @@
`cve.scanner.env` | User-defined environment variables for scanner. | `[]` |
`cve.scanner.replicas` | external scanner replicas | `3` |
`cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` |
-`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](values.yaml) |
-+`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.0/charts/core/values.yaml) |
++`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.4.5/charts/core/values.yaml) |
`cve.scanner.affinity` | scanner affinity rules | `{}` |
`cve.scanner.tolerations` | List of node taints to tolerate | `nil` |
`cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
diff --git a/packages/neuvector/generated-changes/patch/templates/controller-deployment.yaml.patch b/packages/neuvector/generated-changes/patch/templates/controller-deployment.yaml.patch
index 257b9de8a4..348f8b2394 100644
--- a/packages/neuvector/generated-changes/patch/templates/controller-deployment.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/templates/controller-deployment.yaml.patch
@@ -1,7 +1,7 @@
--- charts-original/templates/controller-deployment.yaml
+++ charts/templates/controller-deployment.yaml
-@@ -76,19 +76,7 @@
- {{- end }}
+@@ -71,19 +71,7 @@
+ serviceAccount: {{ .Values.serviceAccount }}
containers:
- name: neuvector-controller-pod
- {{- if eq .Values.registry "registry.neuvector.com" }}
diff --git a/packages/neuvector/generated-changes/patch/templates/enforcer-daemonset.yaml.patch b/packages/neuvector/generated-changes/patch/templates/enforcer-daemonset.yaml.patch
index 05c67ae9f4..6480b0df99 100644
--- a/packages/neuvector/generated-changes/patch/templates/enforcer-daemonset.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/templates/enforcer-daemonset.yaml.patch
@@ -1,7 +1,7 @@
--- charts-original/templates/enforcer-daemonset.yaml
+++ charts/templates/enforcer-daemonset.yaml
-@@ -51,19 +51,7 @@
- {{- end }}
+@@ -46,19 +46,7 @@
+ serviceAccount: {{ .Values.serviceAccount }}
containers:
- name: neuvector-enforcer-pod
- {{- if eq .Values.registry "registry.neuvector.com" }}
diff --git a/packages/neuvector/generated-changes/patch/templates/manager-deployment.yaml.patch b/packages/neuvector/generated-changes/patch/templates/manager-deployment.yaml.patch
index 43da933ada..2ffac79329 100644
--- a/packages/neuvector/generated-changes/patch/templates/manager-deployment.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/templates/manager-deployment.yaml.patch
@@ -1,6 +1,6 @@
--- charts-original/templates/manager-deployment.yaml
+++ charts/templates/manager-deployment.yaml
-@@ -62,19 +62,7 @@
+@@ -57,19 +57,7 @@
{{- end }}
containers:
- name: neuvector-manager-pod
diff --git a/packages/neuvector/generated-changes/patch/templates/psp.yaml.patch b/packages/neuvector/generated-changes/patch/templates/psp.yaml.patch
index 1418020e42..4043301691 100644
--- a/packages/neuvector/generated-changes/patch/templates/psp.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/templates/psp.yaml.patch
@@ -1,8 +1,8 @@
--- charts-original/templates/psp.yaml
+++ charts/templates/psp.yaml
@@ -1,4 +1,4 @@
--{{- if and .Values.psp (semverCompare "<1.25-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
-+{{- if and .Values.global.cattle.psp.enabled (semverCompare "<1.25-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
+-{{- if .Values.psp -}}
++{{- if .Values.global.cattle.psp.enabled -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
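Review bot: The replacement condition on the new side, `{{- if .Values.global.cattle.psp.enabled -}}`, drops the Kubernetes version guard that the previous version of this patch carried, so with `global.cattle.psp.enabled` set on a 1.25+ cluster the template still renders a `policy/v1beta1` PodSecurityPolicy, an API that 1.25+ API servers no longer serve, and the install would fail rather than skip the resource. Since the patch already rewrites this exact line it can carry the guard regardless of what upstream 2.4.5 ships: `{{- if and .Values.global.cattle.psp.enabled (semverCompare "<1.25-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}`. The remainder of the psp.yaml template, including the matching `end`, is outside this hunk.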
diff --git a/packages/neuvector/generated-changes/patch/templates/scanner-deployment.yaml.patch b/packages/neuvector/generated-changes/patch/templates/scanner-deployment.yaml.patch
index c64f428277..f54ff16ebd 100644
--- a/packages/neuvector/generated-changes/patch/templates/scanner-deployment.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/templates/scanner-deployment.yaml.patch
@@ -1,6 +1,6 @@
--- charts-original/templates/scanner-deployment.yaml
+++ charts/templates/scanner-deployment.yaml
-@@ -63,21 +63,7 @@
+@@ -58,19 +58,7 @@
{{- end }}
containers:
- name: neuvector-scanner-pod
@@ -13,8 +13,6 @@
- {{- else }}
- {{- if .Values.cve.scanner.image.hash }}
- image: "{{ .Values.registry }}/{{ .Values.cve.scanner.image.repository }}@{{ .Values.cve.scanner.image.hash }}"
-- {{- else if .Values.cve.scanner.image.registry }}
-- image: "{{ .Values.cve.scanner.image.registry }}/{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}"
- {{- else }}
- image: "{{ .Values.registry }}/{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}"
- {{- end }}
diff --git a/packages/neuvector/generated-changes/patch/templates/updater-cronjob.yaml.patch b/packages/neuvector/generated-changes/patch/templates/updater-cronjob.yaml.patch
index ecac7a5600..2dc31e4d84 100644
--- a/packages/neuvector/generated-changes/patch/templates/updater-cronjob.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/templates/updater-cronjob.yaml.patch
@@ -1,6 +1,6 @@
--- charts-original/templates/updater-cronjob.yaml
+++ charts/templates/updater-cronjob.yaml
-@@ -55,21 +55,7 @@
+@@ -50,19 +50,7 @@
{{- end }}
containers:
- name: neuvector-updater-pod
@@ -13,8 +13,6 @@
- {{- else }}
- {{- if .Values.cve.updater.image.hash }}
- image: "{{ .Values.registry }}/{{ .Values.cve.updater.image.repository }}@{{ .Values.cve.updater.image.hash }}"
-- {{- else if .Values.cve.updater.image.registry }}
-- image: "{{ .Values.cve.updater.image.registry }}/{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }}"
- {{- else }}
- image: "{{ .Values.registry }}/{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }}"
- {{- end }}
diff --git a/packages/neuvector/generated-changes/patch/values.yaml.patch b/packages/neuvector/generated-changes/patch/values.yaml.patch
index ef9e03702b..6989f032c4 100644
--- a/packages/neuvector/generated-changes/patch/values.yaml.patch
+++ b/packages/neuvector/generated-changes/patch/values.yaml.patch
@@ -13,68 +13,68 @@
openshift: false
registry: docker.io
--tag: 5.2.0
+-tag: 5.1.3
oem:
-imagePullSecrets:
-psp: false
- rbac: true # required for rancher authentication
+ rbac: true
-serviceAccount: default
+serviceAccount: neuvector
- leastPrivilege: false
- global: # required for rancher authentication (https:///)
- cattle:
-@@ -31,7 +34,8 @@
+
+ internal: # enable when cert-manager is installed for the internal certificates
+ certmanager:
+@@ -27,7 +30,8 @@
maxSurge: 1
maxUnavailable: 0
image:
- repository: neuvector/controller
+ repository: rancher/mirrored-neuvector-controller
-+ tag: 5.2.0
++ tag: 5.1.3
hash:
replicas: 3
disruptionbudget: 0
-@@ -79,7 +83,7 @@
+@@ -75,7 +79,7 @@
# -----BEGIN PRIVATE KEY-----
# -----END PRIVATE KEY-----
- ranchersso: # required for rancher authentication
+ ranchersso:
- enabled: false
+ enabled: true
pvc:
enabled: false
existingClaim: false
-@@ -227,7 +231,8 @@
+@@ -223,7 +227,8 @@
# If false, enforcer will not be installed
enabled: true
image:
- repository: neuvector/enforcer
+ repository: rancher/mirrored-neuvector-enforcer
-+ tag: 5.2.0
++ tag: 5.1.3
hash:
updateStrategy:
type: RollingUpdate
-@@ -258,7 +263,8 @@
+@@ -254,7 +259,8 @@
# If false, manager will not be installed
enabled: true
image:
- repository: neuvector/manager
+ repository: rancher/mirrored-neuvector-manager
-+ tag: 5.2.0
++ tag: 5.1.3
hash:
priorityClassName:
env:
-@@ -410,7 +416,7 @@
+@@ -325,7 +331,7 @@
+ enabled: true
secure: false
image:
- registry: ""
- repository: neuvector/updater
+ repository: rancher/mirrored-neuvector-updater
tag: latest
hash:
schedule: "0 0 * * *"
-@@ -432,7 +438,7 @@
+@@ -346,7 +352,7 @@
+ maxSurge: 1
maxUnavailable: 0
image:
- registry: ""
- repository: neuvector/scanner
+ repository: rancher/mirrored-neuvector-scanner
tag: latest
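Review bot: The new default `serviceAccount: neuvector` introduced by the `+serviceAccount: neuvector` line is documented inconsistently elsewhere in this commit: crd-template/values.yaml sets the same `serviceAccount: neuvector`, while the README row added to crd-template in the same commit lists the default as `default`, so that row's Default cell should read `neuvector`. Separately, the four `tag: 5.1.3` pins in this hunk sit next to `hash:` keys that are left empty, so the controller, enforcer and manager images are still resolved by mutable tag rather than digest; if a reproducible rollback to 5.1.3 is the intent, populating `hash:` for the mirrored images (values not present on this page) would make that explicit, though this is pre-existing behaviour the commit does not change.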
diff --git a/packages/neuvector/package.yaml b/packages/neuvector/package.yaml
index 685ba39e09..4180c03705 100644
--- a/packages/neuvector/package.yaml
+++ b/packages/neuvector/package.yaml
@@ -1,5 +1,5 @@
-url: https://neuvector.github.io/neuvector-helm/core-2.6.0.tgz
-version: 102.0.3
+url: https://neuvector.github.io/neuvector-helm/core-2.4.5.tgz
+version: 102.0.2
additionalCharts:
- workingDir: charts-crd
crdOptions:
diff --git a/packages/neuvector/templates/crd-template/Chart.yaml b/packages/neuvector/templates/crd-template/Chart.yaml
index 90bc60acef..7aaee8abac 100644
--- a/packages/neuvector/templates/crd-template/Chart.yaml
+++ b/packages/neuvector/templates/crd-template/Chart.yaml
@@ -4,7 +4,7 @@ annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: true
apiVersion: v1
-appVersion: 5.2.0
+appVersion: 5.1.3
description: Helm chart for NeuVector's CRD services
home: https://neuvector.com
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
@@ -12,5 +12,5 @@ maintainers:
- email: support@neuvector.com
name: becitsthere
name: neuvector-crd
-version: 2.6.0
+version: 2.4.5
type: application
diff --git a/packages/neuvector/templates/crd-template/README.md b/packages/neuvector/templates/crd-template/README.md
index a5379e6ba6..915104e140 100755
--- a/packages/neuvector/templates/crd-template/README.md
+++ b/packages/neuvector/templates/crd-template/README.md
@@ -11,4 +11,5 @@ The following table lists the configurable parameters of the NeuVector chart and
Parameter | Description | Default | Notes
--------- | ----------- | ------- | -----
`openshift` | If deploying in OpenShift, set this to true | `false` |
+`serviceAccount` | Service account name for NeuVector components | `default` |
`crdwebhook.type` | crd webhook type | `ClusterIP` |
diff --git a/packages/neuvector/templates/crd-template/values.yaml b/packages/neuvector/templates/crd-template/values.yaml
index e899decf01..a7bc9a9089 100755
--- a/packages/neuvector/templates/crd-template/values.yaml
+++ b/packages/neuvector/templates/crd-template/values.yaml
@@ -4,6 +4,8 @@
openshift: false
+serviceAccount: neuvector
+
crdwebhook:
type: ClusterIP
enabled: true