From d29d6d0cc5fddac1b0afc46893cdcd5e5c48e5f4 Mon Sep 17 00:00:00 2001
From: selvamt94
Date: Thu, 12 Oct 2023 15:37:33 -0700
Subject: [PATCH 01/11] Add NeuVector Monitor chart version 2.6.4

---
 .../generated-changes/patch/Chart.yaml.patch | 8 ++++----
 .../generated-changes/patch/README.md.patch | 4 ++--
 .../generated-changes/patch/values.yaml.patch | 2 +-
 packages/neuvector-monitor/package.yaml | 4 ++--
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/packages/neuvector-monitor/generated-changes/patch/Chart.yaml.patch b/packages/neuvector-monitor/generated-changes/patch/Chart.yaml.patch
index 1069a89dd4..70a183fc09 100644
--- a/packages/neuvector-monitor/generated-changes/patch/Chart.yaml.patch
+++ b/packages/neuvector-monitor/generated-changes/patch/Chart.yaml.patch
@@ -4,7 +4,7 @@
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: NeuVector Monitor
-+ catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.28.0-0'
++ catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0'
+ catalog.cattle.io/namespace: cattle-neuvector-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permit-os: linux
@@ -12,9 +12,9 @@
+ catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+ catalog.cattle.io/release-name: neuvector-monitor
+ catalog.cattle.io/type: cluster-tool
-+ catalog.cattle.io/upstream-version: 2.6.2
++ catalog.cattle.io/upstream-version: 2.6.4
apiVersion: v1
- appVersion: 5.2.1
+ appVersion: 5.2.2-s1
-description: Helm chart for NeuVector monitor services
+description: Helm feature chart for NeuVector monitor services
home: https://neuvector.com
@@ -28,4 +28,4 @@
+name: neuvector-monitor
+sources:
+- https://github.com/neuvector/neuvector
- version: 2.6.2
+ version: 2.6.4
diff --git a/packages/neuvector-monitor/generated-changes/patch/README.md.patch b/packages/neuvector-monitor/generated-changes/patch/README.md.patch
index 2e665118f5..27338cc21c 100644
--- a/packages/neuvector-monitor/generated-changes/patch/README.md.patch
+++ b/packages/neuvector-monitor/generated-changes/patch/README.md.patch
@@ -1,7 +1,7 @@
--- charts-original/README.md
+++ charts/README.md
-@@ -19,5 +19,4 @@
- `exporter.CTRL_PASSWORD` | Passowrd to login to the controller. | `admin` |
+@@ -18,5 +18,4 @@
+ `exporter.CTRL_PASSWORD` | Password to login to the controller. | `admin` |
---
-Contact for access to Docker Hub and docs.
diff --git a/packages/neuvector-monitor/generated-changes/patch/values.yaml.patch b/packages/neuvector-monitor/generated-changes/patch/values.yaml.patch
index 8b867eeea3..4d8a2ea43f 100644
--- a/packages/neuvector-monitor/generated-changes/patch/values.yaml.patch
+++ b/packages/neuvector-monitor/generated-changes/patch/values.yaml.patch
@@ -18,7 +18,7 @@
- repository: neuvector/prometheus-exporter
- tag: latest
+ repository: rancher/mirrored-neuvector-prometheus-exporter
-+ tag: 5.2.1
++ tag: 5.2.2
# changes this to a readonly user !
CTRL_USERNAME: admin
CTRL_PASSWORD: admin
diff --git a/packages/neuvector-monitor/package.yaml b/packages/neuvector-monitor/package.yaml
index 5a69c422be..39672f9232 100644
--- a/packages/neuvector-monitor/package.yaml
+++ b/packages/neuvector-monitor/package.yaml
@@ -1,2 +1,2 @@
-url: https://neuvector.github.io/neuvector-helm/monitor-2.6.2.tgz
-version: 102.0.4
+url: https://neuvector.github.io/neuvector-helm/monitor-2.6.4.tgz
+version: 102.0.5
From a7cb69299d116e8b2c0affdb6f2dd9f6137b1c6f Mon Sep 17 00:00:00 2001
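Review bot: The new `++ tag: 5.2.2` line in the values.yaml.patch hunk pins `rancher/mirrored-neuvector-prometheus-exporter` by a mutable tag only, so the image a given chart release actually runs can change underneath it; for a chart that ships a controller-credentialed exporter, a digest pin (a `repository@sha256:…` reference, if the exporter deployment template — not in view here — builds the image string in a way that allows it) is the check a reviewer would want, unless the Rancher image-mirroring pipeline requires tag-only references. The exporter tag `5.2.2` also no longer matches the `appVersion: 5.2.2-s1` set in the Chart.yaml.patch hunk above; presumably the exporter has no `-s1` respin, but that should be confirmed so the two do not drift silently on later bumps. The surrounding context lines show the chart still ships `CTRL_USERNAME: admin` / `CTRL_PASSWORD: admin` as the exporter's controller login defaults; that is not introduced here, but the existing comment could be made unambiguous, e.g. `# Replace admin/admin with a dedicated read-only NeuVector user before installing; these defaults must not reach production`. The enclosing `exporter:` mapping starts outside the hunk.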
From: selvamt94
Date: Thu, 12 Oct 2023 15:37:42 -0700
Subject: [PATCH 02/11] make chart

---
 .../neuvector-monitor-102.0.5+up2.6.4.tgz | Bin 0 -> 7803 bytes
 .../102.0.5+up2.6.4/Chart.yaml | 26 +
 .../102.0.5+up2.6.4/README.md | 21 +
 .../102.0.5+up2.6.4/app-readme.md | 5 +
 .../dashboards/nv_dashboard.json | 1828 +++++++++++++++++
 .../102.0.5+up2.6.4/questions.yaml | 27 +
 .../102.0.5+up2.6.4/templates/_helpers.tpl | 40 +
 .../102.0.5+up2.6.4/templates/dashboard.yaml | 15 +
 .../templates/exporter-deployment.yaml | 56 +
 .../templates/exporter-service.yaml | 28 +
 .../templates/exporter-servicemonitor.yaml | 39 +
 .../102.0.5+up2.6.4/templates/secret.yaml | 15 +
 .../102.0.5+up2.6.4/values.yaml | 51 +
 index.yaml | 30 +
 14 files changed, 2181 insertions(+)
 create mode 100644 assets/neuvector-monitor/neuvector-monitor-102.0.5+up2.6.4.tgz
 create mode 100644 charts/neuvector-monitor/102.0.5+up2.6.4/Chart.yaml
 create mode 100644 charts/neuvector-monitor/102.0.5+up2.6.4/README.md
 create mode 100644 charts/neuvector-monitor/102.0.5+up2.6.4/app-readme.md
 create mode 100644 charts/neuvector-monitor/102.0.5+up2.6.4/dashboards/nv_dashboard.json
 create mode 100644 charts/neuvector-monitor/102.0.5+up2.6.4/questions.yaml
 create mode 100644 charts/neuvector-monitor/102.0.5+up2.6.4/templates/_helpers.tpl
 create mode 100644 charts/neuvector-monitor/102.0.5+up2.6.4/templates/dashboard.yaml
 create mode 100644 charts/neuvector-monitor/102.0.5+up2.6.4/templates/exporter-deployment.yaml
 create mode 100644 charts/neuvector-monitor/102.0.5+up2.6.4/templates/exporter-service.yaml
 create mode 100644 charts/neuvector-monitor/102.0.5+up2.6.4/templates/exporter-servicemonitor.yaml
 create mode 100644 charts/neuvector-monitor/102.0.5+up2.6.4/templates/secret.yaml
 create mode 100644 charts/neuvector-monitor/102.0.5+up2.6.4/values.yaml
diff --git a/assets/neuvector-monitor/neuvector-monitor-102.0.5+up2.6.4.tgz b/assets/neuvector-monitor/neuvector-monitor-102.0.5+up2.6.4.tgz new file mode 100644 index 0000000000000000000000000000000000000000..52e2ad7f4f862398da86aecd79fb32d7d2da91b5 GIT binary patch literal 7803 zcmV->9)#f^iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKDFbKADoXny8jfsgL}nta!iC0UXaO?%&SY`4w3Sv&JGp{k+*~w9pTz-R!)OAHT0`DM#TUc3^)8K8(1@15s3ib9E@O(4^EFuQTkiJd z4yZn3m^G*hzNCKo$x6`OZgrZiX78U-s1biB{9l&;Q|v{+zor6MApbi%{hfmR@3p(# zwfw)0X9MlS2uGekdfgT4rtDyCppyyVh;W3_hut@?8zahmECje{L_Clc_QCNm12n~q z;GqW`35te*Ld-e1hy;QnF##mN4?Qe^H!W-I(INJX#t|OKPY7wzZ2&rgG2w#E2FSK8 zizVM&>U;*)B-End5777DTT(=dLq?{=gE0)y2zwkX3(h5P1CxDkpjRXPeiOy-(HZeP z6i^|7B>@-M^T4$bfCk^!2<@F5y*~Z*_~7X6?wf-F!mdw( z`1RrL@$ql(j`ri%7D6~A$5SUOsrb}sNSVo~=K*WrkPOzQi659QjJ&UcS!S5a`RLdMBr6h69N>M-Cqs&vTfl*)ANeX{XV^B{ zKu1~~r|&lr86ogPG1CabL+~^bBz862#ssPzWWzL5tS1@eIM=RO>{++TAboDbs>Rtr z#}31xq}56KA}#HQ-%Fri@N8UexcZKOSIrhoLua2ySRVX4Wg z-VHrE+>*w?);@J29|Db=EgX`j?`|*+t)rk-L;BfSkYLOQ==YBXm?h?B<`GZsu4cgs z@F()Wtp5`+y>&VPF9gP$BD|IOjL=*;VtsHaca^cT-@DxPUICG722j-&P-qe;kcQ#{dgJI2mIU zdEN~D6=6@gu#!C$>`m)8(7mhrLXIKlA^Fw85eLMn59r^CuF*3d5%64&q_N`>pGYG} z**1iur^A`T#{S!5S(gN3#6xhNHLX`8#4>6FNnMOdz>TY<-VvdVks&CNim)`dB=82> zImnf@@(3oQ1fOwXg44K8ZH1+f?(wvz@6-eaKQ6zn88{PM=w6yezv{*bthu)<0~j(A zh!L{?!5jbJcA+;t?kbd4_c=#_nWdF1V_ZJDtZI1;t>{`xFwb3LRnM-SP!`|%vvJtb zg|t^a>;SU=X(Rj8UX`a(XtZg5Y8Lr4HpeTeP8;`esG-uRub9l1eWea^Yi-Y8ue%nu z_wbpg|J~R=zGg6Bf&OppbUQ`;-|M&6`u{eb0_(=!YP0AfHI3tfE-#A_!p|gd2S^*i zZ*XY&Ah3%C9wdRZVA?SKH4>V#a^BUKFH3-s)JGSow#kZfU3e*-9OEx3XvC)rHU57_sXZ+d|O61Wfu)Xj*b%S$W4(=>&y`6ri{y|5%wej*<5 z=FcFIomAjkrRq|$$0MNp5cAi69{tgY%h3{uT#^fyO)u94~SKJyq5l z`mT9mCeeI}IUHg!LAI%{1cv<#HPHp)6WrMVpLC*Ep(FDd5g;Yjx?(BG8qQ`&WAhxk^ZHJXM>3dN(5vNZRkg|37?p zbaHTXD*sh?T99}O$e$SXi-2ljbp)e9p`WFdSwnYWnlq4Qg(%=^X{+q^o~7)+cmw8& zZs4N)pYBe#X#cgl>-?Wvd5mVlfm?3_mP`25skIOjSYbq(?xNE@3I)j_;sFD9(gYVehkQqqpg`6`J=vjPE>2S{n5KWAD?!q2K8 
zXV-+8tpM#K)8bcu=IQ@T1n*j7EZqMqo&VTrw|i^-e;d!L@&Al!SK*E;g#FV<$^DQ1 zYj^5hi2sTp*{mz1 zgQo9(H5ywK|0(DHcRSlVYyQ8DXCre?M;+u*8AO()K35#(`JQKN{^UeY)3P=;ObS56 zls#=(Clf#;>Us1`Ruxj7Adhgtb@EeOS-uW2!#)ULJkBaiq0&H@%tOMGoquyq#j+0L z#^?g=rw5bNH(m7ty`=)U)rcQ-ff|j9Z}BJVQygUfBpau&#Jege*&et+pQ<-PKA{Wi z69xGny*qf5PXfF^p912kD*4SIS$miB$cN)^a7teofw_9uZe;d!n#s)fyg2oB)6?+PB zl<@qGhzX4Z+M~YYD#F3CQaR{?N2XF*W8_dj^gsY&QP2>wm-x&j;?#>&XDT+6%Fd8c z2RPpv5f99nFBO|LL#vG0$P0ksA@Nj44h{mTL>%f5NdT_yQIff07%5}WYdiynb~59P z2!k{1dChoYh(o}MAX7lnmeajtrjRyG<{)j%5oLaJWtE5ywY>N7XFxn+fQ}B1Ptfk+ zt3*7Hj7rgbDkW@2FcTgh7HZz0k6Pycd1+=>8)Gj2w>zC)ui*c6THW^g{O7GaUo3>| zOcc}}pfAcbvZbkJ576&%@FWSz*u#i;;#FV|P+J^hEDo0CDMtq2e}%X+46|E zve+a~rn~i*ncg)k*!qBC=KX}Y6>o_{gFWg|Ci`XMA%5E0M4fhf6LosMP1Jst0l-$L zCkDvg%>;-48|`|)1kcvfyGq5$se>RA6|GioQYw168_aBT)Gt>k@K|E{_m7*^crrX! zjf&c8+Nb?!nd&yUL=>=Qj|g|L_W>|F7MO`QG!PSefE4U<1;WV*rJf*R^3o&0=M-35 z3jVkBEITbb!~u9bA(j|FbtEyLAZo}V!GJwx#66@u-{nLtL8cc8;dbWxc|0NWT`o+k z)VCUX`+4%6hIy_~FU<`E638E1GDTd>JoxbsTfn(!V2_N0fdhd6_J{qiKLUj0-+%p{ zYR}hnOg}y?Tye0%4F}JD7&6sy{QvjdDZsRA8bZ);sl)T0N!orZ?m!x}936Yu`7Axa zAOJ7zCceNz!p56iR#LEG=1j;G_|{%)yZ=-F|LyLEKNe4E7RU{zGver@S@OhjBNXo%T`LzB_<5`gnBN| zraoO3;#Zs5b8M zTC`5~dX&8}Yozg)fkP>ysXC?kJMe;`ZMHUl?u z;9Vt0*berbGHKX8;J~h>MSZ4Jj+i%!ba>0oUKCJVS;IVEitlnWTwP)+GbcZf+%#(q zy+xuB%@v2JMB8w#V*IRR->I@tu~slW<&p1WHamr2M41CDKcuZMEKy>S_;AXB5hzqq z5jCaIOXI{_x#b0lOMb#qtK^MgN$fC&!2Ky1{L2@O*vrd&Hw;Fv6h<-vFlPRbWi@tS zCW(&pc?7gaqd=6k7#H|k&|)q)#K+3^++M4bbR|TPwP2DY}rlkJ^*lC)|-t4K6yQ?j!c&LhOMM&~QA=IdSR<#EH0|ez_xjPWYY* zsDt|-V6{!h7 z8ha!tsh$z>ymujXh?rG0A2aMq`BfwQRGkTN;U`vssf1XoF(ip2+1#lvpOU{zG76QI zwwl;0xgsI;5>YE(VpfD!zWt53YMZHDC{qdh$K-E0)m~9WJJ^GL!UZG4$P7`MZcOZE z=(#ZS2|Y_RlpVknO0e<}2U5QC8WQ6IJD*7~t^#GuXcTJpFQL`XuI5}IQ==v(qS8Qd zXLK~GHqOkV3!GdLBqc#htPaevmekOGK*B9Ql7`o65)MPlM@cnrL+DgwZoJoS~;?DWCmu zl~BT0Gp7s`C3^}7<8p4t6(R{~hSlETujp5f$565DOMEc%eAwpJdh@r~{M*)e?Q1H$ zyWd&fuF-Ry6+;rY6_L=%KkJypL(s3w#U!xn6D}un>Ow#Y{B~dB64#4HsCl8?c%l`F 
zQI8-LA#ETML^R@!Blm;%GrMsW*{)N5iTL)&cp@59TRUYruIRvp^9o5`p(hZsI}1mg zf#=b)`D1mK8f$yuSasSjGt~AqbibC<)||?>YSF|~YE@47+pu>Qm?IA|*R7ZfP-BtY zSA%4o>h?(NkR%BpacLj*7D>i)H|cJV(=1u106Y-gw)W+(n_f_(IomI8PIV5k^Lfl@ z6u4`LexV}G8Pwl^CUpsSXb^xSz&-dD63F*66Gr73FQHZ)>P3DqXRTvhuop1~fvBKS z#Z;zr4$zNEf!Ag?cw`(@N*N7Nez&bEBVj~50nD8AtlG9Ffz+#_ru58g&TqF`wZK2{ z4dfNoBo~YX<0TZORR^;+r=UzSvBI;5v$xnU2YfR6%=YMbezHKwXb4P@5-??eG9zn3 zZ0cp7XKb`e=Ef4HOm2)U@y;1ZuWlnfd3mKF6@|FW%p1e zkG-7Dx9U`4S$P^LPb+m&a^7+;asOJ^NuAfhw3YU+G6mRTFXH$Yl-Dxt%$HN}M zJh4aei>EBHir9v_h^N!-ZK7UR|FxPgo)w(}U2A)16SX@pHc_`Ft39u&*K2K}_D*LL z$zEH{7dy}DsYB|H)SdqD;lqcUU9ee}yO1HX`=n2EM_@?JR!K387pV?3l2?V9FY z`49^MOf9SaQT#%_Bm)j?ngUnuo#TKAEe%RMl=Hx9t`ssJO|`dEd+4Zo#ijnOSn#@? zsyPI)anO3%ZMANX0_tMunFXp0S}cR&Ao7O=_dP*zjoDHWrnx_HwB<8T%jB8~w0U%V z3Q|Vg&!}2;%4vB#cGunczzUx5ReGUpi~}jX>N?6(DV(dHmwXv((~@ndBv6$a zR#u1p8Hl=aWk&P5QsUN@C}MPK$NiHI>xzrCCMc~TsX2q+id$f_~4Zos12ECH0WNAp55BybX|Faq~JgMPkUSn`z{?lX?$T)o;uJQn^*F+>4)06f{@x72_xEP6>_)aa{g8E6v|D9K1(D~e&}$Ob&YpCwHngw@Oq|5w$+~1Yb0;7!=Z-8? 
z>MHmw2`$Ryn(6mt8ekB(z?6q!k35!y4gIb~n;7XZU z5B~&544(IUbtIC#3pBsdbo>(Yaw2F3;Dts+H7xx)SacTW)uAYn*Q~q_@lnN`bgnc5 z9!#k6ZclD5cQ7-55bsfKs^z{fG_r3qoN9h@-93#HxN>zL>#4KY(>gZ4Q2n-awB`!O ztYRu(adP#vv3avg|L`N}8Qz~WNM#UqfoL$b>I6g`T&CF)*TSI%B11nFm(eXZaNYhu zZrJigd#ECwj0$8~UF$B+Oy4!<+{oU=9ULjYt?iOEyVec7a1#jK7~kF*6WyZavG4%& zcKHDGs`5-*$@AEU$wj_-E?vsDS;8P)Wsk7P_TF=x7{suuJ5|;&x>q*3x{%7 zKQeodB2^31s8-ugD@usl-|V^eP1H3(j|a9S*^Rdcx+u%-z`f7RngEv*Hez(W6_F5!nk0Rg)CA&W%MBK54>{obquF&;M)(m-Zfu8=-lnc z$JuMvtQ+_a!>iYn%S#xg*NM~h3URufW#e?)-%y;cgn|bYk;{j7h_n&wqHWU4cp&N2 z_bS4+5XIT(*#koIauKs57!xko3@QJEqe2929X886_a|(&PG4U>ef@a}j>YNg+r3mj zuG81iI(CR&M`a`)n;kNSEYwlB6r?BVK#$R+>byT8nlF2Xg4JEI?=(g`^ z^15Z3O2U;iDM4!YG+J!#Ou)yf2;AP$ujA{rT+BY}ngVC`cx<8ATVyY4(nqV!s$S|^ zBx5S6TL^WC<*d<*&sf`nns;`tSxB7E8OPCR-@L?&XLK5~c9wGNUd9YRA(i86nTXCviOs;z!s*jqcpS^doCb|>?t)6ITK1CI8Nn}y3<6OhOM z-&83I``42_vyic%c?;2dP_j_HH_|I?`JB%n9koJjGpD5R-RImf2w_7cQ z)a}*-bP%^tzBM|;Vqzhr?!GhkEvZ}`<9gfkW+3o52YLxQ4V1uRG@>kNT?-oIK|4|1 z*F(0EUWE@=1.18.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permit-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector-monitor + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 2.6.4 +apiVersion: v1 +appVersion: 5.2.2-s1 +description: Helm feature chart for NeuVector monitor services +home: https://neuvector.com +icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 +keywords: +- security +maintainers: +- email: support@neuvector.com + name: becitsthere +name: neuvector-monitor +sources: +- https://github.com/neuvector/neuvector +version: 102.0.5+up2.6.4 diff --git a/charts/neuvector-monitor/102.0.5+up2.6.4/README.md b/charts/neuvector-monitor/102.0.5+up2.6.4/README.md new file mode 100644 index 0000000000..723b7d2c9f --- /dev/null +++ b/charts/neuvector-monitor/102.0.5+up2.6.4/README.md 
@@ -0,0 +1,21 @@
+# NeuVector Helm Chart
+
+Helm chart for NeuVector's monitoring services.
+
+## Configuration
+
+The following table lists the configurable parameters of the NeuVector chart and their default values.
+
+Parameter | Description | Default | Notes
+--------- | ----------- | ------- | -----
+`registry` | NeuVector container registry | `registry.neuvector.com` |
+`oem` | OEM release name | `nil` |
+`leastPrivilege` | Assume monitor chart is always installed after the core chart, so service accounts created by the core chart will be used. Keep this value as same as in the core chart. | `false` |
+`exporter.enabled` | If true, create Prometheus exporter | `false` |
+`exporter.image.repository` | exporter image name | `neuvector/prometheus-exporter` |
+`exporter.image.tag` | exporter image tag | `latest` |
+`exporter.CTRL_USERNAME` | Username to login to the controller. Suggest to replace the default admin user to a read-only user | `admin` |
+`exporter.CTRL_PASSWORD` | Password to login to the controller. | `admin` |
+
+---
+
diff --git a/charts/neuvector-monitor/102.0.5+up2.6.4/app-readme.md b/charts/neuvector-monitor/102.0.5+up2.6.4/app-readme.md
new file mode 100644
index 0000000000..e0faed5b50
--- /dev/null
+++ b/charts/neuvector-monitor/102.0.5+up2.6.4/app-readme.md
@@ -0,0 +1,5 @@
+### Run-Time Protection Without Compromise
+
+NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform.
+
+Helm chart for NeuVector's monitoring services. Please make sure REST API service for controller in core chart is enabled.
diff --git a/charts/neuvector-monitor/102.0.5+up2.6.4/dashboards/nv_dashboard.json b/charts/neuvector-monitor/102.0.5+up2.6.4/dashboards/nv_dashboard.json
new file mode 100644
index 0000000000..ad7ce631be
--- /dev/null
+++ b/charts/neuvector-monitor/102.0.5+up2.6.4/dashboards/nv_dashboard.json @@ -0,0 +1,1828 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "gridPos": { + "h": 10, + "w": 3, + "x": 0, + "y": 0 + }, + "id": 38, + "options": { + "content": "
\n \n ![NeuVector Logo](https://avatars.githubusercontent.com/u/19367275?s=200&v=4)
\n
\n [Documentation](https://open-docs.neuvector.com)
\n
\n [Users Slack Channel](https://rancher-users.slack.com/archives/C036F6JDZ8C)
\n
\n [GitHub](https://github.com/neuvector)\n\n
", + "mode": "markdown" + }, + "pluginVersion": "9.1.5", + "title": "NeuVector Product Links", + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 3, + "y": 0 + }, + "id": 25, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "nv_summary_enforcers", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "Enforcer Replica Count", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 3, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 6, + "y": 0 + }, + "id": 8, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": 
"", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "nv_summary_cvedbVersion", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "CVE Database Version", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 0, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 9, + "y": 0 + }, + "id": 20, + "links": [], + "maxDataPoints": 1000, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "nv_summary_pods", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "Discovered Pod Count", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": 
false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 34, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "exemplar": true, + "expr": "max(nv_controller_cpu) by (display)\n", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{display}}", + "range": true, + "refId": "A" + } + ], + "title": "Controller CPU Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 3, + "y": 3 + }, + "id": 32, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + 
}, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "nv_admission_denied", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "title": "Denied Admissions", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "continuous-RdYlGr" + }, + "mappings": [ + { + "options": { + "1": { + "color": "light-orange", + "index": 1 + }, + "2": { + "color": "yellow", + "index": 2 + }, + "3": { + "color": "green", + "index": 3 + } + }, + "type": "value" + }, + { + "options": { + "match": "null", + "result": { + "index": 0, + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 6, + "y": 3 + }, + "id": 2, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "nv_summary_controllers", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "Controller Replicas", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 0, + "mappings": [ + { + "options": { + "match": "null", + "result": { + 
"text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 9, + "y": 3 + }, + "id": 19, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "value" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "nv_summary_disconnectedEnforcers", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "Disconnected Enforcers", + "type": "stat" + }, + { + "columns": [ + { + "text": "Current", + "value": "current" + } + ], + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "center", + "displayMode": "auto", + "filterable": false, + "inspect": false, + "width": 300 + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "string" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "log" + }, + "properties": [ + { + "id": "custom.width", + "value": 101 + }, + { + "id": "custom.displayMode", + "value": "color-text" + }, + { + "id": "color", + "value": { + "fixedColor": "light-orange", + "mode": "fixed" + } + }, + { + "id": "displayName", + "value": "Event Type" + }, + { + "id": "custom.filterable", + "value": true + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "name" + }, + "properties": [ + { + "id": 
"custom.filterable", + "value": true + }, + { + "id": "displayName", + "value": "Violation Type" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Last seen" + }, + "properties": [ + { + "id": "unit", + "value": "dateTimeAsIso" + }, + { + "id": "custom.width", + "value": 200 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fromname" + }, + "properties": [ + { + "id": "displayName", + "value": "Source Pod" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "toname" + }, + "properties": [ + { + "id": "displayName", + "value": "Destination Pod" + } + ] + } + ] + }, + "fontSize": "90%", + "gridPos": { + "h": 8, + "w": 9, + "x": 3, + "y": 6 + }, + "id": 29, + "links": [], + "options": { + "footer": { + "enablePagination": true, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true, + "sortBy": [ + { + "desc": true, + "displayName": "Last seen" + } + ] + }, + "pluginVersion": "9.1.5", + "scroll": true, + "showHeader": true, + "sort": { + "col": 1, + "desc": true + }, + "styles": [ + { + "alias": "Event", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm", + "decimals": 2, + "link": false, + "mappingType": 1, + "pattern": "Metric", + "preserveFormat": false, + "sanitize": true, + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "Time", + "colorMode": "value", + "colors": [ + "#E0B400", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "decimals": 0, + "pattern": "Current", + "thresholds": [], + "type": "number", + "unit": "dateTimeAsIso" + } + ], + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "exemplar": false, + "expr": "nv_log_events", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "range": false, + "refId": "A" + } + ], + "title": "Security 
Event Log", + "transform": "timeseries_aggregations", + "transformations": [ + { + "id": "labelsToFields", + "options": {} + }, + { + "id": "merge", + "options": {} + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true, + "endpoint": true, + "fromns": true, + "id": true, + "instance": true, + "job": true, + "namespace": true, + "pod": true, + "service": true, + "target": true, + "tons": true + }, + "indexByName": { + "Time": 0, + "Value": 14, + "endpoint": 1, + "fromname": 7, + "fromns": 15, + "id": 2, + "instance": 3, + "job": 4, + "log": 5, + "name": 6, + "namespace": 8, + "pod": 9, + "service": 10, + "target": 11, + "toname": 12, + "tons": 13 + }, + "renameByName": {} + } + }, + { + "id": "groupBy", + "options": { + "fields": { + "Value": { + "aggregations": [ + "max" + ], + "operation": "aggregate" + }, + "fromname": { + "aggregations": [], + "operation": "groupby" + }, + "log": { + "aggregations": [], + "operation": "groupby" + }, + "name": { + "aggregations": [], + "operation": "groupby" + }, + "toname": { + "aggregations": [], + "operation": "groupby" + } + } + } + }, + { + "id": "organize", + "options": { + "excludeByName": {}, + "indexByName": {}, + "renameByName": { + "Value (lastNotNull)": "Last seen", + "Value (max)": "Last seen" + } + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "left", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + 
"thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 6 + }, + "id": 12, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "exemplar": true, + "expr": "max(nv_controller_memory) by (display)", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{display}}", + "range": true, + "refId": "A" + } + ], + "title": "Controller Memory Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [], + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Value #A" + }, + "properties": [ + { + "id": "displayName", + "value": "High" + }, + { + "id": "color", + "value": { + "fixedColor": "red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #B" + }, + "properties": [ + { + "id": "displayName", + "value": "Medium" + }, + { + "id": "color", + "value": { + "fixedColor": "light-orange", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 14, + "w": 3, + "x": 0, + "y": 10 + }, + "id": 24, + "links": [], + "options": { + "displayLabels": [ + "value" + ], + "legend": { + "displayMode": "list", + "placement": "bottom", + "showLegend": true, + "values": [] + }, + "pieType": "pie", + 
"reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "none", + "sort": "none" + } + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum(nv_container_vulnerabilityHigh) by (service)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum(nv_container_vulnerabilityMedium) by (service)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "B" + } + ], + "title": "Cluster CVE Count", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true + }, + "indexByName": {}, + "renameByName": {} + } + } + ], + "type": "piechart" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fill": 0, + "fillGradient": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 12 + }, + "hiddenSeries": false, + "id": 10, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "9.1.5", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "max(nv_enforcer_cpu) by (display)\n", + "format": "time_series", + "interval": "", + 
"intervalFactor": 1, + "legendFormat": "{{display}}", + "refId": "A" + } + ], + "thresholds": [], + "timeRegions": [], + "title": "Enforcer CPU Usage", + "tooltip": { + "shared": true, + "sort": 2, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "mode": "time", + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:865", + "format": "percentunit", + "logBase": 1, + "show": true + }, + { + "$$hashKey": "object:866", + "format": "short", + "logBase": 1, + "show": true + } + ], + "yaxis": { + "align": false + } + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "center", + "displayMode": "auto", + "inspect": false, + "width": 101 + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "exported_service" + }, + "properties": [ + { + "id": "custom.filterable", + "value": true + }, + { + "id": "displayName", + "value": "Cluster Service Name" + }, + { + "id": "custom.inspect", + "value": true + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #A" + }, + "properties": [ + { + "id": "displayName", + "value": "High" + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + { + "id": "custom.displayMode", + "value": "color-text" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #B" + }, + "properties": [ + { + "id": "custom.displayMode", + "value": "color-text" + }, + { + "id": "displayName", + "value": "Medium" + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "light-orange", + "value": 1 + } + ] + } + } + ] + }, + { + 
"matcher": { + "id": "byName", + "options": "exported_service" + }, + "properties": [ + { + "id": "custom.width", + "value": 300 + }, + { + "id": "custom.align", + "value": "right" + }, + { + "id": "displayName", + "value": "Cluster Service Name" + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 4, + "x": 3, + "y": 14 + }, + "id": 36, + "links": [], + "options": { + "footer": { + "enablePagination": true, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true, + "sortBy": [] + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "expr": "sum(nv_container_vulnerabilityHigh) by (exported_service)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "editorMode": "code", + "expr": "sum(nv_container_vulnerabilityMedium) by (exported_service)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "B" + } + ], + "title": "Vulnerabilities by Service", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true + }, + "indexByName": {}, + "renameByName": {} + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "center", + "displayMode": "auto", + "filterable": false, + "inspect": false, + "minWidth": 50 + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "name" + }, + "properties": [ + { + "id": "unit", + "value": "string" + }, + { + "id": 
"custom.align", + "value": "right" + }, + { + "id": "custom.inspect", + "value": true + }, + { + "id": "custom.filterable", + "value": true + }, + { + "id": "displayName", + "value": "Repository/Image: Tag" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #A" + }, + "properties": [ + { + "id": "displayName", + "value": "High" + }, + { + "id": "unit", + "value": "none" + }, + { + "id": "custom.displayMode", + "value": "color-text" + }, + { + "id": "color" + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #B" + }, + "properties": [ + { + "id": "displayName", + "value": "Medium" + }, + { + "id": "unit", + "value": "none" + }, + { + "id": "custom.displayMode", + "value": "color-text" + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "light-orange", + "value": 1 + } + ] + } + }, + { + "id": "color" + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 5, + "x": 7, + "y": 14 + }, + "id": 33, + "links": [], + "options": { + "footer": { + "enablePagination": true, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum(nv_image_vulnerabilityHigh) by (name)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "expr": "sum(nv_image_vulnerabilityMedium) by (name)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "B" + } + ], + "title": "Registry Images Vulnerabilities", + "transformations": [ + { + "id": 
"merge", + "options": { + "reducers": [] + } + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true + }, + "indexByName": {}, + "renameByName": {} + } + } + ], + "type": "table" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "fill": 0, + "fillGradient": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 18 + }, + "hiddenSeries": false, + "id": 35, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "9.1.5", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "exemplar": true, + "expr": "max(nv_enforcer_memory) by (display)", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{display}}", + "refId": "A" + } + ], + "thresholds": [], + "timeRegions": [], + "title": "Enforcer Memory Usage", + "tooltip": { + "shared": true, + "sort": 2, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "mode": "time", + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:940", + "format": "bytes", + "logBase": 1, + "show": true + }, + { + "$$hashKey": "object:941", + "format": "short", + "logBase": 1, + "show": true + } + ], + "yaxis": { + "align": false + } + } + ], + "refresh": "15s", + "schemaVersion": 37, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "hidden": false, + "refresh_intervals": [ + "5s", + 
"10s", + "15s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "UTC", + "title": "NeuVector", + "uid": "nv_dashboard0001", + "version": 2, + "weekStart": "" +} diff --git a/charts/neuvector-monitor/102.0.5+up2.6.4/questions.yaml b/charts/neuvector-monitor/102.0.5+up2.6.4/questions.yaml new file mode 100644 index 0000000000..b8d51b3791 --- /dev/null +++ b/charts/neuvector-monitor/102.0.5+up2.6.4/questions.yaml @@ -0,0 +1,27 @@ +questions: +#monitor configurations +- variable: exporter.image.repository + default: "neuvector/prometheus-exporter" + description: exporter image repository + type: string + label: Exporter Image Path + group: "Container Images" +- variable: exporter.image.tag + default: "" + description: image tag for exporter + type: string + label: exporter Image Tag + group: "Container Images" +#controller crendential configuration +- variable: exporter.CTRL_USERNAME + default: "admin" + description: Controller Username + type: string + label: Controller Username + group: "Controller Crendential" +- variable: exporter.CTRL_PASSWORD + default: "admin" + description: Controller Password + type: string + label: Controller Password + group: "Controller Crendential" diff --git a/charts/neuvector-monitor/102.0.5+up2.6.4/templates/_helpers.tpl b/charts/neuvector-monitor/102.0.5+up2.6.4/templates/_helpers.tpl new file mode 100644 index 0000000000..5d21a18241 --- /dev/null +++ b/charts/neuvector-monitor/102.0.5+up2.6.4/templates/_helpers.tpl 
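Review bot: `exporter.CTRL_PASSWORD` is declared `type: string`, so the Rancher install form shows and stores the controller password in clear text; it should be `type: password` so the UI masks it, and ideally `required: true` with an empty default instead of `admin`. The `exporter.image.repository` default here (`neuvector/prometheus-exporter`) also disagrees with the chart's values.yaml (`rancher/mirrored-neuvector-prometheus-exporter`), and the empty `tag` default would, if applied as the answer, render an image reference with no tag in exporter-deployment.yaml — presumably Rancher keeps the values.yaml defaults when the question is untouched, but that is worth confirming. The group label `Controller Crendential` is misspelled (`Controller Credential`).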
@@ -0,0 +1,40 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "neuvector.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "neuvector.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "neuvector.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} diff --git a/charts/neuvector-monitor/102.0.5+up2.6.4/templates/dashboard.yaml b/charts/neuvector-monitor/102.0.5+up2.6.4/templates/dashboard.yaml new file mode 100644 index 0000000000..72c5d9f709 --- /dev/null +++ b/charts/neuvector-monitor/102.0.5+up2.6.4/templates/dashboard.yaml 
@@ -0,0 +1,15 @@ +{{- if .Values.exporter.grafanaDashboard.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: nv-grafana-dashboard + namespace: {{ .Values.exporter.grafanaDashboard.namespace | default .Release.Namespace }} + labels: + grafana_dashboard: "1" +{{- if .Values.exporter.grafanaDashboard.labels }} + {{- toYaml .Values.exporter.grafanaDashboard.labels | nindent 4}} +{{- end }} +data: + nv_dashboard.json: | +{{ .Files.Get "dashboards/nv_dashboard.json" | indent 4 }} +{{- end }} diff --git a/charts/neuvector-monitor/102.0.5+up2.6.4/templates/exporter-deployment.yaml b/charts/neuvector-monitor/102.0.5+up2.6.4/templates/exporter-deployment.yaml new file mode 100644 index 0000000000..5353c05a6a --- /dev/null +++ b/charts/neuvector-monitor/102.0.5+up2.6.4/templates/exporter-deployment.yaml 
@@ -0,0 +1,56 @@ +{{- if .Values.exporter.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: neuvector-prometheus-exporter-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: neuvector-prometheus-exporter-pod + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "8068" + prometheus.io/scrape: "true" + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + labels: + app: neuvector-prometheus-exporter-pod + release: {{ .Release.Name }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: basic + serviceAccount: basic + {{- end }} + containers: + - name: neuvector-prometheus-exporter-pod + {{ if eq .Values.registry "registry.neuvector.com" }} + {{ if .Values.oem }} + image: "{{ .Values.registry }}/{{ .Values.oem }}/prometheus-exporter:{{ .Values.exporter.image.tag }}" + {{- else }} + image: "{{ .Values.registry }}/prometheus-exporter:{{ .Values.exporter.image.tag }}" + {{- end }} + {{- else }} + image: {{ template "system_default_registry" . }}{{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }} + {{- end }} + imagePullPolicy: Always + env: + - name: CTRL_API_SERVICE + value: {{ .Values.exporter.apiSvc }} + - name: EXPORTER_PORT + value: "8068" + envFrom: + - secretRef: + name: neuvector-prometheus-exporter-pod-secret + restartPolicy: Always +{{- end }} diff --git a/charts/neuvector-monitor/102.0.5+up2.6.4/templates/exporter-service.yaml b/charts/neuvector-monitor/102.0.5+up2.6.4/templates/exporter-service.yaml new file mode 100644 index 0000000000..b304562709 --- /dev/null +++ b/charts/neuvector-monitor/102.0.5+up2.6.4/templates/exporter-service.yaml 
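Review bot: The exporter pod runs with the default service-account token mounted and no `securityContext`, although nothing in this template suggests it needs the Kubernetes API — it reaches the controller through `CTRL_API_SERVICE` using the credentials from the secret. Setting `automountServiceAccountToken: false` on the pod spec removes a token an attacker could use from a compromised exporter, and a minimal container `securityContext` (`allowPrivilegeEscalation: false`, drop all capabilities) costs nothing; `runAsNonRoot`/`readOnlyRootFilesystem` would need confirmation against the image first. The `leastPrivilege` branch references a `basic` service account that no template in this chunk creates, so it presumably relies on the core chart being installed in the same namespace — a comment saying so would help. `imagePullPolicy: Always` with a fixed tag works, but a digest reference would pin the exporter the way the csp pod is pinned later in this series.
```yaml
    spec:
      # … unchanged: imagePullSecrets / serviceAccount selection …
      automountServiceAccountToken: false
      containers:
      - name: neuvector-prometheus-exporter-pod
        # … unchanged: image selection …
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
        # … unchanged: env / envFrom …
```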
@@ -0,0 +1,28 @@ +{{- if and .Values.exporter.enabled .Values.exporter.svc.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: neuvector-prometheus-exporter + namespace: {{ .Release.Namespace }} + {{- with .Values.exporter.svc.annotations }} + annotations: + {{ toYaml . | nindent 4 }} + {{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + app: neuvector-prometheus-exporter +spec: + type: {{ .Values.exporter.svc.type }} + {{- if and .Values.exporter.svc.loadBalancerIP (eq .Values.exporter.svc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.exporter.svc.loadBalancerIP }} + {{- end }} + ports: + - port: 8068 + name: metrics + targetPort: 8068 + protocol: TCP + selector: + app: neuvector-prometheus-exporter-pod +{{- end }} diff --git a/charts/neuvector-monitor/102.0.5+up2.6.4/templates/exporter-servicemonitor.yaml b/charts/neuvector-monitor/102.0.5+up2.6.4/templates/exporter-servicemonitor.yaml new file mode 100644 index 0000000000..25ca23d121 --- /dev/null +++ b/charts/neuvector-monitor/102.0.5+up2.6.4/templates/exporter-servicemonitor.yaml 
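Review bot: The Service exposes port 8068 with no authentication in front of it, and `exporter.svc.type`/`loadBalancerIP` let it be switched to `NodePort` or `LoadBalancer`; the metrics it serves include per-service and per-image High/Medium vulnerability counts (see the `nv_container_vulnerability*` and `nv_image_vulnerability*` queries in the bundled dashboard), which is useful reconnaissance data. A values comment next to `svc.type` such as `# Metrics are unauthenticated and enumerate vulnerable workloads/images; keep ClusterIP unless the endpoint sits behind a NetworkPolicy or an authenticating proxy.` would make the trade-off explicit. A NetworkPolicy limiting ingress on 8068 to the Prometheus namespace would be the stronger fix, but is not part of this chart.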
@@ -0,0 +1,39 @@ +{{- if .Values.exporter.serviceMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: neuvector-prometheus-exporter + namespace: {{ .Release.Namespace }} + {{- with .Values.exporter.serviceMonitor.annotations }} + annotations: + {{ toYaml . | nindent 4 }} + {{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.exporter.serviceMonitor.labels }} + {{- toYaml .Values.exporter.serviceMonitor.labels | nindent 4}} +{{- end }} +spec: + selector: + matchLabels: + app: neuvector-prometheus-exporter + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + endpoints: + - port: metrics + {{- if .Values.exporter.serviceMonitor.interval }} + interval: {{ .Values.exporter.serviceMonitor.interval }} + {{- end }} + path: "/metrics" + {{- if .Values.exporter.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml .Values.exporter.serviceMonitor.metricRelabelings | nindent 6 }} + {{- end }} + {{- if .Values.exporter.serviceMonitor.relabelings }} + relabelings: + {{- toYaml .Values.exporter.serviceMonitor.relabelings | nindent 6 }} + {{- end }} +{{- end }} diff --git a/charts/neuvector-monitor/102.0.5+up2.6.4/templates/secret.yaml b/charts/neuvector-monitor/102.0.5+up2.6.4/templates/secret.yaml new file mode 100644 index 0000000000..9a04ac476d --- /dev/null +++ b/charts/neuvector-monitor/102.0.5+up2.6.4/templates/secret.yaml @@ -0,0 +1,15 @@ +{{- if .Values.exporter.enabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-prometheus-exporter-pod-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +type: Opaque +data: + CTRL_USERNAME: {{ .Values.exporter.CTRL_USERNAME | b64enc | quote }} + CTRL_PASSWORD: {{ .Values.exporter.CTRL_PASSWORD | b64enc | quote }} +{{- end }} 
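Review bot: `{{ .Values.exporter.CTRL_PASSWORD | b64enc | quote }}` in secret.yaml fails to render if the password is given unquoted and YAML types it as a number or boolean (e.g. `CTRL_PASSWORD: 1234`), because `b64enc` only accepts a string; `{{ .Values.exporter.CTRL_PASSWORD | toString | b64enc | quote }}` (same for the username) avoids the confusing type error. More importantly, the controller credentials are taken from plain chart values, so they end up in values files, Rancher answers and the Helm release record as well as in this Secret; an `exporter.existingSecret` value that skips this template and is referenced from `envFrom.secretRef` in exporter-deployment.yaml would let operators keep the password out of the chart inputs entirely.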
diff --git a/charts/neuvector-monitor/102.0.5+up2.6.4/values.yaml b/charts/neuvector-monitor/102.0.5+up2.6.4/values.yaml new file mode 100644 index 0000000000..c3b1392c29 --- /dev/null +++ b/charts/neuvector-monitor/102.0.5+up2.6.4/values.yaml @@ -0,0 +1,51 @@ +# Default values for neuvector. +# This is a YAML-formatted file. +# Declare variables to be passed into the templates. + +global: + cattle: + systemDefaultRegistry: "" + +registry: docker.io +oem: '' +leastPrivilege: false + +exporter: + # If false, exporter will not be installed + enabled: true + image: + repository: rancher/mirrored-neuvector-prometheus-exporter + tag: 5.2.2 + # changes this to a readonly user ! + CTRL_USERNAME: admin + CTRL_PASSWORD: admin + + apiSvc: neuvector-svc-controller-api:10443 + + svc: + enabled: true + type: ClusterIP + loadBalancerIP: '' + annotations: {} + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + + grafanaDashboard: + enabled: false + namespace: "" # Release namespace, if empty + labels: {} + + serviceMonitor: + enabled: false + # labels for the ServiceMonitor. + labels: {} + # annotations for the ServiceMonitor. + annotations: {} + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: "" + # MetricRelabelConfigs to apply to samples after scraping, but before ingestion. + # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + metricRelabelings: [] + # RelabelConfigs to apply to samples before scraping + # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + relabelings: [] diff --git a/index.yaml b/index.yaml index 003f3a540e..eaa4f5d357 100755 --- a/index.yaml +++ b/index.yaml 
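Review bot: `CTRL_USERNAME: admin` / `CTRL_PASSWORD: admin` ship a working default that logs the exporter into the controller as the built-in administrator (the README in this series documents the same defaults), so a default install either runs with full-privilege credentials or silently fails once the admin password has been changed. The note `# changes this to a readonly user !` is easy to miss; consider an empty `CTRL_PASSWORD: ""` combined with a `required` check in secret.yaml so the install fails loudly, and reword the comment to `# Use a dedicated read-only controller account for the exporter; never the admin user.`. `tag: 5.2.2` is a safe string for YAML, but quoting it (`"5.2.2"`) guards against a future two-component tag such as `5.3` being parsed as a float.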
@@ -4598,6 +4598,36 @@ entries: - assets/neuvector-crd/neuvector-crd-100.0.0+up2.2.0.tgz version: 100.0.0+up2.2.0 neuvector-monitor: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector Monitor + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permit-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector-monitor + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 2.6.4 + apiVersion: v1 + appVersion: 5.2.2-s1 + created: "2023-10-12T15:37:37.954541908-07:00" + description: Helm feature chart for NeuVector monitor services + digest: 766d65d2d65ec7a6da04e5271d544d69803c8ab501de4be3407d25dd6c36c80a + home: https://neuvector.com + icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 + keywords: + - security + maintainers: + - email: support@neuvector.com + name: becitsthere + name: neuvector-monitor + sources: + - https://github.com/neuvector/neuvector + urls: + - assets/neuvector-monitor/neuvector-monitor-102.0.5+up2.6.4.tgz + version: 102.0.5+up2.6.4 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: NeuVector Monitor From 43d53550403966891eb67c8f0d58eb2c883c6f98 Mon Sep 17 00:00:00 2001 From: selvamt94 Date: Thu, 12 Oct 2023 15:37:48 -0700 Subject: [PATCH 03/11] Update release.yaml --- release.yaml | 50 ++------------------------------------------------ 1 file changed, 2 insertions(+), 48 deletions(-) diff --git a/release.yaml b/release.yaml index e6e92b058d..ea0a2ee4c1 100644 --- a/release.yaml +++ b/release.yaml 
@@ -1,48 +1,2 @@ -epinio: - - 102.0.4+up1.9.0 -epinio-crd: - - 102.0.4+up1.9.0 -fleet: - - 102.2.0+up0.8.0 -fleet-agent: - - 102.2.0+up0.8.0 -fleet-crd: - - 102.2.0+up0.8.0 -prometheus-federator: - - 0.3.0+up0.3.3 -rancher-aks-operator: - - 102.3.2+up1.1.3 -rancher-aks-operator-crd: - - 102.3.2+up1.1.3 -rancher-backup: - - 102.0.2+up3.1.2 -rancher-backup-crd: - - 102.0.2+up3.1.2 -rancher-cis-benchmark: - - 4.2.0 -rancher-cis-benchmark-crd: - - 4.2.0 -rancher-eks-operator: - - 102.1.4+up1.2.2 -rancher-eks-operator-crd: - - 102.1.4+up1.2.2 -rancher-gke-operator: - - 102.0.2+up1.1.6 -rancher-gke-operator-crd: - - 102.0.2+up1.1.6 -rancher-istio: - - 102.3.0+up1.18.2 -rancher-monitoring: - - 102.0.2+up40.1.2 -rancher-monitoring-crd: - - 102.0.2+up40.1.2 -rancher-project-monitoring: - - 0.3.0+up0.3.3 -rancher-provisioning-capi: - - 100.0.0+up0.0.1 -rancher-webhook: - - 2.0.6+up0.3.6 -ui-plugin-operator: - - 102.0.2+up0.2.1 -ui-plugin-operator-crd: - - 102.0.2+up0.2.1 +neuvector-monitor: + - 102.0.5+up2.6.4 From 2edc7b6fe69c8c6edc3624269be590fc59dc0232 Mon Sep 17 00:00:00 2001 
From: selvamt94 Date: Thu, 12 Oct 2023 13:49:18 -0700 Subject: [PATCH 04/11] Add NeuVector chart version 2.6.4 --- .../exclude/templates/csp-clusterrole.yaml | 2 +- .../templates/csp-clusterrolebinding.yaml | 13 ++- .../exclude/templates/csp-crd.yaml | 2 +- .../exclude/templates/csp-deployment.yaml | 43 +++++++-- .../exclude/templates/csp-role.yaml | 2 +- .../exclude/templates/csp-rolebinding.yaml | 9 +- .../exclude/templates/csp-serviceaccount.yaml | 15 ++- .../overlay/crds/_helpers.tpl | 0 .../generated-changes/patch/Chart.yaml.patch | 8 +- .../generated-changes/patch/README.md.patch | 42 ++++----- .../patch/templates/_helpers.tpl.patch | 10 +- .../controller-deployment.yaml.patch | 16 +++- .../templates/enforcer-daemonset.yaml.patch | 6 +- .../templates/manager-deployment.yaml.patch | 6 +- .../templates/registry-adapter.yaml.patch | 2 +- .../templates/scanner-deployment.yaml.patch | 6 +- .../generated-changes/patch/values.yaml.patch | 93 ++++++++++++------- packages/neuvector/package.yaml | 4 +- .../templates/crd-template/Chart.yaml | 4 +- .../templates/crd-template/README.md | 0 .../templates/crd-template/values.yaml | 0 21 files changed, 192 insertions(+), 91 deletions(-) mode change 100755 => 100644 packages/neuvector/generated-changes/overlay/crds/_helpers.tpl mode change 100755 => 100644 packages/neuvector/templates/crd-template/README.md mode change 100755 => 100644 packages/neuvector/templates/crd-template/values.yaml diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-clusterrole.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-clusterrole.yaml index 9357a0a337..717a03dce4 100644 --- a/packages/neuvector/generated-changes/exclude/templates/csp-clusterrole.yaml +++ b/packages/neuvector/generated-changes/exclude/templates/csp-clusterrole.yaml 
@@ -1,4 +1,4 @@ -{{- if .Values.awsbilling.enabled }} +{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} {{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- if $oc3 }} diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-clusterrolebinding.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-clusterrolebinding.yaml index b2e22ca668..fa2f62273a 100644 --- a/packages/neuvector/generated-changes/exclude/templates/csp-clusterrolebinding.yaml +++ b/packages/neuvector/generated-changes/exclude/templates/csp-clusterrolebinding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.awsbilling.enabled }} +{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} {{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- if $oc3 }} @@ -21,7 +21,12 @@ roleRef: name: neuvector-csp-adapter-cluster-role subjects: - kind: ServiceAccount - name: {{ .Values.awsbilling.serviceAccount }} + {{- if .Values.global.aws.enabled }} + name: {{ .Values.global.aws.serviceAccount }} + {{- end }} + {{- if .Values.global.azure.enabled }} + name: {{ .Values.global.azure.serviceAccount }} + {{- end }} namespace: {{ .Release.Namespace }} --- @@ -48,7 +53,11 @@ roleRef: name: neuvector-binding-csp-usages subjects: - kind: ServiceAccount + {{- if and .Values.rbac .Values.leastPrivilege }} + name: controller + {{- else }} name: {{ .Values.serviceAccount }} + {{- end }} namespace: {{ .Release.Namespace }} {{- end }} 
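Review bot: In the `subjects` entry of the first ClusterRoleBinding, the `name:` line is emitted once per enabled provider, so with both `global.aws.enabled` and `global.azure.enabled` set the rendered ServiceAccount subject carries a duplicate `name` key — last-wins or a decode error depending on the YAML parser, and a silent mis-binding either way. Since a single subject is intended, make the second branch exclusive: `{{- else if .Values.global.azure.enabled }}` in place of the `{{- end }}` / `{{- if .Values.global.azure.enabled }}` pair. The same shape recurs in csp-rolebinding.yaml and csp-serviceaccount.yaml in this patch.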
diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-crd.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-crd.yaml index 87fa138fe8..9263bc3871 100644 --- a/packages/neuvector/generated-changes/exclude/templates/csp-crd.yaml +++ b/packages/neuvector/generated-changes/exclude/templates/csp-crd.yaml @@ -1,4 +1,4 @@ -{{- if .Values.awsbilling.enabled }} +{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} {{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-deployment.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-deployment.yaml index 15c939f05a..eae91b16d2 100644 --- a/packages/neuvector/generated-changes/exclude/templates/csp-deployment.yaml +++ b/packages/neuvector/generated-changes/exclude/templates/csp-deployment.yaml @@ -1,4 +1,4 @@ -{{- if .Values.awsbilling.enabled }} +{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} apiVersion: apps/v1 kind: Deployment metadata: @@ -8,7 +8,7 @@ metadata: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -{{- with .Values.awsbilling.annotations }} +{{- with .Values.global.aws.annotations }} annotations: {{ toYaml . | indent 4 }} {{- end }} 
@@ -22,9 +22,13 @@ spec: app: neuvector-csp-pod release: {{ .Release.Name }} spec: - {{- if .Values.awsbilling.imagePullSecrets }} + {{- if .Values.global.aws.imagePullSecrets }} imagePullSecrets: - - name: {{ .Values.awsbilling.imagePullSecrets }} + - name: {{ .Values.global.aws.imagePullSecrets }} + {{- end }} + {{- if .Values.global.azure.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.global.azure.imagePullSecrets }} {{- end }} containers: - env: 
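Review bot: `imagePullSecrets:` is emitted twice when both `global.aws.imagePullSecrets` and `global.azure.imagePullSecrets` are set, producing a duplicate key in the pod spec. Either gate the two blocks as `if`/`else if`, or emit one `imagePullSecrets:` list and add a `- name:` item under each provider condition; the latter also covers a cluster that genuinely needs both pull secrets. The pod spec continues past the hunk.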
@@ -38,9 +42,32 @@ spec: value: "v1" - name: USAGE_API_GROUP value: "susecloud.net" - image: "{{ .Values.registry }}/{{ .Values.awsbilling.image.repository }}:{{ .Values.awsbilling.image.tag }}" + {{- if .Values.global.azure.enabled }} + - name: "CLIENT_ID" + value: "{{ .Values.global.azure.identity.clientId }}" + - name: "EXTENSION_RESOURCE_ID" + value: "{{ .Values.global.azure.extension.resourceId }}" + - name: "PLAN_ID" + value: "{{ .Values.global.azure.marketplace.planId }}" + {{- end }} + {{- if and .Values.global.aws.enabled .Values.global.aws.image.digest }} + image: "{{ .Values.registry }}/{{ .Values.global.aws.image.repository }}@{{ .Values.global.aws.image.digest }}" + {{- else if and .Values.global.aws.enabled .Values.global.aws.image.tag }} + image: "{{ .Values.registry }}/{{ .Values.global.aws.image.repository }}:{{ .Values.global.aws.image.tag }}" + {{- else if and .Values.global.azure.enabled }} + image: "{{ .Values.global.azure.images.neuvector_csp_pod.registry }}/{{ .Values.global.azure.images.neuvector_csp_pod.image }}@{{ .Values.global.azure.images.neuvector_csp_pod.digest }}" + {{- end }} name: neuvector-csp-pod - imagePullPolicy: "{{ .Values.awsbilling.image.imagePullPoliicy }}" - serviceAccountName: {{ .Values.awsbilling.serviceAccount }} - serviceAccount: {{ .Values.awsbilling.serviceAccount }} + {{- if .Values.global.aws.enabled }} + imagePullPolicy: "{{ .Values.global.aws.image.imagePullPolicy }}" + {{- else if .Values.global.azure.enabled }} + imagePullPolicy: "{{ .Values.global.azure.images.neuvector_csp_pod.imagePullPolicy }}" + {{- end }} + {{- if .Values.global.aws.enabled }} + serviceAccountName: {{ .Values.global.aws.serviceAccount }} + serviceAccount: {{ .Values.global.aws.serviceAccount }} + {{- else if .Values.global.azure.enabled }} + serviceAccountName: {{ .Values.global.azure.serviceAccount }} + serviceAccount: {{ .Values.global.azure.serviceAccount }} + {{- end }} {{- end }} 
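Review bot: When `global.aws.enabled` is true but neither `global.aws.image.digest` nor `global.aws.image.tag` is set, none of the three `image:` branches fires and the container is rendered without an image, which only surfaces as an API-server rejection at install time. A terminal `{{- else }}{{ fail "global.aws.image.digest or global.aws.image.tag must be set" }}{{- end }}` (or `required` on the tag) turns that into a clear Helm error. `else if and .Values.global.azure.enabled` has a stray `and` with a single operand; it works but reads as a leftover. Note also that if both providers are enabled the AWS image and service account win while the Azure `CLIENT_ID`/`EXTENSION_RESOURCE_ID`/`PLAN_ID` env vars are still injected — the `or` gates in the other csp templates suggest both-enabled is not a supported combination, so failing explicitly for that case would be safer than the mixed render.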
diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-role.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-role.yaml index 25cc4edafd..f70c3adbbc 100644 --- a/packages/neuvector/generated-changes/exclude/templates/csp-role.yaml +++ b/packages/neuvector/generated-changes/exclude/templates/csp-role.yaml @@ -1,4 +1,4 @@ -{{- if .Values.awsbilling.enabled }} +{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} {{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- if $oc3 }} diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-rolebinding.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-rolebinding.yaml index 4674d7a566..be2d402d40 100644 --- a/packages/neuvector/generated-changes/exclude/templates/csp-rolebinding.yaml +++ b/packages/neuvector/generated-changes/exclude/templates/csp-rolebinding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.awsbilling.enabled }} +{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} {{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- if $oc3 }} @@ -22,6 +22,11 @@ roleRef: name: neuvector-csp-adapter-role subjects: - kind: ServiceAccount - name: {{ .Values.awsbilling.serviceAccount }} + {{- if .Values.global.aws.enabled }} + name: {{ .Values.global.aws.serviceAccount }} + {{- end }} + {{- if .Values.global.azure.enabled }} + name: {{ .Values.global.azure.serviceAccount }} + {{- end }} namespace: {{ .Release.Namespace }} {{- end }} 
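Review bot: Same duplicate-key defect as in csp-clusterrolebinding.yaml: the RoleBinding subject emits `name:` for each enabled provider, so enabling AWS and Azure together yields two `name` keys in one mapping. Use `{{- else if .Values.global.azure.enabled }}` so exactly one name is rendered. The csp-role.yaml hunk on this line only changes the gate and looks fine.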
diff --git a/packages/neuvector/generated-changes/exclude/templates/csp-serviceaccount.yaml b/packages/neuvector/generated-changes/exclude/templates/csp-serviceaccount.yaml index 5871099df8..e17d02908e 100644 --- a/packages/neuvector/generated-changes/exclude/templates/csp-serviceaccount.yaml +++ b/packages/neuvector/generated-changes/exclude/templates/csp-serviceaccount.yaml @@ -1,17 +1,24 @@ -{{- if .Values.awsbilling.enabled }} +{{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} {{- if not .Values.openshift}} -{{- if ne .Values.awsbilling.serviceAccount "default"}} +{{- if and (ne .Values.global.aws.serviceAccount "default") (ne .Values.global.azure.serviceAccount "default") }} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ .Values.awsbilling.serviceAccount }} + {{- if .Values.global.aws.enabled }} + name: {{ .Values.global.aws.serviceAccount }} + {{- end }} + {{- if .Values.global.azure.enabled }} + name: {{ .Values.global.azure.serviceAccount }} + {{- end }} namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} annotations: - eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.awsbilling.accountNumber }}:role/{{ .Values.awsbilling.roleName }} + {{- if .Values.global.aws.enabled }} + eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.global.aws.accountNumber }}:role/{{ .Values.global.aws.roleName }} + {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/packages/neuvector/generated-changes/overlay/crds/_helpers.tpl b/packages/neuvector/generated-changes/overlay/crds/_helpers.tpl old mode 100755 new mode 100644 diff --git a/packages/neuvector/generated-changes/patch/Chart.yaml.patch b/packages/neuvector/generated-changes/patch/Chart.yaml.patch index 59481f8ea0..2d497c299f 100644 --- a/packages/neuvector/generated-changes/patch/Chart.yaml.patch +++ b/packages/neuvector/generated-changes/patch/Chart.yaml.patch 
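Review bot: The gate `and (ne .Values.global.aws.serviceAccount "default") (ne .Values.global.azure.serviceAccount "default")` compares both providers' service-account names regardless of which one is enabled, so a disabled provider whose value is (or defaults to) `default` suppresses the ServiceAccount for the enabled one, and the body then emits two `name:` keys when both are enabled. Resolving the active provider into one variable first keeps the condition and the metadata consistent; the surrounding `openshift` gate and the EKS `role-arn` annotation are unchanged. I can't see the csp values defaults in this chunk, so whether the `default` case is actually reachable should be checked against values.yaml.
```yaml
{{- if not .Values.openshift}}
{{- $sa := "" }}
{{- if .Values.global.aws.enabled }}
{{- $sa = .Values.global.aws.serviceAccount }}
{{- else if .Values.global.azure.enabled }}
{{- $sa = .Values.global.azure.serviceAccount }}
{{- end }}
{{- if and $sa (ne $sa "default") }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ $sa }}
  namespace: {{ .Release.Namespace }}
  # … unchanged: labels and the aws role-arn annotation …
```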
@@ -5,7 +5,7 @@ + catalog.cattle.io/auto-install: neuvector-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector -+ catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.28.0-0' ++ catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permit-os: linux @@ -13,9 +13,9 @@ + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector + catalog.cattle.io/type: cluster-tool -+ catalog.cattle.io/upstream-version: 2.6.2 ++ catalog.cattle.io/upstream-version: 2.6.4 apiVersion: v1 - appVersion: 5.2.1 + appVersion: 5.2.2-s1 -description: Helm chart for NeuVector's core services +description: Helm feature chart for NeuVector's core services home: https://neuvector.com @@ -29,4 +29,4 @@ +name: neuvector +sources: +- https://github.com/neuvector/neuvector - version: 2.6.2 + version: 2.6.4 diff --git a/packages/neuvector/generated-changes/patch/README.md.patch b/packages/neuvector/generated-changes/patch/README.md.patch index 1fa5b82551..26ce7673fa 100644 --- a/packages/neuvector/generated-changes/patch/README.md.patch +++ b/packages/neuvector/generated-changes/patch/README.md.patch 
@@ -10,30 +10,30 @@ ## Choosing container runtime The NeuVector platform supports docker, cri-o and containerd as the container runtime. For a k3s/rke2, or bottlerocket cluster, they have their own runtime socket path. You should enable their runtime options, `k3s.enabled` and `bottlerocket.enabled`, respectively. -@@ -31,7 +28,7 @@ +@@ -49,7 +46,7 @@ `controller.schedulerName` | kubernetes scheduler name | `nil` | `controller.affinity` | controller affinity rules | ... | spread controllers to different nodes | `controller.tolerations` | List of node taints to tolerate | `nil` | -`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](values.yaml) -+`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml) ++`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) `controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` | `controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` | `controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | -@@ -74,7 +71,7 @@ +@@ -92,7 +89,7 @@ `controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | `controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) `controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. 
-`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) -+`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml) ++`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) `controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | `controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` | `controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` | -@@ -90,14 +87,14 @@ +@@ -108,14 +105,14 @@ `controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | `controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) `controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. 
-`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) -+`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml) ++`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) `controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed `controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`. `controller.ingress.host` | Must set this host value if ingress is enabled | `nil` | 
@@ -41,69 +41,69 @@ `controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) `controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. -`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) -+`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml) ++`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) `controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false` `controller.configmap.data` | NeuVector configuration in YAML format | `{}` `controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false` -@@ -111,7 +108,7 @@ +@@ -129,7 +126,7 @@ `enforcer.podAnnotations` | Specify the pod annotations. | `{}` | `enforcer.env` | User-defined environment variables for enforcers. | `[]` | `enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`
`key: node-role.kubernetes.io/master` | other taints can be added after the default -`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](values.yaml) -+`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml) ++`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) `manager.enabled` | If true, create manager | `true` | `manager.image.repository` | manager image repository | `neuvector/manager` | `manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | -@@ -128,7 +125,7 @@ +@@ -146,7 +143,7 @@ ` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) | `manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google `manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | -`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](values.yaml) -+`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml) ++`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) `manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | `manager.route.host` | Set OpenShift route host for management console service | `nil` | `manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` | -@@ -143,10 +140,10 @@ +@@ -161,10 +158,10 @@ `manager.ingress.host` | Must set this host value if ingress is enabled | `nil` | `manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | `manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. 
Currently only supports `/` -`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) -+`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml) ++`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) `manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`. `manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) -`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](values.yaml) -+`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml) ++`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) `manager.affinity` | manager affinity rules | `{}` | `manager.tolerations` | List of node taints to tolerate | `nil` | `manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` | -@@ -161,7 +158,7 @@ +@@ -179,7 +176,7 @@ `cve.adapter.env` | User-defined environment variables for adapter. | `[]` | `cve.adapter.svc.type` | set registry adapter service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google `cve.adapter.svc.loadBalancerIP` | if registry adapter service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | -`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](values.yaml) -+`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml) ++`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) `cve.adapter.harbor.protocol` | Harbor registry request protocol [http|https] | `https` | `cve.adapter.harbor.secretName` | Harbor registry adapter's basic authentication secret | | `cve.adapter.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | -@@ -178,10 +175,10 @@ +@@ -196,10 +193,10 @@ `cve.adapter.ingress.host` | Must set this host value if ingress is enabled | `nil` | `cve.adapter.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | `cve.adapter.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. 
Currently only supports `/` -`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml) -+`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml) ++`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) `cve.adapter.ingress.tls` | If true, TLS is enabled for registry adapter ingress service |`false` | If set, the tls-host used is the one set with `cve.adapter.ingress.host`. `cve.adapter.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) -`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](values.yaml) -+`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml) ++`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) `cve.adapter.affinity` | registry adapter affinity rules | `{}` | `cve.adapter.tolerations` | List of node taints to tolerate | `nil` | `cve.adapter.nodeSelector` | Enable and specify nodeSelector labels | `{}` | -@@ -209,7 +206,7 @@ +@@ -228,7 +225,7 @@ `cve.scanner.env` | User-defined environment variables for scanner. 
| `[]` | `cve.scanner.replicas` | external scanner replicas | `3` | `cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` | -`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](values.yaml) | -+`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.2/charts/core/values.yaml) | ++`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) | `cve.scanner.affinity` | scanner affinity rules | `{}` | `cve.scanner.tolerations` | List of node taints to tolerate | `nil` | `cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` | diff --git a/packages/neuvector/generated-changes/patch/templates/_helpers.tpl.patch b/packages/neuvector/generated-changes/patch/templates/_helpers.tpl.patch index 774842c172..e960b307bc 100644 --- a/packages/neuvector/generated-changes/patch/templates/_helpers.tpl.patch +++ b/packages/neuvector/generated-changes/patch/templates/_helpers.tpl.patch @@ -1,10 +1,12 @@ --- charts-original/templates/_helpers.tpl +++ charts/templates/_helpers.tpl -@@ -30,3 +30,11 @@ - {{- define "neuvector.chart" -}} - {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +@@ -45,4 +45,11 @@ + {{- if $value -}} + {{- printf "%s" $value -}} {{- end -}} -+ +-{{- end -}} +\ No newline at end of file ++{{- end -}} +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} 
diff --git a/packages/neuvector/generated-changes/patch/templates/controller-deployment.yaml.patch b/packages/neuvector/generated-changes/patch/templates/controller-deployment.yaml.patch index dca352ef41..20a3d05e6c 100644 --- a/packages/neuvector/generated-changes/patch/templates/controller-deployment.yaml.patch +++ b/packages/neuvector/generated-changes/patch/templates/controller-deployment.yaml.patch @@ -1,9 +1,12 @@ --- charts-original/templates/controller-deployment.yaml +++ charts/templates/controller-deployment.yaml -@@ -76,19 +76,7 @@ +@@ -79,23 +79,7 @@ {{- end }} containers: - name: neuvector-controller-pod +- {{- if .Values.global.azure.enabled }} +- image: "{{ .Values.global.azure.images.controller.registry }}/{{ .Values.global.azure.images.controller.image }}@{{ .Values.global.azure.images.controller.digest }}" +- {{- else }} - {{- if eq .Values.registry "registry.neuvector.com" }} - {{- if .Values.oem }} - image: "{{ .Values.registry }}/{{ .Values.oem }}/controller:{{ .Values.tag }}" @@ -17,19 +20,24 @@ - image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}:{{ .Values.tag }}" - {{- end }} - {{- end }} +- {{- end }} + image: {{ template "system_default_registry" . }}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }} securityContext: privileged: true resources: -@@ -125,14 +113,6 @@ +@@ -132,18 +116,6 @@ - name: CTRL_PERSIST_CONFIG value: "1" {{- end }} -- {{- if .Values.awsbilling.enabled }} +- {{- if .Values.global.aws.enabled }} - - name: CSP_ENV - value: "aws" - {{- end }} -- {{- if .Values.awsbilling.enabled }} +- {{- if .Values.global.azure.enabled }} +- - name: CSP_ENV +- value: "azure" +- {{- end }} +- {{- if or .Values.global.aws.enabled .Values.global.azure.enabled }} - - name: NO_DEFAULT_ADMIN - value: "1" - {{- end }} 
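Review bot: The replacement `image:` line in the new inner hunk builds the reference from `repository:tag` only, so the `controller.image.hash` value that values.yaml still carries (`hash:` is context in the values.yaml.patch hunk) and that the README documents as overriding the tag is never consulted; the upstream branch that honoured it may be in the elided middle of the inner hunk, so confirm whether it survived the rewrite. The same shape is repeated in enforcer-daemonset.yaml.patch, manager-deployment.yaml.patch and scanner-deployment.yaml.patch, and the upstream `global.azure` branch being dropped at the same time pinned the image by `@digest`, so the tag-only line is the weaker pin of the two. registry-adapter.yaml.patch shows the upstream `{{- if .Values.cve.adapter.image.hash }}` / `@{{ ... }}` / `{{- else }}` form that the four patches could mirror, quoting the value as upstream does. The enclosing container spec starts and ends outside the hunk.

```yaml
        - name: neuvector-controller-pod
          {{- if .Values.controller.image.hash }}
          image: "{{ template "system_default_registry" . }}{{ .Values.controller.image.repository }}@{{ .Values.controller.image.hash }}"
          {{- else }}
          image: "{{ template "system_default_registry" . }}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}"
          {{- end }}
          # … unchanged: securityContext, resources …
```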
diff --git a/packages/neuvector/generated-changes/patch/templates/enforcer-daemonset.yaml.patch b/packages/neuvector/generated-changes/patch/templates/enforcer-daemonset.yaml.patch index 05c67ae9f4..ad0ed2c54d 100644 --- a/packages/neuvector/generated-changes/patch/templates/enforcer-daemonset.yaml.patch +++ b/packages/neuvector/generated-changes/patch/templates/enforcer-daemonset.yaml.patch @@ -1,9 +1,12 @@ --- charts-original/templates/enforcer-daemonset.yaml +++ charts/templates/enforcer-daemonset.yaml -@@ -51,19 +51,7 @@ +@@ -51,23 +51,7 @@ {{- end }} containers: - name: neuvector-enforcer-pod +- {{- if .Values.global.azure.enabled }} +- image: "{{ .Values.global.azure.images.enforcer.registry }}/{{ .Values.global.azure.images.enforcer.image }}@{{ .Values.global.azure.images.enforcer.digest }}" +- {{- else }} - {{- if eq .Values.registry "registry.neuvector.com" }} - {{- if .Values.oem }} - image: "{{ .Values.registry }}/{{ .Values.oem }}/enforcer:{{ .Values.tag }}" @@ -17,6 +20,7 @@ - image: "{{ .Values.registry }}/{{ .Values.enforcer.image.repository }}:{{ .Values.tag }}" - {{- end }} - {{- end }} +- {{- end }} + image: {{ template "system_default_registry" . }}{{ .Values.enforcer.image.repository }}:{{ .Values.enforcer.image.tag }} securityContext: privileged: true diff --git a/packages/neuvector/generated-changes/patch/templates/manager-deployment.yaml.patch b/packages/neuvector/generated-changes/patch/templates/manager-deployment.yaml.patch index 43da933ada..b998295170 100644 --- a/packages/neuvector/generated-changes/patch/templates/manager-deployment.yaml.patch +++ b/packages/neuvector/generated-changes/patch/templates/manager-deployment.yaml.patch 
@@ -1,9 +1,12 @@ --- charts-original/templates/manager-deployment.yaml +++ charts/templates/manager-deployment.yaml -@@ -62,19 +62,7 @@ +@@ -67,23 +67,7 @@ {{- end }} containers: - name: neuvector-manager-pod +- {{- if .Values.global.azure.enabled }} +- image: "{{ .Values.global.azure.images.manager.registry }}/{{ .Values.global.azure.images.manager.image }}@{{ .Values.global.azure.images.manager.digest }}" +- {{- else }} - {{- if eq .Values.registry "registry.neuvector.com" }} - {{- if .Values.oem }} - image: "{{ .Values.registry }}/{{ .Values.oem }}/manager:{{ .Values.tag }}" @@ -17,6 +20,7 @@ - image: "{{ .Values.registry }}/{{ .Values.manager.image.repository }}:{{ .Values.tag }}" - {{- end }} - {{- end }} +- {{- end }} + image: {{ template "system_default_registry" . }}{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }} env: - name: CTRL_SERVER_IP diff --git a/packages/neuvector/generated-changes/patch/templates/registry-adapter.yaml.patch b/packages/neuvector/generated-changes/patch/templates/registry-adapter.yaml.patch index b59d7052ec..61f4e281fa 100644 --- a/packages/neuvector/generated-changes/patch/templates/registry-adapter.yaml.patch +++ b/packages/neuvector/generated-changes/patch/templates/registry-adapter.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/registry-adapter.yaml +++ charts/templates/registry-adapter.yaml -@@ -72,7 +72,7 @@ +@@ -77,7 +77,7 @@ {{- if .Values.cve.adapter.image.hash }} image: "{{ .Values.registry }}/{{ .Values.cve.adapter.image.repository }}@{{ .Values.cve.adapter.image.hash }}" {{- else }} diff --git a/packages/neuvector/generated-changes/patch/templates/scanner-deployment.yaml.patch b/packages/neuvector/generated-changes/patch/templates/scanner-deployment.yaml.patch index c64f428277..732a8a3ad8 100644 --- a/packages/neuvector/generated-changes/patch/templates/scanner-deployment.yaml.patch +++ b/packages/neuvector/generated-changes/patch/templates/scanner-deployment.yaml.patch 
@@ -1,9 +1,12 @@ --- charts-original/templates/scanner-deployment.yaml +++ charts/templates/scanner-deployment.yaml -@@ -63,21 +63,7 @@ +@@ -63,25 +63,7 @@ {{- end }} containers: - name: neuvector-scanner-pod +- {{- if .Values.global.azure.enabled }} +- image: "{{ .Values.global.azure.images.scanner.registry }}/{{ .Values.global.azure.images.scanner.image }}@{{ .Values.global.azure.images.scanner.digest }}" +- {{- else }} - {{- if eq .Values.registry "registry.neuvector.com" }} - {{- if .Values.oem }} - image: "{{ .Values.registry }}/{{ .Values.oem }}/scanner:{{ .Values.cve.scanner.image.tag }}" @@ -19,6 +22,7 @@ - image: "{{ .Values.registry }}/{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}" - {{- end }} - {{- end }} +- {{- end }} + image: {{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }} imagePullPolicy: Always env: diff --git a/packages/neuvector/generated-changes/patch/values.yaml.patch b/packages/neuvector/generated-changes/patch/values.yaml.patch index 5c094689f5..aef4e552f7 100644 --- a/packages/neuvector/generated-changes/patch/values.yaml.patch +++ b/packages/neuvector/generated-changes/patch/values.yaml.patch @@ -1,10 +1,10 @@ --- charts-original/values.yaml +++ charts/values.yaml -@@ -5,16 +5,17 @@ +@@ -5,62 +5,17 @@ openshift: false registry: docker.io --tag: 5.2.1 +-tag: 5.2.2-s1 oem: -imagePullSecrets: -psp: false 
@@ -16,23 +16,69 @@ global: # required for rancher authentication (https:///) cattle: url: +- azure: +- enabled: false +- identity: +- clientId: "DONOTMODIFY" # Azure populates this value at deployment time +- marketplace: +- planId: "DONOTMODIFY" # Azure populates this value at deployment time +- extension: +- resourceId: "DONOTMODIFY" # application's Azure Resource ID, Azure populates this value at deployment time +- serviceAccount: csp +- imagePullSecrets: +- images: +- neuvector_csp_pod: +- digest: +- image: neuvector-billing-azure-by-suse-llc +- registry: susellcforazuremarketplace.azurecr.io +- imagePullPolicy: IfNotPresent +- controller: +- digest: "" +- image: neuvector/controller +- registry: docker.io +- manager: +- digest: "" +- image: neuvector/manager +- registry: docker.io +- scanner: +- digest: "" +- image: neuvector/scanner +- registry: docker.io +- enforcer: +- digest: "" +- image: neuvector/enforcer +- registry: docker.io +- +- aws: +- enabled: false +- accountNumber: "" +- roleName: "" +- serviceAccount: csp +- annotations: {} +- imagePullSecrets: +- image: +- digest: +- repository: neuvector/neuvector-csp-adapter +- tag: latest +- imagePullPolicy: IfNotPresent +- + systemDefaultRegistry: "" + psp: + enabled: false # PSP enablement should default to false + autoGenerateCert: true - internal: # enable when cert-manager is installed for the internal certificates - certmanager: -@@ -31,7 +32,8 @@ + defaultValidityPeriod: 365 +@@ -80,7 +35,8 @@ maxSurge: 1 maxUnavailable: 0 image: - repository: neuvector/controller + repository: rancher/mirrored-neuvector-controller -+ tag: 5.2.1 ++ tag: 5.2.2-s1 hash: replicas: 3 disruptionbudget: 0 -@@ -79,7 +81,7 @@ +@@ -129,7 +85,7 @@ # -----BEGIN PRIVATE KEY----- # -----END PRIVATE KEY----- ranchersso: # required for rancher authentication 
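Review bot: The new inner hunk deletes upstream's entire `global.azure` and `global.aws` blocks from values.yaml, so after patching `.Values.global.aws` and `.Values.global.azure` no longer exist and any template that still evaluates `.Values.global.aws.enabled` or `.Values.global.azure.enabled` fails to render on a nil-map field access instead of treating the flag as false. The csp-* templates live under generated-changes/exclude and the controller, enforcer, manager and scanner patches drop their azure branches, which covers every reference visible in this diff, but templates outside it cannot be checked from here; a `helm template` render with default values would catch a missed reference and is worth adding to the validation for this bump. The removed azure block also pinned the controller, manager, scanner and enforcer images by `digest`, whereas the Rancher overrides introduced here pin by `tag: 5.2.2-s1`, which is worth stating in the commit description.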
@@ -41,37 +87,37 @@ pvc: enabled: false existingClaim: false -@@ -227,7 +229,8 @@ +@@ -281,7 +237,8 @@ # If false, enforcer will not be installed enabled: true image: - repository: neuvector/enforcer + repository: rancher/mirrored-neuvector-enforcer -+ tag: 5.2.1 ++ tag: 5.2.2-s1 hash: updateStrategy: type: RollingUpdate -@@ -258,7 +261,8 @@ +@@ -313,7 +270,8 @@ # If false, manager will not be installed enabled: true image: - repository: neuvector/manager + repository: rancher/mirrored-neuvector-manager -+ tag: 5.2.1 ++ tag: 5.2.2-s1 hash: priorityClassName: env: -@@ -332,7 +336,7 @@ +@@ -390,7 +348,7 @@ adapter: enabled: false image: - repository: neuvector/registry-adapter + repository: rancher/mirrored-neuvector-registry-adapter - tag: 0.1.0 + tag: 0.1.1-s1 hash: priorityClassName: -@@ -410,7 +414,7 @@ - secure: false +@@ -475,7 +433,7 @@ + cacert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt image: registry: "" - repository: neuvector/updater @@ -79,7 +125,7 @@ tag: latest hash: schedule: "0 0 * * *" -@@ -432,7 +436,7 @@ +@@ -498,7 +456,7 @@ maxUnavailable: 0 image: registry: "" @@ -88,18 +134,3 @@ tag: latest hash: priorityClassName: -@@ -493,14 +497,3 @@ - enabled: true - type: ClusterIP - --awsbilling: -- enabled: false -- accountNumber: "" -- roleName: "" -- serviceAccount: csp -- annotations: {} -- imagePullSecrets: -- image: -- repository: neuvector/neuvector-csp-adapter -- tag: 1.0.0 -- imagePullPolicy: IfNotPresent diff --git a/packages/neuvector/package.yaml b/packages/neuvector/package.yaml index 1102f4f352..5e8a80447f 100644 --- a/packages/neuvector/package.yaml +++ b/packages/neuvector/package.yaml @@ -1,5 +1,5 @@ -url: https://neuvector.github.io/neuvector-helm/core-2.6.2.tgz -version: 102.0.4 +url: https://neuvector.github.io/neuvector-helm/core-2.6.4.tgz +version: 102.0.5 additionalCharts: - workingDir: charts-crd crdOptions: 
diff --git a/packages/neuvector/templates/crd-template/Chart.yaml b/packages/neuvector/templates/crd-template/Chart.yaml
index e1390446ae..1e1503703f 100644
--- a/packages/neuvector/templates/crd-template/Chart.yaml
+++ b/packages/neuvector/templates/crd-template/Chart.yaml
@@ -4,7 +4,7 @@ annotations:
   catalog.cattle.io/certified: rancher
   catalog.cattle.io/hidden: true
 apiVersion: v1
-appVersion: 5.2.1
+appVersion: 5.2.2-s1
 description: Helm chart for NeuVector's CRD services
 home: https://neuvector.com
 icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
@@ -12,5 +12,5 @@ maintainers:
 - email: support@neuvector.com
   name: becitsthere
 name: neuvector-crd
-version: 2.6.2
+version: 2.6.4
 type: application
diff --git a/packages/neuvector/templates/crd-template/README.md b/packages/neuvector/templates/crd-template/README.md
old mode 100755
new mode 100644
diff --git a/packages/neuvector/templates/crd-template/values.yaml b/packages/neuvector/templates/crd-template/values.yaml
old mode 100755
new mode 100644
From bd83ac90f7090bcf6be175a588bb1c38675a320e Mon Sep 17 00:00:00 2001
From: selvamt94 Date: Thu, 12 Oct 2023 13:49:25 -0700 Subject: [PATCH 05/11] make chart --- .../neuvector-crd-102.0.5+up2.6.4.tgz | Bin 0 -> 3193 bytes .../neuvector/neuvector-102.0.5+up2.6.4.tgz | Bin 0 -> 21641 bytes .../neuvector-crd/102.0.5+up2.6.4/Chart.yaml | 16 + .../neuvector-crd/102.0.5+up2.6.4/README.md | 14 + .../102.0.5+up2.6.4/templates/_helpers.tpl | 32 + .../102.0.5+up2.6.4/templates/crd.yaml | 845 ++++++++++++++++++ .../neuvector-crd/102.0.5+up2.6.4/values.yaml | 9 + charts/neuvector/102.0.5+up2.6.4/.helmignore | 21 + charts/neuvector/102.0.5+up2.6.4/Chart.yaml | 27 + charts/neuvector/102.0.5+up2.6.4/README.md | 256 ++++++ .../neuvector/102.0.5+up2.6.4/app-readme.md | 35 + .../102.0.5+up2.6.4/crds/_helpers.tpl | 32 + .../neuvector/102.0.5+up2.6.4/questions.yaml | 336 +++++++ .../102.0.5+up2.6.4/templates/NOTES.txt | 20 + .../102.0.5+up2.6.4/templates/_helpers.tpl | 55 ++ .../templates/admission-webhook-service.yaml | 18 + .../templates/cert-manager-secret.yaml | 33 + .../templates/clusterrole.yaml | 121 +++ .../templates/clusterrolebinding-least.yaml | 150 ++++ .../templates/clusterrolebinding.yaml | 147 +++ .../templates/controller-deployment.yaml | 264 ++++++ .../templates/controller-ingress.yaml | 219 +++++ .../templates/controller-route.yaml | 98 ++ .../templates/controller-secret.yaml | 15 + .../templates/controller-service.yaml | 97 ++ .../templates/crd-role-least.yaml | 295 ++++++ .../102.0.5+up2.6.4/templates/crd-role.yaml | 295 ++++++ .../templates/enforcer-daemonset.yaml | 150 ++++ .../templates/init-configmap.yaml | 13 + .../templates/init-secret.yaml | 15 + .../templates/manager-deployment.yaml | 118 +++ .../templates/manager-ingress.yaml | 71 ++ .../templates/manager-route.yaml | 33 + .../templates/manager-secret.yaml | 15 + .../templates/manager-service.yaml | 26 + .../102.0.5+up2.6.4/templates/psp.yaml | 86 ++ .../102.0.5+up2.6.4/templates/pvc.yaml | 27 + .../templates/registry-adapter-ingress.yaml | 109 +++ 
.../templates/registry-adapter-secret.yaml | 15 + .../templates/registry-adapter.yaml | 192 ++++ .../102.0.5+up2.6.4/templates/role-least.yaml | 29 + .../templates/rolebinding-least.yaml | 62 ++ .../templates/rolebinding.yaml | 56 ++ .../templates/scanner-deployment.yaml | 102 +++ .../templates/serviceaccount-least.yaml | 47 + .../templates/serviceaccount.yaml | 13 + .../templates/updater-cronjob.yaml | 79 ++ .../templates/validate-psp-install.yaml | 7 + charts/neuvector/102.0.5+up2.6.4/values.yaml | 521 +++++++++++ index.yaml | 51 ++ 50 files changed, 5287 insertions(+) create mode 100644 assets/neuvector-crd/neuvector-crd-102.0.5+up2.6.4.tgz create mode 100644 assets/neuvector/neuvector-102.0.5+up2.6.4.tgz create mode 100644 charts/neuvector-crd/102.0.5+up2.6.4/Chart.yaml create mode 100644 charts/neuvector-crd/102.0.5+up2.6.4/README.md create mode 100644 charts/neuvector-crd/102.0.5+up2.6.4/templates/_helpers.tpl create mode 100644 charts/neuvector-crd/102.0.5+up2.6.4/templates/crd.yaml create mode 100644 charts/neuvector-crd/102.0.5+up2.6.4/values.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/.helmignore create mode 100644 charts/neuvector/102.0.5+up2.6.4/Chart.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/README.md create mode 100644 charts/neuvector/102.0.5+up2.6.4/app-readme.md create mode 100644 charts/neuvector/102.0.5+up2.6.4/crds/_helpers.tpl create mode 100644 charts/neuvector/102.0.5+up2.6.4/questions.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/NOTES.txt create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/_helpers.tpl create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/admission-webhook-service.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/cert-manager-secret.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/clusterrole.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/clusterrolebinding-least.yaml create mode 100644 
charts/neuvector/102.0.5+up2.6.4/templates/clusterrolebinding.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/controller-deployment.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/controller-ingress.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/controller-route.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/controller-secret.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/controller-service.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/crd-role-least.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/crd-role.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/enforcer-daemonset.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/init-configmap.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/init-secret.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/manager-deployment.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/manager-ingress.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/manager-route.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/manager-secret.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/manager-service.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/psp.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/pvc.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/registry-adapter-ingress.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/registry-adapter-secret.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/registry-adapter.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/role-least.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/rolebinding-least.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/rolebinding.yaml create mode 100644 
charts/neuvector/102.0.5+up2.6.4/templates/scanner-deployment.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/serviceaccount-least.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/serviceaccount.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/updater-cronjob.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/templates/validate-psp-install.yaml create mode 100644 charts/neuvector/102.0.5+up2.6.4/values.yaml 
diff --git a/assets/neuvector-crd/neuvector-crd-102.0.5+up2.6.4.tgz b/assets/neuvector-crd/neuvector-crd-102.0.5+up2.6.4.tgz new file mode 100644 index 0000000000000000000000000000000000000000..187745aab6598d5068575e77fb6fde68422ab39b GIT binary patch literal 3193 zcmV-<42JU`iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI~~ciT3y&oe*8T;=vAX+v6)W#?As=I&;(zRSkPRVr+-J5Lab*wjJbd}SbQ+jo=7-(cM1~4jK(N~Dc6-vmCEJt;9yZ{6!SEo zv6eJ1BQv6iko{;v)wCED5=G22g_+XK2gO0}`@`cG{TD}nk}vz+?*GhQ4uX`>Oc9!) zki#GZObKN}kVT$zq5iyH8-VTj2xF?Gnxep4r+>^FwGfJ zD5D_YIc9Q7$7%>;!XySkERstcO*y~N`;eW@C#;YP#p|~L0A^ZtG6cQB1oy4B2Se-Y ze=$S{XH#T33K^;V)>}ct`tNrS4>#8T@!??L*Z-HGPoECHg&9qUAW@kmt(V@*RI4SP z;t;+)`20E0T)__?bCM-yDQg1+d~7}&YZ?V5UkC|~X@<~QZX%ky1L3mV>^G4Gn{TwJ z=z}#pn)8<#3PBTuYrWL77>*CkN1DDb#$);sI^j|nW{LT1TX-UnC}^!S z)6tdD#_5~)nwMr1kU7TBqTuxyN(f_xXmmhmCQBG%o>2vtlrg<)7JAPldb`z)FI($S zuI5@-FdZ-SIWJu3bk0-D&`Rk{E+zf9>A>)1`*B@q=Ry}&O7zYu%D%j4>)O+;8<-24 zsWEiEk>NM8vmwpayUk3i`@A*-SB6$EnG%WVVKu{B&K1kW$OxHphz(z-wnMA>wx3H7 z4A&qqXCy}GeAj`_S!b)B-uKqz=?hSu{f|YmH#fj-|Bnxk2E7gYe>8Z}^Y;Hs(1yWS zqVT8$+{=xg#{<33>kVzrzJT%YRAM?qal+GFo5#-ozwAZ5e%S56Q(26p63~ON2hj=1 z$%rzlD9T9N*K)6l{zg^#@!7N0Iu9LnW?Y$OJ*%w#``gw|$JO21S@7r2YbO>Yr}$A} zroYMP;(ujC`N6EWG-2)dN2o||v2%a^99+;W8Nx{+6;I!x*Iw$I`MFk7H*5aymXiixwsOj~GSZ6zqk^y;&RNg49K~$mFq;R8 z3!`fD{xKx|7GYnved8 zv1*(+^@|T079g}$5EpbpGs4dHAgxK!)*?CAY^`Ekvcqzpt}LplGF)r{6@|{W)DO*= zvI-UMZhZ3Eb#?c<`v|9GM(a07x9v-LMim!l@swnfx)Bdy#CUvhM&cNy+|?G0DN|V6 z%*NM+262+k8cf-UbB3g9hPfx^T#c25w(0wue>C&>XHFjfc>GgG9{*I3$3Gtbv}#NJ z(By*0UxoeAlFy1fA!=vXa9jI9)O5#}cbrMLn-gcb;MMThJq1QYBBNQ2qUtBW;$pd` zR8A?fq^590B#mpz{)K{viJ;?Z$xhunRH%rUV1+4lYbWQ7##bp%cF@l$l`)^yz=IHe zwg|qa^sV5kZUYbD&B3efmD7Ytn$3G79%-?KH)D}TB+?d#v_K)PO?)!~X)UT1`e-Sw z4f1Hh9Sx|X8FREk9L;#cjSpHVq$Sd5;jy}u>cALIMbt}mAO(lSgjGyQ_tKE46wM|z z%f`9x+N?P@mVgF40gadfns5cQT{!m*MI9&r+AJvdVv>reqGp`jsL4_BB^mqac9Z;c zyNl^o-P^DPaY3VuwTCPBw_zB5ZIK4Cjp=?!0S9H6x-;&ef~O+Z(BZIe>yAYSohh!HizzQny8P?PMs1Bgtr_y@a|`rIl9WmR~jBn?VY$>v(Z?KircK$&FR$ekS 
zI0^0Cgw`%VyTBk=fU+}#hW0UA4ck5hwHVWFB%ST4Va?N`VL~{kLenH@G5k#fpHOL& zlQ`dZ1?13%cU|$6+F&}sP?L@8bZU!SAfpLp+*K@4xG;Scg*ycbc~8~tsa}%tLvl`k zBV(sOx=~)?f^I70hS#~l;2q6-cQpMyNkgMrHLa}3-;=B}`g@WZ^7kaw z3w>_nJhiZ0x*IT)QVc=4=SRp1dueS*5J2!D?H#;AR#aU1nRm9wJWid@Td3y!|I@o4UY-8@LzE_at)n6TWAC_oBmeVZ*XMuzBJ_Bf1KB1=HW}oCpe|AJ zJY^pWn7cR|xs#(CS(Tq!cN6CRCM+G!XAqNI6~gApOUg{LD?hSb)M9^dLQw(|!LER2 zCWl^5bMqse=lWY#CeKTj%rVJegpgp)_?5}mI6*Z<0hd%wZ5F;ohgN^v8wJ5%%2be= zNq3`G<_O1J;99q1{U8@SDPr~9W{8xS6QMWE=~A^+LToYyCK3FV3scpI#21%DB-;DP ziK51tx&nbj^6WXx6SL`eGp;~j%4a6cu6g^3uK7usloMW$;ffbvdqE{UiA7QtK8M^U zrIe`P{AS*-b5Pvo=B*SRK=Al6oS6H&LfC}U!LL(&IFb zDJm3lo=0?LiW%LMxkjm2WR@(mQwPD@`O9z(r_1!-=9^``hBsWH)CSWMTtgUEe4Bp? z&KG&b&f!`s&JM5c2+iP^9JBYj@VU{KQKsU?L56EMH+njU>)?FDbZA+zNT7UXOpShF fk=aFuaoFgp@o*|>YH})Q+1r{pn)|4$I0;Bw z*gJq+bO(5Ca4vAaebg!iS2uGpaZvPjRd)qk&3bGuE1^k^dM;Sa76`zIi=r;0_k$Io zIxM`eUH9X`q!3GVYqz4gJpW{cf&T$+Y{`s0B~G19T8OqTfG0M=$HolFf=5oxIyNNVE0aML4?2@;j6^_7JqRbLR0hy zknm(7$weLdK6=D|Q?a`ck9`!f+cLW|O>N^KK5F7PlqyL4pVx&?ynaHSp4|pFUJWa2 zz}%PDMIAL^E0zZpq>4<#Wdu$$e1*Iv=<{G?sd1{~73_JKqwPG=G0Mg zvw_F$ZmS_IfmYk{&$`SBe}xix-}3_!FI&Kd{A0`*cfKM9V6aKY&|-p^yb-WbbK+ms ze)x-`7)L2KCTiQsi&Kr{jn=GO9$Bvp^nlp(^wS(9HGR%N-@C9%W0wdtsWhEO88Mb&$x(4qzjjb-rB zCV)zWkRa&kP-CNcw=5+U8bA5SU>=jhESxo{W&f})=PpTC{%PylS-ZslOd5*W_G%zUMIQIA%YX!I3}q zA0FwPq)#AR6Tp~}zP#Fga!{dm7_MuP(C8F$Fqedo?E!(t6 z$B}Z5h;4(5VY4pUs<02l{nbH&80wX14wZ>5lBt(~n!5&7M1v>*iTRRe#)wC=C5H=w zAu5eBGn#13I3h0ZQA&y0I9G9&+AjBw5n~s%`CFOi%?NczM`C5-yu1YV^sYRUFAu$yrZsyH|;us6!MN{50dc|C#p7McRekv80;28 zA70~-ASnQp$OStj%9&+Y^+8wDujv_NH3#A4LkkXM1TtEZExZslNQ)fah20kqDv6G~ z@^d6^8X~Y$u_BAjZ!NbCB~KJT#?sHY4HBfFFS$-sMIQS|9KNMMdJCp3O&MMLOlp}a z91UORPVEnl7$+t&O^n!u*fKa20|?lZH7VpdF^ptX^-;EvqzEdhFAeo37;#w^biXI2 z=*U7Qxi=&fHM@GWjI%B&MogK&%`5FC5685TOs^2ao z2t-#K%9^*mPlR%uuYoeg&lCg|Hf>CRz6_2XyVYSCXO)Ls;ixl|57Bo~G(}CBzwinc z*RyV67Y(5^T_8ZC%#7Sc$O{9*;GlM;CPgjsZ#&eEPIry9^b-i*GJLW%>Rrd$$2Q}9 ztgU1Mq+>-_yirQdx9raB#*pJjFL4c(ikp;9=2_6G(n-UAc)I=V{Xq_E#TSGU6q3CA 
z<{m;e%sX7Q6s}T)rI*6M3N;Gi`B{KY<1a76ihDjAVp=AMRGaK$dRtETlF|*;hc-KV z+-s;G^83CzH`a)8M$u{Ja6`56eln9I+~2!3SQBihow9%JloB`XycE_Gc(%87I?eO) z`9ZYQKoHK3Wgf?#*6c%5(&1}=)L_y9bP-zX%!BNf+8DbngL;2dsz12v4_ z9WgH-O{GYUPcqJ+!9z4Mx8jfZMOA!)gc^3ysYj%^APgi$1mZqOQ!VRBf|b=)UaTJbIZ zdkjyjxL)+JpkSJVr_=8;X7rk!);C>X>D`4N78sqO|7!I%zRnfn@7M43CtaN4J`En+ z+LC#*453_z`VF{i`&`lP#q7cwlErw=!*~X4rek2hW%sqa+JldoQ1T4H0;R2y)mVo} z22hT^oXHU$))xK1gvQ_^fL#!l!ib+1!{$Be0vz$<@aTU@CF@M24T?ch0)n27<5|%$KyPxYSeH*@pIbf8+ ztj=kME#Kgfes0&aVR{u4W;33#_6u`*{3yW8>~1f^;BVNTLb~Uccusabo_5)a$yAF& z41CGOpN00Acr}f9z06w7rpTNhj zi|J}EEghKv>N)UBs@}131Ej-DE+Tfiy_=@+znJ0<^{}I6v%YK{J%oW+c!RhNEH+YY?@D-5IZ@bUOmHU2^2U! zT{+fc*;gag9eywW0DLXmIw%~rs>Qdey0xmn*+6mf} z$+%B!vo=BX&d|7=iyMvcM;=b z=N>8VS20H<8=8k!{3P5J!7F4bu zOlU%cjj$cCg3uc?8G8C}E0%I?`VF#MG$L!K#fOe#i`!i7{@wu3fT(Pt-eooOc=^7z z`qy&#*H$>#>J<0&6P=7kN3Gtt*1o1Hudo|o0lmMsrki`l$}+9yitVUD?5X|v!g|Ki zhUW6-m86$j9?0^!6Vk%hewqw|y>NO-)dFI3NNRkOscLDZZeW+1xu7O)m_EF&;kfYA z?(1A;&-50}PlFtB0}0UO=~)g2$0FCStEz%_^wAI^PcsA6=MhbkUut|zG)W@_ZBXl7 z##n!lfp#mE8SzW4ej1Yxd9_U`2L$QCPe<2u1(ltJ&x3VOLv=U9o<3$>pN%V=C!Mnh zKR#!?5SB4rvK_=aRX$?c5cC*((gciZ)opk)t2qvv-$W6~z8tF4bH`nkFLCtqx@WR; z3tNV9&a-N3H^7(ec+~lF#POAq_83uDHoz&BG7cDe`raz%iI8W+#3d5F#geMt?c=C$ zC4Vf!6bpCr+WW`IkYS^vy(ZQ{g~DX4;0c!WXC>)@in+|&i>=<-7zZ%Ao|)dh_e8Y@ zTpf;I0m@eHJ2RaeXX^Pr(2UgZ+^&GvM0pojR{+9-3j+IVfaBil#~RwZF-aru^&*0C zfc5e`e(A%u{oT}a@0abT=r}}D7#lt{OX=`!!UtLRKEk$PH(1uAuG!4KVcYww8-;VD z304whAho$PG0hWVnZIwaI{F)iiYX20Y0#r?=SmI{+Z?B6t0xQz z=ObT;R*WY|yZ`;&M*whoXsi)sP;V@a{TPtP_u@Gw9;6heqAO8)`Q8k*Ri#++FSEgEV+ ziK+%XR5%Vi<@$jL&>}H8MwGg!cfuDhb={T5+Cef&ohO^)LoVp|`1E%4QMK9e%jP1t z3~zyRXAr({J25g63S-O90>|)JsU-KFuzlAU%qnP54}uuGB+)peH0+#i)s%OGxnIJ_ zs9N!vJ70bO9o!XAv&hHe`?LtKO-)kxj4=PumMAK(#ROS7*1Be#!AEOw0mqn=+b_2) zby()47nPUC?>aJ%$mcLsNoqoSyzk+;9`x3~1AbzMvy{{f?ze=6WRU@po}Lw9?|>)X zUUWdNJO8iE0MIh;1vNc8eA52%KvX@+lSCDyKPM9we*@-uf#`4?A`Li=eV{nBDop#5 zE$%!@ev2WVnBt<_);|oN3`UqvDuUEP=ze~vrunl;q`?a8#jaL~3vvr43Edv>;vn8q 
z%{{Rin=-`izz(v-5MymFHnYeNIRE&PH>M6n0mU9geO5e2`dKu2r{7HS*53#6%4`D7 z%qp_`yx3gf%RfX7j~#?w$-o2~6z33(~2LzYMbw18g7{am#b|ST$9M*J5ToeOoq5Dy-k9=I5e&z7k^&sCIH13_0t>J1`dU@Y`Ms z6;x%?8@`pYy=sT}YfBNF05A2vE* z327(@vmw*YO!>u+`I%jK-a%sAj)c9sN>;cOEjlnk61U-QJkp)@4FBVLZhz=q>^!k~ zFP@*zgh%9*0&WNh3Qn8@-u>R8HeQVId|+KZ99_^K`dVO+irqw*bK&r+c&h}FXl+- zwfo!<>1*~Hk~IN69tH?(GK~QFczD*f>VOLTki*0Rh|L2XYY~RI2CIL6hRSeR5S_^u zhx%#5^{**o5-Bo7Q~nvMv5Xk_*YW_8GP+oB%ptby>c7D}66~pc5!{_x`nkp84ffOz zFESzSmD1mvTpxf8L(mTmq`EdcI@~)n_4LdsxO_EdC7HJ1!G z$!y#oZkW0VdG03W`rv-;ZOWYF%RPsN;)?_l72p$~zW{INw{J6mPJ1*r0N$Xr?*q6; z6f@lsz@3%fC17UFD)A5}Zz_#qJsGt5zU_#|Z#Ev}0{axy2E}W|9087Rnt*ctQ2?KG zG@ft7vLaL{)V9H2VZ%nMU-G!Q_OYYsU|>H62?i+xg(gU;&bA9rz#wHW77SNSlsQ}# z6po#%NSMAsq=OPIN^vif?_-@@zWj^{*~b zgEoINm_-d)m*IvyZ5y3=10|E3QH4=P+Dv-G zHkX(OU+r;&&~GaMwp$l_zUoKwcw3;Pf=Lwkm<#&?Wz^;&4M#X7Og+PVoZZ_U{g7pm zD^!r^!S1g}ID}_c@Y7T%-jJ9+H|-?D6-r@`EpGbV8)hjW*U!}C`^+u)sd=Chq9;=9 z(@uBkXYE&S^yohz)icOZqW?sgle^uG1MFzw(mH@%4+53chH=5{SNUKtm@&2^!Y|#C zH1k-DSi#5ql_%cuEw@N&UIZCkfy~?D=#B>FXVkJgzKSV{yWN(|-iPICu%+MYt-MbN z=YUxG+sKBlj$R%{zux=)%hi!Yj2n!9Y4TgQrKjoCP{vc+70d zXD4pvRP$FHm5r{hTuirJ9TnGH#imPz1P{UK3!!QP@Y&x$d_sJz3!$zqz4uwm0^0Xk zw)ZBBZRiJoJIM7aH9fjHSxw?eKAOV1)(*TiT#Pzh`_`_Q+FvJE^b#B4HyBJ|wH!7$ zb_<>|{=;&nb}nz7<)6#69!Q#%918hP^GyfMK=aILF!V@sPLX+9uD-KNq4)PusxFE5 z+4=3|uiwe#yEM570lw#xckxEmGQTPahghmp`%loMl3!?K5s)Jhvp-n#Yg^#i0oivd zn>rWE(`;gK?h(GcSzhYB2fOxw}_;Oh;aTh`ZALt&${$WwiEtZm-5c; z;l|8el7i7-%iyD341AsSOYS&nG@8Oy-bkKc9YTQ?DuFXgtC-SK;@}OGA>IS{HLr7v zY+eu+Q5!iTvS#O)blRb4HliQe^r>eWN05YIqWS6?Z62}3?=`445tE&wukF2Smxp1g zMjnpwY~nr_ya8#DAw2;!mYdMy%ez{ei z`BoZa1!B-yI(AEFracZY5BlOOJlNYIWO=VY#xd1qvGx$rsZ@&f!T!m|n5B5Bkr=G& zA*J+ezpn8Yg!X1&o)GA!(q*0Ewe~}Or>ubq59v<8bYV8t@5wMd-kk0 zGxg&$G)guR!_XS|f8^{k&)Sufb~?DBA(tiUDTB$=a2{m{EUV;uCur9?g$HRWWZ6mu z5c)U>XU7)0`Zfg|Q^a)Ht|8r@{4-Dd)PuIL#7yzxiN-->L)wKYpc80d0TbpSKJMKA z_UwGLpj<~c7z>9C<|pW%Riwe;2Q#U|vS|a-h@ifqT^`ZjxK}reM#i1O z9)BN=KI!A!X{m?Ckzz|K^{v&@Nv~rqF07SfCc4~@@D!PBOV(yn+^hau1;~SyTVpfS 
zpER?ZQ6K&;9XjZ?Wjzxb{n#!viJW&@<(XE!`9|HnJ%Rg#HLdB@;~KYrj8tY#VP5AP zU=aF^04>M0@#_jw{Ez3HXspv4Ox)rtX43QgxOrRp-M%|Qy`4SnJwAY^qr1#lqujX? z)blC?oR~68w2Rdc4pVG3R7$i5-7y$V{ZO>q)+~7i#a}TR2n$Wj00N;+DohN!u3fem?Hh;6>P6D{LY)y3dw4B>njjx_m~L@mwlKt3S=?A2`+6kpWd?Hy%1L%0z381)Iti`k ztyvZ>>fNA4%!`Xy$R~!3-Jx`3GYRt7LTk#~Ka5q241bke4;(mwTe?hkX#skiiWo9_i_2T^Arszm9O!50_I;dQ8XJ%WT0E;Nl80lAf1$~T(!f%l4!L2r-vyELS1_fJIQWRP0(lb42>gJ|dLBvEE zmsG4aqFXtx+F!`{kEl>9?mfmRP)qjYdzT~#vZ2CI1C{yvKfHj#&u$K$k0I5qO1D=T zIraAU2bmkz%fZW98f4BOtbR(CDyQN~_k1?%`1)0n*l z*AA_fPl?T2(~oscLOz-$wENZzi50xJVQZoZdI2aU`LGfbaNm=3TK*0^35P zaHWzMmT%kIlYJ-I7`^GatYS}4^do@m zZ{`CH?w-a%GaviyZnI$uGRpyTvH$RF^8_GT#QGW{Ew)ozHLXw+cW>!T?V>U zV!Bnvo))H_GY-wokfl0W11SrZCQOye>!n4a65%cwPs$`0@wLUBpNmXKE;=fA)!qZwzM?`V)UcH5_W}H@VaPCRfzv| zip5Ls?3E<26THw!t3iEO!m)ul2+3j+6AZOs;^*bgg_S+j_;)Kj2gSFD9?-;`l(`eGtAH-DI2#$0n@X2pS>7c4zHX? z7r^Hyq=cAv;C^@a$iF#?2P z{6D7N!*iayYaT=DfH1uucrh+}iJI4Kv3tQ0a{pw3kw@OJd*DPn)0?4f=ZFcmTiT8T|4g0{S)o8_Lzk*3X14%@P?8+1H7!(3Qd8dt%|Qw{lp)Qcv<7v$KMZ9u`y@?IgWaL!#-t^|~q zXqLf@V@`yz2yk*X+##vjAYkeUz}KKr5fl83Z}>sm678uwVdNWr|Ks2 zk*}Lit6#?Vc1SGszo3<)xOJnnoQ^lE;6H*Dy5ILVBt-qmE_k8$odP=8^{GU#g(`kE z(Pw%-n6WtO^JFeOyjv>RTWOYNr!Od^URGyW-t)E?A{g^MYA%2h;yQIHaTJNi*2|%- z*8Su&kU`4H+&ONlqMBN18KK2mk>dVX&Qu%pctAlUT3pc4L~wmD>&}_=lw}wzCR(5B zR4UUi88$l_ELAVdm|$hTwnOhDFCLm2SU#% zq?W0FIdk_s$M<_b{f_F-u|DA0;_!(;*x1{z^&7DbYD}*%tX63N{BRG+!BRl6FidKq zny6=I;7Mn8{|+cTpQKEr!W3jJO4@1*GRN~p^!^TY_~P`w@#6H&FK&sZ=DJD%+ZI2a zut#eYn|WM4)5W*sc=YOz#lPgKyyQ7i&iv|(bLj{be&Qc0J5SRbSd*6~``V-x?wuS? 
zhAcgj|J#kS65A^Eb3$au~s{8?;16z#H%TY|C^*n`0@4n&QhEvsF!zm=18s;}`= z52h(n8HVSE@gSyz13kB3+*3C=WXE1g#K5k|diadZ6zH=Fv2Bc@p%kT{Gw*?5-BtUi zmVkRtviSGcE^%gS&Pt{F?=l9fSPR}HbeQq@k~Y`tIXu-^%UA(WB?9}X*;^GcoF zBw4k9`azK1a_caha<*X_12eKlwIG*;|NoNDvrpik zj&^^*+ufl?9Xg2GyrV~4mtuTPjpN0`Vb_25>iK}K zrc?}8M4thO(w>tQ(!2ZNLray43|i`(oasz4Q+C_~8kkfVUxsD3tr~?)cVjD;@l+eq zpo#+b@+40iRFB`j%d_8nyw>hb7h#*Q!IGhNaU#f>kW}_VZ-{G=rO>p=SnZp2D^Yw) zX0Um=voMuBbYg@M>C~uwm^;{(AahSYDDz2@>g5GMVbr4%bDk(#X zFK2&g8N$5h@{@!&8YdV|oT}MLMyPXokmiVScs8QS3eL@z`;a5xHR_G#iFvNUYTa!~;Pt7~ZJ0fb2S|YqystF~)u$O|HP)20%RJhqD zE`)d)H9NjmQeKq=?w5hLA}m1QZT~nYa7VJ>?6IDz@6YfK@!EE&-Ya1dGcL)^7DLWu z&~+IzM0cUBHFhEkZ zDj#=RF^uK1^a&SZ{vY+~3ln7lg&5%s7dPi61IWlIh!b6=tD1(-R>WBSON+U7GeGK* zyY_lVDQJ)nH~roYOA!3~%=N3&^YO-f-VuAW;+kGW#g=Y3o`mkQj6c**3Ilol1xpSj zw9tKgs8s*P6o5>N)$sIE_49w`!c6@()+X}uf#z)oeiNPAMj64#0IgKqN_l2^Z^8eD zCfd%`H!33{tfmI*r??vH20`f(zpS_>S=zHJH*=kjBeANNIlPAni%Fhsc!9?zfqms zaYOSDW~-&Vr04z29IB$nUt0M!^Y`pRh#OaBXmx^fm*=T4bU!t;?Z0C(T=LbaQwuaUESsD31Cu)A zsKyO;{y2k`L%~Oy9|!;w2wC)Ti)KP3?(Hl zYi<9XJO^Yi2>fI;K6Q{#Lc& zw5_3b0w^9giMoSk#J)8$%)YE}MLK>{ygQFzMrr@L$V9t7h1e9<)UBGL`lu@jqpm_) zko<$2v{V$GWm)bNg#1jvpC5eHX&gJy|A}~ns%9F|WF;#WCm|Cj=qRIFd4o*3L&uWLi&W2nVu-q z?!rE3i4|&m!+n)7FdZ%R7-#5$@T~FPf>5hd0#J{Xd&CItKL0YtjIowsjf4b?&v{r& zHbyToC({?J5Z$r_2j!XkH9dTTC9C|Tqz!V%P%F?U9_#Xu(#sUw|0FahE%ET z+V@*QN3H))K^r>Y=$amYs+Xu)mrE-apO#~maR1g>9T||n&cwu&<-V0!1?RH*OkpyMZ~LbySp#&r z1!mR$TgZHz5&-fE(%t|EQ%m<5fICC`#;pI##@&(}lbl738~+rU@4J8Qp81-m)p@d? 
zN1Yr5hV=I`)u+f|u^-~kQTy6V?UgvswOSU+?v7mHNAAY*70#)0(kmb%Kg1VAqb$%D%qu=aKSk`t=6i| zQ;RIG$mS4M)f8>M6PX}T27a@knbyfc6n6D*?`?0sOSLV~{+PSSAD8$dRdIZ=W z+jpjH`^AZK!3_^@wpalW@MLhYPrka6!NIQk6-%Tz1vD{X!vF z1qBHpVtLAe81pHw5N4@%@2^Yd8HcKXV%@4AGlK)cp+ZkcdKg|9F*{cn$1+pA`~xMq zO`=l~62;RV2wH|@c5=)ZaH@HR+(^e$w}K7g*SiPH+1WzX{@UBYyWbBo;_o4~%ku#| z`PmNK+1c3GC;&Pf(9})RoSmr5x|}V%wM<}q1`|c{IWLhLEh}D@jA@zHJ2F4Xc|&u7 z{T-59g{g;JB6K2j{xs9x#baA*eV&7-*Y0F_9-cD}C0zdeMu9r!HqK>(1&c+^aDs2 z4XR_RzN5)J7IRgPj?n~G=9>YBWHUS51&^X*eOxdgt_eMRbW3{P{ImonwTxUL=xwer z{0NoQjHgE*_4D@;>pYr+@FYZPO;s-~<0NEyP1p@JxZKgvUQ<5>9$0qdWE-Y2tJSPF z&)5OJHHCQ&WKIo+u}vcVeL^M3`jOTs>Zkd_k6&3k8&qwVFSsTRQF(NTO?2P|tG2?26{>5@jNDI15I+zNdmsYcPu z{psWI+WX%&uHJ5dUqGOT&)eH(cqLzTjqRZqd-WK-UJ3xtq>9kyw=8xEnD$`7gHnAx z(A(|t4)lpUA})ZOojTqsmAd8i(!t?qOAM>wm)o`O<+fPSdesq;XTv&eO&h3P?^RF> z&u5*Wb#2#4L~0F|7jOLigCz~dR$u(1 zG6#l|LV3jkt z$M*ZG5ruM?<9$)tbd+=S^8I6hs$TgHYVcmA$CaV`uTh)fwb#V+JFnWVrk<<~yFqR6 zsYsOv=}m*`J%m1P&oHd9rUJ|X*tnmZ$H9q7@B0~^tING9+(GyPs0B_!8Xr4x_q;=W ze_n*%seZjUNl9(I1MqxWKYB&Zcd|gV$(zPYQ@|-ZqcI-(;7?IOm0WWpd>+R43hlZ7 zM5oBd+Sk@b7ch%^eBdLUw5$5wBenp9F)9j{lB?vzQ)1~^Q*)m`R~VEoY35|+xhgYZajqC9(r4_L5@xVety3`f&coKfqrC4>0i%N z3D9X;V1-UCeYKbs&G^{z&JXS6XA_-;4CVy1MWixjm7QhSE_MrRwvB7HE=Iwa&)BA@ zj)l_#jGs!^I^9#KojJJNQb4{n0mg3x#ly3G^bH91oe$>*ffzeLHZ*^>m9J&2k6ag6 z9$XDWQ&uvoiSz*p%jX|(P|sy$G(|B?zKzUEE9qBgM=$O5mnpGVa;jG}+Ym*LjZ`FHEABUV&VN!k_4Ee>?`i^!W=6)TuIZx*u zo0{Mb@&UcblB5clJt4RQ^e2#bCGvXtozK)oxnN~%GqO}R{;?4 zd{T4(>}op%=K2U`-V3E$1kr?5#ZgdZSozrmH%7RPL;c1iO0Bxk1?E8d3R2AXj_)Si z_g-HTV(trF=U)&J+OGg92_qfkkN|)0d%x`f0uaP+u#xMY$%>#G8J*xJWngPW3Fn!| zQ=o$SiG;IA$en}nxVjg|3Wx*C9%wa|V0IfqZ$Ntlxp87`A1C-)qtbgd6WQg)g-F;J zQ5GbfLR;e8W{={8t(y8(W;Js!t{hOK)$GJ*TGFy!16`+sV%^NbiKu_UqO&Uww^(2s zETPnzGeX2c?ppX196=SRNR2^xHhfdX!wep;xQz>%lc=_IidVtSHrdK|rFw{ZrR*hF zFxr7@uU;!dPMBMh@S9!PixEuY*gY=lU5`5-wC+$esF>J>pd?V(<6wvDSSk0OC>)yte01a4}8B6j-c z6B;g<6D+?HRvmU7I{M8Q)`ODMOd$BSQ&E5|U*1!oWD+TCkKd6PVyBvP7khLkFOv8( zCk`<#Ny5)w$8GGn!vjo-*$vbReRh;*b5U+=xmgm>-s;c9hHC|60urU|)USU#apDfU 
zkh`bHt;m9x+sCchBYSNs;6qMw>(N4xvVur_K8p`)aIlI#T`PfaBFZ2iH=ja(uBo=4 z`=_6KAA0~>?_Y24K!5M`FFAgtel;A@pDQhVm0F5eBUv6TSh`$G^V)5)Qs=r{!(B7K zpUM+xlr8f$$hrx7p?CrhnN#5qE-pRIiDt(fM<1_7TP{}ou*CE$nL6|IFVH^a*r#`l zdz@mYeTgzZonXc2C6{A$F8)QiU`Kd)e|7n}H)-(#x3;!{n`5Od3n);tqUga^v@qD# zD+ar^p{*WLl?dy5z}av2Nvo<|MfwNx#sA7erkH%H!IEL2Rz4aZ&4A)1r{z}!*13d3 zUwIwzLWmXL>oQH-3|SXw7wB~^v!C}8U`8ZxU?ExdcJSrUH!NTj)Vs}q+T$Vl<GTZ{`{%8pl+i^K%B9QLTDJ$Otpz|)a4SE`XHBz(@gXPh-v9#FL0l@_ z;N&SBkg~**=waNV`I^UvkMDMh)V2bkR^Le?6mKt21TcA>YPNwtbU=-hHr`O+T;0dY zAMC`=J)(Q6T*)o?Igq!ILj;#7?Q@C9fH*xSUU2UX-}!&3?T>pvI|0yZ;$d==-MvE| zI}cOYuXz9Mvt5w>I$EjmUZRN{!-Mf<;L_{qT!rRqRFL2 zpxQ;HxK1Pa;6hjI%SN`V&G@Jl-%L`jR<<3HcPLlFxq)1nd&m4P`V{bkTA7Jv858M1 z{ueA&mWw)qFH+`>3{zxnE%D#>3Q}s6GB1immjoeBP3eMY0S_cW7k2jR>wLhxyao~N z4}z`@h4rq)Z6G_FRV4sX6Bd;G0c%`Uvui+bgOmcoNhyO3@~im-wv0LYFwh3dzg@ss zvi_Br<;$2WKM-|O#eN6^0B@C}Opd#!Qc@?@Lhcel4nHm>!q2FOz_M@CreSi+8-cEf zER_bznpRkAk|IXMtU`UxklE=#98uv!8_KjxVJbM>#CFG|@c`FOj^CJJMR)`0U9it| zU;RkZUHAp+4~iv5AgAIEA+@UzS7LYT0>wO(jyfFu(D1{kFOmcv=MAK%Sr8ko6=W~R z+eWdFX*V>7jzHdA0a2fs9|=RGUOX*r_Ru8NEa+qYoZi;T7(M zxPrV-zgP%OUWM4t6Os%NN6oG9f-Rws2hLlvmNopU`A!ZZxdN%XmL5M$|3kKekv$th z`U_jKkHczsUAlNo-5fnNOWYK|I4Yw+3&RMIr0DCmfF5fjj?j29GFREso&{ueAyJ9@b(*(h8#L%C}$l?aFKp)&K zsAAi4677SOr_Rw4%r91 z1y2Jy*MFQk8NGMivwP1hFubj_N4jO%q$8*i19L>Ev?5iFDPq6YZ(34X4L=Sd!@Z-* zsS>D2{6e#-n4bscjQCvT7=Vw-77F?%h@#6Hwpdzo=W`4F4qKB|7wGUhwZ0um81A72 zVw|2}X_frHB(xa!VGc~`e%+Zr3kJMBRFZX~(tUdppxLBv$)*X5f%Irtu4YRpZ@P5> zXv)9ld~vNLDk3EE;?*cPawI+7Gknb#7G{RPjQ9M}aTNvuV?i$<{-F5@@^FM|5a886 zH!~r{ z0ENDVpbOG;Vr^w80({B!8AF3Uz$lu|3*iR?&MvRu6$bzUY`Ay-)hAD0%ojW=G0o5w zJM%~vx32NM5W8IIraJ|TEA0CH3eICLRj8SHw4T6%yH{`a|Ir^8Reb8HO}RDv*Nn?t z|F0Q`715{^l4%oNXc3LLsv$-hZV9DNQYcSJ4XbRt2X_&h{MDdmUwz=HZC&%w4Q@yk z2mSz4y@i`Bsxdc(`EwT|L=9q&{OC8nDJE1f$iPdHy%wrK zNT+SAulcI}{p?XlsWe(~j-wuoD;<-PxR)kH@ci_$VnlC>(Kk}fJgw|oA_8`m9`R7A zI}dgnxxf&eyhk;zgd~r(Fajaa#qGSQ!K$)9kD^N-k? z)aTheXyo!io4G00zJanT#bL{YIfVt$r$>f3H6Pw3Ob;zd4Q0pDu?2`CRtD`L}_MsOpQ7NE!&{_iK8mG|24thbaC#7|~!gWW! 
zmep_|S{V*@FE0-*#usZ~_>jKKx0VwjFEg-}+INx6I!T`tE@5|~CZCl<>_JeC@89K+ zZ~`IKM8z4}V$$;+hcK*RE`;lbS;e;ac;?vI zfmwyXsgmsv{V~Hw6rCCYIf{8Ri&{dT-Y&yL;kuXdf z63JA3xJLe%@s{sK-nOgze;E~rt9M=)o~O8SCHY&31)Z~3vwIVocQxPfzrub@CUD-9 z`r_@%f7tmgZwXq+K)CM)$%S`QAS#rocR)Sgq9m7n5+S_q*!w& z((XLi%&}M#aJMVa*Oz>9sKNV>(r-fLFaa+hOHC&x>k z5@^FwFph>*x2IOe+kq1Bq$3>VU&J$f4+@7uxkBRMSvXF_z7qz-}rDVxfV zau`ojQXZ9L&7)(KX<%p}kPGI`Y4VFncQq1FW{rI@e-_d1M?SWfm1N~kgL^{fAcu_22!)k;qHvHonX(QPcaVniYz`1sszlTGv6S&& zW(nO}=ji&$iHqy={ONN&-HjY2$6C4e@eHimy8FkF@R|}^6#c&_N8w9_uJ(#;y^9Z2 zU#In_9E_bR7n`3im`S!jU#oO8;Fd_kdcpJCLO{HV?lJuu8Gp4|LSs=}=+}D5#CuIs z3u32xb$@mW<$Do)YD=7I)b7+T>z$3k+SZ@VZk=~i!WT>YN_&l5203U{LUmYRA% zs&5ImhpqdT(7jjXw}j2Nsr@dsGeUXIjza@tM}B z_xCi#TmX%)X93jRczUL7tN2^jI`Lj=ph=NX-_s0!+9vY_e7GXg9r>;Np6`#-H!p>F zhn{&E28;RS+4Yw5%ClzGB0hPh8na#UQdo=os(JtohsftWa7nJU$L)u|59oh?xJ9#` ztSK)Q6nLRBT8cK*aj^#O!$>f57z8K)a40r^JiA+FA-cFfY&shrfH!O*rHzXrSl2F7 zeqgG(*nufu&kb}b2Q>nSBjsJG@`V|oB>iPfP z6cIQ+bb{-j{(AoYxAW7N=U4B~-dx_CU*3E$;3n`>2kh3;1A;Nk05PLYRn678esHGajbF5D0Z_z~nTG(i?M_fe-2F zib05z{1FTuYPHZ0NfH=GXF))g_+v3crPu2YIGw=%kZ1?|O2{Zg`5uQBMAZ}?y1R~9 zuK69kt7fS`6|=aC01F1X=u-wR`Ywjn>@=u|&3#M3mCukAAj#i+5-}1YyKf~9x$yB& z733oM*K!_I-Q)^~Km`n!KkHeFAnQBFS-SaqJfm3_=S}uS*9 zuUpY#m7A^$s>4UO0&10OZmMcGHqzd)UABnO>Q>Go#CtGt7E#!M84;W%l%j~sXl&su z3(WMP`=N}`H)LNdcD;esKizq*&C>6j<()Ee55o|iN`Qq;8-{WZ$g*MIt2XGBFI5*e z#>-!oHV{_6T%3-A$yZU_-_s-#TLGEM;^JlQpl6CYI&MH6hfhO6SV1tdYyK7tmzk$j zx!&Gmidz9-Ty5y+E)~F4h!PO%c}Fn=EHs=Zq!KoFc{STcX2HAJ`Kn7^&dyD` zMJ&OlmVGtb0#@99EF4eG!}a+CwF3_ZIcR>cSY(0TByUDJKG( z-{h+dZ7tq_DFgl~F#00V`j_a0{8b{3hMbq;McBIVQ>GFw1DFd8kVPXbz}}Q?qTJ>h z?Gt6-579>9!1Au`6z(QBYOAO~;lbN0+;~4On}ywndb>r5v#xyMxT0x?1*5j@%In4z z@Ex{{TKJWhjcrx%p;$FsNUgzt%K`O19Jm~4+`EOth154><#2Vsfu*CoTUwuUW7QJq zxUqd0rjML3S=jthBIg6JgV;T?Z6PIGtBoQyh!tYUSx{Dwyk?Knat4w@%50ag@TbV6 zQZ4Do`P7lQ+D4a?_FiSOw02Hp0mGVK_Yc640`1nu>L0c!OY)-VWSl%)pc6`c9 z2pRj26<5@vOd+l)Czfb4 zC{-pEE|TVsZAqo1+RbfA?%dc5+LDUt%4PQ{iT+InIWk!3%s=dcUGPHuuLNZ+9H*2* 
zcrlJsNTZwQI8y}lcb4AlRil@P=K?z*{&g3Tw63%i_FR=ch4yT0NK4 zcGl9UbTKi<(u++h;gQYZuhrH?$J-ye6CnxB(8`zO4!Zvfq2TsF%_4e>(!gdaHIJ3e zD9zBLcmFxmOs_76c8mFQ4$MGEd>Gm#tRzeMcxyIEvhvnXi$WBWGGXl3U<;d%)(A+nLU) z(1G-bN+y!AQ*Y(Ek^@!lQ?B9~I;WNv8{nP zvOF(M-V9Rd0XjuV0u)Y#y8}Ow;ZQWwYMq8scB?#TI{@m7b8@>nhCDStD`iUuqcMS` z;ebqY+0pa`924Xjd>rF2O}b^sBqiG2_IU^_Q7Jom-|7FX{Esk>J&Is3LF>)|IVb{=j@p5)RJDB&KA78EUoclsO@u zij@Urnzs;1JA34*6pALx93x>Ofk`WFCX8jWWX8HG(DsaRG?Ay{x@o~Or%4zgs?tHv zl;WszNlpfGgP^0bBW1pq(&rVNAqq~cc7~Xuk1z~7relDih+*l^5kL+V6srqV-T4wI3G75&p4 ziYeOq0i33?QJ+QyBKsx_W%uwW#54Rw2`!4yV53Jlt&$7bvVk}qHNGjKbpE-^vUCXsGC<)!dQ zH#!K3f1CCYs*I;FmeZp3gIwd1b`>*0Mrymb1_KoN;|Zj^xdvn{c3oRJ5}APImgD=Rr7=JM*c! z07qz`@_OkT)_RK_p^w=z4a@>DLjD>d;Mn-;%pK`}F=Gj0-Gh_E!;_AjiRKQzPbd`( zrM$zCt4IHqN@)@a1WN@wMq4B%>$UmN`avooS?*L4fia{35{&Qa_w#+lUk;eHYtx6y z{p-Hk+9IwqsReo%RQT%L6@M9`N-1DF;M(lXqX4|s)=+DRJ8Ex>gY+_UGy{>!rl{{a zk6{FM=OUkF;k8hfC}v_qhci&=ao@%x3gxQc#AX@Oz0Us853SZUhm`9Kv&GLl;GgBR zrx>x!>XARe2#7B?LOzN)>l%c*F$p~Lho=%|b)TyQ!UKe&bT-Ovh{bmyg1$aiNARh!ns#dc%Vj6eFLjU3`qF z^hksez>%lCBoqevbQGHfst#TAnMz}3MbgmziDply{2#}VDRRV`MTE1opxohfTG{~7 zd-0+LE+V^0txE66d1U~AAx2@Kgy2WW0A!5#SgvO!xucn!KG|lfJSI2-LpT+LlnGx{ z(j9HEmf(AJJ?*seI1j;$Bq`Nqg1MP+Zm!vB%zzRZnNa4s&%hKz0QFu=gZcoT2{9@t zDHKiv?T2? 
zp>hRF7$i1EH`PQ$IFMrMnMOD=+ryng7j^*Re&>1T#fz4qlukpodk6SEJm8ixOg%6j@iQe67N} zQZ=jl+~hS+QyKN=jD%Eth*U#4#9?k|Qn8qgc`kvr+!{+gSWcx>d6(IloV`>!R2+x1 ze1U5YqX5!?b?$%b{8cXZpLlYe42Sp=XnPqjv8fin z6^3WVd)>4#OoSBuGl8MP-YS)lbjx>68#E=L1|X< z=*^tyVFsS*h}kbMuSHquI~ybad8c(T%<)3A6EK>Oa;Pojosn@v1o9f&8sdslc>?2M zN>B4KrKu@XS)dWoLzY4MPIjR8Q}c1P@Jwl;pmeSjp;YA**WBBM5sWF0_z<+eXWsX$ zU4Zso)EK6oX;r^-Gte4ZY0W}Z2{nCVM$Z*hN}f2@4zVoPuI!LaZ}t0~ZtsgxEkOH+ zHfXn`M-a%f3#PW|NFZ~Tlv3xnYd z=8QzF<)scdJv;Sn(WR>ei~#6atjkKw-IgWNB;vig8?wQtaj^K@Kq8WZwk?<;LtBaSAt_qr0 ziL^EXE<@4+&I=OM)NY8`BDAcGGFm}QQ@(_8Wkk|Sq|Z%_CFof|dqH}d+D%bggrIf) zoE0?H#Y;$6xqVimZH&{)ta+Ei=pr=Ll^f!=C`GGW*DENhi%ds)}_?{&LBY)rHVcK@Nle(TDs8xscS^zkD6{}&ihr;D(*w$sNj<)l7$_b&0 z6^1D7m|e0YZ1WzBxw#>&ucZlcmicupPiqUv9n-tu3R$2zXyD4|8iO+aD~*HYC)s2K zt}eVcs}Nt-ziYZ1f6b~{o_D--64}Oc75Z8Zoeju)dysR^oqHAx&c=k83tJ>k&uy(^ z;A<6xHa!fk9vjj4<`zf6W3{w6<~yFc#?9S_MF;Q+AySch=0t9jJ}Hut`H3VpqQiAFq%EP`s06}SC6cye$63Im^EVJ z<(b{T%H5FYpQebsY*H`9uQlz|)$Z&nZMBM&t8fV?s2y!qgWp`Q6a$PXnQ@yTe>@^!(z7+|XHoAfx9baw{S7bU` z_d0gqyWCQ)&ye)Bu4V`M*0Z3Sruu z(s*kIWh7jVhys(8kjt;oxe4X(i)YTKz{=coZf5p7WU=$Rw=(lxD1-m}VZMtvRqLbH zg{wbzLb)vT(R`XM8W?GP^tjGrc_)$}jchg|KV&9pRdQ)=W-NE$={<#UvACcsD)9da;e@%k*2O|3` z*zFw%|GIqX-hjO?53K&#hfEc z<&DG!t^@5~LO4=6pG}wr9okPTJMvnl5&~oh`Xn&8m}}2!BBpn4wQS;$ju6l8FJ26D z_e3!RG*K}Etm`oHdh3q5tSVG(bNPO(!qO%vy3R_~zJ1LRyl+SO?X!Kh W&-VGsp8r1p0RR7&+5S`j*a84aBsAjy literal 0 HcmV?d00001 diff --git a/charts/neuvector-crd/102.0.5+up2.6.4/Chart.yaml b/charts/neuvector-crd/102.0.5+up2.6.4/Chart.yaml new file mode 100644 index 0000000000..a37a73c762 --- /dev/null +++ b/charts/neuvector-crd/102.0.5+up2.6.4/Chart.yaml 
@@ -0,0 +1,16 @@
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/namespace: cattle-neuvector-system
+ catalog.cattle.io/release-name: neuvector-crd
+apiVersion: v1
+appVersion: 5.2.2-s1
+description: Helm chart for NeuVector's CRD services
+home: https://neuvector.com
+icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
+maintainers:
+- email: support@neuvector.com
+ name: becitsthere
+name: neuvector-crd
+type: application
+version: 102.0.5+up2.6.4
diff --git a/charts/neuvector-crd/102.0.5+up2.6.4/README.md b/charts/neuvector-crd/102.0.5+up2.6.4/README.md
new file mode 100644
index 0000000000..a5379e6ba6
--- /dev/null
+++ b/charts/neuvector-crd/102.0.5+up2.6.4/README.md
@@ -0,0 +1,14 @@
+# NeuVector Helm Chart
+
+Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the container applications.
+
+Because the CRD policies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set `crdwebhook.enabled` to false in the 'core' chart.
+
+## Configuration
+
+The following table lists the configurable parameters of the NeuVector chart and their default values.
+
+Parameter | Description | Default | Notes
+--------- | ----------- | ------- | -----
+`openshift` | If deploying in OpenShift, set this to true | `false` |
+`crdwebhook.type` | crd webhook type | `ClusterIP` |
diff --git a/charts/neuvector-crd/102.0.5+up2.6.4/templates/_helpers.tpl b/charts/neuvector-crd/102.0.5+up2.6.4/templates/_helpers.tpl
new file mode 100644
index 0000000000..c0cc49294e
--- /dev/null
+++ b/charts/neuvector-crd/102.0.5+up2.6.4/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "neuvector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "neuvector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "neuvector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/neuvector-crd/102.0.5+up2.6.4/templates/crd.yaml b/charts/neuvector-crd/102.0.5+up2.6.4/templates/crd.yaml
new file mode 100644
index 0000000000..60640ce8d9
--- /dev/null
+++ b/charts/neuvector-crd/102.0.5+up2.6.4/templates/crd.yaml
@@ -0,0 +1,845 @@ +{{- if .Values.crdwebhook.enabled -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + group: neuvector.com + names: + kind: NvSecurityRule + listKind: NvSecurityRuleList + plural: nvsecurityrules + singular: nvsecurityrule + scope: Namespaced +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + egress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + file: + items: + properties: + app: + items: + type: string + type: array + behavior: + enum: + - monitor_change + - block_access + type: string + filter: + type: string + recursive: + type: boolean + required: + 
- behavior + - filter + type: object + type: array + ingress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + process: + items: + properties: + action: + enum: + - allow + - deny + type: string + allow_update: + type: boolean + name: + type: string + path: + type: string + required: + - action + type: object + type: array + process_profile: + properties: + baseline: + enum: + - default + - shield + - basic + - zero-drift + type: string + type: object + target: + properties: + policymode: + enum: + - Discover + - Monitor + - Protect + - N/A + type: string + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - selector + type: object + dlp: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + waf: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + required: + - target + type: object + type: object +{{- end }} +--- +{{- if 
(semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvclustersecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + group: neuvector.com + names: + kind: NvClusterSecurityRule + listKind: NvClusterSecurityRuleList + plural: nvclustersecurityrules + singular: nvclustersecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + egress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + file: + items: + properties: + app: + items: + type: string + type: array + behavior: + enum: + - monitor_change + - block_access + type: string + filter: + type: string + recursive: + type: boolean + required: + - behavior + - filter + type: object + type: array + ingress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: 
+ properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + process: + items: + properties: + action: + enum: + - allow + - deny + type: string + allow_update: + type: boolean + name: + type: string + path: + type: string + required: + - action + type: object + type: array + process_profile: + properties: + baseline: + enum: + - default + - shield + - basic + - zero-drift + type: string + type: object + target: + properties: + policymode: + enum: + - Discover + - Monitor + - Protect + - N/A + type: string + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - selector + type: object + dlp: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + waf: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + required: + - target + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvdlpsecurityrules.neuvector.com + labels: 
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ group: neuvector.com
+ names:
+ kind: NvDlpSecurityRule
+ listKind: NvDlpSecurityRuleList
+ plural: nvdlpsecurityrules
+ singular: nvdlpsecurityrule
+ scope: Cluster
+{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+ version: v1
+{{- end }}
+ versions:
+ - name: v1
+ served: true
+ storage: true
+{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ sensor:
+ properties:
+ comment:
+ type: string
+ name:
+ type: string
+ rules:
+ items:
+ properties:
+ name:
+ type: string
+ patterns:
+ items:
+ properties:
+ context:
+ enum:
+ - url
+ - header
+ - body
+ - packet
+ type: string
+ key:
+ enum:
+ - pattern
+ type: string
+ op:
+ enum:
+ - regex
+ - '!regex'
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - op
+ - value
+ - context
+ type: object
+ type: array
+ required:
+ - name
+ - patterns
+ type: object
+ type: array
+ required:
+ - name
+ type: object
+ required:
+ - sensor
+ type: object
+ type: object
+{{- end }}
+---
+{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: apiextensions.k8s.io/v1
+{{- else }}
+apiVersion: apiextensions.k8s.io/v1beta1
+{{- end }}
+kind: CustomResourceDefinition
+metadata:
+ name: nvadmissioncontrolsecurityrules.neuvector.com
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ group: neuvector.com
+ names:
+ kind: NvAdmissionControlSecurityRule
+ listKind: NvAdmissionControlSecurityRuleList
+ plural: nvadmissioncontrolsecurityrules
+ singular: nvadmissioncontrolsecurityrule
+ scope: Cluster
+{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+ version: v1
+{{- end }}
+ versions:
+ - name: v1
+ served: true
+ storage: true
+{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ config:
+ properties:
+ client_mode:
+ enum:
+ - service
+ - url
+ type: string
+ enable:
+ type: boolean
+ mode:
+ enum:
+ - monitor
+ - protect
+ type: string
+ required:
+ - enable
+ - mode
+ - client_mode
+ type: object
+ rules:
+ items:
+ properties:
+ action:
+ enum:
+ - allow
+ - deny
+ type: string
+ comment:
+ type: string
+ criteria:
+ items:
+ properties:
+ name:
+ type: string
+ op:
+ type: string
+ path:
+ type: string
+ sub_criteria:
+ items:
+ properties:
+ name:
+ type: string
+ op:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - op
+ - value
+ type: object
+ type: array
+ template_kind:
+ type: string
+ type:
+ type: string
+ value:
+ type: string
+ value_type:
+ type: string
+ required:
+ - name
+ - op
+ - value
+ type: object
+ type: array
+ disabled:
+ type: boolean
+ id:
+ type: integer
+ rule_mode:
+ enum:
+ - ""
+ - monitor
+ - protect
+ type: string
+ required:
+ - action
+ - criteria
+ type: object
+ type: array
+ type: object
+ type: object
+{{- end }}
+---
+{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: apiextensions.k8s.io/v1
+{{- else }}
+apiVersion: apiextensions.k8s.io/v1beta1
+{{- end }}
+kind: CustomResourceDefinition
+metadata:
+ name: nvwafsecurityrules.neuvector.com
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ group: neuvector.com
+ names:
+ kind: NvWafSecurityRule
+ listKind: NvWafSecurityRuleList
+ plural: nvwafsecurityrules
+ singular: nvwafsecurityrule
+ scope: Cluster
+{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+ version: v1
+{{- end }}
+ versions:
+ - name: v1
+ served: true
+ storage: true
+{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ sensor:
+ properties:
+ comment:
+ type: string
+ name:
+ type: string
+ rules:
+ items:
+ properties:
+ name:
+ type: string
+ patterns:
+ items:
+ properties:
+ context:
+ enum:
+ - url
+ - header
+ - body
+ - packet
+ type: string
+ key:
+ enum:
+ - pattern
+ type: string
+ op:
+ enum:
+ - regex
+ - '!regex'
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - op
+ - value
+ - context
+ type: object
+ type: array
+ required:
+ - name
+ - patterns
+ type: object
+ type: array
+ required:
+ - name
+ type: object
+ required:
+ - sensor
+ type: object
+ type: object
+{{- end }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: neuvector-svc-crd-webhook
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ template "neuvector.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ ports:
+ - port: 443
+ targetPort: 30443
+ protocol: TCP
+ name: crd-webhook
+ type: {{ .Values.crdwebhook.type }}
+ selector:
+ app: neuvector-controller-pod
+{{- end }}
diff --git a/charts/neuvector-crd/102.0.5+up2.6.4/values.yaml b/charts/neuvector-crd/102.0.5+up2.6.4/values.yaml
new file mode 100644
index 0000000000..e899decf01
--- /dev/null
+++ b/charts/neuvector-crd/102.0.5+up2.6.4/values.yaml
@@ -0,0 +1,9 @@
+# Default values for neuvector.
+# This is a YAML-formatted file.
+# Declare variables to be passed into the templates.
+
+openshift: false
+
+crdwebhook:
+ type: ClusterIP
+ enabled: true
diff --git a/charts/neuvector/102.0.5+up2.6.4/.helmignore b/charts/neuvector/102.0.5+up2.6.4/.helmignore
new file mode 100644
index 0000000000..f0c1319444
--- /dev/null
+++ b/charts/neuvector/102.0.5+up2.6.4/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/neuvector/102.0.5+up2.6.4/Chart.yaml b/charts/neuvector/102.0.5+up2.6.4/Chart.yaml
new file mode 100644
index 0000000000..7786efa2b3
--- /dev/null
+++ b/charts/neuvector/102.0.5+up2.6.4/Chart.yaml
@@ -0,0 +1,27 @@
+annotations:
+ catalog.cattle.io/auto-install: neuvector-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: NeuVector
+ catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0'
+ catalog.cattle.io/namespace: cattle-neuvector-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permit-os: linux
+ catalog.cattle.io/provides-gvr: neuvector.com/v1
+ catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+ catalog.cattle.io/release-name: neuvector
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/upstream-version: 2.6.4
+apiVersion: v1
+appVersion: 5.2.2-s1
+description: Helm feature chart for NeuVector's core services
+home: https://neuvector.com
+icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
+keywords:
+- security
+maintainers:
+- email: support@neuvector.com
+ name: becitsthere
+name: neuvector
+sources:
+- https://github.com/neuvector/neuvector
+version: 102.0.5+up2.6.4
diff --git a/charts/neuvector/102.0.5+up2.6.4/README.md b/charts/neuvector/102.0.5+up2.6.4/README.md
new file mode 100644
index 0000000000..413cca9138
--- /dev/null
+++ b/charts/neuvector/102.0.5+up2.6.4/README.md
@@ -0,0 +1,256 @@
+# NeuVector Helm Chart
+
+Helm chart for NeuVector container security's core services.
+
+## Choosing container runtime
+The NeuVector platform supports docker, cri-o and containerd as the container runtime. For a k3s/rke2, or bottlerocket cluster, they have their own runtime socket path. You should enable their runtime options, `k3s.enabled` and `bottlerocket.enabled`, respectively.
+
+## Configuration
+
+The following table lists the configurable parameters of the NeuVector chart and their default values.
+
+Parameter | Description | Default | Notes
+--------- | ----------- | ------- | -----
+`openshift` | If deploying in OpenShift, set this to true | `false` |
+`registry` | NeuVector container registry | `docker.io` |
+`tag` | image tag for controller enforcer manager | `latest` |
+`oem` | OEM release name | `nil` |
+`imagePullSecrets` | image pull secret | `nil` |
+`rbac` | NeuVector RBAC Manifests are installed when RBAC is enabled | `true` | Required for Rancher Authentication. |
+`psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` |
+`serviceAccount` | Service account name for NeuVector components | `default` |
+`leastPrivilege` | Use least privileged service account | `false` |
+`autoGenerateCert` | Automatically generate certificate or not | `true` |
+`defaultValidityPeriod` | The default validity period used for certs automatically generated (days) | `365` |
+`global.cattle.url` | Set the Rancher Server URL | | Required for Rancher Authentication. `https:///` |
+`global.aws.enabled` | If true, install AWS billing csp adapter | `false` | **Note**: default admin user is disabled when aws market place billing enabled, use secret to create admin-role user to manage NeuVector deployment.
+`global.aws.accountNumber` | AWS Account Number | `nil` | Follow AWS subscription instruction
+`global.aws.roleName` | AWS Role name for billing | `nil` | Follow AWS subscription instruction
+`global.aws.serviceAccount` | Service account name for csp adapter | `csp` | Follow AWS subscription instruction
+`global.aws.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow AWS subscription instruction
+`global.aws.image.repository` | csp adapter image repository | `neuvector/neuvector-csp-adapter` | Follow AWS subscription instruction
+`global.aws.image.tag` | csp adapter image tag | `latest` | Follow AWS subscription instruction
+`global.aws.image.digest` | csp adapter image digest | `nil` | Follow AWS subscription instruction
+`global.aws.image.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow AWS subscription instruction
+`global.azure.enabled` | If true, install Azure billing csp adapter | `false` | **Note**: default admin user is disabled when azure market place billing enabled, use secret to create admin-role user to manage NeuVector deployment.
+`global.azure.serviceAccount` | Service account name for csp adapter | `csp` | Follow Azure subscription instruction
+`global.azure.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow Azure subscription instruction
+`global.azure.images.neuvector_csp_pod.registry` | csp adapter image registry | `susellcforazuremarketplace.azurecr.io` | Follow Azure subscription instruction
+`global.azure.images.neuvector_csp_pod.image` | csp adapter image repository | `neuvector-billing-azure-by-suse-llc` | Follow Azure subscription instruction
+`global.azure.images.neuvector_csp_pod.digest` | csp adapter image digest | `nil` | Follow Azure subscription instruction
+`global.azure.images.neuvector_csp_pod.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow Azure subscription instruction
+`controller.enabled` | If true, create controller | `true` |
+`controller.image.repository` | controller image repository | `neuvector/controller` |
+`controller.image.hash` | controller image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
+`controller.replicas` | controller replicas | `3` |
+`controller.schedulerName` | kubernetes scheduler name | `nil` |
+`controller.affinity` | controller affinity rules | ... | spread controllers to different nodes |
+`controller.tolerations` | List of node taints to tolerate | `nil` |
+`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
+`controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
+`controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` |
+`controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
+`controller.podLabels` | Specify the pod labels. | `{}` |
+`controller.podAnnotations` | Specify the pod annotations. | `{}` |
+`controller.env` | User-defined environment variables for controller. | `[]` |
+`controller.ranchersso.enabled` | If true, enable single sign on for Rancher | `false` | Required for Rancher Authentication. |
+`controller.pvc.enabled` | If true, enable persistence for controller using PVC | `false` | Require persistent volume type RWX, and storage 1Gi
+`controller.pvc.accessModes` | Access modes for the created PVC. | `["ReadWriteMany"]` |
+`controller.pvc.existingClaim` | If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used. | `false` |
+`controller.pvc.storageClass` | Storage Class to be used | `default` |
+`controller.pvc.capacity` | Storage capacity | `1Gi` |
+`controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` |
+`controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` |
+`controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` |
+`controller.apisvc.type` | Controller REST API service type | `nil` |
+`controller.apisvc.annotations` | Add annotations to controller REST API service | `{}` |
+`controller.apisvc.route.enabled` | If true, create a OpenShift route to expose the Controller REST API service | `false` |
+`controller.apisvc.route.termination` | Specify TLS termination for OpenShift route for Controller REST API service. Possible passthrough, edge, reencrypt | `passthrough` |
+`controller.apisvc.route.host` | Set controller REST API service hostname | `nil` |
+`controller.apisvc.route.tls.key` | Set controller REST API service PEM format key file | `nil` |
+`controller.apisvc.route.tls.certificate` | Set controller REST API service PEM format certificate file | `nil` |
+`controller.apisvc.route.tls.caCertificate` | Set controller REST API service CA certificate may be required to establish a certificate chain for validation | `nil` |
+`controller.apisvc.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate | `nil` |
+`controller.certificate.secret` | Replace controller REST API certificate using secret if secret name is specified | `nil` |
+`controller.certificate.keyFile` | Replace controller REST API certificate key file | `tls.key` |
+`controller.certificate.pemFile` | Replace controller REST API certificate pem file | `tls.pem` |
+`controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
+`controller.federation.mastersvc.annotations` | Add annotations to Multi-cluster primary cluster REST API service | `{}` |
+`controller.federation.mastersvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster primary cluster service | `false` |
+`controller.federation.mastersvc.route.host` | Set OpenShift route host for primary cluster service | `nil` |
+`controller.federation.mastersvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster primary cluster service. Possible passthrough, edge, reencrypt | `passthrough` |
+`controller.federation.mastersvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster primary cluster service | `nil` |
+`controller.federation.mastersvc.route.tls.certificate` | Set PEM format key certificate file for OpenShift route for Multi-cluster primary cluster service | `nil` |
+`controller.federation.mastersvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster primary cluster service | `nil` |
+`controller.federation.mastersvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster primary cluster service | `nil` |
+`controller.federation.mastersvc.ingress.enabled` | If true, create ingress for federation master service, must also set ingress host value | `false` | enable this if ingress controller is installed
+`controller.federation.mastersvc.ingress.tls` | If true, TLS is enabled for controller federation master ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.mastersvc.ingress.host`.
+`controller.federation.mastersvc.ingress.host` | Must set this host value if ingress is enabled | `nil` |
+`controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
+`controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
+`controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
+`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
+`controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
+`controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` |
+`controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` |
+`controller.federation.managedsvc.route.host` | Set OpenShift route host for manageed service | `nil` |
+`controller.federation.managedsvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster managed cluster service. Possible passthrough, edge, reencrypt | `passthrough` |
+`controller.federation.managedsvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster managed cluster service | `nil` |
+`controller.federation.managedsvc.route.tls.certificate` | Set PEM format certificate file for OpenShift route for Multi-cluster managed cluster service | `nil` |
+`controller.federation.managedsvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster managed cluster service | `nil` |
+`controller.federation.managedsvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster managed cluster service | `nil` |
+`controller.federation.managedsvc.ingress.enabled` | If true, create ingress for federation managed service, must also set ingress host value | `false` | enable this if ingress controller is installed
+`controller.federation.managedsvc.ingress.tls` | If true, TLS is enabled for controller federation managed ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.managedsvc.ingress.host`.
+`controller.federation.managedsvc.ingress.host` | Must set this host value if ingress is enabled | `nil` |
+`controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
+`controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
+`controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
+`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
+`controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed
+`controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`.
+`controller.ingress.host` | Must set this host value if ingress is enabled | `nil` |
+`controller.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
+`controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
+`controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
+`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
+`controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false`
+`controller.configmap.data` | NeuVector configuration in YAML format | `{}`
+`controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false`
+`controller.secret.data` | NeuVector configuration in key/value pair format | `{}`
+`enforcer.enabled` | If true, create enforcer | `true` |
+`enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` |
+`enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
+`enforcer.updateStrategy.type` | enforcer update strategy type. | `RollingUpdate` |
+`enforcer.priorityClassName` | enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
+`enforcer.podLabels` | Specify the pod labels. | `{}` |
+`enforcer.podAnnotations` | Specify the pod annotations. | `{}` |
+`enforcer.env` | User-defined environment variables for enforcers. | `[]` |
+`enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule` `key: node-role.kubernetes.io/master` | other taints can be added after the default
+`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
+`manager.enabled` | If true, create manager | `true` |
+`manager.image.repository` | manager image repository | `neuvector/manager` |
+`manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
+`manager.priorityClassName` | manager priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
+`manager.podLabels` | Specify the pod labels. | `{}` |
+`manager.podAnnotations` | Specify the pod annotations. | `{}` |
+`manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` |
+`manager.env.envs` | Other environment variables. The following variables are accepted. | `[]` |
+` CUSTOM_LOGIN_LOGO` | SVG file encoded in based64, the logo is displayed as a 300 x 80 pixels icon. |
+` CUSTOM_EULA_POLICY` | HTML or TEXT encoded in base64. |
+` CUSTOM_PAGE_HEADER_CONTENT` | max. 120 characters, base64 encoded. |
+` CUSTOM_PAGE_HEADER_COLOR` | use color name (yellow) or value (#ffff00) |
+` CUSTOM_PAGE_FOOTER_CONTENT` | max. 120 characters, base64 encoded. |
+` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) |
+`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`; if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
+`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
+`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
+`manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` |
+`manager.route.host` | Set OpenShift route host for management console service | `nil` |
+`manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` |
+`manager.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` |
+`manager.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` |
+`manager.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` |
+`manager.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` |
+`manager.certificate.secret` | Replace manager UI certificate using secret if secret name is specified | `nil` |
+`manager.certificate.keyFile` | Replace manager UI certificate key file | `tls.key` |
+`manager.certificate.pemFile` | Replace manager UI certificate pem file | `tls.pem` |
+`manager.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed
+`manager.ingress.host` | Must set this host value if ingress is enabled | `nil` |
+`manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
+`manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`
+`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
+`manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`.
+`manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
+`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
+`manager.affinity` | manager affinity rules | `{}` |
+`manager.tolerations` | List of node taints to tolerate | `nil` |
+`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
+`manager.runAsUser` | Specify the run as User ID | `nil` |
+`cve.adapter.enabled` | If true, create registry adapter | `true` |
+`cve.adapter.image.repository` | registry adapter image repository | `neuvector/registry-adapter` |
+`cve.adapter.image.tag` | registry adapter image tag | |
+`cve.adapter.image.hash` | registry adapter image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
+`cve.adapter.priorityClassName` | registry adapter priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
+`cve.adapter.podLabels` | Specify the pod labels. | `{}` |
+`cve.adapter.podAnnotations` | Specify the pod annotations. | `{}` |
+`cve.adapter.env` | User-defined environment variables for adapter. | `[]` |
+`cve.adapter.svc.type` | set registry adapter service type for native Kubernetes | `NodePort`; if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
+`cve.adapter.svc.loadBalancerIP` | if registry adapter service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
+`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
+`cve.adapter.harbor.protocol` | Harbor registry request protocol [http|https] | `https` |
+`cve.adapter.harbor.secretName` | Harbor registry adapter's basic authentication secret | |
+`cve.adapter.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` |
+`cve.adapter.route.host` | Set OpenShift route host for management console service | `nil` |
+`cve.adapter.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` |
+`cve.adapter.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` |
+`cve.adapter.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` |
+`cve.adapter.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` |
+`cve.adapter.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` |
+`cve.adapter.certificate.secret` | Replace registry adapter certificate using secret if secret name is specified | `nil` |
+`cve.adapter.certificate.keyFile` | Replace registry adapter certificate key file | `tls.key` |
+`cve.adapter.certificate.pemFile` | Replace registry adapter certificate pem file | `tls.pem` |
+`cve.adapter.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed
+`cve.adapter.ingress.host` | Must set this host value if ingress is enabled | `nil` |
+`cve.adapter.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
+`cve.adapter.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`
+`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
+`cve.adapter.ingress.tls` | If true, TLS is enabled for registry adapter ingress service |`false` | If set, the tls-host used is the one set with `cve.adapter.ingress.host`.
+`cve.adapter.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
+`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml)
+`cve.adapter.affinity` | registry adapter affinity rules | `{}` |
+`cve.adapter.tolerations` | List of node taints to tolerate | `nil` |
+`cve.adapter.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
+`cve.adapter.runAsUser` | Specify the run as User ID | `nil` |
+`cve.updater.enabled` | If true, create cve updater | `true` |
+`cve.updater.secure` | If true, API server's certificate is validated | `false` |
+`cve.updater.cacert` | If set, use this ca file to validate API server's certificate | `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` |
+`cve.updater.image.registry` | cve updater image registry to overwrite global registry | |
+`cve.updater.image.repository` | cve updater image repository | `neuvector/updater` |
+`cve.updater.image.tag` | image tag for cve updater | `latest` |
+`cve.updater.image.hash` | cve updateer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
+`cve.updater.priorityClassName` | cve updater priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
+`cve.updater.podLabels` | Specify the pod labels. | `{}` |
+`cve.updater.podAnnotations` | Specify the pod annotations. | `{}` |
+`cve.updater.schedule` | cronjob cve updater schedule | `0 0 * * *` |
+`cve.updater.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
+`cve.updater.runAsUser` | Specify the run as User ID | `nil` |
+`cve.scanner.enabled` | If true, cve scanners will be deployed | `true` |
+`cve.scanner.image.registry` | cve scanner image registry to overwrite global registry | |
+`cve.scanner.image.repository` | cve scanner image repository | `neuvector/scanner` |
+`cve.scanner.image.tag` | cve scanner image tag | `latest` |
+`cve.scanner.image.hash` | cve scanner image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
+`cve.scanner.priorityClassName` | cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
+`cve.scanner.podLabels` | Specify the pod labels. | `{}` |
+`cve.scanner.podAnnotations` | Specify the pod annotations. | `{}` |
+`cve.scanner.env` | User-defined environment variables for scanner. | `[]` |
+`cve.scanner.replicas` | external scanner replicas | `3` |
+`cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` |
+`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.6.4/charts/core/values.yaml) |
+`cve.scanner.affinity` | scanner affinity rules | `{}` |
+`cve.scanner.tolerations` | List of node taints to tolerate | `nil` |
+`cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
+`cve.scanner.runAsUser` | Specify the run as User ID | `nil` |
+`docker.path` | docker path | `/var/run/docker.sock` |
+`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | **Note**: For k3s and rke clusters, set k3s.enabled to true instead
+`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` |
+`crio.enabled` | Set to true, if the container runtime is cri-o | `false` |
+`crio.path` | If cri-o is enabled, this local cri-o socket path will be used | `/var/run/crio/crio.sock` |
+`k3s.enabled` | Set to true for k3s or rke2 | `false` |
+`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` |
+`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` |
+`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` |
+`admissionwebhook.type` | admission webhook type | `ClusterIP` |
+`crdwebhook.enabled` | Enable crd service and create crd related resources | `true` |
+`crdwebhook.type` | crd webhook type | `ClusterIP` |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
For example, + +```console +$ helm install my-release --namespace neuvector ./neuvector-helm/ --set manager.env.ssl=off +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, + +```console +$ helm install my-release --namespace neuvector ./neuvector-helm/ -f values.yaml +``` diff --git a/charts/neuvector/102.0.5+up2.6.4/app-readme.md b/charts/neuvector/102.0.5+up2.6.4/app-readme.md new file mode 100644 index 0000000000..a3e31c5e11 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/app-readme.md 
@@ -0,0 +1,35 @@ +### Run-Time Protection Without Compromise + +NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform. + +NeuVector integrates tightly with Rancher and Kubernetes to extend the built-in security features for applications that require defense in depth. Security features include: + ++ Build phase vulnerability scanning with Jenkins plug-in and registry scanning ++ Admission control to prevent vulnerable or unauthorized image deployments using Kubernetes admission control webhooks ++ Complete run-time scanning with network, process, and file system monitoring and protection ++ The industry's only layer 7 container firewall for multi-protocol threat detection and automated segmentation ++ Advanced network controls including DLP detection, service mesh integration, connection blocking and packet captures ++ Run-time vulnerability scanning and CIS benchmarks + +Additional Notes: ++ Previous deployments from Rancher, such as from our Partners chart repository or the primary NeuVector Helm chart, must be completely removed in order to update to the new integrated feature chart. See https://github.com/rancher/rancher/issues/37447. ++ Configure correct container runtime and runtime path under container runtime. Enable only one runtime. ++ For deploying on hardened RKE2 and K3s clusters, enable PSP and set user id from other configuration for Manager, Scanner and Updater deployments. User id can be any number other than 0. ++ For deploying on hardened RKE cluster, enable PSP from security settings. + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. 
+ +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + **Note:** + In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + + **Note:** + If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** + + If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/neuvector/102.0.5+up2.6.4/crds/_helpers.tpl b/charts/neuvector/102.0.5+up2.6.4/crds/_helpers.tpl new file mode 100644 index 0000000000..c0cc49294e --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/crds/_helpers.tpl 
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "neuvector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "neuvector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "neuvector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/neuvector/102.0.5+up2.6.4/questions.yaml b/charts/neuvector/102.0.5+up2.6.4/questions.yaml
new file mode 100644
index 0000000000..ab478103ff
--- /dev/null
+++ b/charts/neuvector/102.0.5+up2.6.4/questions.yaml
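Review bot: Helm does not run the template engine over files under `crds/` (they are applied as plain YAML before the release is rendered), so a `_helpers.tpl` placed there is never evaluated and this file is inert, duplicating the first 32 lines of `templates/_helpers.tpl` from the same patch. If the mirror has to stay byte-identical to the upstream chart, a one-line note in the package's generated-changes saying so would stop readers from assuming the CRD manifests are templated; otherwise the file can be dropped. This is inferred from Helm's documented handling of `crds/`, so confirm that none of the chart's CRD files rely on these helpers.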
@@ -0,0 +1,336 @@ +questions: +#image configurations +- variable: controller.image.repository + default: "neuvector/controller" + description: controller image repository + type: string + label: Controller Image Path + group: "Container Images" +- variable: controller.image.tag + default: "" + description: image tag for controller + type: string + label: Controller Image Tag + group: "Container Images" +- variable: manager.image.repository + default: "neuvector/manager" + description: manager image repository + type: string + label: Manager Image Path + group: "Container Images" +- variable: manager.image.tag + default: "" + description: image tag for manager + type: string + label: Manager Image Tag + group: "Container Images" +- variable: enforcer.image.repository + default: "neuvector/enforcer" + description: enforcer image repository + type: string + label: Enforcer Image Path + group: "Container Images" +- variable: enforcer.image.tag + default: "" + description: image tag for enforcer + type: string + label: Enforcer Image Tag + group: "Container Images" +- variable: cve.scanner.image.repository + default: "neuvector/scanner" + description: scanner image repository + type: string + label: Scanner Image Path + group: "Container Images" +- variable: cve.scanner.image.tag + default: "" + description: image tag for scanner + type: string + label: Scanner Image Tag + group: "Container Images" +- variable: cve.updater.image.repository + default: "neuvector/updater" + description: cve updater image repository + type: string + label: CVE Updater Image Path + group: "Container Images" +- variable: cve.updater.image.tag + default: "" + description: image tag for updater + type: string + label: Updater Image Tag + group: "Container Images" +#Container Runtime configurations +- variable: docker.enabled + default: true + description: Docker runtime. 
Enable only one runtime + type: boolean + label: Docker Runtime + show_subquestion_if: true + group: "Container Runtime" + subquestions: + - variable: docker.path + default: "/var/run/docker.sock" + description: "Docker Runtime Path" + type: string + label: Runtime Path +- variable: containerd.enabled + default: "false" + description: Containerd runtime. Enable only one runtime + type: boolean + label: Containerd Runtime + show_subquestion_if: true + group: "Container Runtime" + subquestions: + - variable: containerd.path + default: " /var/run/containerd/containerd.sock" + description: "Containerd Runtime Path" + type: string + label: Runtime Path +- variable: crio.enabled + default: "false" + description: CRI-O runtime. Enable only one runtime + type: boolean + label: CRI-O Runtime + show_subquestion_if: true + group: "Container Runtime" + subquestions: + - variable: crio.path + default: "/var/run/crio/crio.sock" + description: "CRI-O Runtime Path" + type: string + label: Runtime Path +- variable: k3s.enabled + default: "false" + description: k3s containerd runtime. Enable only one runtime. Choose this option for RKE2 and K3S based clusters + type: boolean + label: k3s Containerd Runtime + show_subquestion_if: true + group: "Container Runtime" + subquestions: + - variable: k3s.runtimePath + default: " /run/k3s/containerd/containerd.sock" + description: "k3s Containerd Runtime Path" + type: string + label: Runtime Path +#storage configurations +- variable: controller.pvc.enabled + default: false + description: If true, enable persistence for controller using PVC. 
PVC should support ReadWriteMany(RWX) + type: boolean + label: PVC Status + group: "PVC Configuration" +- variable: controller.pvc.storageClass + default: "" + description: Storage Class to be used + type: string + label: Storage Class Name + group: "PVC Configuration" +#ingress configurations +- variable: manager.ingress.enabled + default: false + description: If true, create ingress, must also set ingress host value + type: boolean + label: Manager Ingress Status + group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: manager.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Manager Ingress Host + group: "Ingress Configuration" + - variable: manager.ingress.path + default: "/" + description: Set ingress path + type: string + label: Manager Ingress Path + group: "Ingress Configuration" + - variable: manager.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Manager Ingress Annotations + group: "Ingress Configuration" +- variable: controller.ingress.enabled + default: false + description: If true, create ingress for rest api, must also set ingress host value + type: boolean + label: Controller Ingress Status + group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: controller.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Controller Ingress Host + group: "Ingress Configuration" + - variable: controller.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Ingress Path + group: "Ingress Configuration" + - variable: controller.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. 
Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Ingress Annotations + group: "Ingress Configuration" +- variable: controller.federation.mastersvc.ingress.enabled + default: false + description: If true, create ingress for rest api, must also set ingress host value + type: boolean + label: Controller Federation Master Service Ingress Status + group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: controller.federation.mastersvc.ingress.tls + default: false + description: If true, TLS is enabled for controller federation master ingress service + type: boolean + label: Controller Federation Master Service Ingress TLS Status + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Controller Federation Master Service Ingress Host + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Federation Master Service Ingress Path + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.ingressClassName + default: "" + description: To be used instead of the ingress.class annotation if an IngressClass is provisioned + type: string + label: Controller Federation Master Service Ingress IngressClassName + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.secretName + default: "" + description: Name of the secret to be used for TLS-encryption + type: string + label: Controller Federation Master Service Ingress SecretName + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. 
Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Federation Master Service Ingress Annotations + group: "Ingress Configuration" +- variable: controller.federation.managedsvc.ingress.enabled + default: false + description: If true, create ingress for rest api, must also set ingress host value + type: boolean + label: Controller Federation Managed Service Ingress Status + group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: controller.federation.managedsvc.ingress.tls + default: false + description: If true, TLS is enabled for controller federation managed ingress service + type: boolean + label: Controller Federation Managed Service Ingress TLS Status + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Controller Federation Managed Service Ingress Host + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Federation Managed Service Ingress Path + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.ingressClassName + default: "" + description: To be used instead of the ingress.class annotation if an IngressClass is provisioned + type: string + label: Controller Federation Managed Service Ingress IngressClassName + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.secretName + default: "" + description: Name of the secret to be used for TLS-encryption + type: string + label: Controller Federation Managed Service Ingress SecretName + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. 
Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Federation Managed Service Ingress Annotations + group: "Ingress Configuration" +#service configurations +- variable: manager.svc.type + default: "NodePort" + description: Set manager service type for native Kubernetes + type: enum + label: Manager Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +- variable: controller.federation.mastersvc.type + default: "" + description: Multi-cluster master cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP + type: enum + label: Fed Master Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +- variable: controller.federation.managedsvc.type + default: "" + description: Multi-cluster managed cluster service type. If specified, the deployment will be managed by the master clsuter. Possible values include NodePort, LoadBalancer and ClusterIP + type: enum + label: Fed Managed Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +- variable: controller.apisvc.type + default: "NodePort" + description: Controller REST API service type + type: enum + label: Controller REST API Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +#Security Settings +- variable: global.cattle.psp.enabled + default: "false" + description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false." 
+ label: "Enable PodSecurityPolicies" + default: "false" + type: boolean + group: "Security Settings" +- variable: manager.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Manager runAsUser ID + group: "Security Settings" +- variable: cve.scanner.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Scanner runAsUser ID + group: "Security Settings" +- variable: cve.updater.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Updater runAsUser ID + group: "Security Settings" diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/NOTES.txt b/charts/neuvector/102.0.5+up2.6.4/templates/NOTES.txt new file mode 100644 index 0000000000..014493f43b --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/NOTES.txt 
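Review bot: The `containerd.path` and `k3s.runtimePath` subquestion defaults carry a leading space inside the quotes (`" /var/run/containerd/containerd.sock"`, `" /run/k3s/containerd/containerd.sock"`), so a user who accepts the Rancher UI default gets a socket path that does not exist on the node and the enforcer cannot attach to the runtime; they should read `"/var/run/containerd/containerd.sock"` and `"/run/k3s/containerd/containerd.sock"`, matching the `docker.path` and `crio.path` entries. The `global.cattle.psp.enabled` question also declares `default: "false"` twice, once before `description` and once after `label`; most loaders silently keep the last value but yamllint rejects duplicate keys, so one copy should go. While there, that default and the three runtime `enabled` defaults are the quoted string `"false"` on `type: boolean` questions whereas `docker.enabled` and `controller.pvc.enabled` use the bare `false`; the unquoted boolean everywhere avoids the UI having to coerce a string.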
@@ -0,0 +1,20 @@
+{{- if and .Values.manager.enabled .Values.manager.ingress.enabled }}
+From outside the cluster, the NeuVector URL is:
+http://{{ .Values.manager.ingress.host }}
+{{- else if not .Values.openshift }}
+Get the NeuVector URL by running these commands:
+{{- if contains "NodePort" .Values.manager.svc.type }}
+ NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui)
+ NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo https://$NODE_IP:$NODE_PORT
+{{- else if contains "ClusterIP" .Values.manager.svc.type }}
+ CLUSTER_IP=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.clusterIP}" services neuvector-service-webui)
+ echo https://$CLUSTER_IP:8443
+{{- else if contains "LoadBalancer" .Values.manager.svc.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ Watch the status by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w neuvector-service-webui'
+
+ SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} neuvector-service-webui -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
+ echo https://$SERVICE_IP:8443
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/_helpers.tpl b/charts/neuvector/102.0.5+up2.6.4/templates/_helpers.tpl
new file mode 100644
index 0000000000..53e17b863c
--- /dev/null
+++ b/charts/neuvector/102.0.5+up2.6.4/templates/_helpers.tpl
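Review bot: The ingress branch at the top of NOTES.txt prints the management console URL as `http://{{ .Values.manager.ingress.host }}` while every service branch below prints `https://`, so the one deployment shape where the console is reachable from outside the cluster is the one users are told to open in cleartext. The README in this patch exposes a `cve.adapter.ingress.tls` flag for the adapter ingress, so the manager ingress presumably has a matching `manager.ingress.tls`; if so, print `{{ if .Values.manager.ingress.tls }}https{{ else }}http{{ end }}://{{ .Values.manager.ingress.host }}`, and if not, at least add a line telling the user to front the host with TLS before logging in with the default credentials. Minor: `.status.addresses[0].address` on the NodePort path is not guaranteed to be an IP (address type order is not fixed), so `{.items[0].status.addresses[?(@.type=="InternalIP")].address}` is the more robust selector.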
@@ -0,0 +1,55 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "neuvector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "neuvector.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "neuvector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Lookup secret.
+*/}}
+{{- define "neuvector.secrets.lookup" -}}
+{{- $value := "" -}}
+{{- $secretData := (lookup "v1" "Secret" .namespace .secret).data -}}
+{{- if and $secretData (hasKey $secretData .key) -}}
+ {{- $value = index $secretData .key -}}
+{{- else if .defaultValue -}}
+ {{- $value = .defaultValue | toString | b64enc -}}
+{{- end -}}
+{{- if $value -}}
+{{- printf "%s" $value -}}
+{{- end -}}
+{{- end -}}
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/admission-webhook-service.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/admission-webhook-service.yaml
new file mode 100644
index 0000000000..8a0a76aaac
--- /dev/null
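Review bot: `neuvector.secrets.lookup` falls back to `.defaultValue` whenever `lookup` returns nothing, and `lookup` returns an empty map not only when the Secret is absent but also under `helm template`, `--dry-run`, and a client whose credentials lack `get` on Secrets; in those cases the render emits the base64 of the supplied default instead of the cluster's existing value, so if a caller uses this helper to preserve a generated credential across upgrades, an upgrade rendered that way silently replaces it. The two-line header `Lookup secret.` should state this, e.g. `Returns the base64 value of .key in Secret .secret/.namespace, else b64enc of .defaultValue. NOTE: lookup yields nothing under helm template/--dry-run, so the default is emitted there.` Separately, `{{- else if .defaultValue -}}` uses Go-template truthiness, so a default of `0` or `false` is treated as unset; if callers can pass such values, test `hasKey . "defaultValue"` instead. The callers are not in this patch, so whether any default is a credential is an assumption to confirm.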
+++ b/charts/neuvector/102.0.5+up2.6.4/templates/admission-webhook-service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-admission-webhook + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + ports: + - port: 443 + targetPort: 20443 + protocol: TCP + name: admission-webhook + type: {{ .Values.admissionwebhook.type }} + selector: + app: neuvector-controller-pod \ No newline at end of file diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/cert-manager-secret.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/cert-manager-secret.yaml new file mode 100644 index 0000000000..3692886b4c --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/cert-manager-secret.yaml @@ -0,0 +1,33 @@ +{{- if .Values.internal.certmanager.enabled }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.internal.certmanager.secretname }} + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.internal.certmanager.secretname }} + namespace: {{ .Release.Namespace }} +spec: + duration: 17520h # 2 years + subject: + organizations: + - NeuVector + isCA: true + commonName: neuvector.internal + dnsNames: + - neuvector.internal + - NeuVector + secretName: {{ .Values.internal.certmanager.secretname }} + usages: + - digital signature + - key encipherment + issuerRef: + group: cert-manager.io + kind: Issuer + name: {{ .Values.internal.certmanager.secretname }} +{{- end }} \ No newline at end of file diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/clusterrole.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/clusterrole.yaml new file mode 100644 index 0000000000..cce7a8254b --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/clusterrole.yaml 
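Review bot: `type: {{ .Values.admissionwebhook.type }}` is passed through unchecked, and the README in this patch lists only a `ClusterIP` default for it, so a values file setting `NodePort` or `LoadBalancer` exposes the controller's admission endpoint (targetPort 20443) on every node or a public address even though the only legitimate client is the API server. Unless a supported topology needs the webhook reachable from outside the pod network (some hosted control planes do, which is why I would not hard-fail), add a comment above the `type:` line such as `# Only the API server calls this service; keep ClusterIP unless the control plane runs outside the cluster network` so the knob is not flipped casually. Minor: the file lacks a trailing newline.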
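Review bot: The `Certificate` sets `isCA: true` with a two-year `duration` but no `privateKey` stanza, so cert-manager's documented default `rotationPolicy: Never` applies and every renewal re-signs the same key pair; a key that leaks once therefore stays valid for the life of the installation rather than for one certificate period. Add `privateKey:` / `  rotationPolicy: Always` under `spec`, and pin `algorithm`/`size` there if the controller has requirements. The `dnsNames` entry `NeuVector` is not a DNS name (uppercase, no label structure) and `neuvector.internal` already covers the commonName; it looks copied from `organizations` and should be dropped unless a client actually verifies against it. Whether the controller consumes this Secret directly as its internal CA is not visible in this patch, so the impact of key reuse is inferred.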
@@ -0,0 +1,121 @@ +{{- if .Values.rbac -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - services + - namespaces + verbs: + - get + - list + - watch + - update + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +{{- if .Values.openshift }} +- apiGroups: + - image.openshift.io + resources: + - imagestreams + verbs: + - get + - list + - watch +{{- end }} +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + - clusterrolebindings + - clusterroles + verbs: + - get + - list + - watch + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - create + - update + - delete + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - config.openshift.io + resources: + - clusteroperators + verbs: + - get + - list +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/clusterrolebinding-least.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/clusterrolebinding-least.yaml new file mode 100644 index 0000000000..915c99b971 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/clusterrolebinding-least.yaml 
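Review bot: `neuvector-binding-app` grants `update` on `nodes`, `pods`, `services` and `namespaces` cluster-wide, and `neuvector-binding-admission` grants `create`/`update`/`delete` on both `validatingwebhookconfigurations` and `mutatingwebhookconfigurations`, so a compromised controller service account can rewrite any pod or node object and register a cluster-wide mutating webhook, which is a full-cluster escalation path rather than a read-mostly observer role. Nothing in the chart says why `update` on these kinds or write access to mutating webhooks is needed; if the controller only manages its own validating webhook and only annotates objects, drop `mutatingwebhookconfigurations` from the admission rule and leave a comment above the `update` verb naming the feature that requires it, e.g. `# update: needed to write neuvector.* annotations on namespaces/pods` so the next reviewer does not have to guess. The controller code is not in this patch, so which verbs are truly required is an assumption to confirm with upstream.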
@@ -0,0 +1,150 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-app +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-rbac +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-admission +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-view + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: view +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: neuvector-binding-co +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/clusterrolebinding.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..598151b0a1 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/clusterrolebinding.yaml 
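Review bot: In the `leastPrivilege` variant `neuvector-binding-view` still binds the built-in `view` ClusterRole to the `controller` service account cluster-wide, and the other three bindings reuse the same `neuvector-binding-app`/`-rbac`/`-admission` ClusterRoles as `clusterrolebinding.yaml`, so what this file narrows is which service account is bound (`controller` rather than `.Values.serviceAccount`), not the permissions themselves. `view` adds read access to ConfigMaps, Endpoints and most workload kinds in every namespace (it excludes Secrets), beyond what the dedicated roles already grant; if the controller needs nothing more than those, drop this binding, otherwise a comment such as `# view: required for <feature>` above it would justify the extra read scope. The `controller` and `enforcer` service accounts are hard-coded here while the non-least file uses `.Values.serviceAccount`; the templates that create them are not in this patch, so confirm they exist under exactly these names or the bindings silently point at nothing.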
@@ -0,0 +1,147 @@ +{{- if and .Values.rbac (not .Values.leastPrivilege) -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-app +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-rbac +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-admission +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-view + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: view +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: neuvector-binding-co +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/controller-deployment.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/controller-deployment.yaml new file mode 100644 index 0000000000..933a5e93da --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/controller-deployment.yaml 
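Review bot: Every `subjects:` entry in this file renders `name: {{ .Values.serviceAccount }}` unquoted and unguarded, so an unset or empty value produces a bare `name:` (null) on the ClusterRoleBinding instead of a template-time error, and the same `userNames:` line in the `$oc3` branch would render `system:serviceaccount:<ns>:` with nothing after the colon. Because the controller Deployment in this same change uses that value for `serviceAccountName` when `leastPrivilege` is off, a wrong value silently leaves the controller without the `neuvector-binding-app`, `-rbac`, `-admission` and `view` grants rather than failing the install. `name: {{ required "serviceAccount must be set" .Values.serviceAccount }}` in each subject (and the `userNames:` line) would make the failure explicit. The `$oc4` `neuvector-binding-co` binding here names only `.Values.serviceAccount`, whereas the least-privilege variant binds both `controller` and `enforcer`; if both components are expected to run as that one service account in this mode, a comment above that binding saying so would save the next reviewer the comparison.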
@@ -0,0 +1,264 @@ +{{- if .Values.controller.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-controller-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- with .Values.controller.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + minReadySeconds: 60 + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} + selector: + matchLabels: + app: neuvector-controller-pod + template: + metadata: + labels: + app: neuvector-controller-pod + release: {{ .Release.Name }} + {{- with .Values.controller.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.controller.secret.enabled .Values.controller.configmap.enabled .Values.controller.podAnnotations .Values.autoGenerateCert }} + annotations: + {{- if .Values.controller.secret.enabled }} + checksum/init-secret: {{ include (print $.Template.BasePath "/init-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.controller.configmap.enabled }} + checksum/init-configmap: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.autoGenerateCert }} + checksum/controller-secret: {{ include (print $.Template.BasePath "/controller-secret.yaml") . 
| sha256sum }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + {{- toYaml .Values.controller.podAnnotations | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 8 }} + {{- end }} + {{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.controller.schedulerName }} + schedulerName: {{ .Values.controller.schedulerName }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: controller + serviceAccount: controller + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + containers: + - name: neuvector-controller-pod + image: {{ template "system_default_registry" . 
}}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }} + securityContext: + privileged: true + resources: + {{- if .Values.controller.resources }} +{{ toYaml .Values.controller.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + readinessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 5 + periodSeconds: 5 + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: CLUSTER_ADVERTISED_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CLUSTER_BIND_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.ranchersso.enabled }} + - name: RANCHER_SSO + value: "1" + - name: RANCHER_EP + value: "{{ .Values.global.cattle.url }}" + {{- end }} + {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }} + - name: CTRL_PERSIST_CONFIG + value: "1" + {{- end }} + {{- with .Values.controller.env }} +{{- toYaml . 
| nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /var/neuvector + name: nv-share + readOnly: false + - mountPath: /var/nv_debug + name: nv-debug + readOnly: false + {{- if .Values.containerd.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.k3s.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.bottlerocket.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.crio.enabled }} + - mountPath: /var/run/crio/crio.sock + {{- else }} + - mountPath: /var/run/docker.sock + {{- end }} + name: runtime-sock + readOnly: true + - mountPath: /host/proc + name: proc-vol + readOnly: true + - mountPath: /host/cgroup + name: cgroup-vol + readOnly: true + - mountPath: /etc/config + name: config-volume + readOnly: true + {{- if .Values.controller.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.controller.certificate.keyFile }} + name: usercert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.controller.certificate.pemFile }} + name: usercert + readOnly: true + {{- else if .Values.autoGenerateCert }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem + name: cert + readOnly: true + {{- else }} + {{- end }} + {{- if .Values.internal.certmanager.enabled }} + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.controller.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.controller.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.controller.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + terminationGracePeriodSeconds: 300 + 
restartPolicy: Always + volumes: + - name: nv-share + {{- if .Values.controller.pvc.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.controller.pvc.existingClaim | default "neuvector-data" }} + {{- else if .Values.controller.azureFileShare.enabled }} + azureFile: + secretName: {{ .Values.controller.azureFileShare.secretName }} + shareName: {{ .Values.controller.azureFileShare.shareName }} + readOnly: false + {{- else }} + hostPath: + path: /var/neuvector + {{- end }} + - name: runtime-sock + hostPath: + {{- if .Values.containerd.enabled }} + path: {{ .Values.containerd.path }} + {{- else if .Values.crio.enabled }} + path: {{ .Values.crio.path }} + {{- else if .Values.k3s.enabled }} + path: {{ .Values.k3s.runtimePath }} + {{- else if .Values.bottlerocket.enabled }} + path: {{ .Values.bottlerocket.runtimePath }} + {{- else }} + path: {{ .Values.docker.path }} + {{- end }} + - name: proc-vol + hostPath: + path: /proc + - name: cgroup-vol + hostPath: + path: /sys/fs/cgroup + - name: config-volume + projected: + sources: + - configMap: + name: neuvector-init + optional: true + - secret: + name: neuvector-init + optional: true + - name: nv-debug + hostPath: + path: /var/nv_debug + {{- if .Values.autoGenerateCert }} + - name: cert + secret: + secretName: neuvector-controller-secret + {{- end }} + {{- if .Values.controller.certificate.secret }} + - name: usercert + secret: + secretName: {{ .Values.controller.certificate.secret }} + {{- end }} + {{- if .Values.internal.certmanager.enabled }} + - name: internal-cert + secret: + secretName: {{ .Values.controller.internal.certificate.secret }} + {{- end }} +{{- if gt (int .Values.controller.disruptionbudget) 0 }} +--- +{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: neuvector-controller-pdb + namespace: {{ .Release.Namespace }} +spec: + minAvailable: {{ 
.Values.controller.disruptionbudget }}
+ selector:
+ matchLabels:
+ app: neuvector-controller-pod
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/controller-ingress.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/controller-ingress.yaml
new file mode 100644
index 0000000000..b36fbbdc09
--- /dev/null
+++ b/charts/neuvector/102.0.5+up2.6.4/templates/controller-ingress.yaml
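Review bot: The container-runtime socket is selected in two different branch orders: the `volumeMounts` chain tests `containerd` → `k3s` → `bottlerocket` → `crio` → docker, while the `runtime-sock` `hostPath` chain under `volumes:` tests `containerd` → `crio` → `k3s` → `bottlerocket` → docker. If more than one of those flags is set (for example `k3s.enabled` together with `crio.enabled`), the container sees `/var/run/containerd/containerd.sock` but the host path bound there is `.Values.crio.path`, so the controller is pointed at the wrong runtime with no render-time error. The `hostPath` chain should use the same order as the mount chain, as below. The empty `{{- else }}` closing the certificate `volumeMounts` block is dead and can be dropped, and `imagePullSecrets` accepts only a single string where a list is the usual shape, which is worth stating in a comment if intentional. Given `privileged: true` plus read-only mounts of the runtime socket, `/proc` and `/sys/fs/cgroup` and a read-write `/var/neuvector` hostPath, a short comment above `securityContext:` explaining why the controller needs this host access would help anyone auditing the rendered manifest.

```yaml
      - name: runtime-sock
        hostPath:
          {{- if .Values.containerd.enabled }}
          path: {{ .Values.containerd.path }}
          {{- else if .Values.k3s.enabled }}
          path: {{ .Values.k3s.runtimePath }}
          {{- else if .Values.bottlerocket.enabled }}
          path: {{ .Values.bottlerocket.runtimePath }}
          {{- else if .Values.crio.enabled }}
          path: {{ .Values.crio.path }}
          {{- else }}
          path: {{ .Values.docker.path }}
          {{- end }}
      # … unchanged: proc-vol, cgroup-vol, config-volume, nv-debug, cert volumes …
```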
@@ -0,0 +1,219 @@ +{{- if .Values.controller.enabled }} +{{- if .Values.controller.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-restapi-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.ingress.ingressClassName }} + ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.controller.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.ingress.host }} +{{- if .Values.controller.ingress.secretName }} + secretName: {{ .Values.controller.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.ingress.host }} + http: + paths: + - path: {{ .Values.controller.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-svc-controller-api + port: + number: 10443 +{{- else }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-restapi-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.ingress.host }} +{{- if .Values.controller.ingress.secretName }} + secretName: {{ .Values.controller.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.ingress.host }} + http: + paths: + - path: {{ .Values.controller.ingress.path }} + backend: + serviceName: neuvector-svc-controller-api + servicePort: 10443 +{{- end }} +{{- end }} +{{- if .Values.controller.federation.mastersvc.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-mastersvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.mastersvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.federation.mastersvc.ingress.ingressClassName }} + ingressClassName: {{ .Values.controller.federation.mastersvc.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.controller.federation.mastersvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.mastersvc.ingress.host }} +{{- if .Values.controller.federation.mastersvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.mastersvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.mastersvc.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-svc-controller-fed-master + port: + number: 11443 +{{- else }} +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-mastersvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.mastersvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.federation.mastersvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.mastersvc.ingress.host }} +{{- if .Values.controller.federation.mastersvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.mastersvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.mastersvc.ingress.path }} + backend: + serviceName: neuvector-svc-controller-fed-master + servicePort: 11443 +{{- end }} +{{- end }} +{{- if .Values.controller.federation.managedsvc.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-managedsvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.managedsvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.federation.managedsvc.ingress.ingressClassName }} + ingressClassName: {{ .Values.controller.federation.managedsvc.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.controller.federation.managedsvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.managedsvc.ingress.host }} +{{- if .Values.controller.federation.managedsvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.managedsvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.managedsvc.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-svc-controller-fed-managed + port: + number: 10443 +{{- else }} +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-managedsvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.managedsvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.federation.managedsvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.managedsvc.ingress.host }} +{{- if .Values.controller.federation.managedsvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.managedsvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.managedsvc.ingress.path }} + backend: + serviceName: neuvector-svc-controller-fed-managed + servicePort: 10443 +{{- end }} +{{- end }} +{{- end -}} 
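Review bot: The three `ingressClassName` blocks close with `{{ end }}` (no dash) while every other directive in this file uses `{{- end }}`, so each rendered `networking.k8s.io/v1` Ingress carries a stray blank line inside `spec:`; change them to `{{- end }}` for consistency. Also, `host:` and `path:` are emitted unquoted while `ingressClassName` is piped through `| quote`; a wildcard host such as `*.example.com` (constructed example) begins with the YAML alias indicator and would fail to parse, so `- {{ .Values.controller.ingress.host | quote }}` and `- path: {{ .Values.controller.ingress.path | quote }}` (and their `mastersvc`/`managedsvc` counterparts) would be more robust. The `tls:` block is only emitted when `ingress.tls` is set, so an Ingress without it fronts the 10443 backend over plain HTTP at the edge; a comment above `{{- if .Values.controller.ingress.tls }}` noting that TLS at the ingress is opt-in would make that visible to operators reading the rendered output.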
diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/controller-route.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/controller-route.yaml
new file mode 100644
index 0000000000..686a77ec48
--- /dev/null
+++ b/charts/neuvector/102.0.5+up2.6.4/templates/controller-route.yaml
@@ -0,0 +1,98 @@ +{{- if .Values.openshift -}} +{{- if .Values.controller.apisvc.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-api + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.apisvc.route.host }} + host: {{ .Values.controller.apisvc.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-svc-controller-api + port: + targetPort: controller-api + tls: + termination: {{ .Values.controller.apisvc.route.termination }} +{{- if or (eq .Values.controller.apisvc.route.termination "reencrypt") (eq .Values.controller.apisvc.route.termination "edge") }} +{{- with .Values.controller.apisvc.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} + +--- +{{ end -}} +{{- if .Values.controller.federation.mastersvc.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-fed-master + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.federation.mastersvc.route.host }} + host: {{ .Values.controller.federation.mastersvc.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-svc-controller-fed-master + port: + targetPort: fed + tls: + termination: {{ .Values.controller.federation.mastersvc.route.termination }} +{{- if or (eq .Values.controller.federation.mastersvc.route.termination "reencrypt") (eq .Values.controller.federation.mastersvc.route.termination "edge") }} +{{- with .Values.controller.federation.mastersvc.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +--- +{{ end -}} +{{- if .Values.controller.federation.managedsvc.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-fed-managed + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.controller.federation.managedsvc.route.host }} + host: {{ .Values.controller.federation.managedsvc.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-svc-controller-fed-managed + port: + targetPort: fed + tls: + termination: {{ .Values.controller.federation.managedsvc.route.termination }} +{{- if or (eq .Values.controller.federation.managedsvc.route.termination "reencrypt") (eq .Values.controller.federation.managedsvc.route.termination "edge") }} +{{- with .Values.controller.federation.managedsvc.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{ end -}} +{{- end -}} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/controller-secret.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/controller-secret.yaml new file mode 100644 index 0000000000..0db1d946b4 --- /dev/null 
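Review bot: The guard `{{- if or (eq .Values.controller.apisvc.route.termination "reencrypt") (eq .Values.controller.apisvc.route.termination "edge") }}` around the `.route.tls` block is not self-explanatory in the rendered file; a comment above it such as `# .route.tls is only applied when the router terminates TLS (edge/reencrypt); other termination modes leave the certificate to the pod` would help, and the same guard appears on the fed-master and fed-managed Route documents in this hunk. The `host:` value is emitted unquoted on all three Routes; `| quote` would keep a wildcard host from being read as a YAML alias, matching how the Ingress template in this change quotes `ingressClassName`. Note also that the first two documents end with `---` then `{{ end -}}` while the last ends with only `{{ end -}}`, which is presumably deliberate but reads as an inconsistency without a comment.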
+++ b/charts/neuvector/102.0.5+up2.6.4/templates/controller-secret.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.controller.enabled -}}
+{{- if .Values.autoGenerateCert }}
+{{- $cn := "neuvector" }}
+{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: neuvector-controller-secret
+type: Opaque
+data:
+ ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }}
+ ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }}
+---
+{{- end}}
+{{- end}}
diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/controller-service.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/controller-service.yaml
new file mode 100644
index 0000000000..d4040a78af
--- /dev/null
+++ b/charts/neuvector/102.0.5+up2.6.4/templates/controller-service.yaml
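Review bot: `genSelfSignedCert` is called with `(.Values.defaultValidityPeriod | int)`, and if that value is missing `int` yields 0, so the generated certificate would be valid for zero days and the lookup on the next two lines would then persist that certificate across upgrades; guard it, e.g. `(required "defaultValidityPeriod must be set" .Values.defaultValidityPeriod | int)`. The `neuvector.secrets.lookup` helper is defined outside this hunk, but from its `defaultValue` argument it appears to return the stored value whenever `neuvector-controller-secret` already exists, which would mean an expired certificate is never regenerated on `helm upgrade`; a comment above `data:` saying that rotation requires deleting the secret (if that is indeed the behaviour) would save operators a debugging session. The certificate's CN and only SAN are the literal `neuvector`, which does not match the `neuvector-svc-controller-api` Service name emitted elsewhere in this change, so clients that validate the name will not accept it; if that is intentional for a self-signed bootstrap certificate, it deserves a comment next to `$cn := "neuvector"`.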
@@ -0,0 +1,97 @@ +{{- if .Values.controller.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + clusterIP: None + ports: + - port: 18300 + protocol: "TCP" + name: "cluster-tcp-18300" + - port: 18301 + protocol: "TCP" + name: "cluster-tcp-18301" + - port: 18301 + protocol: "UDP" + name: "cluster-udp-18301" + selector: + app: neuvector-controller-pod +{{- if .Values.controller.apisvc.type }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller-api + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.apisvc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.controller.apisvc.type }} + ports: + - port: 10443 + protocol: "TCP" + name: "controller-api" + selector: + app: neuvector-controller-pod +{{ end -}} +{{- if .Values.controller.federation.mastersvc.type }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller-fed-master + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.mastersvc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.controller.federation.mastersvc.type }} + ports: + - port: 11443 + name: fed + protocol: TCP + selector: + app: neuvector-controller-pod +{{ end -}} +{{- if .Values.controller.federation.managedsvc.type }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller-fed-managed + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.managedsvc.annotations }} + annotations: +{{ toYaml . 
| indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.controller.federation.managedsvc.type }} + ports: + - port: 10443 + name: fed + protocol: TCP + selector: + app: neuvector-controller-pod +{{ end -}} +{{- end -}} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/crd-role-least.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/crd-role-least.yaml new file mode 100644 index 0000000000..01e44acf4e --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/crd-role-least.yaml 
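Review bot: Port entries are written inconsistently across the four Services: the cluster and API services quote `protocol: "TCP"` and the port `name`, while the two federation services use bare `protocol: TCP` and `name: fed`; pick one form file-wide (`protocol: TCP` matches how the rest of the chart writes plain scalars). The cluster service lists port `18301` twice, once TCP and once UDP, which is valid but reads like a duplicate at a glance; an inline `# same port number, different protocols` on the second entry would stop reviewers from "fixing" it. The API and federation Services are gated only on `.Values.controller.apisvc.type` / `.federation.*.type`, so a `NodePort` or `LoadBalancer` value exposes the 10443/11443 endpoints outside the cluster; a comment above each `{{- if ... .type }}` noting that would make the exposure decision visible in the rendered file.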
@@ -0,0 +1,295 @@ +{{- if .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +# ClusterRole for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - update + - watch + - create + - get + +--- + +# ClusterRoleBinding for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-customresourcedefinition +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvsecurityrules + - nvclustersecurityrules + verbs: + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage dlp CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvdlpsecurityrules + verbs: + - list + - delete + +--- + +# ClusterRole for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvadmissioncontrolsecurityrules + verbs: + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvdlpsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvadmissioncontrolsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvwafsecurityrules + verbs: + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvwafsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +{{- end }} 
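Review bot: The heading above the ClusterRoleBinding named `neuvector-binding-nvdlpsecurityrules` reads `# ClusterRoleBinding for NeuVector to manage admission control CRD rules`, which is the heading of the following binding; it should read `# ClusterRoleBinding for NeuVector to manage dlp CRD rules` to match the dlp ClusterRole comment earlier in the file. The ordering there is role(dlp), role(admission), binding(dlp), binding(admission), unlike every other pair in this file which keeps a ClusterRole and its binding adjacent; re-pairing them would make this kind of mislabel hard to repeat. Even in `leastPrivilege` mode the first ClusterRole grants `update`, `watch`, `create` and `get` on every `customresourcedefinitions` object cluster-wide; `create` cannot be narrowed with `resourceNames`, but a comment on that rule naming the CRDs the controller installs and explaining why `update`/`get` are not restricted with `resourceNames` would document the trade-off for the least-privilege audience this file targets.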
diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/crd-role.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/crd-role.yaml
new file mode 100644
index 0000000000..76e8e3e14d
--- /dev/null
+++ b/charts/neuvector/102.0.5+up2.6.4/templates/crd-role.yaml
@@ -0,0 +1,295 @@ +{{- if not .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +# ClusterRole for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - update + - watch + - create + - get + +--- + +# ClusterRoleBinding for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-customresourcedefinition +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvsecurityrules + - nvclustersecurityrules + verbs: + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage dlp CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvdlpsecurityrules + verbs: + - list + - delete + +--- + +# ClusterRole for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvadmissioncontrolsecurityrules + verbs: + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvdlpsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvadmissioncontrolsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - neuvector.com + resources: + - nvwafsecurityrules + verbs: + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvwafsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +{{- end }} 
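Review bot: The comment above the ClusterRoleBinding named `neuvector-binding-nvdlpsecurityrules` reads `# ClusterRoleBinding for NeuVector to manage admission control CRD rules`, but that binding is the dlp one; the admission-control binding follows it under the same comment, so the two headings are now identical while the resources differ. Change the first to `# ClusterRoleBinding for NeuVector to manage dlp CRD rules` so the resource inventory reads correctly. Separately, `neuvector-binding-customresourcedefinition` grants `update`, `watch`, `create` and `get` on every CustomResourceDefinition in the cluster; `create` cannot be narrowed by `resourceNames`, but if the controller only ever touches its own `neuvector.com` CRDs the `update`/`get` part could be, and a short comment stating why the cluster-wide grant is required on this non-leastPrivilege path would help whoever audits the RBAC.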
diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/enforcer-daemonset.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/enforcer-daemonset.yaml
new file mode 100644
index 0000000000..720557fe65
--- /dev/null
+++ b/charts/neuvector/102.0.5+up2.6.4/templates/enforcer-daemonset.yaml
@@ -0,0 +1,150 @@ +{{- if .Values.enforcer.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: DaemonSet +metadata: + name: neuvector-enforcer-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + updateStrategy: {{- toYaml .Values.enforcer.updateStrategy | nindent 4 }} + selector: + matchLabels: + app: neuvector-enforcer-pod + template: + metadata: + labels: + app: neuvector-enforcer-pod + release: {{ .Release.Name }} + {{- with .Values.enforcer.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.enforcer.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.enforcer.tolerations }} + tolerations: +{{ toYaml .Values.enforcer.tolerations | indent 8 }} + {{- end }} + hostPID: true + {{- if .Values.enforcer.priorityClassName }} + priorityClassName: {{ .Values.enforcer.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: enforcer + serviceAccount: enforcer + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + containers: + - name: neuvector-enforcer-pod + image: {{ template "system_default_registry" . 
}}{{ .Values.enforcer.image.repository }}:{{ .Values.enforcer.image.tag }} + securityContext: + privileged: true + resources: + {{- if .Values.enforcer.resources }} +{{ toYaml .Values.enforcer.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: CLUSTER_ADVERTISED_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CLUSTER_BIND_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- with .Values.enforcer.env }} +{{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.containerd.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.k3s.enabled }} + - mountPath: /run/containerd/containerd.sock + {{- else if .Values.bottlerocket.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.crio.enabled }} + - mountPath: /var/run/crio/crio.sock + {{- else }} + - mountPath: /var/run/docker.sock + {{- end }} + name: runtime-sock + readOnly: true + - mountPath: /host/proc + name: proc-vol + readOnly: true + - mountPath: /host/cgroup + name: cgroup-vol + readOnly: true + - mountPath: /lib/modules + name: modules-vol + readOnly: true + - mountPath: /var/nv_debug + name: nv-debug + readOnly: false + {{- if .Values.internal.certmanager.enabled }} + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.enforcer.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.enforcer.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.enforcer.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + terminationGracePeriodSeconds: 1200 + restartPolicy: Always + volumes: + - name: runtime-sock + hostPath: + {{- if 
.Values.containerd.enabled }} + path: {{ .Values.containerd.path }} + {{- else if .Values.crio.enabled }} + path: {{ .Values.crio.path }} + {{- else if .Values.k3s.enabled }} + path: {{ .Values.k3s.runtimePath }} + {{- else if .Values.bottlerocket.enabled }} + path: {{ .Values.bottlerocket.runtimePath }} + {{- else }} + path: {{ .Values.docker.path }} + {{- end }} + - name: proc-vol + hostPath: + path: /proc + - name: cgroup-vol + hostPath: + path: /sys/fs/cgroup + - name: modules-vol + hostPath: + path: /lib/modules + - name: nv-debug + hostPath: + path: /var/nv_debug + {{- if .Values.internal.certmanager.enabled }} + - name: internal-cert + secret: + secretName: {{ .Values.enforcer.internal.certificate.secret }} + {{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/init-configmap.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/init-configmap.yaml new file mode 100644 index 0000000000..5cc1bb5c34 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/init-configmap.yaml @@ -0,0 +1,13 @@ +{{- if .Values.controller.configmap.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: neuvector-init + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ toYaml .Values.controller.configmap.data | indent 2 }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/init-secret.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/init-secret.yaml new file mode 100644 index 0000000000..8a50814081 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/init-secret.yaml 
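Review bot: The runtime-socket `volumeMounts` chain and the `volumes` chain test the runtime flags in different orders (containerd, k3s, bottlerocket, crio, docker versus containerd, crio, k3s, bottlerocket, docker), so if more than one flag is set — for example `crio.enabled` together with `k3s.enabled` — the container-side `mountPath` comes from one runtime and the `hostPath.path` from another. Put both chains in the same order, or compute the choice once into a template variable and render both fields from it. The enforcer also runs with `privileged: true`, `hostPID: true` and the runtime socket mounted, which is node-equivalent access; a comment above `hostPID: true` such as `# enforcer inspects host processes and the container runtime; grants are node-level` would tell operators why the PSP and admission exceptions exist.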
@@ -0,0 +1,15 @@ +{{- if .Values.controller.secret.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-init + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{- range $key, $val := .Values.controller.secret.data }} + {{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/manager-deployment.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/manager-deployment.yaml new file mode 100644 index 0000000000..efa9d09629 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/manager-deployment.yaml 
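Review bot: `{{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }}` uses a clipping block scalar, so every base64 value carries a trailing newline into the Secret's `data`. Go's base64 decoder skips newlines, so this presumably decodes, but `|-` states the intent and removes the dependency on that behaviour: `{{ $key }}: |- {{ toYaml $val | b64enc | nindent 4 }}`.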
@@ -0,0 +1,118 @@ +{{- if .Values.manager.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-manager-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: neuvector-manager-pod + template: + metadata: + labels: + app: neuvector-manager-pod + release: {{ .Release.Name }} + {{- with .Values.manager.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.manager.podAnnotations .Values.autoGenerateCert }} + annotations: + {{- if .Values.autoGenerateCert }} + checksum/manager-secret: {{ include (print $.Template.BasePath "/manager-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.manager.podAnnotations }} + {{- toYaml .Values.manager.podAnnotations | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.manager.affinity }} + affinity: +{{ toYaml .Values.manager.affinity | indent 8 }} + {{- end }} + {{- if .Values.manager.tolerations }} + tolerations: +{{ toYaml .Values.manager.tolerations | indent 8 }} + {{- end }} + {{- if .Values.manager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.manager.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.manager.priorityClassName }} + priorityClassName: {{ .Values.manager.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: basic + serviceAccount: basic + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.manager.runAsUser }} + securityContext: + runAsUser: {{ .Values.manager.runAsUser }} + {{- end }} + containers: + 
- name: neuvector-manager-pod + image: {{ template "system_default_registry" . }}{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }} + env: + - name: CTRL_SERVER_IP + value: neuvector-svc-controller.{{ .Release.Namespace }} + {{- if not .Values.manager.env.ssl }} + - name: MANAGER_SSL + value: "off" + {{- end }} + {{- with .Values.manager.env.envs }} +{{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.manager.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.manager.certificate.keyFile }} + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.manager.certificate.pemFile }} + name: cert + readOnly: true + {{- else if .Values.autoGenerateCert }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem + name: cert + readOnly: true + {{- end }} + resources: + {{- if .Values.manager.resources }} +{{ toYaml .Values.manager.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + restartPolicy: Always + volumes: + {{- if .Values.manager.certificate.secret }} + - name: cert + secret: + secretName: {{ .Values.manager.certificate.secret }} + {{- else if .Values.autoGenerateCert }} + - name: cert + secret: + secretName: neuvector-manager-secret + {{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/manager-ingress.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/manager-ingress.yaml new file mode 100644 index 0000000000..d6e2e33504 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/manager-ingress.yaml 
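Review bot: The manager container has no container-level `securityContext`; the pod-level one only sets `runAsUser`, and only when `manager.runAsUser` is given. This workload needs no host access, so `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` on the container would let it run under a restricted Pod Security admission profile, assuming the image does not depend on setuid binaries (not verifiable from the chart). The `{{- if not .Values.manager.env.ssl }}` branch that sets `MANAGER_SSL` to `"off"` appears to disable TLS on the web UI; a comment there saying it is intended for lab or behind-a-terminating-proxy setups would help reviewers of values files.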
@@ -0,0 +1,71 @@ +{{- if and .Values.manager.enabled .Values.manager.ingress.enabled -}} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-webui-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.manager.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.manager.ingress.ingressClassName }} + ingressClassName: {{ .Values.manager.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.manager.ingress.tls }} + tls: + - hosts: + - {{ .Values.manager.ingress.host }} +{{- if .Values.manager.ingress.secretName }} + secretName: {{ .Values.manager.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.manager.ingress.host }} + http: + paths: + - path: {{ .Values.manager.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-service-webui + port: + number: 8443 +{{- else }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-webui-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.manager.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.manager.ingress.tls }} + tls: + - hosts: + - {{ .Values.manager.ingress.host }} +{{- if .Values.manager.ingress.secretName }} + secretName: {{ .Values.manager.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.manager.ingress.host }} + http: + paths: + - path: {{ .Values.manager.ingress.path }} + backend: + serviceName: neuvector-service-webui + servicePort: 8443 +{{- end }} +{{- end -}} \ No newline at end of file 
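Review bot: `ingressClassName` is rendered with `| quote`, but `host` and `path` are emitted as plain scalars in both branches, so a value YAML reinterprets changes the manifest silently — a wildcard such as `*.example.com` is read as an alias reference and fails to render at all. Quote them the same way in the `tls.hosts` entry and the rule: `- host: {{ .Values.manager.ingress.host | quote }}` and `- path: {{ .Values.manager.ingress.path | quote }}`; `registry-adapter-ingress.yaml` has the same pattern. The `{{ end }}` after `ingressClassName` also lacks the `-` trim the rest of the file uses and leaves a blank line in the output.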
diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/manager-route.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/manager-route.yaml new file mode 100644 index 0000000000..784a4ae235 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/manager-route.yaml @@ -0,0 +1,33 @@ +{{- if .Values.openshift -}} +{{- if .Values.manager.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-webui + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.manager.route.host }} + host: {{ .Values.manager.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-service-webui + port: + targetPort: manager + tls: + termination: {{ .Values.manager.route.termination }} +{{- if or (eq .Values.manager.route.termination "reencrypt") (eq .Values.manager.route.termination "edge") }} +{{- with .Values.manager.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/manager-secret.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/manager-secret.yaml new file mode 100644 index 0000000000..aeb0331486 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/manager-secret.yaml 
@@ -0,0 +1,15 @@ +{{- if .Values.manager.enabled -}} +{{- if .Values.autoGenerateCert }} +{{- $cn := "neuvector" }} +{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-manager-secret +type: Opaque +data: + ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} + ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }} +--- +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/manager-service.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/manager-service.yaml new file mode 100644 index 0000000000..e18e55c357 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/manager-service.yaml @@ -0,0 +1,26 @@ +{{- if .Values.manager.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: neuvector-service-webui + namespace: {{ .Release.Namespace }} +{{- with .Values.manager.svc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.manager.svc.type }} +{{- if and .Values.manager.svc.loadBalancerIP (eq .Values.manager.svc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.manager.svc.loadBalancerIP }} +{{- end }} + ports: + - port: 8443 + name: manager + protocol: TCP + selector: + app: neuvector-manager-pod +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/psp.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/psp.yaml new file mode 100644 index 0000000000..782b62926d --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/psp.yaml 
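Review bot: The Secret's `metadata` has no `namespace:` and none of the chart/release/heritage labels the other templates carry, while `neuvector.secrets.lookup` reads the existing value from `.Release.Namespace`. Under `helm install` both resolve to the release namespace, but a rendered manifest applied with `kubectl` from a different namespace context creates the Secret where the lookup never sees it, so a fresh key pair is generated on every render. Add `  namespace: {{ .Release.Namespace }}` under `name:`; `registry-adapter-secret.yaml` has the same gap. The generated certificate's only SAN is `neuvector` (the `$cn` passed to `genSelfSignedCert`), so clients that verify the hostname will not accept it; a comment above `$cn` stating that this is a fallback for installs that supply no `manager.certificate.secret` would make that expectation explicit.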
@@ -0,0 +1,86 @@ +{{- if and .Values.global.cattle.psp.enabled (semverCompare "<1.25-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: neuvector-binding-psp + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + labels: + chart: {{ template "neuvector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + privileged: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: true + allowedCapabilities: + - SYS_ADMIN + - NET_ADMIN + - SYS_PTRACE + - IPC_LOCK + requiredDropCapabilities: + - ALL + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: neuvector-binding-psp + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: + - policy + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - neuvector-binding-psp +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: neuvector-binding-psp + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: neuvector-binding-psp +subjects: +{{- if .Values.leastPrivilege }} +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +{{- else }} +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} 
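Review bot: The PodSecurityPolicy permits `hostNetwork: true`, `hostIPC: true`, the full `hostPorts` range `0`–`65535` and `volumes: ['*']`, which is broader than the enforcer DaemonSet in this same change uses (it sets `hostPID: true`, `privileged: true` and `hostPath` volumes only). The controller's pod spec is not in view, so some of this may be needed there; if not, setting `hostIPC` and `hostNetwork` to `false` and listing the volume types actually mounted would keep the policy at what the bound ServiceAccounts use. A comment naming which workload consumes each host-level permission would let the next reviewer check that without reading every template.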
diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/pvc.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/pvc.yaml new file mode 100644 index 0000000000..3821d04853 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/pvc.yaml @@ -0,0 +1,27 @@ +{{- if not .Values.controller.pvc.existingClaim -}} +{{- if and .Values.controller.enabled .Values.controller.pvc.enabled -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: neuvector-data + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + accessModes: +{{ toYaml .Values.controller.pvc.accessModes | indent 4 }} + volumeMode: Filesystem +{{- if .Values.controller.pvc.storageClass }} + storageClassName: {{ .Values.controller.pvc.storageClass }} +{{- end }} + resources: + requests: +{{- if .Values.controller.pvc.capacity }} + storage: {{ .Values.controller.pvc.capacity }} +{{- else }} + storage: 1Gi +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/registry-adapter-ingress.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/registry-adapter-ingress.yaml new file mode 100644 index 0000000000..22c7244af8 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/registry-adapter-ingress.yaml 
@@ -0,0 +1,109 @@ +{{- if .Values.cve.adapter.enabled -}} + +{{- if .Values.cve.adapter.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-registry-adapter-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.cve.adapter.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.cve.adapter.ingress.ingressClassName }} + ingressClassName: {{ .Values.cve.adapter.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.cve.adapter.ingress.tls }} + tls: + - hosts: + - {{ .Values.cve.adapter.ingress.host }} +{{- if .Values.cve.adapter.ingress.secretName }} + secretName: {{ .Values.cve.adapter.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.cve.adapter.ingress.host }} + http: + paths: + - path: {{ .Values.cve.adapter.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-service-registry-adapter + port: + number: 9443 +{{- else }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-registry-adapter-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.cve.adapter.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.cve.adapter.ingress.tls }} + tls: + - hosts: + - {{ .Values.cve.adapter.ingress.host }} +{{- if .Values.cve.adapter.ingress.secretName }} + secretName: {{ .Values.cve.adapter.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.cve.adapter.ingress.host }} + http: + paths: + - path: {{ .Values.cve.adapter.ingress.path }} + backend: + serviceName: neuvector-service-webui + servicePort: 9443 +{{- end }} +{{- end }} + +--- + +{{- if and .Values.openshift .Values.cve.adapter.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-registry-adapter + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: +{{- if .Values.cve.adapter.route.host }} + host: {{ .Values.cve.adapter.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-service-registry-adapter + port: + targetPort: registry-adapter + tls: + termination: {{ .Values.cve.adapter.route.termination }} +{{- if or (eq .Values.cve.adapter.route.termination "reencrypt") (eq .Values.cve.adapter.route.termination "edge") }} +{{- with .Values.cve.adapter.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{- end }} + +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/registry-adapter-secret.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/registry-adapter-secret.yaml new file mode 100644 index 0000000000..5f2b3efa86 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/registry-adapter-secret.yaml 
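Review bot: In the `extensions/v1beta1` branch the backend is `serviceName: neuvector-service-webui` with `servicePort: 9443`, while the `networking.k8s.io/v1` branch above routes to `neuvector-service-registry-adapter`; on clusters older than 1.19 the adapter ingress would therefore point at the manager UI's Service, which `manager-service.yaml` exposes on 8443 only. Change it to `serviceName: neuvector-service-registry-adapter`. The bare `---` between the Ingress and Route blocks is emitted even when only one of them renders, which Helm tolerates but leaves an empty document in `helm template` output.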
@@ -0,0 +1,15 @@ +{{- if .Values.cve.adapter.enabled -}} +{{- if .Values.autoGenerateCert }} +{{- $cn := "neuvector" }} +{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-registry-adapter-secret +type: Opaque +data: + ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-registry-adapter-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} + ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-registry-adapter-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }} +--- +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/registry-adapter.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/registry-adapter.yaml new file mode 100644 index 0000000000..6a3926aefd --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/registry-adapter.yaml 
@@ -0,0 +1,192 @@ +{{- if .Values.cve.adapter.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-registry-adapter-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: neuvector-registry-adapter-pod + template: + metadata: + labels: + app: neuvector-registry-adapter-pod + release: {{ .Release.Name }} + {{- with .Values.cve.adapter.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.cve.adapter.podAnnotations .Values.autoGenerateCert }} + annotations: + {{- if .Values.autoGenerateCert }} + checksum/registry-adapter-secret: {{ include (print $.Template.BasePath "/registry-adapter-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.cve.adapter.podAnnotations }} + {{- toYaml .Values.cve.adapter.podAnnotations | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.cve.adapter.affinity }} + affinity: +{{ toYaml .Values.cve.adapter.affinity | indent 8 }} + {{- end }} + {{- if .Values.cve.adapter.tolerations }} + tolerations: +{{ toYaml .Values.cve.adapter.tolerations | indent 8 }} + {{- end }} + {{- if .Values.cve.adapter.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.adapter.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.adapter.priorityClassName }} + priorityClassName: {{ .Values.cve.adapter.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: basic + serviceAccount: basic + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if 
.Values.cve.adapter.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.adapter.runAsUser }} + {{- end }} + containers: + - name: neuvector-registry-adapter-pod + {{- if eq .Values.registry "registry.neuvector.com" }} + {{- if .Values.oem }} + image: "{{ .Values.registry }}/{{ .Values.oem }}/registry-adapter:{{ .Values.cve.adapter.image.tag }}" + {{- else }} + image: "{{ .Values.registry }}/registry-adapter:{{ .Values.cve.adapter.image.tag }}" + {{- end }} + {{- else }} + {{- if .Values.cve.adapter.image.hash }} + image: "{{ .Values.registry }}/{{ .Values.cve.adapter.image.repository }}@{{ .Values.cve.adapter.image.hash }}" + {{- else }} + image: {{ template "system_default_registry" . }}{{ .Values.cve.adapter.image.repository }}:{{ .Values.cve.adapter.image.tag }} + {{- end }} + {{- end }} + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: HARBOR_SERVER_PROTO + value: {{ .Values.cve.adapter.harbor.protocol }} + {{- if .Values.cve.adapter.harbor.secretName }} + - name: HARBOR_BASIC_AUTH_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.cve.adapter.harbor.secretName }} + key: username + - name: HARBOR_BASIC_AUTH_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.cve.adapter.harbor.secretName }} + key: password + {{- end }} + {{- with .Values.cve.adapter.env }} +{{- toYaml . 
| nindent 14 }} + {{- end }} + volumeMounts: + {{- if .Values.cve.adapter.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.cve.adapter.certificate.keyFile }} + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.cve.adapter.certificate.pemFile }} + name: cert + readOnly: true + {{- else if .Values.autoGenerateCert }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem + name: cert + readOnly: true + {{- end }} + resources: + {{- if .Values.cve.adapter.resources }} +{{ toYaml .Values.cve.adapter.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + {{- if .Values.internal.certmanager.enabled }} + volumeMounts: + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.cve.adapter.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.cve.adapter.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.cve.adapter.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + restartPolicy: Always + volumes: + {{- if .Values.cve.adapter.certificate.secret }} + - name: cert + secret: + secretName: {{ .Values.cve.adapter.certificate.secret }} + {{- else if .Values.autoGenerateCert }} + - name: cert + secret: + secretName: neuvector-registry-adapter-secret + {{- end }} + {{- if .Values.internal.certmanager.enabled }} + - name: internal-cert + secret: + secretName: {{ .Values.cve.adapter.internal.certificate.secret }} + {{- end }} + +--- + +apiVersion: v1 +kind: Service +metadata: + name: neuvector-service-registry-adapter + namespace: {{ .Release.Namespace }} +{{- with 
.Values.cve.adapter.svc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.cve.adapter.svc.type }} +{{- if and .Values.cve.adapter.svc.loadBalancerIP (eq .Values.cve.adapter.svc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.cve.adapter.svc.loadBalancerIP }} +{{- end }} + ports: + - name: registry-adapter +{{- if (eq .Values.cve.adapter.harbor.protocol "https") }} + port: 9443 +{{- else }} + port: 8090 +{{- end }} + protocol: TCP + selector: + app: neuvector-registry-adapter-pod + +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/role-least.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/role-least.yaml new file mode 100644 index 0000000000..b6324d739f --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/role-least.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-scanner + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - watch + - patch + - update +{{- end }} 
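Review bot: The adapter container emits `volumeMounts:` twice — once before `resources:` for the ssl-cert mounts (`certificate.secret` / `autoGenerateCert`) and again after `resources:` under `{{- if .Values.internal.certmanager.enabled }}` — so with both enabled the container has a duplicate mapping key; strict YAML loaders reject the manifest and lenient ones keep only the second list, silently dropping the ssl-cert mounts. Delete the second `volumeMounts:` line and move the three internal-cert entries up into the first list (the `volumes:` section further down already does exactly this with one key). The `registry.neuvector.com` branch also has no `image.hash` path, so digest pinning is only available on the mirrored-registry branch; that asymmetry is worth a comment in the template if it is intentional.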
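Review bot: The Role grants `get`/`watch`/`patch`/`update` on every Deployment in the namespace, but the only consumer visible in this series is the updater CronJob, which sends a single PATCH to `deployments/neuvector-scanner-pod`; scoping the rule with `resourceNames: [neuvector-scanner-pod]` and dropping `update`/`watch` — unless the controller, which is also bound to this Role, needs them — keeps the grant at what the token is actually used for. The `$oc4`/`$oc3` detection block is copied verbatim into rolebinding-least.yaml and rolebinding.yaml; a named template would keep the three in step. Naming a `Role` `neuvector-binding-scanner` is also confusing next to the RoleBinding of the same name.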
diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/rolebinding-least.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/rolebinding-least.yaml
new file mode 100644
index 0000000000..163a05306e
--- /dev/null
+++ b/charts/neuvector/102.0.5+up2.6.4/templates/rolebinding-least.yaml
@@ -0,0 +1,62 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-scanner + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-scanner +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: updater + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:privileged + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:privileged +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/rolebinding.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/rolebinding.yaml new file mode 100644 index 0000000000..257c35c91d --- /dev/null 
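Review bot: In the `$oc3` branch `userNames` lists only `system:serviceaccount:{{ .Release.Namespace }}:controller` while `subjects` lists both `controller` and `updater`, so on the legacy `authorization.openshift.io/v1` API the two lists disagree and the updater may be left without the Deployment grant it needs for its restart PATCH; add `- system:serviceaccount:{{ .Release.Namespace }}:updater` so the lists match. The second binding hands the `system:openshift:scc:privileged` ClusterRole to both `controller` and `enforcer`; the enforcer is a node-level agent, but nothing here shows the controller needing the privileged SCC, and since this is the least-privilege variant that pairing deserves a comment or a narrower SCC. The roleRef `apiGroup`/`kind` omission for `$oc3` mirrors rolebinding.yaml, so that part is consistent.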
+++ b/charts/neuvector/102.0.5+up2.6.4/templates/rolebinding.yaml @@ -0,0 +1,56 @@ +{{- if and .Values.rbac (not .Values.leastPrivilege) -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-admin + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: admin +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:privileged + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:privileged +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/scanner-deployment.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/scanner-deployment.yaml new file mode 100644 index 0000000000..ba4474f07f --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/scanner-deployment.yaml 
@@ -0,0 +1,102 @@ +{{- if .Values.cve.scanner.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-scanner-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + strategy: +{{ toYaml .Values.cve.scanner.strategy | indent 4 }} + replicas: {{ .Values.cve.scanner.replicas }} + selector: + matchLabels: + app: neuvector-scanner-pod + template: + metadata: + labels: + app: neuvector-scanner-pod + {{- with .Values.cve.scanner.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cve.scanner.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.cve.scanner.affinity }} + affinity: +{{ toYaml .Values.cve.scanner.affinity | indent 8 }} + {{- end }} + {{- if .Values.cve.scanner.tolerations }} + tolerations: +{{ toYaml .Values.cve.scanner.tolerations | indent 8 }} + {{- end }} + {{- if .Values.cve.scanner.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.scanner.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.scanner.priorityClassName }} + priorityClassName: {{ .Values.cve.scanner.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: basic + serviceAccount: basic + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.cve.scanner.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.scanner.runAsUser }} + {{- end }} + containers: + - name: neuvector-scanner-pod + image: {{ template "system_default_registry" . 
}}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }} + imagePullPolicy: Always + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + {{- if .Values.cve.scanner.dockerPath }} + - name: SCANNER_DOCKER_URL + value: {{ .Values.cve.scanner.dockerPath }} + {{- end }} + {{- with .Values.cve.scanner.env }} +{{- toYaml . | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.cve.scanner.resources | indent 12 }} + {{- if .Values.internal.certmanager.enabled }} + volumeMounts: + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.cve.scanner.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.cve.scanner.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.cve.scanner.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + restartPolicy: Always + {{- if .Values.internal.certmanager.enabled }} + volumes: + - name: internal-cert + secret: + secretName: {{ .Values.cve.scanner.internal.certificate.secret }} + {{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/serviceaccount-least.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/serviceaccount-least.yaml new file mode 100644 index 0000000000..9d728abecb --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/serviceaccount-least.yaml 
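Review bot: The scanner's `image:` line ignores `.Values.cve.scanner.image.hash` (and `.image.registry`), both of which values.yaml declares for the scanner, so unlike the registry-adapter Deployment there is no way to pin the scanner by digest; with the default `tag: latest` and `imagePullPolicy: Always`, every pod restart can pull a different image. The updater CronJob in updater-cronjob.yaml has the same gap for `cve.updater.image.hash`. Adding the digest branch the adapter template already uses keeps the two Deployments consistent:

```yaml
      containers:
        - name: neuvector-scanner-pod
          {{- if .Values.cve.scanner.image.hash }}
          image: "{{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}@{{ .Values.cve.scanner.image.hash }}"
          {{- else }}
          image: {{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}
          {{- end }}
          imagePullPolicy: Always
          # … unchanged: env, resources, volumeMounts …
```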
@@ -0,0 +1,47 @@ +{{- if .Values.leastPrivilege }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: basic + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: enforcer + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: updater + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/serviceaccount.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/serviceaccount.yaml new file mode 100644 index 0000000000..595914ca54 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if not .Values.leastPrivilege }} +{{- if ne .Values.serviceAccount "default"}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/updater-cronjob.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/updater-cronjob.yaml new file mode 100644 index 0000000000..e944949676 --- /dev/null +++ b/charts/neuvector/102.0.5+up2.6.4/templates/updater-cronjob.yaml 
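Review bot: The `basic` ServiceAccount has no Role or RoleBinding anywhere in this series, yet the scanner and registry-adapter Deployments that run as it still get an API token mounted by default; adding `automountServiceAccountToken: false` to that account removes a credential those pods have no visible use for — confirm the scanner does not talk to the API server before doing so. The four accounts use bare names (`basic`, `controller`, `enforcer`, `updater`) with no chart prefix, which collides with any pre-existing account of the same name in the namespace and makes ownership hard to tell from `kubectl get sa`; prefixing them `neuvector-…` would match the naming of every other resource in the chart, though the bindings and `serviceAccountName` references would need the same rename.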
@@ -0,0 +1,79 @@ +{{- if .Values.cve.updater.enabled -}} +{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1beta1 +{{- else }} +apiVersion: batch/v2alpha1 +{{- end }} +kind: CronJob +metadata: + name: neuvector-updater-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + schedule: {{ .Values.cve.updater.schedule | quote }} + jobTemplate: + spec: + template: + metadata: + labels: + app: neuvector-updater-pod + release: {{ .Release.Name }} + {{- with .Values.cve.updater.podLabels }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cve.updater.podAnnotations }} + annotations: + {{- toYaml . | nindent 12 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.updater.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.updater.nodeSelector | indent 12 }} + {{- end }} + {{- if .Values.cve.updater.priorityClassName }} + priorityClassName: {{ .Values.cve.updater.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: updater + serviceAccount: updater + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.cve.updater.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.updater.runAsUser }} + {{- end }} + containers: + - name: neuvector-updater-pod + image: {{ template "system_default_registry" . 
}}{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }} + imagePullPolicy: Always + {{- if .Values.cve.scanner.enabled }} + command: + - /bin/sh + - -c + {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + {{- if .Values.cve.updater.secure }} + {{- if .Values.cve.updater.cacert }} + - /usr/bin/curl -v --cacert {{ .Values.cve.updater.cacert }} -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- else }} + - /usr/bin/curl -v -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- end }} + {{- else }} + - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- end }} + {{- else }} + - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 
'https://kubernetes.default/apis/extensions/v1beta1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
+ {{- end }}
+ {{- end }}
+ restartPolicy: Never
+{{- end }}
diff --git a/charts/neuvector/102.0.5+up2.6.4/templates/validate-psp-install.yaml b/charts/neuvector/102.0.5+up2.6.4/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..da62c4d183
--- /dev/null
+++ b/charts/neuvector/102.0.5+up2.6.4/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+{{- if .Values.global.cattle.psp.enabled }}
+{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/neuvector/102.0.5+up2.6.4/values.yaml b/charts/neuvector/102.0.5+up2.6.4/values.yaml
new file mode 100644
index 0000000000..06d18e6e86
--- /dev/null
+++ b/charts/neuvector/102.0.5+up2.6.4/values.yaml
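Review bot: Every curl variant in the updater command runs with `-v`, which writes the request headers — including `Authorization:Bearer <token>` — to stderr and therefore into the job's pod logs, so the updater service-account token ends up wherever those logs are shipped; use `-sS` in place of `-v` on all four lines. Three of the four variants also pass `-k`, and values.yaml defaults `cve.updater.secure` to `false`, so by default the token is presented to `https://kubernetes.default` without verifying the server certificate even though the service-account CA is already mounted at the path `cve.updater.cacert` points to; defaulting `secure: true` and giving the pre-1.9 branch the same `--cacert` option costs nothing on a standard cluster. The PATCH body and headers are identical across the four branches, so computing the API path once (`apps/v1` vs `extensions/v1beta1`) in a template variable would leave a single curl line to review.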
@@ -0,0 +1,521 @@ +# Default values for neuvector. +# This is a YAML-formatted file. +# Declare variables to be passed into the templates. + +openshift: false + +registry: docker.io +oem: +rbac: true # required for rancher authentication +serviceAccount: neuvector +leastPrivilege: false + +global: # required for rancher authentication (https:///) + cattle: + url: + systemDefaultRegistry: "" + psp: + enabled: false # PSP enablement should default to false +autoGenerateCert: true + +defaultValidityPeriod: 365 + +internal: # enable when cert-manager is installed for the internal certificates + certmanager: + enabled: false + secretname: neuvector-internal + +controller: + # If false, controller will not be installed + enabled: true + annotations: {} + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + image: + repository: rancher/mirrored-neuvector-controller + tag: 5.2.2-s1 + hash: + replicas: 3 + disruptionbudget: 0 + schedulerName: + priorityClassName: + podLabels: {} + podAnnotations: {} + env: [] + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - neuvector-controller-pod + topologyKey: "kubernetes.io/hostname" + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + apisvc: + type: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ranchersso: # required for rancher authentication + enabled: true + pvc: + 
enabled: false + existingClaim: false + accessModes: + - ReadWriteMany + storageClass: + capacity: + azureFileShare: + enabled: false + secretName: + shareName: + certificate: + secret: + keyFile: tls.key + pemFile: tls.pem + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: neuvector-internal + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + federation: + mastersvc: + type: + # Federation Master Ingress + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + managedsvc: + type: + # Federation Managed Ingress + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # 
-----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + configmap: + enabled: false + data: + # passwordprofileinitcfg.yaml: | + # ... + # roleinitcfg.yaml: | + # ... + # ldapinitcfg.yaml: | + # ... + # oidcinitcfg.yaml: | + # ... + # samlinitcfg.yaml: | + # ... + # sysinitcfg.yaml: | + # ... + # userinitcfg.yaml: | + # ... + secret: + # NOTE: files defined here have preferrence over the ones defined in the configmap section + enabled: false + data: + # passwordprofileinitcfg.yaml: + # ... + # roleinitcfg.yaml: + # ... + # ldapinitcfg.yaml: + # directory: OpenLDAP + # ... + # oidcinitcfg.yaml: + # Issuer: https://... + # ... + # samlinitcfg.yaml: + # ... + # sysinitcfg.yaml: + # ... 
+ userinitcfg.yaml: + users: + - Fullname: admin + Password: + Role: admin + +enforcer: + # If false, enforcer will not be installed + enabled: true + image: + repository: rancher/mirrored-neuvector-enforcer + tag: 5.2.2-s1 + hash: + updateStrategy: + type: RollingUpdate + priorityClassName: + podLabels: {} + podAnnotations: {} + env: [] + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: neuvector-internal + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + +manager: + # If false, manager will not be installed + enabled: true + image: + repository: rancher/mirrored-neuvector-manager + tag: 5.2.2-s1 + hash: + priorityClassName: + env: + ssl: true + envs: [] + # - name: CUSTOM_PAGE_HEADER_COLOR + # value: "#FFFFFF" + # - name: CUSTOM_PAGE_FOOTER_COLOR + # value: "#FFFFFF" + svc: + type: NodePort # should be set to - ClusterIP + loadBalancerIP: + annotations: + {} + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # OpenShift Route configuration + # Make sure manager env ssl is false for edge termination + route: + enabled: true + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + certificate: + secret: + keyFile: tls.key + pemFile: 
tls.pem + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # kubernetes.io/ingress.class: my-nginx + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1" + # nginx.ingress.kubernetes.io/rewrite-target: / + # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" + # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert + tls: false + secretName: # my-tls-secret + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + affinity: {} + podLabels: {} + podAnnotations: {} + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + +cve: + adapter: + enabled: false + image: + repository: rancher/mirrored-neuvector-registry-adapter + tag: 0.1.1-s1 + hash: + priorityClassName: + resources: + {} + # limits: + # cpu: 400m + # memory: 512Mi + # requests: + # cpu: 100m + # memory: 1024Mi + affinity: {} + podLabels: {} + podAnnotations: {} + env: [] + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + ## TLS cert/key. If absent, TLS cert/key automatically generated will be used. 
+ ## + ## default: (none) + certificate: + secret: + keyFile: tls.key + pemFile: tls.pem + harbor: + protocol: https + secretName: + svc: + type: NodePort # should be set to - ClusterIP + loadBalancerIP: + annotations: + {} + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # OpenShift Route configuration + route: + enabled: true + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # kubernetes.io/ingress.class: my-nginx + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1" + # nginx.ingress.kubernetes.io/rewrite-target: / + # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" + # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert + tls: false + secretName: # my-tls-secret + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: neuvector-internal + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. 
+ updater: + # If false, cve updater will not be installed + enabled: true + secure: false + cacert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + image: + registry: "" + repository: rancher/mirrored-neuvector-updater + tag: latest + hash: + schedule: "0 0 * * *" + priorityClassName: + podLabels: {} + podAnnotations: {} + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + scanner: + enabled: true + replicas: 3 + dockerPath: "" + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + image: + registry: "" + repository: rancher/mirrored-neuvector-scanner + tag: latest + hash: + priorityClassName: + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + affinity: {} + podLabels: {} + podAnnotations: {} + env: [] + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: neuvector-internal + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + +docker: + path: /var/run/docker.sock + +resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + +k3s: + enabled: false + runtimePath: /run/k3s/containerd/containerd.sock + +bottlerocket: + enabled: false + runtimePath: /run/dockershim.sock + +containerd: + enabled: false + path: /var/run/containerd/containerd.sock + +crio: + enabled: false + path: /var/run/crio/crio.sock + +admissionwebhook: + type: ClusterIP + +crdwebhook: + enabled: true + type: ClusterIP diff --git a/index.yaml b/index.yaml index eaa4f5d357..4fd876afb3 100755 --- a/index.yaml +++ b/index.yaml 
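Review bot: `manager.svc.type` and `cve.adapter.svc.type` default to `NodePort` while the inline comment on each says `# should be set to - ClusterIP`; a NodePort exposes the manager UI and the adapter on every node's address out of the box, so the default should be what the comment asks for, `type: ClusterIP`. `cve.updater.secure: false` is also the default, which makes the updater CronJob call the API server with `-k`; `secure: true` works unchanged because `cacert` already points at the mounted service-account CA. Under `controller.secret.data`, `userinitcfg.yaml` is the only entry not commented out and defines an `admin` user with an empty `Password:`; with `secret.enabled: false` it is inert, but anyone who flips `enabled` gets that entry applied as-is, so it should be commented out like its neighbours or carry a comment stating that the password must be set first.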
@@ -3978,6 +3978,37 @@ entries: - assets/longhorn-crd/longhorn-crd-1.0.200.tgz version: 1.0.200 neuvector: + - annotations: + catalog.cattle.io/auto-install: neuvector-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permit-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 2.6.4 + apiVersion: v1 + appVersion: 5.2.2-s1 + created: "2023-10-12T13:49:21.425112114-07:00" + description: Helm feature chart for NeuVector's core services + digest: a3484f025c76a81c813c3ba00e16f4575e1bf5a3f2e0a7feb2b0764d09b624e6 + home: https://neuvector.com + icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 + keywords: + - security + maintainers: + - email: support@neuvector.com + name: becitsthere + name: neuvector + sources: + - https://github.com/neuvector/neuvector + urls: + - assets/neuvector/neuvector-102.0.5+up2.6.4.tgz + version: 102.0.5+up2.6.4 - annotations: catalog.cattle.io/auto-install: neuvector-crd=match catalog.cattle.io/certified: rancher 
@@ -4357,6 +4388,26 @@ entries: - assets/neuvector/neuvector-100.0.0+up2.2.0.tgz version: 100.0.0+up2.2.0 neuvector-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/release-name: neuvector-crd + apiVersion: v1 + appVersion: 5.2.2-s1 + created: "2023-10-12T13:49:21.436125689-07:00" + description: Helm chart for NeuVector's CRD services + digest: eae5161a382be49a6ff44a115845fdc17685d2c78b96931c95a02fe811928e93 + home: https://neuvector.com + icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 + maintainers: + - email: support@neuvector.com + name: becitsthere + name: neuvector-crd + type: application + urls: + - assets/neuvector-crd/neuvector-crd-102.0.5+up2.6.4.tgz + version: 102.0.5+up2.6.4 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" From 58e7bbdda9d18e3e566128d9bd3102f5bceffdc2 Mon Sep 17 00:00:00 2001 From: selvamt94 Date: Thu, 12 Oct 2023 16:35:00 -0700 Subject: [PATCH 06/11] Update release.yaml --- release.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/release.yaml b/release.yaml index ea0a2ee4c1..5715e332fa 100644 --- a/release.yaml +++ b/release.yaml @@ -1,2 +1,6 @@ +neuvector: + - 102.0.5+up2.6.4 +neuvector-crd: + - 102.0.5+up2.6.4 neuvector-monitor: - 102.0.5+up2.6.4 From 7b228f50943c820af183068c701a304ec5d6cce6 Mon Sep 17 00:00:00 2001 From: Lucas Lopes Date: Tue, 17 Oct 2023 16:18:40 -0300 Subject: [PATCH 07/11] make patch for neuvector-monitor 102.0.5-2.6.4 --- .../neuvector-monitor/generated-changes/patch/Chart.yaml.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/neuvector-monitor/generated-changes/patch/Chart.yaml.patch b/packages/neuvector-monitor/generated-changes/patch/Chart.yaml.patch index 70a183fc09..bbd1fe8676 100644 --- a/packages/neuvector-monitor/generated-changes/patch/Chart.yaml.patch 
+++ b/packages/neuvector-monitor/generated-changes/patch/Chart.yaml.patch @@ -7,7 +7,7 @@ + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux -+ catalog.cattle.io/permit-os: linux ++ catalog.cattle.io/permits-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector-monitor From 009bb0c5d543cd9d68b99e1e9a12f5233769fb52 Mon Sep 17 00:00:00 2001 From: Lucas Lopes Date: Tue, 17 Oct 2023 16:19:06 -0300 Subject: [PATCH 08/11] make charts for neuvector-monitor 102.0.5-2.6.4 --- .../neuvector-monitor-102.0.5+up2.6.4.tgz | Bin 7803 -> 7804 bytes .../102.0.5+up2.6.4/Chart.yaml | 2 +- index.yaml | 6 +++--- 3 files changed, 4 insertions(+), 4 deletions(-) 
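Review bot: The rename from `catalog.cattle.io/permit-os` to `catalog.cattle.io/permits-os` fixes the key, but nothing in this repository would have caught the misspelling, because Kubernetes and Helm treat annotations as free-form metadata and an unrecognized `catalog.cattle.io/*` key is accepted silently, so the OS restriction this annotation is meant to express was presumably never evaluated by the catalog (the chart also carries `catalog.cattle.io/os: linux`, which is likely why nothing failed loudly). Consider adding a validation step that checks every `catalog.cattle.io/` annotation key in the generated Chart.yaml files against the set the catalog actually understands, so a typo fails the build rather than shipping. The identical fix is applied to the neuvector package in the later "make patch for neuvector 102.0.5-2.6.4" commit and is not repeated there. Since this is a hand edit to a generated-changes patch, the chart archive and its index.yaml digest are regenerated in the following commit; the reported binary delta of 7803 -> 7804 bytes is consistent with only this one-character change, which is worth confirming against the rebuilt archive before merge.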
diff --git a/assets/neuvector-monitor/neuvector-monitor-102.0.5+up2.6.4.tgz b/assets/neuvector-monitor/neuvector-monitor-102.0.5+up2.6.4.tgz index 52e2ad7f4f862398da86aecd79fb32d7d2da91b5..d59dc8174386eac064e7402b96a9f040eea5e0a6 100644 GIT binary patch delta 7781 zcmV-r9-86%Jp4S6Jb!6(+qjl!KJ!;#=zFJ=8B3;Q$xc+a?|Y8zzMXfoxNLX&Wx7)i zL>@`#kOUh5Wvdha_bDvgNiBA~MyzsKBDRBrv*Q2?A)bOOC~E~YB!aT7{Rw8GJ;QGeC?{r;}g-F@P8db`f{6My7zIP`FPd}aR3AK z7UK7cs?ZxvRkdwC$3tjMfpJ2^0s7&eKX%%k=WVCupnsrFyZb_Z{Gqm`9EC^Ng#pqp zTNxem85a=LHh-ghfP50h7qz7kuz(2OT2PD8De-`}##1&x>9B2=23ylkZ4-mH!cb7^eT0i?_rReTB-L}*2|92c|#NP$~SLOc{`!VousQ?zp|L*S2Zb|<4 zJN>o%zm;bL9l!|3zCe2273XH$U~Qn&3E_xvgwcn+H?LbG$^t9|cxXg?kQENV^)Ul9 z#f;#g4;%@KhJYf>Ie3VKf+8^iBp`@z4IydUSc1Iu6(6%FJI?v2!HhDQoWPYGvdBI1cBR9*|QMj@)Np+|B4y3 zWPh!p>99pY0W8G+0ND}>`?~$KcsvY243LeZh?{S=oc5UE5f1SI=93}C%q!tQ(~o?W zvomZPZJ=YVjkEWgh>Q>fk(g-&;UV}M2@<;+Zes#94zgjIDb|yWa#Cp5F88e4(JxuaeajPEV4G2cu zV^E;)({Mz_n#!ZdpUDp#2ayyPcqF+|bx*?aCK|?)B}bIW!N$NP@NLs6gVCT)(dIag zM!>MtWOeU`J{@jJTVU&ex^V!Z#(&Kgjz~N3HkgLiRnV#-gZwN=IOYTN+eZV;5_2>2 zNG5kzvtT9oQ~6)j|EZYXI-7tW0po2EUCR_$r2n`3{gVFQ-F7-_{eK(JmoHoYg{CAJ zNY+;>T?+mm1Bn)Q0t574TbGxXtYsZuL^$-6bdd57(UJPB4F0xd>b0b}Ab%ksJ2N6= zZ5y?+awSgMI?(V|cGZ5bjZRtf-4qxj9-yyM8HFy|*;XG(a1xJ3 z&j1TRI2~gY`~D358Dn3$u#!C$>}~5;(7mhrLXIKlA^FwCF$ctH0O;STuF*3d5%4{Z zq_N|ZfJh@q**1iur^A`T#(%-v6IqvpW5gqHpS7)5BgArQ14&(sNyv?-q}~ysjgcWJ zk&3W1wVT#kFPGg0oknZ!Wr@yHQ41QdGU2|}zxX`_{jegaQ zQ&Gqd;WUewXnU1&piF_CHC<(g8>Wlzq8xxmi2#s*IDcT+jvT>n|Q13vWwIa}cvoM(ECE7VAAQZVOvh38Rkd=Y_*s5v>scOE9xChE(l@P-{%3 zcEYU2@~-xtRG0uG0*^~IOdv&8l2*JNSz1!W#e9G|DzxLP0X0kk7VhMA4oD>Nv>XPK zSqzeBLyE<6^nb>@LMZD@ZAf7;8K5m4r{GPMs6?9m+}U|nAeBop;97>TbIPizn}3}Atr@%+u+D}y0mD7lrEw_U z>OCmTiCbHqFDs3Q63#lg1Q+VzCab zBRhxEbb!mtt=wzfbgKs9L7nlSI&KR*Mwgd%0UqNrtOCY288p8-3n3|pw?^Mfin(Su zvb_p)d4IVO-bLW1lzv2g;?4$W&p*dAo~r@jbddX+(VN<<*gJZ4c5-<9{?-0rp%T&? 
zPxU6C-pwcilJ$G||Bv1spB^5c$$#~omL#46@+U@vGN4*m9m8l)>St+X*3w;=<_x4+ zAxgMf+A6!fXDRzH*?_sC8@MR{r?=ZH+kc&YcYkgF-Ns`y6Ary*8?ai!r*5N#m>P%1 zh+5S$T-qv>pq~>lsRu8=Kc=czOera2jUShH(6Y``8F-iWCtAuXO3hTgZCfWxB~oN* zHovBImoPkdb-Vqw{J)*2$^S3r zE;I^zLlPt$w_VDB@+1$kpaPO4&^yos#c4birLg3xEg!h7Z`c^NOtj562!rGo`J~#N zTIr;>);uDB(2FPu%c`QN8J0v`n&Xm11%J}~mRdcwsCmVu(oq{b3ESAK!BGsz8 z|2CdgWM|lKUV1*Y4E22>%&Fx>;9B$*ofeg(~PP8t(KUbkSGzXMaqE z8NQUl+t^J~rM8>v3bHEyA0O@=yg6(K-Z!JMMe(0%{(rCA+gbDfZ9E&fV>;>_kIEpj zEcLnOEYA--XY;2AdfJw?v0+jGVy5hA%Q~F^8d2Y;=d!Ah@&x&W3$Bx&lFIURgc%M% z0OLtkVFr~3!eky2mhSwUb1If~lz%ivU(rE!E=hgURllOQQ~ylXXE@?-X(5s=Tx;^DM1i$UAJKe*;81p?^`K7h#UL z%3_nlmYPZj>61!hSMw;V4mp!oBXyu)(~O_bDo;;g)OS+e!jQeCO;llq$n=a=jl!wx zRp4<=cLI-PZ_4x$#byO*E}Qg%|VMcI*G?);6fH9X?U_qLci+B zhCb(!9{p%#XFtB8PpU=@B!7uQkdPc<&d(|H=0cM1OEQ5qFaH}yQA@%Sz_-!?i|oIh z-cI@a*LG)jE&p%h+1S`X$8p#?C4pj30j?6BzY;N_u|WGYkX%JLSXL$nJ@Cm?N^6W< z8bm$_Kr9YhLiUmzxkQ}$vFc34W-{3sG3o;6TO;CwIrF7rvu0?OF@GETAuv27zUs)u zVJMY|OM@W^!P7lTGFJ>EWej?aXTZ>IZk!QeaE^VyolFdI2ssgC3P{>=x|iG(vZm=A zq>VYEENHK+648;C_W}M4h{p`j@!`oS+B7?Hlw_tNcGN z&FpGp%;o=1x7+WR{C~f$)9bF!f8NUT#X`u=MM3QW`l4JTTbgS20R5H(PtuT#J&cJj zUWN7mbvCoNlB4ut=(G=0BAqCEP^ht)FOP{Qi%s%mwp)Lh>s_;gtq&;X-cN{E^Om?Y z+^0TevR^hH;-}6g>UKJtsN3&vqRz7%0Jb_kF+lcSE;#(3Xn)TKCV0M{-c>43P8|f1 zsBoOZq*U~BFPz!ts9&K_;IYK?Zyz`7@nm?e9ujEz_Q_>6m_eTDsw2g$oXz{bR^f$I1WS z3a0?Gu4x2e%cCwYdL~)>t)v5K&~kL*WB0T40K*Xctbd#2{t5{jZ*y5m!G@VTAyeR6 z`_A^xPdoqb;D4U)*Yy1_B7TmCS$B2UBRu;({5|}~mPe-l%#%Vu6?fYKW}iKJ9#)AV z^5ZcHO?XOHebMf;`)MDxAVM*KouU7TQ7?7{daVdMt7(W*uA&~tjIuO2XYNN0Ip+#1 zlThc%w14+p?AiDVyexEFBip_dvXxSFi3tNfp}xoSsZWkCViSR?_QabN^WRa8VxDfG%X$yRQ4fs&G+u+%C= zV^|V9j3M-XN(cY)MI-j|ve*rS(JO_KoPPjJnEzu{jUAdvqGNp?0qxT`6jd$81^yni zmT!ev|Jx^PTXb!abqrMQ0)j`5WcSh>frqkFj}{zl2pr!6~$0B zl~js)g$zvLk&j&nOnAQ}TU4bXW_vyvho+8GD)tyYKM^y%#y$xvs%J!e|6PP#B4#zs z#|(Q?el-X`RcAsx_=(kEDkau>41Y=DNH=%t%ctb8ii|>4rL89RO0Gym{Z!P-mzb5I zm2ZC~p4w*Wl*&}X{t5X@PPJcF(JuDkfN;UcFg8O}rkfDE8G0_vd_vDt4P}Qgg$k@Z 
z!l9J!yn)2H!0u-fj_W`fGa5&l{VQk<@~b%)$jqooh^R79(it6%noXtVV1NJJ8c|~g z5Uy%Pm8;JifPpu!`{&LzO|%G@3!zY7zp0_NQ!>;#-IAqNcrkDLvNz9EtF^{bsZnnS z6-mZi^`A&6l_yZB5amVakP0c(3l$_MzD|ZrZyYWoGLuyWsM0;b*cYVKue6>AQc-cY zs)HY-&Eyf0DKuC9U)iP#@PEbAaC(*{8lAaO{0t3e=&4!CXTM)1l<>{WDFa2tp2Fd{ zn%i-ONJ5rjwSV*r`i0{$)NK2b0L(lewz;+5{4F>CzBOLwnhNjkcb2ys^jvqvki>08 zBy{r6IwtWD^y_jl3G4-g%gLO15RwwV-Iut;^`a4KUT80wXiZ|&BYy}*NE?WRF^zfa z*!$rBi`}@2>@+FARDAnnJP|Fbt(~eIS9IXPMU5n{(Gv*S-Gw90!1w9-{IR-AjkUdS ztS0T38*2L+x?js_Yfj}`wP=zlIkgl1KJ1+Z=E#H0bt~rrG*~3})gW1?x;+v*BuxTH zUD`*zMUwN}O}g9TG=EFhDF6>dx2=8o>!uepXwJ@yn^T=b?0z0I8i(H6pFJ?pluNhtNIXed25oAcX_(|-v31K&ViQB88eNH|_X zQCdwfYjX;!B$FsSdpLWGgKEGhr_XGkj^`%}M2tqj1gQX11t>SNCd9U0_IbvJQ!zJ| zFl7p3xf){x4(QWE+J{v?h2M}BlreYwM3Ce)!`IE zflj3ayzc7cz zYpfgq7bMiox*BS%^4pw=O4H0p`-Ss&d$BA2yyS|%D1W))9 zipnaQD_f56*x;tlJ8JS|wd>5P{xOe(X1|zEvWrP-jW=20XTTm*-9wc;_Hs7gs#A$& z)oGw2tu#r=dCR@X!R9WbzF!)X5o4bEiLi`0%0i=1uG10R8;)ASh)h=Ay0LqE}AB&$Um zQ%DAOxkxJo0{k-JMM4MJ@LnVRg)UdKT^v^&v zl`AuvHPu-l)4ArcN?Tco?n+XN z{XU5l_2w-@r+y9eV7tu=)alnRPj}whY=1W_Ocg?(j;p7Rvg-hM<}Ty&hBbUKX8}7^ z1g6W^sUpevHN|ruS((Dn_S|JF1@}a!JpNLuGlATmr;}BP+BGXN$+xRCudH-o-RiV!p{yt$(I( zx22~R$kj#sS<5r%X>LpSS<$zw7s%*ofG?iSi`CVmrfSV3M`Kh#)ItwA#pVGYLiS-) z>0x~cd3^|ZeFzyn&@`@VA3`3^1n|2)e%ug0?##`CULQYxP{~v`a{M@efU;Tf1oHQB z{`ifW`J+FAd~IXvE{uyS=&cpgYJYQ0Z(tu(+x{DScexY#GZ|0rHiM^L^IjowXE}|0 zbL;r>F4yr5c%-<|S_8v_%f)J5Qmg!S34#crYi&;ngTgxQ^D4&VU ziL3@g>jo^U%?dyTd$cGdBLb(13L|juGwA2rg%w{pH495x;vt)b#Swdg z3P0N=m4P<$Oboo)$g5=BeWSgvY+I8WP{s7 z%qjsb^%GXFAsmb1&o`;}P=8nb#vCA(Tjdm9{L4f^3kBaWe$wey;Fu84gYZQAfaTfi z=t}M$-l{UU@pN4EeA1&f)e`Aw9R`t#0@wVqnhA85N&;N!NNq3;V#tX%e1nN`IC!cLL&S?#M!= zu7b~!(BeX_nSNiT0S2K5OnDgg$fr3$r~?P@3emr;Fv2d>F`9}cS4QCiq6oa#B&<&8 zK3O442cMFkhIuGA-z^tls!vK&fFHxSvYlGsCKQ))pEjMt} z{y<^a>P35~CZ3E+WLaP9F3wEfHRs&O-o+gpDZj1lk~Omlis2hSF4{S;D8*dMEQI^|*d!L&%0WK$O#OQh}F8AE>R@`GanDL;mP76qw zoGR#lhnJ_-s`Fcn(cRR=FAJ|BDqj#+JNP{?jjtDgTXmRw6o1D&hKO>h;b&W~0z8HR zI>puXYNqUUgmJ+r3t6Ok%IHDdA9&^F>ljYcz_%ZAy=%UH(7D@>kF(dT*);GShF7mC 
zmzOX~uM?;1m*RB0%f{)pzoR%^1qBZ%B3BIW5NRVeMcbs8@j%k4?^T3tA&T?Svj>Fa zzV@R_IPZe*jwZ;YJbv4tIeuj>RKdcDydrtb%^D> z)lbe?+k%>RcA;5B+|N13(P-bI#7ky$maul7a_oN24DC4iFZq(~LP>V=+wKSX7D2v6 zzQjbCKPI!0aw*eRzb)*oljE$N+~-a=_ods*f5`%l_O6$Q%Ulys#Q$GZDGK|S(|xm$ ziJ*B4@qc?zvQWJ@(mkA>NegdCG4mY9(Nt|uQwmYC#6Ac3d?K(u`)ym7)|31Agb+{F z3|j#WiJ)xj<E`oc0U{{Gb-Y?S6mP>Fz#pI{ls9 z{uAVUi@_H?F&CIUajrd9d2$crNmqMdZ5Rqbu1(tAkM)I{+-jjIW<>f-17wn1SX;UC zZI*7cSqPZ~0ClaMA*!v+5Nah&ZB>=Kj3^n9^@&uUsL-cWumhyGTP=jt?bZWyn6yy7 zH9EqR;T;oyxBz+uIt`S-V>F^HZQTeO6hS*x-8VzFkzI?0TxA`Hf?&V61oiOmpB}$H z`{m^D`0d`C!@?Y}C!Lw{L~_?q{lbAs7rJp4^>y>pFs1t$%nfK(U>@zAoc#Lk_+T|K rk1*%wlzGd5nX9`9%)4f}^|OA~&-%F+&;JGh0RR687jfX#0P+9;foeSv delta 7780 zcmV-q9-HC(Jo`M5Jb(Ff+qTwde&%0+kM8}NeAkjCS&|b?d*5?xx6Qj*Jhq#@+&1Gt z&JGp{k+*~w9pTz-R!)OAHT0`DM#TUc3^cgef(zH zws06GUwh3?v(w;h%LVQ*5(@S97w~*E0xTj1$dS?mjejW1(0~CJabQ#80JkPo&SoM+ z$Ol_nIV4)dk$uKxc!~vPywe;LF^Pr|2j#{thxo@ zG-3{@K7V7FHK+={q<;FzO3>YIb(*ba@1Ieq5q~HAUzYz<>_x!8rUF-4*Mm>|kx6lL_I7aD>r^-8ZirBg%X%1h{BKJdhRk!SOHy zG{ubIp$8lZiiUtf%sIG-1cD+l0VKc=JuHAXEq`n5(INJX#t|OKPY7wzZ2&rgG2w#E z2FSK8izVM&>U;*)B-End5777DTT(=dLq?{=gE0)y2zwkX3(h5P1CxDkpjRXPeiOy- z(HZeP6i^|7B>@-M^T4$bfQ!y_Eveat6AikVx$fuRWa#v2ff zI7gsB-=o2Zj5U>qp*NEsIQBy+F7QZlqw1an<4rV-BukDclY@QPQwF0!m8Q*b z91VeCsmZF|4Lv&ClE%Q+K6N4=0)LI0EgX`j?`|*+t)rk-L;BfSkYLOQ==YBXm?h?B z<`GZsu4cgs@F()Wtp5`+y>&VPF9gP$BD|I1}!hgp8+hbXm1Y^WQaGo`-S0ltSY6D4Kj7h+atEAo$p^cFt zD3OY=G`A%12HH8um9_E+CZhzOabbefxK3?_rI7CNw5RXX1O`7YzpfcL6I|$Cnnu6s z#tE#sw<`k}G7^Xpvj4#w|KN6^H$CnulvejSM}e88l`LaiKDn%Fd4CP9=vqoJ&s}0w z&#s+N7T@}_aoEv?v{yas0J8sSBm2}|m8Vi@v}t~77Wp(b$1AB$8~1Ujq0*?Yn9P=a zr4DjyZO>n?yB4$lhX|2Cci>&D({v*;oV#a^BUKFH3-s)JGSow#kZfU3e*- z9OEx3XvC)rHU57_sXZ+d|O61Wfu)Xj*b%S$W4(=>&y z`6ri{y|5%wej*<5=FcFIomAjkrRq|$$0MNp5cAi69{G$kR>JiA31L)m{k(8kBcv4~U z2Zw>iJP8~xasfS6)*Je+d15Bfe2F<6VlhFssjmcv{R}nH1>zIj>GgT!$H>pG>`G|U z&%))6S5J%W456!-?qTG4#|liIf>bO?fomAT&M2$8ZhtcJw_@;oz&ah;1Ppf_hem;T zt2d!ACr)K~wyZE7iajf}-BpBtdHf=^+9L#iC9ubqKeFRb&D`#pox+f|j~i3)^Tj%} 
zj_eFdlL0O-w=%DF)2#}K2UW&{>bNQJ7+qf4Ie3iAunHJoWzg*EEQBN{-fDd>Ddy_o zNcSqx<$vWuco%`2Q2HVDh%+0YUGEIfc%}vf(?RBIN^fefV)yXX>G8qQ`&WAhxk^ZH zJXM>3dN(5vNZRkg|37?pbaHTXD*sh?T99}O$e$SXi-2ljbp)e9p`WFdSwnYWnlq4Q zg(%=^X{+q^o~7)+cmw8&Zs4N)pYBe#X#cgl>wo;8TX~FT!hu_F1C~qp)Ty-)6XVbr zQL9>pOIw8!^fMwR)!=3K$5i!_DJ5mB@#C@%TH1Lc1MkxQL`zvkiJ7XmZL4IdM2aj; z=U2DxvSxm(7d_2b0OcO-*O}V(GlR6kW^o-%g^|kGmvs&D8%P_nQmR{7@tn7Q1!iLq zhkwPYA)|si)El6ay~C0bzohAT4`ujuo>k<(sj;#eShWAwZ585wolb8p|8M81^Z)a? z3$?=DkOT?FO@}g|JWhnnsem{M^bRyZej1NODJ;2a%Lgv28`g#`V{P*l!XVj2J}!5s zRyyvjF^>o!a6?LhqN>Pih9wb~>Hkaw?^gQo9(H5ywK|0(DHcRSlVYyQ8DXCre?M;+u*8AO() zK35#(`JQKN{^UeY)3P=;ObS56ls#=(Clf#;>Us1`Ruxj7Adhgtb@EeOS-uW2!#)UL zJkBaiq0&H@%tOMGoquyq#j+0L#((Gn?WYHm)HhxA0==aIxYdXsbb%U;if{2J>r)(L z|0Elyu*AD6DA^vkK%c5NLO!7j>k|d}AH6$xlTQM?K%WBQsVe!+AX$5t^T>zf*px;9 z;RvfJa(Yz3Bu;B=#%HfK5vTFGAgp(aIC4~8TAF#5RL|udHqpNULY>g4(0_|CM_gsG z$zcmkrGxZIrLn7d6jg_u$*Yk%P_Svn&t{b;r!cBJDQ;oN-jXJ&Fhyi?$f`o&RP`$G zxS~6O$FetN`iOk9oHUnBf91f`@PZ%f5NdT_yQIff07%5}WYdiynb~59P2!k{1dChoYh(o}MAX7lnmeajtrjRyG<{)j% z5oLaJWtE5ywY>N7XFxn+fQ}B1Ptfk+t3*7Hj7rgbDkW@2FcTgh7HZz0k6Pycd1+=> z8)Gj2w>zC)ui*c6T7TX4`uyjuJYOt?>`WBY9-uGEHL|6tW)INsaquJw$=Jh)c;Z!H z4^VqEeJeRipN3BQFeTE7vIn^uo7wV+xU$$JPo}%|mzmx*E7C-ux5`4cd+*XFgq5Q zi8nM56MKLZ>~aOd$qA*NAYt;-Bf;ksSX&DIxAZJKEjz>kcswDN7(aC+F`po6$RWXi zJ!Zr`q&(l{M1L(orWXm}cINweJR$R4E=;S`w;Fo;dGeixd9F||%?$(+$RAuXMO@50 z`0)>0z`1B(kBozX1AzechyAZV0)*t>fBl|n&)0NJKRzv7aj?P-2hV;OGSzYX|M%P} zz_e=`LeOxj!}Fd=+I}nUKpM0h9eddMEIq&=059z(zJI_%!p56iR#LEG=1j;G_|{%) zyZ=-F|LyLEKNe4 zE7RU{zJF)qEAXPwag1#HlFL>~&?P1e_=I{c&!#?I7UWYHl3>g;B3?gV3K>w9Jdo)| zIFk45Ao9GNST_|I@W?Al%@lPK*>ZKZcI{I6W#P?bvHJw`JOqbeFW*JBc|p*o_^HJq z9xC${3Uji#fUu0TGTJh$WDmWl*pI59d~ADwB!BLTbIpDKSi6i-ptO%2&;Y8{1vTgH zvp4TKA+xUDR3w)?H?($l+PWF0~y)kQ~@t1)^DX_Ryp(IoI zXT${=&EjGl37RdYjKmUD7EdT6e@lNLOVu_5H*(-zB}do}_M9?l*goLEuBAnNrc{oY zH-CzBc+1XS6i{4Q!#rP#?{YI-U1BOTCqIweG;0mLMWPVR6^E!q+i@bGF{V5sz%NLE<%gcN>3`VaMMlu30W`F*VWi@tSCW(&pc?7gaqd=6k7#H|k&|)q) z#K+3^++M4bbR|TPwP2DY}rlkJ^*lCx6_L 
zObsqNr0yg3<3j9#5YTWu%sFxD3B-xGpnka{d`|eD3aEqoA7HdrBY)Z4sV<+Aze_R-m6f)d*ekgrA@vebD_>$(gjT-& zjks!?sa+^j3H!(7Z#mUoQAIo0gMGpUBg4oHQJQW{>}Ke>F!KpLOEi=nz!XZb@(>47 zzVjLq;{rRMNiePgWz1+4YW6Ro)z7ZxTp&}UCMKfNKyhbuG^#h1>Vy4vYkx$I89=bA z6;-T0ZvY1FyzZa3u4$r$z#IsK`ubH3wSK`+Yj+BkTJFWX?aS^wQ?1e(OQc4%9h4^- zbJc$=p;Vqgu0ogOw#Y{B~dB64#4HsCl8?c%l`FQI8-LA%ATk5=1oOjU)Gi z_cOb371^#+eu?<@$ao?eR9ib`Ij-oyh4TtYUZE!tvO5b$oPp=jv-x9nmKtk&;aGLr zFEiBkHFUq0)7G5Iw`$SEQ)*RC_}j2|7MLRsGS{t`3s7T`+*gBSo$B^T?2sf0AaQ9Q z^%hCSb2sU3kJBt!r+)xE5Z$)+<*%DwP@_59FK$kC4zcrj%xDz2YlnWJBF!1p-+(4{ z33q4^fFr;?_!bh#_cIelg#%xunYw_3HpKY#EISdp2Y_v+|#uBDX zZj3DP&KXIsZX-Q;d8Hv0h0GbH(rz7*b8z>TkHy6#t=e6|(yayGpsJE6vZy+kLLktI zlz`V=os8U=Gk;=kf4*v#wfuAgETPWo-yBa|9V1_To!=9aSyjE(ceVnrF&BtS8GHlF zpak$dthiXf3Grc<53uX6EC6B$F&9~}QVp(|_ zC{HVOQgYsMFLJQC!>H#K#;%`FoC=qZi4M$H&7S!91}?@{6Y|v5MG+ zx`?OK?SE~eURVFMnlGLeodR8JduJ21J1;g-wWjUg={zq!aC$=3V&^3js_mtNu~^ zLcSye4s4nNSMHtTfCw!ON<5VFz-q1(G9FE}w|`T6=%{+drT(p0@VcFSE}b1*!~MEQ8`8@`nZYJwb7e*-{avxj%8V#cGunczzUx5ReGUpi~}jX>N?6(DV(dHmwXv((~@ndBv6$aR#u1p8Hl=a zWk&P5QsUN@C}MPK$NiHI>xz{^IoS5G!YPw}Ua~D0_q;e%mLsoqOfwGI^pI0*9`GS#4@RXP z)`yVShmhBYkkJE88{C`Xk8KHn#4i4ynb=1GLTp)nrnaGUD zsxh=~z@pkL0hF^x^FlHta1yI90{1?He!g8;@|6>_u%IO#vRP{?lX?$T)qiiy0aCeDt=x;BO%ya&@D<}H?M?}f32|Krj_8QxsaSGp6fPhP!F^4F@`Ub_ z6|!{jDgJ4ghjR1Xasj65q%;Ni5sXXQsTDsWQ*|F+g?Vf936_p^WzK9~^=lSBjTf2( zE}0THN{@73mK2IQiGP~{aE{MOfeVvkcKOW18sSoQH_|a@_v!KxFrWMzW=ek# z{{%-2p7(ooB$B-gG{4ex{1WqWB4`HSg+@d*Ed4rIbQb5;p(v5pth^5KQN^5et~3K4 zOsMj1Pi`)EFf)G;?@?{4<-RX8vTrk-YJPIvJ&hB%a&;f;seiNB(>gZ4Q2n-awB`!O ztYRu(adP#vv3avg|L`N}8Qz~WNM#UqfoL$b>I6g`T&CF)*TSI%B11nFm(eXZaNYhu zZrJigd#ECwj0$8~UF$B+Oy4!<+{oU=9ULjYt?iOEyVec7a1#jK7~kF*6WyZavG4%& zcKHDGs`5-*$&&~h5`XxM^xZ;Guy`i7-7R&l@4D{Ki)?)hhjLdxGJB6ARSVOoR@+Z2 zN{HLv?78+$)HOkm2eu^HjkgE7D9i1@z0b^=0GAUsVsyO~mw9e^EABBI%y`gOr}-p^ zPZjjO!OPPs)%h*P=x*xbmxb356)%XZ9Q+=b#@7qLtvbv-ihpAsK}fmO@UyK~J|4pW zo#66%)l>F5!nk0Rg)CA&W%MBK54>{obquF&;M)(m-Zfu8=-lnc$JuMvtQ+_a!>iYn 
z%S#xg*NM~h3URufW#e?)-%y;cgn|bYk;{j7h_n&wqHWU4cp&N2_bS4+5XIT(*#koI zauKs57!xko41X#AgQG$OZ5=ktJohJTwoYGPK7IXp3690->)X9lKd#f)(K>xSE?K9q zSLx1T`uan;IpMbQ*K6)mSf{Y()5c$PTXj^TZ<5I`^9?1hzv#B_Y4W;dno7czG$}!9 z_cU5;?o7bPsR-QO(XZp{wOq_T>zV>*_IPZe*jr>TYJbv4tIeuj>RKdYDydrtb%^Dx z(TmSm+k%>RcCJ}SoX;7@(P-bi#EWNi8nbqma_nBl3~jfvU$Q0Jxsvqcx83uzE&ObY zY>A07e~f1%_n3mZoZZnox+6CH5J>=VO8O*>Bsrw4U6@CxB?G zX4vp)Km=u5e?`F6;xuR2_rAs$tyZhm?{?MyR;yL~-`?(TKWTS+?M`c_)9tsPwA#IX zzyAcazQ*8-o`?&~p0ut#R&jC<I?`JB%n9koJjGpD5R-RImf2w_7cQ)a}*-bP%^t zzBM|;Vqzhr?!GhkEvZ}`<9gfkW+3o52YLxQ4V1uRG@>kNT?-oIK|4|1*F(0EUW@!sAOH65Xn!>@4>9Lwl)1}*nW>Xs9u){dl`G`{@&EwFCqhF2 diff --git a/charts/neuvector-monitor/102.0.5+up2.6.4/Chart.yaml b/charts/neuvector-monitor/102.0.5+up2.6.4/Chart.yaml index 3e6290a7a7..da76059edf 100644 --- a/charts/neuvector-monitor/102.0.5+up2.6.4/Chart.yaml +++ b/charts/neuvector-monitor/102.0.5+up2.6.4/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0' catalog.cattle.io/namespace: cattle-neuvector-system catalog.cattle.io/os: linux - catalog.cattle.io/permit-os: linux + catalog.cattle.io/permits-os: linux catalog.cattle.io/provides-gvr: neuvector.com/v1 catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' catalog.cattle.io/release-name: neuvector-monitor diff --git a/index.yaml b/index.yaml index 4fd876afb3..d784ea327f 100755 --- a/index.yaml +++ b/index.yaml @@ -4655,7 +4655,7 @@ entries: catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0' catalog.cattle.io/namespace: cattle-neuvector-system catalog.cattle.io/os: linux - catalog.cattle.io/permit-os: linux + catalog.cattle.io/permits-os: linux catalog.cattle.io/provides-gvr: neuvector.com/v1 catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' catalog.cattle.io/release-name: neuvector-monitor 
@@ -4663,9 +4663,9 @@ entries: catalog.cattle.io/upstream-version: 2.6.4 apiVersion: v1 appVersion: 5.2.2-s1 - created: "2023-10-12T15:37:37.954541908-07:00" + created: "2023-10-17T16:18:47.574539-03:00" description: Helm feature chart for NeuVector monitor services - digest: 766d65d2d65ec7a6da04e5271d544d69803c8ab501de4be3407d25dd6c36c80a + digest: 984e7cf3fdfb0caf23f27e0d0495da0fd07f7d004d579ddf8f3635722aed1cc8 home: https://neuvector.com icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 keywords: From 05a389b78eaf138e6fcf661568b167e3e078a603 Mon Sep 17 00:00:00 2001 From: Lucas Lopes Date: Tue, 17 Oct 2023 16:22:32 -0300 Subject: [PATCH 09/11] make patch for neuvector 102.0.5-2.6.4 --- packages/neuvector/generated-changes/patch/Chart.yaml.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/neuvector/generated-changes/patch/Chart.yaml.patch b/packages/neuvector/generated-changes/patch/Chart.yaml.patch index 2d497c299f..e63864c367 100644 --- a/packages/neuvector/generated-changes/patch/Chart.yaml.patch +++ b/packages/neuvector/generated-changes/patch/Chart.yaml.patch @@ -8,7 +8,7 @@ + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux -+ catalog.cattle.io/permit-os: linux ++ catalog.cattle.io/permits-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector From ca2581eab786415642a36f45c7f95608c5f9b484 Mon Sep 17 00:00:00 2001 From: Lucas Lopes Date: Tue, 17 Oct 2023 16:23:02 -0300 Subject: [PATCH 10/11] make charts for neuvector 102.0.5-2.6.4 --- .../neuvector/neuvector-102.0.5+up2.6.4.tgz | Bin 21641 -> 21640 bytes charts/neuvector/102.0.5+up2.6.4/Chart.yaml | 2 +- index.yaml | 6 +++--- 3 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/assets/neuvector/neuvector-102.0.5+up2.6.4.tgz b/assets/neuvector/neuvector-102.0.5+up2.6.4.tgz index 24e5ff5c22ef14a571d255c50c51f5486d14201d..7d406c3a273de38522f69aa5328d462135ed9b2e 100644 GIT binary patch delta 13802 zcmVwhh5+;lz>TyCsXR#z^ zoFX{M@Y(MicMe-H#_!CV>0S%Qar);`XTP)WvAtG+m``!c<=fv-H~~Whc|sBJ1+xJ| zLbE}C%79NO0u0e9fA$e;jfv>QnDdzRy4@V@TG$sL%{MrO98$L58DTz71_?vdClN;x zmxNBbdw)APKG{Dx`hVF^`@6gU_w=X3)-9TSBs5^XmIoN}6N>q)HGw$d5J!m0_h6ov_6cOd}k`TxPe?p}%iA08fU`Tr)KC*UO-!X)HCjlW!z*+g$W0XJjJ z0A>J!f1JL4P2V7Ku^Bf5v#odteAdhFUF(MwoFr>w$pyw}^HyX%RH(wder)J-}&#z!N~xp9!X- zaYBt`0WjfX6mjfJIo8q) zurW!(00erxIMMhE3H>XI5QQ9_A<7l8S}k4h9Sm`R`K*s9CP5Dz93Qn>IO2##s?(|o z@NtYHAmp|;fe{=bDh6E(eoYZEil!#eBHkAxD*BEn*A-QV^4(FSKt4shz$85bvDFex zo02e8e;}TKi=nE#1F|pRBMw6l5iX`!ieAfVPxc-FTeAV5|7roixFFGJrtnkp?}~&W zjz(|e0CI&SwcnVrnZQri2^Di@FMIPgf>Ve?(QFUwwgA8rIMP)piV4G(Qe+58*8BL^I9VEdBan(HY$0$fbL@xz} zTL8oq6Cu~mLdaP9k_4~d0ELDsF$qpfq(afO2mbjlLB`<_N0@7($-*3;=3a`1&=66I zf|m)!(db$sf}_#JC?e_W^H0c6q%xqZ0pNj;2#>~G$h+P2t!hWNaf9fjXMF-76zE^0 ze^8Pz|4EDs_s8d-Vu~0uT5bOEz%82f0F2|(Cjdw+))ApSa1l8^D<)Znso=WC)r(1x zE6zzwLNc2DE|6#ot(Hbea79eIW5VR}5WIntP@tj)MGi$o0+jEz94oO>ZqaP7r?A`0 zUhV5w`(hkp%%;9I_2sYfA`w;J#3;HJf7}^dk%S|$`i6LvC~S0@vus6b{fL3zZf^S5 zfJEVJ2QUIqFcMs!PH?1Hr&zVRFbecyOR`1g;26NJ-;*MRk10t;WBplB%+%+hH8M{u z{?r3sviAUZ;`#af*NaPVc7Anp@yo^8>CL%(TPk*b`Ld>v56?ExN`M&GBse?We?)_F zeN@5jUtPRAy*UTJpZ}v8wxf{df{c-dk~S|zG*^$!9Cl0=^a%?>jm|=dC-w*E`-rjE zB*>Po2d)qd{-Btn*D#tX@x%#*BP6+{D(Ax(`kK$d|0ERsf{G5^`%u00p?C?NfJwrn3Lr3NaDwdKn3g&%0EQ^gY*b-3e}Q7Zo3cWi z8Hy?VOIjSfmL2p7`co#X zjgBbE0{OTH+TAvI0;DE}#dcZfg98NGT^Qr`4j3dHOoTWE5kdiIQ}j_xaF0VeLcDEp z`xI`${$rkKgriR#jZr5rf20P`zeQ2t#guU3lduQclJU2#`cHtnZXTl^=%#f9^DfY^ zxRl)Ds+quApU5f*t;!iNM{wmuS3!7Hi?7C(^rUf>^2Ip0ncqkGry>Vj&Y4 zSB`A}Im{%7Sm7TD4Pr`$I7B$Y+#imlfj*mhPXOq2I_V#jG%OefFm6fA-et3AlW7bKa9CX$Ar`#1RU>7*PbqaEemY|; zl`D*}vsh_-Qw}M)1$jvTDpZfE6cfF#8Ob|0Si+M!JMe=FLq*D0zcDxFiAU z6FEfsEKuoxfD_<>Gv&!~p@cw4VDK{xVdRTfWn;e{duzud?VA}BSBI#b0phT*aAiSH 
zG~f+%3tqNx+JdOD^Aln+plcvWo^6MTdqcXkp}yas%_TV;LqP$t*xotcB;`p!o8b159R~gr1hJYwP0}a};96JteC>3Zs$e$6iPNuiXermC2^QmZGF* zDu-lLe_}Qy3TJ9*M}fzQhoV4?reqPoGxS&em4`wxXF$^rFcc0whDTyIAZE{;O{I{N zGmnSNQ!gKg29qAwr~2T0{cz1E%`}Nl*;^(y6}hD$M@IY1fH9;2lB8B*tJU(Sa;0ib zsB+C&>Oy0M!T1(=8n~`4b%$LsZ;kGdX%7|pe?w`Ib0X9pXxC8Z$Lwg&jCFamUE`gv zy|=r6sH+#oygcd^<8JQ^T(iJ64|4r2%>~D7Sav>0U{Ao!t82L$ySHf80Yc4$1BN2L zlluZ-!pQ`3?87jefsyux3X~E$kji<`(J&2Y?H|Dw%9`8V=x&Y^zieK@zVavsrvgfOne=1Gq zaaPF*a1f8Q6;w$Hsh+5OM-dS3VP&CU6BhkxR0YGcm*|NVoL z{lfjv!;`&}?fuV9JfA;%VjnCdR_C3%0jv+rI+|mY-kVLH`To~mtzRga0FrQq10`m( zINp(eq*uJb+pAXqvtDb=dED!EKYy+SE;j4}vcM083<)H~-ocblFOZ5tf4?H`XlO7K z%sj%;NPJ{ceotT&uwF~|TJvKD+Q!P(E+NFGen;?1(GCEYZ(g3i@4vaa`RTi7V&mcS z5R4E9o|gt00HRk{>LPyUGJX5kU%(^a-;6|pxBt}s++i{DJJM(LpS%C+L>hy?+UX5= zOD)i^ypL#*;O7RBi+%wOe*uIog$(9sBJp4x@`QC@5QuR=@}2(UueN9z`D2oL3w@{Y z=zW(`CO2dmg;Pm0kHlxM-d^9FUzIzzG>v`JbVJ(adzj(V`|e^bt&OlyH3oTTEvgCb;P9Yt`u6i<3;YmGxB_|#8g z%Lx53>VX$sxoo;Ge_H3CVxcAoHX{}|AVVeUW!$KiF6U{FTF}mdNXQ$_z{|eN_yrvm za7u86lwXRHZ>ES+p+|fXTb0NM#|QE!o?IuxA^rr~UIt98W${~Kct#QAf}5H)hDjLC zz@G^WWiTQD<5=R}Y5jo|bXlH@Hbg%d7$6@e3;{+a2>hO!e->4bhZuzc1CS!M z?|arRKvV55e=^gme&=SOHMC;M=%7AgSmp5QxuQzRXa==IEX%bkJ7m*a{nn9~z!zza z6%x1oLmRZ;x0hH`uL!wKVr{9aMN=E(JE5$R!TU}c^~4luTQ61Vmykp8<(aAk+S9!@ zXkW{3ZP3XS2@U;uClEF4IV1>dLwh!c>~}QFz3beff7x?c2>=VFp8$>m^r=)dKas?G z%3`S`$OR`~;0xg7np439zJS5;A&PwG+`&Twp**(j;-{(!Xa+*XnR%}fd2fu}PQIWb z-k2y~&ImOQl)CMu0OVFbRf9+&=?S{FTSKQub}lEJ~|=zqJ%$47bnZ+~z9 zU>pBye!!^}W(W(dBfo#j4F;ONa0=K{kZUlBLZQ zbO^tWst1fNRfcW~j1k2gjtV7omqa0(`6_KsL7Ea1HOuZR1^ z_$nFy*9hBr%4BsZpuE?l|l#iuoi-|p)5X}S`tloiCN7I zg~My<0VI#9J@+>w^T}jFqRTwT?pR05K_q<>BrMNeBoE$poLZD734V*AWhO4*x$qIXWot|Kp?m{Vo6Bf5cPZ|8xMet?GBgKNOpD`*1KjcYDUrWQyn+ znZ%GH(3SzY_r2XVc*c?e;}q-xZx3|NUKQ4<^0ShrUojfYHKe8ece}zis zlRERzB2TUFD-zbL_yZgTI2w5>Qs#ZC>@*2g6m1yeUxg^p;zauKAxfBkGA=!D}yn>8)1+ zemlv(_DTL=_B!{-%~KL=f2aG`KHaAnef(Bty6o#$G^JOx7%VbP?%!}=Cdu+MqPBN; zH!bGCv!diSon+ga9P50V*?(3$2A*gCIXpNn*nf6+xAvdSJXQ9eXZB^wybsPr*|* 
z8~XItm*pG3R+CCmJ&0pgCxg)^jw10>lo}uo9Wwc4I$LWQX#O(gqqwswy803Gv1_2L z_~TlH+X2Z1isT<~e-eTY_#)#SL>wFz_?)?tmId#%SgO^O`L5cT;OGj$V0Mjs5(TUW zj(1yjbYH9KGAL85fK>4w>;!Uu{K}&IoU5@dkdBB3U`+(^ggIFAp{Zx?2+9z*HG`DK z)-6`B1}D;l__0_f)vL@4JOqR~sj6=47DM-0CDII+b%pYAe}A*v%LymH>f9PaIUV{w+%;T^wQVnfSP$KLZ^3VGV3!ey#e;+&;xE&4fAu(;=-Jj9F!8kO8DCm4WqdzYqEd%|6?i)dtFjUJmLfVW{F3S;JBMlJQ2*aZR}r%mUpn#h=eA zl|$24kf8>~JWLAi;u-mK+p^2DFG0DGqkyd&R>PgMe;ahQ)SybK=V>r+$EeQLCroC7 zyarhr!bxb7?y*vr*RnJQ1=~fbB!?rL7wSwKVz5cX(I?)sKFKMgMlzo~3Ai#E)X&Sb zxY9gpm_b%DD-dh_OB;1C%EO`jp88^XPEG#n-dtS1KYjV~s(_Ks zH=B>>V~s=2PN=%E)0gkguWl}`&tFzH`3ohJGRtl5bj`^%pS5yvQ5urKRFACH(p%!(6w+C!PE!inSHq@j{<*`^(`3xWq z@QuLOsay&$inBYLJ31wbSE!YrKLz!mh`^XI-i;~ooh^tD-jswZLHA{lASZnFX_Xcb z_q%F`?ruPS@)SpC+D47JAqz^SZ6)=?e=D%dEcv1~>oOL4;#V$dka}1$P!-*pqTRYq zKU6g}5{9UiaBnHHRw8cls4j)LPLH%M#9gbn&dRdBF{&w}=iWWgzoyLMNV!>9ogUIO zT-{}9&5a-^-bC#Csnf2A1y zl|mo&^P9MX-QAV}$vC9EPeSa^df+tt2xlfgw2~+;6GKsDtg#7M`gyL$F`^7Jjw1d} zHggt2T-X@-;#IA&NC5wY8OPB`)(2nGQ1IE2m={0}+a)V(Q7u|*(~y?Qqg)ZIuo`$) zp*SHVg%^Qj$`=7u>Dg}9C)61^f2H$AfV$m;gIjv_>YJ;Pg_Zu;weWNm@vXvc(@+&I zLl=dc!L8Xpl)#FzR^Gq)z?*CtO0DE7&2MfVIIYT8P{TbH9C~)`T+1o!UY#;s3x>^D zcgTtgx;IC6jw$&!@;NG4*c@g@1x>+u4P%!9r)ZbO5iXnP03fko*D!R*e<>A6PM(vk z9llq+OP|jR^4tCeP69o*uIB2b%~PGmZ7YfPLgy9rI~}iDTc3yJ{2fBExw*$Y4V6uA zjux>T=1w)HrVASR5eLt3#9a^r%xEI#;~)t}h(8CrqN3+{b^bp4duwv|iKV(z=kk-5 zsBrh`li+3Aho5C18vFeOe}e_1HBWGKnq`-Ek5Q4LYjJ3~ThGKf{(mMN;~n1r+&elr zJSpA(+&kF%|83%#@BdfM9+TrrrCgvjykl=&&Vmu*9|^t1(WvB1eW5U_Wdw4=6=O5I z7jO}-I!!QiSc5O#Lr9J>f57#B3oZi1x7EU|0?HTgXF|9+*v*Twe;PR4_|@@H$3qlq zQ<~hP9tk_uY<)B3jbanI?W*f$>Hz2nk){XpfEv{0&~lz?zCt~;5(PMSX$4TleT4Y? 
zMy4<6Q#8b%(hmdZ-=h4nxAvLHt2C~JF_vV3G0tnWgq9TRD47fp?SZ}BT;kRFp21sI zut8R^U3_a_eAR2Lf4Bv!T~)e{%3@?KqEg?hsXs)4b`$JOAmfO#slQ37U(DmOqU2Be zu*L;nOQNry3)J?0H7#K=&b_L6H;;xuc ziAdiTH!5|1jXKtR*sCa6CFrX&(h|r8Iccf>%B*w_#C7u0%FeHgnU)&3A5}}Dv4X8= z&AQf>zipPkZMnoF=MpRGT*c+TkWowg^uCEeE=xXh&VMOM_{vFO=fwX#-aXnc=KnrC z+1;N1ZsPe|f0ZfGtL2X{#$w5<>CtSLvaYjV)n;Yzur&MG-s#EI%`E-+WCfl{ZanyGLc(h=f{otKJnLsQF{x)IJ+d23!03Z9`q z7pmN*2t_`f#k~D|@yaL|q4x86`d_|&SiB=$t=D}ne*~h_d$Rhq>ok~r-77g~y?Oi# zx@H8ME$;>Z*0b1igm;-|0bUK{@)H|!F8!f6#34NK<_6@^0l)sqFC=IFhbEa z3WwKt6rn)Y6_p|!f@dLS@~`LMS$fA!T_k-6LmXf}Q#WWO6XPl;PeJ}0*(2{FHM|O< zZ!U3pj`1dje+B3r_# z4cfP8)&^}GjW%d!R7p@{|Yv%RQx(Vn^*N8(bft8odxlt-vgHip@)EQ~`;2`4@Yd!T)D);Gb)6h+z^n#cXvla<;fID5;$*=q#n?aL}SNnpXr z-&CA`EwR?zECj0S_vw%gufw}c7IadcjsV=ofaWfe1Nh}Xhn@qmkNGv{MmNib_ z#Z+3@B)qV-?wgojwc};YwsfxTnYpIMe`l!A_Op3+bJoA}iIo~k?rvr+VoO}y!1L|R zt_)5{Pu4% z(eo2KMHv_p3NBIdPGu+H1dv!7zQEbl%WpH^VYBRX3FBm9VzCEECcSt7sX&zrf2EgZ ztkVJn#yIl}&N9~JqTG9+s#B~5z!cGeE|$ar=G0o<6YP}l3 zcIvI913Wa|cAsiMi56d%Ca_&ece;`uG%vr;WmQj@uWOA}F0PMo_^mIee}?PmBOE@c zrL(LWDc>aHM ze7ueSu#v}F;#(hptq;J~2Vm<1@IYtW)(7BzeE=*UO_nQ>HM~KEs}`HBpTO2nVCyIF z80Xy9PhgXN0$)E%-}(}4e|-tIz64uef~_yX*ERLFz66{1CHQKzh3#tF`WrlAe}k`P z9c~Yhw>}A5pM(d>#UI+tdYnE9kCazGe7}Y5v!2K0|AC?*p+2Hs0MUd*Y}EjubNoN{ z_YcbP-}blh-!}3T;y;+7cSZla%Shiaj#-^(bL8wQiMp3^wqDPPfBczF?wD*M)c0J$ zHdj2FNIA-(;F?p&(MU!k_0lLm#nH=`1z$j92LUPuz?neqk6&3`EXBkr5Y2R4SGTAw zo-hY#9xV0DRS?AUxfmuX?Qcv1g@3WQ6$Z(W;KyQ_Q~{XV#%VF?lI)%xd8uj3g?7yt zs}I(C#1l9|{Ui)ke@t7e+2WUs-d*t_WWcAwryMorL#U@q!9gxmg)>E^b8-3p^ySN|TqyviqTT8kcbytpS>4#_ z%XjBjHy79Ee=jSW{DqQ9ukZnYAx2>!cYnn%`deQnD`XtVEF#bm*zC?@isO7M-qe*~hJ)Cr?FDL@(oktPwx6XX?Y z0ma1&^bxmG@ z0$MB?fAotPU^AI(qk@Onha3qQzu>SmlTG(c9hnqhSt8HxNsJ~d_asJ>d+rJBIAAZ{ z5g)F-A0=jEbp4T%aRmo`z*&aJ={Bha;afG?p><#f~0^_@m|Gc||L-0hZ|(n^cpO4g ze{b=#31D#xXN>$aS@JcEYYp#WRy~RYFscJ(BaD+aqHt!E*?)9gtaAOYCG($p=B@wZ zgJS;wwLlpVN^SJxee}G);Uu%h8fZ~wMCMdeo^Z(tGlcVza|KZ7Y z{cqwatpDN$;V~Wmr?a(|8JWqwndATUCCZ^F4zUke59}>*fS>R6O6T`^Q0iIk_})ym 
z^`73VOx}(*?9=kvI+woN;Xg;kCiuTL*ee?7l?e|`PRjaZuuhwV~h zj>F|jSuQX@(UdLV)UcXcgK4^}#`CkI9Q&;H@w*8a1JM=vKkz-G|~RMLp_ zv}kA}+FO^ANQcV8(a5?Bf2nLg7Ye0X!_P-FNU)jH%O++n(%>t}!(72sO)vF-3tOq; zTPMG)1n~v@nGkMdh{dpK@ZiQo#6x{EcuZK9&Az62QLaG)8JkTl7WLx5UD3^g0npc@ z4dS&B4aRa5IggDzh#?=R!q6*w))e6sU2MePH!|sVpQ0iDlztdMfBzOmK`$qXP zeYQ^W{q_F(Yc2A>PXD7M;p+$jKS%%DJKjGm<$vGXp8sv+DJJOW*Z`5n7j{mRA1#BMw-`_9o|97|h|IIwj{Xgm~TB68ze|`jdKUo~FoqZ9-dOv{? zimp*OyvCyl1+uQF6yXp&3o(;_JqORyI|Aw?=N$}jfcZ>aERk!As~jE6`lA)hW?b%u z-o)_F1hq^Z+n}5~v$r_9s?RzhA-74~2G0WQbI?u&N82Se+NxID0#rb#4cfP8)&^}G zhc;+u^hi)!e-X9wJDNRLyxKN4-#fxFnp7YxMqOg;dEUJ`zHJ}*)boES)bHB-cO@DO|}C!>0b%Vub-fi5!QzD|#tDT3W8lG%t#U1O`9D z5Jo5HciBnq4(bdhlxxgv!BfwIDrZL)C0#yM+Zl` z*hT*=U(JdkmN_dbLMI{Wfu~pE?P)Z7DrL|s93`KszbA1Vq6vyP470$-&Z0x6LeaXv zi)~NiK)=Rt*)SZmn)VMrqG45(XvG2K&+G)S94$H~fmy+_1}=t+P8hOk>0r6JFw{Ac ze=RvAi-c2tG$Ui8EH4&PS-jJI(VPcvc9$rW+J<|9^OLxXu5(k;maoZuz5&nSefF#&I+{3n8A^24P!gwCWVy#){zPSr+=@ z4dW={@1&9-+pXoY;{78!umb@4K4R=Oe+iKDPEmnkR_TIWBXg1uP!D9fUy;Wa05VP} z93kn8rH#kdo02caoZ5L0jJ!j#Pz4claQy;IAI8wnUHa0k)FEP5a$K)50QP>x6>M~C zPjK^pb9Kgp0gU=DzFMVo>6~gc4yKNp&7DlERh|DQtqzx~~l{jL3PBTvKq-&f}YS~15TfHPHHP{_{qj#rXeM5(BctsJ^XWkQLouDJow zg^8>Xp3UP$)@kjl1&*vCP<`;onu_ZWAZa(YSP)5P&1Iq|+JKe`CRtT~Ra}+}Dp?8P zQ3jUG&BbMdOEv^D50`H(z+}#zv2u{fInYYTGz&CYE5OnoS>_#60kqApjwSlZqzy_j z&+Lo#Xp;Y~Lt3`2j;1aAfAv?_dabIK_x;AZr*Ch5d;j+O{Oa=bfAzTwQ+HNb)ynT^ zR*_k@B>xt|R6WvWl`upFu!cS9pI%@8@#gB~1MEo*8T&|RP#VuBQEKzs+uF>#hb~}C z=ias2y@x=xRn0%_V6|0PZv)nT-2rQJ`dxj{T6fV6Cs{AbA1=5gE@7oK()BZYmYgP znL!m8$I-HjsQvNB-M{U&O3QPh7!^*_(IYvscAo!|5P8x@f4QD(fb;x+jt=&U@jv(X zw)sCd@;Dd=9YDXzRBg_Jza#!3=>1gT2I{=`vA;^72;JsEO`8$n60PU!J*Bozza;|2 zQ|sKl=t_^%inH?{*X8e8cV&Gsx7UWT2AB_{=#jX)R>d2DaqI{$kYznBgcTS`ZO#K9 zA@|2E?XazXe0kBA9 zlSd^7Omq_~=z$s1B?6x0HVyOWlf^&TaCj3XnHJevTN6EDi0b$`9?)^6^yVFE|9~n` zJ*y*Cmxv@6S!5S&wU`E;cRCf5L=uM04SI=8@yxCgw76cec*p z>wf0we`_%S%+vq&_DcKz!-K8=_eP#7{qLC_5h$+&KHqAATP;v&IWU;u=y6HZm32Q` z$U0O&MUuu+bxkqi)}*u5Vzbraz5*@oF~lU?KAU@7`k&sjdYL73H8pUK{&%u_T+IJ= 
za&o-QfB&$N$KlGMhyN?S|7RxnX0H9MFZeg(6mm4Gyu@Ti&Xg;Ki_Go~77p%BO;bP> zU-V*Oo~|q1C(MJ&98gMr9|rUF-Vm&7#(DqEaSw2QSGnBQ0Lb=oTQ%+1e{;F52HKLB+g#jq_3KFn&j#0%@*^gadmd@ZSFzyspnBHAy+WV7+RK0CdB4eS6I>HN^|A_G@?fuBBLw zf6MpQ)bmw7PWw;JTD-ao*gXH=lfB(y{J;H^ZT!EDJad)zx=S9$xLmfi80G!p8|mj? zWvTAv!Y&byx2p?!YdqeLF6J+Fzx`Z;OrFpG?>zti?$JTX|95Z8|2Ok|F6VzL%K%dd zRT)c6EYJ4R0%Hy5k`HDrJ|>^O5gqa^wtGN?UpG%M<{#TjM( z7zHwgZNZ9Q=7=d^C+Y#<-(+x;JN&axw(`e zP%2E+i{VvsU(9MDBM9y_m2b`yMRg7)*e-k@{cY_nVe9_X09cXlF*TB1|1l1>#3Ct%nQe^55 zaMWev(tFP@vE4gxRm!(oGt=aha-2HURPmwj2s9@9oG>c;?I$z@-V}JAE?hBODJbCm zFX*4%oc#v8-$47+b~x?*j37l6eD}pv%cE zik`P6P`PL#?#YC3FqWP}0)AKfA7S5{AUZ;xyeIv`zZr?zzze|B&ut-m+P%+hGmXV> zqXvlImb4Rp3Y2^vcJip{vlkSc@^-KN^n;)P_~HA1c;8RF?}MA~f9rk!y7&F{_y76u zwEdTOo`R<`L`bh|cT%sMe=dwM>uN8wZmOfPZk3MKwQh=cooDS&9aEspI;%!{JAMyx z{K{b_7aG{x?Z`f!k=>5#-H&V8ulFv7xKdwqIl0&;`j=>$zrlRp7Mt}xF8kjUhFFZO z7qi&I5#uln@9_M0_vmD=bpE@$z5lt9M{A`c4xWW50?$+uFwm~Mf56oSZR?Iw8??p$ zpFan?u2gZOkPKkh@ge6S>clK|qymiy2hZ}V_-X$_tKY2i8)Tpz%k`MDh&~Cf_1;ab z)GU?a5aJNDZ^lUHiv+$x76b$_+140N5#VD4N>IRQ{~~pB>wvywJRrbKpbYxgeFks@ z_!u)~lLG@ZBou*|e-a-dd1JbrQlT~<<9!djezNu78KZE5M-icD&27wG|9i#!Uk8VK zTl@b;o+qFWIY%^NfD@pGAAB662n-S&iU|#3=-lsWYOe|p{lZ=!GpNF-|tlt7Fq z2yuiutTUHPwhF&=frKju$1 zjk+120rUmS8{!bL){74N7`I+@2Jp7^qQfU~>&5@qdIH`-ib=x2#mjTn>co`%8~MD| z!2yC@RgRK>BR`Ziy~vZT|Eu%Um#@z|lVI&_)UW^JlcQ4nuYI8sY}fw=vzj(g5(2^Q gv+PI%1p!X8@J(a^0(*P2R!=Jh2p)hAO90pc09;;SEC2ui delta 13803 zcmX||V|1QDyM@CBjh!@&ZQC{)JB@AYiEW#0Y@@M_#%^p|@5%R_v(BGc_y3tSv-h?4 zgqMLwl!3=rV0M6-+&vmwy1iXo>boBeI=o?CJ17%+3V_XQkz_eX|8&mGA5k9P^W@t9 z@|$DISL-VF`W=crx^&+fyGl~Sqnb!1vD!{)rA`|O$1(lHSB^tRiv24X$Mc%w8+YCWG2jzv%&_$l+6RY2GJ+oI&**`OgO(Zdtn$T2 z1l2HHp$>@Cw3ZX29LgT9Tsl9nSnBHnv+U}n-ixn)pMt%0WRb!t6o}x8Y$bD<+jw2; zy&nA-odu2it!{0+cb5o$Z?>B~BP{?wZQ|>R&r_N(uYwyu4dW6~?UFG%q+Gz~&Va(jG;d;?uM*pGuaulc|kXHh7KVXWTv3n$FHPT^W{jlVEKqP*?i z-P77j9YHz8LNE;wqe1JF2nJ&WQ2)X~5*YxaH1rojz!e4WL8bJML*2GO3yUXRv}}@! 
zCIL8xL^mNtaaiW9l-c^C|7sya4Rnh)21!TdOV^0Q%v^#iphM+?MSjRJVaA|ak$v@t zBPLSQcMhAJ5_d&+$`~k6lD{!{96={V7P4kg@BJ$_W4qyyyvw=qvoUI zRku!&fP`2QT*{)<&f@8Au%&C4b~khE--h(!R2e3|D4j55T(a!cm@e7i+67z?{_P@vbf)hI81co~>5B|8*R`;%d1Y6ETe0tOP3N{2CA;B7whvu(AhTzEN^$jMT zmaOc3D0&jguU(-uoz;6Ks|7V%1V7Tu+pq;1EVn12T0~h6=RgdhDOYL(t~glxLyVG?zx^0S!aNrWzsbpiP1qSm)iqRV3)Jh46gU<(cn|AFyGjw)7S z2_6+chCu>V+8_@Q@gr#h*FywD_7U@7I}q7EFSb|XZIAgTM#+DQ4ptxp!UIAQgP#?R zbXx@lKo}|m>9bb1aWHnXl`w|*X#(IvMs=~U=K)b8*ILY@EOO9G?A7{mfx3vDx zaf~_ctI8OG6zqu77Yd2lCSZGNJCY1PVu5p@NbG0Pc(y6+4_YaNH#g_M-CxMy&3XM% z{R0!WUt9u72YCj|7ebWtv2_yZSzw02+}?9BsD0$5S@2G$1C5FWkgF0rjjl@wo)SA@ zdeEn*54-hs0~>BDvZ4$arWEX__Sb&Y-HxZRhxm9j2dF~~v{Ll090L@1$)`o|ZlIH$ zjpIq~r}sC)h1%~SY}h8zY{`wD)P-$cHV3uF_4$gLC{`|5B7Aj%LR*s2ofN{&F8mH5 zhF36y_?@A%auJjYRQSZB^lIFMLo-W0NFS61N7(p-CC z%>2xAdS4AYsX`u0kPV<=3BCvS&R2TXm2MjP1-AQXE}Tb4K>#nyr_d=Xir0MPfp@YBourwy2 z7GK2Fg)P*k{J8^Z8QbCeDztsr5AF~>eREJcf|@hK>v=7jiDvMk8rwwVuh8ob;WC*q zv|PrOoAFKmvkXouJDv3~qhgsrrqFFOq;?x0*VLZ@*g7{M`?&@u7{8l63@@`p`FeG` zeMsgfxQ+w*H#VeS%mOLq!W)2_miHyiZmbUM0U6B4Y|KYsJp~iwaRU{)<5We zhA*Z84J`_aJ^NW%x4CT6tSI@!u}WY=;Ur9;4SR8I;-0 za+10ZS;6WvNMuswFvgLqwM{v-u3s~{hzzy_MpIXQV@-}8_!=AE?4;`b4c?JYaoZ5f z%&7UMS-kXfqRBRrUR;k2pCs?GhkRCDC;5EZdv5P2qD|Yd*9yB64c6A^Y6nH)D4_PJ z%JO%c10lGMN-$eQU!L;-1L{Q#OSW<&OG~ZtDmvwjvEVm}oTY1FJ5m3THLTJBw6@uI6>s-}` z{KXQpt$`ml9wkC^{)4!ie%y`m^YDBk7w})Y!U9iKN}dwOkRJ?>+OI^?7<6H{n9y$X z)pX39TJba0VYFV`-*jSMjbd94Q?+ea`~rL|TG`6)H><=n|8Q?rl| zgd9v8#y4cSCA({M(bFLuPA@`Xy`a`QSH_7E6MW#g0nR0q%H=rjn=r`vRk+ED0JH{T zWiAz2UU)tQJ`89hHu5O2+=A|t8a|9jZpchO{{n|2WpY)?LuT(4&# zw)DGJfd!bu(=clR%VKGlu}zk`vJrYjZkAQ^FVVz^@nlVCI#sEHDYRSlUhB04=*F=b5VA zoj&e95t%%l^9rWXl3h*JkHwOYjSz_C39icrT4}YmDxFb{UG*P4Le2!abUq&H&Mv7- zi!|y>R>OKx$2O;PtEmfX>Wk|a67J5~V2h{r$a5dN$p7v;IF7{h^tZpL~) z9*5M4f2;5^QpXQ{Z-H6uFvR|Y0Hy7Wz;us1zk2VB%~ z)<$&s#?sK2!Rf^48hGsrZ}z>|AH4vImu}nB?Cqv%c;C$5YtL)}m8cxXQ=6DcC<2c%*juK-mH;04oBQZy*T@BlSdVuv*8 z#v7u@|6aR&DU*JQrp 
z7)odR56)}ewBxnz4+sKqkQo`;pZAi7L!_vLtptH0(E7UuZF!be{B4e7s~;h6GcGI)26MyP6j%RHu`uhFpmp02!rZ@K z2Z{)%FwQWrDEO3i*@$P2saM>Y&>VIn<@kE^``a$=%YF~t8_+vW z2y?1sAXIRi zVYEkuQ{-Ry<2SmE#4o))V9!iHVVPKjw;$($#!@f70V)I>e~dDEMtJ{d+W=e-j&y0O zKY#vUnL;08)*pJ7xH3cWFvLM5jv-(|Np|(~x&MG8LMI`H6OFM&bPQYNg)sqsu9d@sW?99uIs|Ycd`3g-=NyDP+Y>zF$RLr#_I`fh1xz*qXo@wO{ zBxI=H^KwE~6=2FrNZzCN(}ZbEW2(tWu$F!|(yG>5AXNdqjBhKw@Q5+AWevzAq(&s-(if-{Xl*mR#Or7V_O^D2|+4#tmUoK_{D$-QV2e%1D~4pJzV zvN)RN4JiFNO)PBqZMA{fq`OG#Lhld@n9LoQ0n?;w zVE{(ClnqaD1&t7kth~p2h(v$~yI*IEEvP0h#EL>QHQ^mI;%$89b_0!hJrw-xBvI;^ zKX1zjP1J(7c29fKHTaM7vGuNdzWvDZwP1EO4FQQm612uIATV|cyn4UFtUVb3-#pkEX8A^ia)onktd4l8M>WNKK>1>PhMW0+%`3+sl zSX@*Lqp1!YRH+I&$l&2R9CpmxCDC`bZu-+Zkh{x<1`;Srs>F5 zB@1P#*D?GoR<9hC{PaEgWI)#Pd z4FeJ8;(y0@0$tB;UZ;Wp`yJ{lfX9F3^Azq7MozZ*a;4{V@EcpOh~Gua8A+j9jQg*@ zZrXk0GamJKgn#gFf#ES{3WdZsibXwr%SDJk7|k(YUJ}d`Y+2(gwPYpHExcb}dD~LA z)w3CahJcoaK^LGwB9PAIfwZO05l|AGOW!$=s7@Z- znWip;)Uzk^_2)-1D)#f4pFQV4?_Eul8Fb54okE|z>QASFu1$Ce8d-b@MCH zRF&+_?C%hXSy?YI22RsLYf?+WC~Ht^keWP|QoG41>dISnSS#3I4&XR| zvA(i}AI@7?1?Y63&`2y9=8S)r^anr~;@Bbn)*ebWiNcH$xX)R7;2GU;4x{2hl-A}? zyDo@mt7UpbE56|^oe;m-Zc6LETdaUsXjpCLc|be`qU5f_YCGDxxf#5>bM_2g$p9wr z9PhmYYB-?z@4I#0g-W!5A1$li!#!>09IZA2RtCkRJr`4w$uq9`x!0Y3JbU`L0}>$F)e&FeJlYrW|v?46G_^lG_^4(*JLI?*^U zbzXII+qV@w%xZ0$=8nj!-$xg8;%gySn2fq{8*XwlrCdQyb z`gbY80CPoB?-9CW!V|R&B1#xi#v4mcRTBamka45Du7#=h9{#+{uB86vNZ)tvzXu_H zgA8!N3B&j#TqBVnA$|3k(v=<$eAK2}up0BxIG1y92{B~qkPwJ~ScDwzpyzF`S#ZHk zrdAg!_ds@oXcP1^RrZ@&SjLi)6oag#2=wT~uY8`FXLW}%4PVO?mN7oXqSXvSw-kBP zq)R$cJAfvD5Xn(hYjKS#c&$XU3>|M5c?Md$SI+l?lMGz#VpzpILz8*?#mMcc^DSMM z2uVSy(hDQv2RRpC>|8M%Kn!;oL=d?f}#}tO@YmN(qk15&eED3p|6s| zbQ$w#%}D=P7HAx&=Ke5*x-AZzq-!82hg7jIVE=Y5JMk*hOZUU1HM8p!S5Ln0V*>iU z@a6AptP#^aR_~)3tI}Dz2x*neM0?=>!&@*s@(UKS! 
zUi{^ApX#hev&VEjY+_)9xldwJb&RU~N98x_QFPc^tP5uraFMn%ZJsh#a7;U*1Zhk_ z0quSr{nlo?V!D!+uREgLvxr#nZwgpJY}d9@`aOTkmfm8ldU%3P!78jDREhA9j7|Dc zvuxa23oj_}yihfW?mxr7&?USm`R|g3)jCLYflXrr{Oh*ya7OOc8u;( zSqc)NKaDClgT^;zcR$qN#9lgNq|JH@NtDhoV`((PyXd`^hu&MdHZ(^2MLoS9{^sM@riEcu+%=}w zi{nTg$8n=kl4jnWW6;^%3ybbhxFFcJi}!dL@MAnRsxb^D?b1 z7+SQboSv#_BDy7#+SohQYP#m8T3a{^$+OOv1V;ucW{$ts=_(bFE%B=D>SDiHZ0x7X zBV~l1Qp&q`TnJA*n*K}KI~&g?Zwlz@iG_S%(NpH0TUXI^A!Cg8pxjWBo*4Q>+7ZO^tzv180nJ%&a^$+BcIfNwpfQrq5y}{f zYtdeA`E1KKBm7o(N;%-^B34!x08#5=3Q_b`H~Z>QB^hF@AQFGu)Mx*oEth;%qbbAiR4^@r}7s% z<}EzPoNI?69Ndg8;np!8igX|^NKbk8_74w`_uk3Q{WkDpqs;kPT2{67^-lVV<-C8o z9y#XS4+!iHoXw=<;+d?M?HDeVnr-50T(2_U!3PN@#a<&_0vF%EI_4rn3b+r6E5l6$F}CH$dh(~jZ##AkY&o_3jtcA258iLvX1 z9Z+8nT&SkelQd;6zYI;qlkADTbbYbHP3k9sHJ>U;;XqESVKOmF%50y z-JO|Qi*p367N)%|Ti2)^e*3IzdvBV)1p%h97arr)1(8)5(rr0t8V)fjk$KAKE&l#{ zWKn(YXS1Abk(})~J^`b%rgoiE^~)c>CZMI>53?5)o}eSpl*dtHqEzgcebl#<_HK#q z)&gg0$(3k#3%HhWdx6=Fs(`6F56ljar={uP(x99y;(A;;`K)HIdZU@1_4pRY_*S#- zPJ(j;rfc=ijloDMxu4gT7*QH|9`|8)GMUdlS*`O9h~Sdo9Qzg^Bp|e#1~{*Mfa@VGjp1BpQjJl@uftS3Kv+1zD^@`Ap5ZT?RHhNNS{N={Kq8n=hYQ#<;q8NoPr~~kbY~vNF}1vNEuY5 z-Ubxb=OyPWy3XBVhQzKQVkD-#vTu!v5soQIB}AZ@vjq19Jbma{&a_s(VGs0vLG*c+ zg|m*wwxjS=2aS6zO0qqGBVuh^%ikAiwG3(2jT*&Pt-{tIf&Sn8mvbF9>!9WsiEoXp zSgv7<9{~+GABR2dPQisl=sY?J4H4!Hpfs!XoCAQDk8TLG z`CtEZ^XZ=^p8)7AH5$L~d6N|{aTeCl{!@V-vzGy~XvCfDfb{ftW7m&6W2_7w-2V6*<`ibd-gO_-Km<^c32P#u5Vp^Z(2Ph zTRrP9DcKc}`KoE!MXk69k7TJ~rScR8c4Sz2%;R_^mqs-7HfZ|G+K=)RHLKV4W;#4e z4->j7z%J{&`RmG`4(`*f=K&c+a(B)KtU7WAyY1(P19i(0-6ZSBDaxfKGeqYT5Ze_M zTmog0XU)kw^W(>-gPPSB1_=sqZ*GFNMsC|U{9ao!j-DfO3K0y{zOlJxofRrAMykU3e_MN4o9bKFxWh*UKTdmRK+p+YodBQ2jvoI zJg#^e-Ps~G)BS)|3g^-e*RVfaFGqL_kneomT@x4aAwA=P-L>~^W7DM+#t|(2T~C+h zc4y3Nr^}r-clT;0Z)2`rl#wzgpLAZ4Zg$Jlq>pIGd#^qRPJn0Mp~#*u7F8pQzFhr_ zS5F!_Gi~dzzMOJmscDD?dr6Y(?K6K+>36+DMIxM^(^5xtx-;&~oOY9;A1NSQooH7q z)-4<~KIqR|BCG`_6*rziCzPO*4CfD^-dmFoB*-JMIs`0_7}H-@A@?l87@k7b-h+GO zv)Y|PI&=$wrN&W=r;Olj=J%;ZO)e@Lo>JD{qkBX<+kFnwf&n#ozwLcL{ZAK^jzM4* 
zWA9?x_GzZq=REm}=EJ_)=hkHVj!00~-K)`n)B-c2lNVg2*ax}4gKTTYuaFlkIaWc~ zwbl2aHNATS5}J)yB2;Gdw-6y|wgQ{s{vdpPh1q|ye_eaB{{$S@gcCCzg}|oiFMFKf zN`*#lC$|)_4OwoTnnOVBLypp2jsx|?yV@{|mO%a&{=SmKB=w#JSy6(QWpdum(f)WK zBT;=27$)Sl9MR)&O(jFB(GEtq8BcYE&ODZ4dJr3Os@DMx?9Q_;LQ?VrCq+PCx8^#0 zkcrflah+T_*o5tFBaW-I+jQ)o`Nn;b4zuV57;F9=IQ#-Xv`~PixN5=XT2{iorqWwA zfI44!5P=KMm5Aai_^Bzwj;h{18_q%;CQfPk-Fs9Te~)FLRb3=Cg$OyVNf#8$w#q-1 zSiD=}`Mw|l{n;~G!T^2pu7e4qbw<46$*K9L+E*dgF|iq9 zs4dR;DYiH@e}Gnvn~wG6ndx<5e-65~C2x3%;FaZ9G1wU~26ANab8Z$h-~TewlXuXc zwpJhD48Usva*3LD$Lm{TJ((deTzvDm2>?v@YmLmTlGWtv739JXDh$+6Kdk6cy ziZKb31)PgaYgbc z3BV9yR`w)VIU9orF;FTgd>8HpzRBOjjmZN&qyY_^j)W+<-bLA|nMlAx1+5xtgHSnf zK;h}+FAaUL$4pMV&|2LX{gHhI8}SfTW*71d5ia*ycyaEj@nR23D1usz0luRcDUO?u zSX;f-oLK{kV|Uj1t+?wV`%F7UjSx6}DuD1Zh)|m`(WKn_SqO-QiZ*c2%p5I#Esm9g zucb>kd?b@dO7TW38s&e4a>K91z6?iR+KfYMsB^-4|CG(Dv9Z>BNmPdXpW84bSrYCj z<(U_}oOj=2`Gh((;iSqkQDCF)z}O~>GN38G$*qEaN;60{6eSzT;-cJ&yN)*tXhG19 zS<&2o1Ggt(maW>OnY6bf;G!R;DNVpO({D<5l!yGQt*`ItTK@|RA*=2p9&BvX-Y6sM^*LR*8=cx@Wwhrcih03IcHmoP~gT)FJ6_ z%3Q2tXM#Ko>TMrOiO-7sw~L@_VP+8Mx_6WVv?Y;ya$iH)^Jj32Xl1iV=b0d%36J<{ zgFf@z|FW0~sx!~Zf-J+|X7AQq3-0Y+1K9^07de5c%fI)UIPz`BbKMuP5~{whX%b@; za+ESd$JjW223?GfDnEY~ZVWpF#^rP4B+gCoSdpdU?dx|wL#Y;5`d&zGP$G&7Nw3j8FK!pR-FA*;+KyUN_BL0SkQwG3x_(=X1u7ZeQ!pJ(mgkw zX*C9t4qP->+ls*bJ-O(1wwV19UZ*af?H>=|LdjqB`W1Z``yZzhyOYKro+a`w;026u+p5Y>Sfb4H{wuDcLy^+)UtPYIfa$L9@+B5u_-z$ zw&hjI-p^{o^5V3Y?vN_g>#8IJ^}r{H4>?#)mH{J8b`J+*lAVGsTs{iAaWjLzf2fx7 z1EMF3v7)>jx2uoLdclrPXTMx)hkr5Vj?5mGAQ*^`Q~7z6!fzev5Xr!?bNMa9r9*KR z1&|R$0P=yT!u+%(F{j);ab@b)Hkx0H8k>?KO8R$cv5BKXHh2IZAD`yHdWYWOH_gMf z`=*zda(xN$^D3)5?{{50L^``sMb{fQS zgMnp(rMpp~KWU|}84Lc6i&)iGJ#^Os1#VXc5GqZ35z@E5P zQBWOrB4*H*PxhC)bC!|}r!_0int+m<^8NFLw<4K+3-&+a9@F+&J%X^VbIb(1V}Rru>8q^}la5$N8K*cVnEm z+k!UM1O=#9fR<~3mM<17x`Ek=K}b)(WSWUR z_Q5@#r3Y;d>>9HCw`zAyd`Nr}K5F<& zc(&*Ev2*HUmPYHrW)^L{9~9Wz%~+Eti_Nx=KSSkZIk8jdFw<<7C$|&pXm#4dM9@EF z%OV7@iQtd2isOXtk;1|Mfttmn`Gm z<-Yw{dQOk$e^JkGGZyam9(Vd!!f0TiJJ!uGZC}|v(DE_4aJ^89 z6zPTA@24zirXJS0ta50u|Yz;01d5UJi- 
zA&^>QHi$Bwjfq*1gmT~Wm-hOBEt5Zmh!mPV#=2kge&4MH;(>w8j9rJ)uicE30!f>x7D?Yb_`3I1pQ z1wT=|k6JJ@fmt~f`)e7UxrOg#L-?q3PSsM*fhQ6lEtJ7u#7J(ZWx1391}hn7~5ARqVg0kAo;>p;=+HajRMl*hEog_je8qG%ITTg9sF8fj-N?r=-@)%QBo z5#!qZhjje;qLbG32kQ4_a4=s&<_91XYQ(doREW94rMEhPdlaS=hGnB>#P};1E+s~6 z{N3Q(knySfD7LY}`5zdGO=7Lmz;NzXKk#B?Lna7@9rIVj`k+X z*5~dvp50!sAs<)CZSFVF(XUp}*4EnES}w?TkGguC`s7G?+VN!WrD+WFJpdpK<8@dd zGgwqOFC5V@s^b5(W-BSjFHP_~%(1Zu0A~|`WP^?z5)VXHc2-2BF zb?E{r5`S!cT#SB(4lM~K|2{4&Zo#Y4caeK=8zCAbw=q|7ZmYbHf;=;?Kx)WAC(oeG z+1a17pu@c@hi@QH(rKeN5N!mwmXYd~I@3txMGXdKJw&lr>Q`jTX<)De0aeT5Ft<-k z9d`QQn&hWaj2xq@@^W2ap;uF;43Of z*@J_f`d;#H5E)_PEm(#u=F^(oBYXH3$lfuUIF<3>*ZOmn?_p(RE zBSYhJwFvasuy>$&tOZ0)ii00NWeyFOgRf$aKA2R7KHR+SZ?kC8C7XczgM*lkHh7k3 z;_oQEMGI<0My%}4vP*P%Bx?Cjx5xK`E3bcBIJ-LmZ(l!GPvGTcJ*14cqS9*LovmVo zPA3ug`m>zCvOxx?5JIy*_fD~<2IS#nK#zqxmoThp0k6OO=`d-s;_V7eL z{3jM(5ug8f+P&Cv)A_yMrW6fda(tA4uf;nJNQd)T0!6yh>^+_zf|4-agHL&{-fM4p z-#qc7gOKtKOv^dUd$&+QD0hD44v?;!ugeDHO2Kxw`Nfmr4iSsD_qjiGO197fcFJ5Y z^j&@rTMn)~$DQ7|S9R2PrLS4{YeG(hDc?!0>s9O^_HelcV~^D5V)emC|Kd0dh>L&S zO?6vd1iBNs{PFqGa_t4x-nOD|c?Np^JPE#1{(iETlw5oLjOUx*x`j`-(!n&z>PL$b zAt~A;FzY`FeJB+5nER8>XfGKsmq;Ugcl{_wg*Y665XOLG?z z%4Nk8qv%+YvL=*c%-YesCmy}EmMe$ZRj{*C0rQ`IT!n28e77Tx_UO(Tt-LzsSFVE2 zcil}mU9;uk4`_+ z!iU!upgY+K>?N^p)7rQEs)Z@04?*s^AmH&Re-G5rvJcAg6iB-jOfmJR4la)-r${yT zwhX8XbsmLjz#>d4Khp+f0?=Lp{(hzzkjSy>O30@Z*$>6#qJ6#36M;nFK}$Kg>%3I3|^IU zGeO2EY~q1u#;GhEe=Fr;9dG8n__2?6q2w-`JKTn6qgo|RMvzq*+rXye&I4nmcyu7- zN^;0k208V&oo1*Rc!|jA?dXlr>#{f=Kw{%*vfkEH4LnI2g*rgTqh@i1;X0{zJnlS9 zTfX?-O0%z1m0{^5!>#b$s{Coj9SSeWR{~wViZ}bgPa>WKzRUYS6scWBs)H?}od;R$kpq_qk2v-h&~3MgGqb;kB|g1|R;tT} z`e-7;g(Evn4BlPw9#?xQkMf;ZaWm=T-&VAk?KbrG@nJKH!1?B3bH>n4i!$VZz3gg) zAhe7CGOy?S-O5*Z1<#HpzZYR8u(zvs!9SOjn~%MdkKOlOz{cyx%PYvoWA#IpPq9}8 zm*m${6K|OYpnyG;?%IT{&ABkE*&-u(s?9mrG1c%;5=*UQmZL`6`Mn#4+i#yK=_}&d zxtj^$^oZT?{l#$8*^)Q5sBRf!d$#Tw`nxRKyK zPI)pwVDJ~_JNtjIbqb$8DW!BO$b-b$v8GKBD<$M9bOfdA5;Q<)2rERh{rhDZV{ z=oqefDjwz=t;5Iz>9OWD`!A{Weg|aD4}M8BNcMAkXP?{J)kx+e#%J?n8?3jQMsk#_ 
zn{X^se{XaVwD5d9zI2!)UHiasvIM#wRi^$}`k4K^gO(&3GB}jbAU^&zoJv7LgCjLu Z%A0^gbVxR+Dbhm2rmcLaf-OUU{SVQ=1.18.0-0 < 1.29.0-0'
 catalog.cattle.io/namespace: cattle-neuvector-system
 catalog.cattle.io/os: linux
- catalog.cattle.io/permit-os: linux
+ catalog.cattle.io/permits-os: linux
 catalog.cattle.io/provides-gvr: neuvector.com/v1
 catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
 catalog.cattle.io/release-name: neuvector
diff --git a/index.yaml b/index.yaml
index d784ea327f..cc7e68bedb 100755
--- a/index.yaml
+++ b/index.yaml
@@ -3985,7 +3985,7 @@ entries:
 catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0'
 catalog.cattle.io/namespace: cattle-neuvector-system
 catalog.cattle.io/os: linux
- catalog.cattle.io/permit-os: linux
+ catalog.cattle.io/permits-os: linux
 catalog.cattle.io/provides-gvr: neuvector.com/v1
 catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
 catalog.cattle.io/release-name: neuvector
@@ -3993,9 +3993,9 @@ entries:
 catalog.cattle.io/upstream-version: 2.6.4
 apiVersion: v1
 appVersion: 5.2.2-s1
- created: "2023-10-12T13:49:21.425112114-07:00"
+ created: "2023-10-17T16:22:48.724753-03:00"
 description: Helm feature chart for NeuVector's core services
- digest: a3484f025c76a81c813c3ba00e16f4575e1bf5a3f2e0a7feb2b0764d09b624e6
+ digest: 971c50d99292fd2204ee61d761d939fb1aed7694357089a0f66b89c581e093a2
 home: https://neuvector.com
 icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
 keywords:
From 17a016ce0e71137b970aae6058972d7a9c4fbb85 Mon Sep 17 00:00:00 2001
From: rancherbot
Date: Tue, 17 Oct 2023 20:12:50 +0000
Subject: [PATCH 11/11] Updating resync.yaml
---
 regsync.yaml | 1610 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1610 insertions(+)
 create mode 100644 regsync.yaml
diff --git a/regsync.yaml b/regsync.yaml
new file mode 100644
index 0000000000..e3da4b0bf9
--- /dev/null
+++ b/regsync.yaml
@@ -0,0 +1,1610 @@ +--- +version: 1 +creds: +- registry: '{{ env "REGISTRY_ENDPOINT" }}' + user: '{{ env "REGISTRY_USERNAME" }}' + pass: '{{ env "REGISTRY_PASSWORD" }}' +defaults: + mediaTypes: + - application/vnd.docker.distribution.manifest.v2+json + - application/vnd.docker.distribution.manifest.list.v2+json + - application/vnd.oci.image.manifest.v1+json + - application/vnd.oci.image.index.v1+json +sync: +- source: docker.io/rancher/aks-operator + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/aks-operator' + type: repository + tags: + allow: + - v1.0.1 + - v1.0.2 + - v1.0.3 + - v1.0.4 + - v1.0.5 + - v1.0.6 + - v1.0.7 + - v1.0.9 + - v1.1.0 + - v1.1.1 + - v1.1.2 + - v1.1.3 +- source: docker.io/rancher/backup-restore-operator + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/backup-restore-operator' + type: repository + tags: + allow: + - v1.0.2 + - v1.0.3 + - v1.0.4-rc4 + - v1.2.0 + - v1.2.1 + - v2.0.0 + - v2.0.1 + - v2.1.0 + - v2.1.1 + - v2.1.2 + - v2.1.3 + - v2.1.4 + - v2.1.5 + - v3.0.0 + - v3.1.0 + - v3.1.1 + - v3.1.2 +- source: docker.io/rancher/banzaicloud-fluentd + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/banzaicloud-fluentd' + type: repository + tags: + allow: + - v1.11.2-alpine-2 + - v1.11.5-alpine-1 +- source: docker.io/rancher/banzaicloud-logging-operator + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/banzaicloud-logging-operator' + type: repository + tags: + allow: + - 3.6.0 + - 3.8.2 +- source: docker.io/rancher/cis-operator + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/cis-operator' + type: repository + tags: + allow: + - v1.0.1 + - v1.0.10 + - v1.0.11 + - v1.0.12 + - v1.0.3 + - v1.0.4 + - v1.0.5 + - v1.0.6 + - v1.0.7 + - v1.0.8 + - v1.0.9 +- source: docker.io/rancher/coredns-coredns + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/coredns-coredns' + type: repository + tags: + allow: + - 1.6.2 +- source: docker.io/rancher/coreos-kube-state-metrics + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/coreos-kube-state-metrics' + type: repository 
+ tags: + allow: + - v1.9.7 +- source: docker.io/rancher/coreos-prometheus-config-reloader + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/coreos-prometheus-config-reloader' + type: repository + tags: + allow: + - v0.38.1 +- source: docker.io/rancher/coreos-prometheus-operator + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/coreos-prometheus-operator' + type: repository + tags: + allow: + - v0.38.1 +- source: docker.io/rancher/curlimages-curl + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/curlimages-curl' + type: repository + tags: + allow: + - 7.70.0 +- source: docker.io/rancher/directxman12-k8s-prometheus-adapter-amd64 + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/directxman12-k8s-prometheus-adapter-amd64' + type: repository + tags: + allow: + - v0.6.0 + - v0.7.0 +- source: docker.io/rancher/eks-operator + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/eks-operator' + type: repository + tags: + allow: + - v1.1.1 + - v1.1.2 + - v1.1.3 + - v1.1.4 + - v1.1.5 + - v1.2.0 + - v1.2.1 + - v1.2.2 +- source: docker.io/rancher/externalip-webhook + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/externalip-webhook' + type: repository + tags: + allow: + - v0.1.4 + - v0.1.6 + - v1.0.0 + - v1.0.1 +- source: docker.io/rancher/fleet + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/fleet' + type: repository + tags: + allow: + - v0.3.0 + - v0.3.1 + - v0.3.10 + - v0.3.10-security1 + - v0.3.11 + - v0.3.2 + - v0.3.3 + - v0.3.4 + - v0.3.5 + - v0.3.6 + - v0.3.7 + - v0.3.8 + - v0.3.9 + - v0.4.0 + - v0.4.1 + - v0.5.0 + - v0.5.1 + - v0.5.3 + - v0.6.0 + - v0.7.0 + - v0.7.1 + - v0.8.0 +- source: docker.io/rancher/fleet-agent + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/fleet-agent' + type: repository + tags: + allow: + - v0.3.0 + - v0.3.1 + - v0.3.10 + - v0.3.10-security1 + - v0.3.11 + - v0.3.2 + - v0.3.3 + - v0.3.4 + - v0.3.5 + - v0.3.6 + - v0.3.7 + - v0.3.8 + - v0.3.9 + - v0.4.0 + - v0.4.1 + - v0.5.0 + - v0.5.1 + - v0.5.3 + - v0.6.0 + - v0.7.0 + - v0.7.1 + - v0.8.0 +- source: 
docker.io/rancher/fluent-bit + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/fluent-bit' + type: repository + tags: + allow: + - 1.6.10 + - 1.7.4 + - 1.8.15 + - 1.8.9 + - 1.9.3 +- source: docker.io/rancher/fluent-bit-out-syslog + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/fluent-bit-out-syslog' + type: repository + tags: + allow: + - 0.1.0 +- source: docker.io/rancher/fluent-fluent-bit + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/fluent-fluent-bit' + type: repository + tags: + allow: + - 1.5.4 + - 1.5.4-debug + - 1.6.4 + - 1.6.4-debug +- source: docker.io/rancher/gitjob + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/gitjob' + type: repository + tags: + allow: + - v0.1.11 + - v0.1.12 + - v0.1.13 + - v0.1.15 + - v0.1.21 + - v0.1.23 + - v0.1.26 + - v0.1.26-security1 + - v0.1.30 + - v0.1.32 + - v0.1.32-security1 + - v0.1.37 + - v0.1.54 + - v0.1.6 + - v0.1.76 + - v0.1.8 +- source: docker.io/rancher/gke-operator + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/gke-operator' + type: repository + tags: + allow: + - v1.1.1 + - v1.1.2 + - v1.1.3 + - v1.1.4 + - v1.1.5 + - v1.1.6 +- source: docker.io/rancher/grafana-grafana + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/grafana-grafana' + type: repository + tags: + allow: + - 7.1.5 +- source: docker.io/rancher/hardened-node-feature-discovery + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-node-feature-discovery' + type: repository + tags: + allow: + - v0.11.2-build20220901 + - v0.12.1-build20230120 + - v0.13.2-build20230605 +- source: docker.io/rancher/harvester-cloud-provider + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/harvester-cloud-provider' + type: repository + tags: + allow: + - v0.1.1 + - v0.1.3 + - v0.1.4 + - v0.1.5 +- source: docker.io/rancher/harvester-csi-driver + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/harvester-csi-driver' + type: repository + tags: + allow: + - + - v0.1.1 + - v0.1.3 + - v0.1.5 +- source: docker.io/rancher/helm-project-operator + target: '{{ env 
"REGISTRY_ENDPOINT" }}/rancher/helm-project-operator' + type: repository + tags: + allow: + - v0.0.1 + - v0.1.0 + - v0.2.1 +- source: docker.io/rancher/istio-coredns-plugin + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/istio-coredns-plugin' + type: repository + tags: + allow: + - 0.2-istio-1.1 +- source: docker.io/rancher/istio-install-cni + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/istio-install-cni' + type: repository + tags: + allow: + - 1.7.1 + - 1.7.3 +- source: docker.io/rancher/istio-installer + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/istio-installer' + type: repository + tags: + allow: + - 1.10.4-rancher1 + - 1.10.4-rancher4 + - 1.10.4-rancher5 + - 1.10.4-rancher6 + - 1.11.4-rancher1 + - 1.11.7-rancher1 + - 1.11.8-rancher2 + - 1.12.6-rancher2 + - 1.12.6-rancher3 + - 1.13.3-rancher1 + - 1.14.1-rancher1 + - 1.14.3-rancher1 + - 1.15.3-rancher1 + - 1.16.3-rancher1 + - 1.17.2-rancher1 + - 1.18.2-rancher1 + - 1.7.1-rancher1 + - 1.7.3-rancher2 + - 1.8.3-rancher1 + - 1.8.5-rancher1 + - 1.8.6-rancher1 + - 1.9.3-rancher2 + - 1.9.5-rancher1 + - 1.9.6-rancher1 + - 1.9.8-rancher1 +- source: docker.io/rancher/istio-mixer + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/istio-mixer' + type: repository + tags: + allow: + - 1.7.1 + - 1.7.3 +- source: docker.io/rancher/istio-pilot + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/istio-pilot' + type: repository + tags: + allow: + - 1.7.1 + - 1.7.3 +- source: docker.io/rancher/istio-proxyv2 + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/istio-proxyv2' + type: repository + tags: + allow: + - 1.7.1 + - 1.7.3 +- source: docker.io/rancher/jaegertracing-all-in-one + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/jaegertracing-all-in-one' + type: repository + tags: + allow: + - 1.20.0 +- source: docker.io/rancher/jettech-kube-webhook-certgen + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/jettech-kube-webhook-certgen' + type: repository + tags: + allow: + - v1.2.1 +- source: 
docker.io/rancher/jimmidyson-configmap-reload + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/jimmidyson-configmap-reload' + type: repository + tags: + allow: + - v0.2.2 + - v0.3.0 +- source: docker.io/rancher/kiali-kiali + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/kiali-kiali' + type: repository + tags: + allow: + - v1.23.0 + - v1.24.0 +- source: docker.io/rancher/kiwigrid-k8s-sidecar + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/kiwigrid-k8s-sidecar' + type: repository + tags: + allow: + - 0.1.151 +- source: docker.io/rancher/klipper-helm + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/klipper-helm' + type: repository + tags: + allow: + - v0.7.0-build20220315 +- source: docker.io/rancher/kube-rbac-proxy + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/kube-rbac-proxy' + type: repository + tags: + allow: + - v0.5.0 +- source: docker.io/rancher/kubectl + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/kubectl' + type: repository + tags: + allow: + - v1.18.6 + - v1.20.15 + - v1.20.2 + - v1.21.5 + - v1.21.9 + - v1.22.6 + - v1.23.3 + - v1.26.3 + - v1.28.1 +- source: docker.io/rancher/library-busybox + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/library-busybox' + type: repository + tags: + allow: + - 1.31.1 +- source: docker.io/rancher/library-nginx + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/library-nginx' + type: repository + tags: + allow: + - 1.19.2-alpine +- source: docker.io/rancher/longhornio-csi-attacher + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/longhornio-csi-attacher' + type: repository + tags: + allow: + - v2.0.0 + - v2.2.1-lh1 +- source: docker.io/rancher/longhornio-csi-node-driver-registrar + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/longhornio-csi-node-driver-registrar' + type: repository + tags: + allow: + - v1.2.0 + - v1.2.0-lh1 +- source: docker.io/rancher/longhornio-csi-provisioner + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/longhornio-csi-provisioner' + type: repository + tags: + allow: + - v1.4.0 + - v1.6.0-lh1 +- 
source: docker.io/rancher/longhornio-csi-resizer + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/longhornio-csi-resizer' + type: repository + tags: + allow: + - v0.3.0 + - v0.5.1-lh1 +- source: docker.io/rancher/longhornio-csi-snapshotter + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/longhornio-csi-snapshotter' + type: repository + tags: + allow: + - v2.1.1-lh1 +- source: docker.io/rancher/longhornio-longhorn-engine + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/longhornio-longhorn-engine' + type: repository + tags: + allow: + - v1.0.2 + - v1.1.0 +- source: docker.io/rancher/longhornio-longhorn-instance-manager + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/longhornio-longhorn-instance-manager' + type: repository + tags: + allow: + - v1_20200514 + - v1_20201216 +- source: docker.io/rancher/longhornio-longhorn-manager + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/longhornio-longhorn-manager' + type: repository + tags: + allow: + - v1.0.2 + - v1.1.0 +- source: docker.io/rancher/longhornio-longhorn-share-manager + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/longhornio-longhorn-share-manager' + type: repository + tags: + allow: + - v1_20201204 +- source: docker.io/rancher/longhornio-longhorn-ui + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/longhornio-longhorn-ui' + type: repository + tags: + allow: + - v1.0.2 + - v1.1.0 +- source: docker.io/rancher/mirrored-amazon-aws-cli + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-amazon-aws-cli' + type: repository + tags: + allow: + - 2.0.52 + - 2.9.14 +- source: docker.io/rancher/mirrored-appscode-kubed + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-appscode-kubed' + type: repository + tags: + allow: + - v0.13.2 +- source: docker.io/rancher/mirrored-banzaicloud-fluentd + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-banzaicloud-fluentd' + type: repository + tags: + allow: + - v1.11.5-alpine-12 + - v1.11.5-alpine-9 + - v1.12.4-alpine-1 + - v1.13.3-alpine-11 + - v1.14.4-alpine-2 + - 
v1.14.5-alpine-1 + - v1.14.6-alpine-5 +- source: docker.io/rancher/mirrored-banzaicloud-logging-operator + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-banzaicloud-logging-operator' + type: repository + tags: + allow: + - 3.12.0 + - 3.15.0 + - 3.17.10 + - 3.17.3 + - 3.17.4 + - 3.17.7 + - 3.9.0 + - 3.9.4 +- source: docker.io/rancher/mirrored-cloud-provider-vsphere-cpi-release-manager + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-cloud-provider-vsphere-cpi-release-manager' + type: repository + tags: + allow: + - latest + - v1.18.0 + - v1.19.0 + - v1.2.1 + - v1.20.0 + - v1.20.1 + - v1.21.0 + - v1.21.3 + - v1.22.5 + - v1.22.6 + - v1.22.7 + - v1.22.8 + - v1.23.0 + - v1.23.3 + - v1.23.4 + - v1.24.3 + - v1.24.5 + - v1.25.0 + - v1.25.2 + - v1.26.1 +- source: docker.io/rancher/mirrored-cloud-provider-vsphere-csi-release-driver + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-cloud-provider-vsphere-csi-release-driver' + type: repository + tags: + allow: + - latest + - v2.1.0 + - v2.2.1 + - v2.3.0 + - v2.4.1 + - v2.4.3 + - v2.5.1 + - v2.5.4 + - v2.6.2 + - v2.6.3 + - v2.7.0 + - v2.7.1 + - v3.0.1 +- source: docker.io/rancher/mirrored-cloud-provider-vsphere-csi-release-syncer + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-cloud-provider-vsphere-csi-release-syncer' + type: repository + tags: + allow: + - latest + - v2.1.0 + - v2.2.1 + - v2.3.0 + - v2.4.1 + - v2.4.3 + - v2.5.1 + - v2.5.4 + - v2.6.2 + - v2.6.3 + - v2.7.0 + - v2.7.1 + - v3.0.1 +- source: docker.io/rancher/mirrored-cluster-api-controller + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-cluster-api-controller' + type: repository + tags: + allow: + - v1.4.4 +- source: docker.io/rancher/mirrored-coredns-coredns + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-coredns-coredns' + type: repository + tags: + allow: + - 1.6.2 +- source: docker.io/rancher/mirrored-coreos-kube-state-metrics + target: '{{ env "REGISTRY_ENDPOINT" 
}}/rancher/mirrored-coreos-kube-state-metrics' + type: repository + tags: + allow: + - v1.9.7 +- source: docker.io/rancher/mirrored-coreos-prometheus-config-reloader + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-coreos-prometheus-config-reloader' + type: repository + tags: + allow: + - v0.38.1 +- source: docker.io/rancher/mirrored-coreos-prometheus-operator + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-coreos-prometheus-operator' + type: repository + tags: + allow: + - v0.38.1 +- source: docker.io/rancher/mirrored-curlimages-curl + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-curlimages-curl' + type: repository + tags: + allow: + - 7.70.0 + - 7.73.0 + - 7.77.0 + - 7.83.1 + - 7.85.0 +- source: docker.io/rancher/mirrored-dexidp-dex + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-dexidp-dex' + type: repository + tags: + allow: + - v2.35.3 + - v2.36.0 +- source: docker.io/rancher/mirrored-directxman12-k8s-prometheus-adapter + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-directxman12-k8s-prometheus-adapter' + type: repository + tags: + allow: + - v0.8.3 + - v0.8.4 +- source: docker.io/rancher/mirrored-directxman12-k8s-prometheus-adapter-amd64 + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-directxman12-k8s-prometheus-adapter-amd64' + type: repository + tags: + allow: + - v0.7.0 +- source: docker.io/rancher/mirrored-epinio-epinio-server + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-epinio-epinio-server' + type: repository + tags: + allow: + - v1.2.0 + - v1.6.2 + - v1.8.1 + - v1.9.0 +- source: docker.io/rancher/mirrored-epinio-epinio-ui + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-epinio-epinio-ui' + type: repository + tags: + allow: + - v1.2.0-0.0.1 + - v1.5.1-0.0.3 + - v1.8.1-0.0.1 + - v1.9.0-0.0.3 +- source: docker.io/rancher/mirrored-epinio-epinio-unpacker + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-epinio-epinio-unpacker' + type: repository + tags: + allow: + - 
1.0 + - v1.6.2 + - v1.8.1 + - v1.9.0 +- source: docker.io/rancher/mirrored-fluent-fluent-bit + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-fluent-fluent-bit' + type: repository + tags: + allow: + - 1.6.10 + - 1.6.10-debug + - 1.7.9 + - 1.7.9-debug + - 1.8.15 + - 1.8.15-debug + - 1.8.8 + - 1.8.8-debug + - 1.8.9 + - 1.8.9-debug + - 1.9.3 + - 1.9.3-debug + - 1.9.5 + - 1.9.5-debug +- source: docker.io/rancher/mirrored-grafana-grafana + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-grafana-grafana' + type: repository + tags: + allow: + - 7.1.5 + - 7.4.5 + - 7.5.11 + - 7.5.8 + - 9.1.5 +- source: docker.io/rancher/mirrored-grafana-grafana-image-renderer + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-grafana-grafana-image-renderer' + type: repository + tags: + allow: + - 2.0.1 + - 3.0.1 +- source: docker.io/rancher/mirrored-idealista-prom2teams + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-idealista-prom2teams' + type: repository + tags: + allow: + - 3.2.1 + - 3.2.2 + - 3.2.3 + - 4.2.0 + - 4.2.1 +- source: docker.io/rancher/mirrored-ingress-nginx-kube-webhook-certgen + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-ingress-nginx-kube-webhook-certgen' + type: repository + tags: + allow: + - v1.0 + - v1.3.0 +- source: docker.io/rancher/mirrored-istio-coredns-plugin + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-istio-coredns-plugin' + type: repository + tags: + allow: + - 0.2-istio-1.1 +- source: docker.io/rancher/mirrored-istio-install-cni + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-istio-install-cni' + type: repository + tags: + allow: + - 1.10.4 + - 1.11.4 + - 1.11.7 + - 1.11.8 + - 1.12.6 + - 1.13.3 + - 1.14.1-distroless + - 1.14.3-distroless + - 1.15.3-distroless + - 1.16.3-distroless + - 1.17.2-distroless + - 1.18.2-distroless + - 1.8.3 + - 1.8.5 + - 1.8.6 + - 1.9.3 + - 1.9.5 + - 1.9.6 + - 1.9.8 +- source: docker.io/rancher/mirrored-istio-pilot + target: '{{ env "REGISTRY_ENDPOINT" 
}}/rancher/mirrored-istio-pilot' + type: repository + tags: + allow: + - 1.10.4 + - 1.11.4 + - 1.11.7 + - 1.11.8 + - 1.12.6 + - 1.13.3 + - 1.14.1-distroless + - 1.14.3-distroless + - 1.15.3-distroless + - 1.16.3-distroless + - 1.17.2-distroless + - 1.18.2-distroless + - 1.8.3 + - 1.8.5 + - 1.8.6 + - 1.9.3 + - 1.9.5 + - 1.9.6 + - 1.9.8 +- source: docker.io/rancher/mirrored-istio-proxyv2 + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-istio-proxyv2' + type: repository + tags: + allow: + - 1.10.4 + - 1.11.4 + - 1.11.7 + - 1.11.8 + - 1.12.6 + - 1.13.3 + - 1.14.1-distroless + - 1.14.3-distroless + - 1.15.3-distroless + - 1.16.3-distroless + - 1.17.2-distroless + - 1.18.2-distroless + - 1.8.3 + - 1.8.5 + - 1.8.6 + - 1.9.3 + - 1.9.5 + - 1.9.6 + - 1.9.8 +- source: docker.io/rancher/mirrored-jaegertracing-all-in-one + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-jaegertracing-all-in-one' + type: repository + tags: + allow: + - 1.20.0 + - 1.27.0 + - 1.31.0 + - 1.32.0 + - 1.33.0 + - 1.35.1 + - 1.37.0 + - 1.39.0 + - 1.42.0 + - 1.43.0 + - 1.47.0 +- source: docker.io/rancher/mirrored-jettech-kube-webhook-certgen + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-jettech-kube-webhook-certgen' + type: repository + tags: + allow: + - v1.2.1 + - v1.5.0 + - v1.5.2 +- source: docker.io/rancher/mirrored-jimmidyson-configmap-reload + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-jimmidyson-configmap-reload' + type: repository + tags: + allow: + - v0.3.0 + - v0.4.0 + - v0.8.0 +- source: docker.io/rancher/mirrored-k8scsi-csi-attacher + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-k8scsi-csi-attacher' + type: repository + tags: + allow: + - v3.0.0 + - v3.1.0 +- source: docker.io/rancher/mirrored-k8scsi-csi-node-driver-registrar + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-k8scsi-csi-node-driver-registrar' + type: repository + tags: + allow: + - v2.0.1 + - v2.1.0 +- source: docker.io/rancher/mirrored-k8scsi-csi-provisioner + 
  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-k8scsi-csi-provisioner'
+  type: repository
+  tags:
+    allow:
+    - v2.0.0
+    - v2.1.0
+- source: docker.io/rancher/mirrored-k8scsi-csi-resizer
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-k8scsi-csi-resizer'
+  type: repository
+  tags:
+    allow:
+    - v1.0.0
+    - v1.1.0
+- source: docker.io/rancher/mirrored-k8scsi-livenessprobe
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-k8scsi-livenessprobe'
+  type: repository
+  tags:
+    allow:
+    - v2.1.0
+    - v2.2.0
+- source: docker.io/rancher/mirrored-kiali-kiali
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-kiali-kiali'
+  type: repository
+  tags:
+    allow:
+    - v1.29.0
+    - v1.32.0
+    - v1.35.0
+    - v1.41.0
+    - v1.44.0
+    - v1.50.0
+    - v1.52.0
+    - v1.55.0
+    - v1.59.0
+    - v1.63.2
+    - v1.66.0
+    - v1.67.0
+- source: docker.io/rancher/mirrored-kiwigrid-k8s-sidecar
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-kiwigrid-k8s-sidecar'
+  type: repository
+  tags:
+    allow:
+    - 0.1.151
+    - 1.10.7
+    - 1.12.2
+    - 1.12.3
+    - 1.15.9
+    - 1.19.2
+- source: docker.io/rancher/mirrored-kube-rbac-proxy
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-kube-rbac-proxy'
+  type: repository
+  tags:
+    allow:
+    - v0.5.0
+- source: docker.io/rancher/mirrored-kube-state-metrics-kube-state-metrics
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-kube-state-metrics-kube-state-metrics'
+  type: repository
+  tags:
+    allow:
+    - v1.9.8
+    - v2.0.0
+    - v2.2.0
+    - v2.6.0
+- source: docker.io/rancher/mirrored-library-busybox
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-library-busybox'
+  type: repository
+  tags:
+    allow:
+    - 1.31.1
+- source: docker.io/rancher/mirrored-library-nginx
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-library-nginx'
+  type: repository
+  tags:
+    allow:
+    - 1.19.2-alpine
+    - 1.21.1-alpine
+    - 1.23.0-alpine
+    - 1.23.2-alpine
+    - 1.24.0-alpine
+- source: docker.io/rancher/mirrored-library-registry
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-library-registry'
+  type: repository
+  tags:
+    allow:
+    - 2.8.1
+- source: docker.io/rancher/mirrored-longhornio-backing-image-manager
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-longhornio-backing-image-manager'
+  type: repository
+  tags:
+    allow:
+    - v1.4.0
+    - v1.4.1
+    - v1.4.2
+    - v1.4.3
+    - v1.5.1
+    - v1_20210422
+    - v1_20210422_patch1
+    - v2_20210820
+    - v2_20210820_patch1
+    - v2_20221027
+    - v3_20220609
+    - v3_20220808
+    - v3_20221003
+    - v3_20230320
+- source: docker.io/rancher/mirrored-longhornio-csi-attacher
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-longhornio-csi-attacher'
+  type: repository
+  tags:
+    allow:
+    - v2.2.1-lh1
+    - v2.2.1-lh2
+    - v3.2.1
+    - v3.4.0
+    - v4.2.0
+- source: docker.io/rancher/mirrored-longhornio-csi-node-driver-registrar
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-longhornio-csi-node-driver-registrar'
+  type: repository
+  tags:
+    allow:
+    - v1.2.0-lh1
+    - v2.3.0
+    - v2.5.0
+    - v2.7.0
+- source: docker.io/rancher/mirrored-longhornio-csi-provisioner
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-longhornio-csi-provisioner'
+  type: repository
+  tags:
+    allow:
+    - v1.6.0-lh1
+    - v1.6.0-lh2
+    - v2.1.2
+    - v3.4.1
+- source: docker.io/rancher/mirrored-longhornio-csi-resizer
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-longhornio-csi-resizer'
+  type: repository
+  tags:
+    allow:
+    - v0.5.1-lh1
+    - v0.5.1-lh2
+    - v1.2.0
+    - v1.3.0
+    - v1.7.0
+- source: docker.io/rancher/mirrored-longhornio-csi-snapshotter
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-longhornio-csi-snapshotter'
+  type: repository
+  tags:
+    allow:
+    - v2.1.1-lh1
+    - v2.1.1-lh2
+    - v3.0.3
+    - v5.0.1
+    - v6.2.1
+- source: docker.io/rancher/mirrored-longhornio-livenessprobe
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-longhornio-livenessprobe'
+  type: repository
+  tags:
+    allow:
+    - v2.8.0
+    - v2.9.0
+- source: docker.io/rancher/mirrored-longhornio-longhorn-engine
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-longhornio-longhorn-engine'
+  type: repository
+  tags:
+    allow:
+    - v1.1.0
+    - v1.1.1
+    - v1.1.2
+    - v1.1.3
+    - v1.2.2
+    - v1.2.3
+    - v1.2.4
+    - v1.2.5
+    - v1.2.6
+    - v1.3.0
+    - v1.3.1
+    - v1.3.2
+    - v1.3.3
+    - v1.4.0
+    - v1.4.1
+    - v1.4.2
+    - v1.4.3
+    - v1.5.1
+- source: docker.io/rancher/mirrored-longhornio-longhorn-instance-manager
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-longhornio-longhorn-instance-manager'
+  type: repository
+  tags:
+    allow:
+    - v1.4.0
+    - v1.4.1
+    - v1.4.2
+    - v1.4.3
+    - v1.5.1
+    - v1_20201216
+    - v1_20210621
+    - v1_20210731
+    - v1_20211210
+    - v1_20220303
+    - v1_20220303_patch1
+    - v1_20220303_patch2
+    - v1_20220611
+    - v1_20220808
+    - v1_20221003
+    - v1_20230407
+- source: docker.io/rancher/mirrored-longhornio-longhorn-manager
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-longhornio-longhorn-manager'
+  type: repository
+  tags:
+    allow:
+    - v1.1.0
+    - v1.1.1
+    - v1.1.2
+    - v1.1.3
+    - v1.2.2
+    - v1.2.3
+    - v1.2.4
+    - v1.2.5
+    - v1.2.6
+    - v1.3.0
+    - v1.3.1
+    - v1.3.2
+    - v1.3.3
+    - v1.4.0
+    - v1.4.1
+    - v1.4.2
+    - v1.4.3
+    - v1.5.1
+- source: docker.io/rancher/mirrored-longhornio-longhorn-share-manager
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-longhornio-longhorn-share-manager'
+  type: repository
+  tags:
+    allow:
+    - v1.4.0
+    - v1.4.1
+    - v1.4.2
+    - v1.4.3
+    - v1.5.1
+    - v1_20201204
+    - v1_20210416
+    - v1_20210416_patch1
+    - v1_20210914
+    - v1_20211020
+    - v1_20211020_patch1
+    - v1_20211020_patch2
+    - v1_20220531
+    - v1_20220808
+    - v1_20221003
+    - v1_20230320
+- source: docker.io/rancher/mirrored-longhornio-longhorn-ui
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-longhornio-longhorn-ui'
+  type: repository
+  tags:
+    allow:
+    - v1.1.0
+    - v1.1.1
+    - v1.1.2
+    - v1.1.3
+    - v1.2.2
+    - v1.2.3
+    - v1.2.4
+    - v1.2.5
+    - v1.2.6
+    - v1.3.0
+    - v1.3.1
+    - v1.3.2
+    - v1.3.3
+    - v1.4.0
+    - v1.4.1
+    - v1.4.2
+    - v1.4.3
+    - v1.5.1
+- source: docker.io/rancher/mirrored-longhornio-support-bundle-kit
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-longhornio-support-bundle-kit'
+  type: repository
+  tags:
+    allow:
+    - v0.0.17
+    - v0.0.19
+    - v0.0.24
+    - v0.0.25
+- source: docker.io/rancher/mirrored-messagebird-sachet
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-messagebird-sachet'
+  type: repository
+  tags:
+    allow:
+    - 0.2.3
+    - 0.2.6
+    - 0.3.1
+- source: docker.io/rancher/mirrored-minio-mc
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-minio-mc'
+  type: repository
+  tags:
+    allow:
+    - RELEASE.2022-05-09T04-08-26Z
+    - RELEASE.2022-12-13T00-23-28Z
+    - RELEASE.2023-01-28T20-29-38Z
+    - RELEASE.2023-06-28T21-54-17Z
+- source: docker.io/rancher/mirrored-minio-minio
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-minio-minio'
+  type: repository
+  tags:
+    allow:
+    - RELEASE.2022-05-08T23-50-31Z
+    - RELEASE.2022-12-12T19-27-27Z
+    - RELEASE.2023-02-10T18-48-39Z
+    - RELEASE.2023-07-07T07-13-57Z
+- source: docker.io/rancher/mirrored-neuvector-controller
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-controller'
+  type: repository
+  tags:
+    allow:
+    - 5.0.0
+    - 5.0.2
+    - 5.0.3
+    - 5.0.4
+    - 5.1.1
+    - 5.1.2
+    - 5.1.3
+    - 5.2.0
+    - 5.2.1
+    - 5.2.2-s1
+- source: docker.io/rancher/mirrored-neuvector-enforcer
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-enforcer'
+  type: repository
+  tags:
+    allow:
+    - 5.0.0
+    - 5.0.2
+    - 5.0.3
+    - 5.0.4
+    - 5.1.1
+    - 5.1.2
+    - 5.1.3
+    - 5.2.0
+    - 5.2.1
+    - 5.2.2-s1
+- source: docker.io/rancher/mirrored-neuvector-manager
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-manager'
+  type: repository
+  tags:
+    allow:
+    - 5.0.0
+    - 5.0.2
+    - 5.0.3
+    - 5.0.4
+    - 5.1.1
+    - 5.1.2
+    - 5.1.3
+    - 5.2.0
+    - 5.2.1
+    - 5.2.2-s1
+- source: docker.io/rancher/mirrored-neuvector-prometheus-exporter
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-prometheus-exporter'
+  type: repository
+  tags:
+    allow:
+    - 5.2.0
+    - 5.2.1
+    - 5.2.2
+- source: docker.io/rancher/mirrored-neuvector-registry-adapter
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-registry-adapter'
+  type: repository
+  tags:
+    allow:
+    - 0.1.0
+    - 0.1.1-s1
+- source: docker.io/rancher/mirrored-neuvector-scanner
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-scanner'
+  type: repository
+  tags:
+    allow:
+    - latest
+- source: docker.io/rancher/mirrored-neuvector-updater
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-neuvector-updater'
+  type: repository
+  tags:
+    allow:
+    - latest
+- source: docker.io/rancher/mirrored-openpolicyagent-gatekeeper
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-openpolicyagent-gatekeeper'
+  type: repository
+  tags:
+    allow:
+    - v3.10.0
+    - v3.12.0
+    - v3.3.0
+    - v3.5.1
+    - v3.6.0
+    - v3.7.1
+    - v3.8.1
+    - v3.9.0
+- source: docker.io/rancher/mirrored-openpolicyagent-gatekeeper-crds
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-openpolicyagent-gatekeeper-crds'
+  type: repository
+  tags:
+    allow:
+    - v3.10.0
+    - v3.12.0
+    - v3.6.0
+    - v3.7.1
+    - v3.8.1
+    - v3.9.0
+- source: docker.io/rancher/mirrored-paketobuildpacks-builder
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-paketobuildpacks-builder'
+  type: repository
+  tags:
+    allow:
+    - 0.2.289-full
+    - 0.2.407-full
+    - 0.2.441-full
+    - 0.2.95-full
+- source: docker.io/rancher/mirrored-prom-alertmanager
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-prom-alertmanager'
+  type: repository
+  tags:
+    allow:
+    - v0.21.0
+- source: docker.io/rancher/mirrored-prom-node-exporter
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-prom-node-exporter'
+  type: repository
+  tags:
+    allow:
+    - v1.0.1
+- source: docker.io/rancher/mirrored-prom-prometheus
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-prom-prometheus'
+  type: repository
+  tags:
+    allow:
+    - v2.18.2
+- source: docker.io/rancher/mirrored-prometheus-adapter-prometheus-adapter
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-prometheus-adapter-prometheus-adapter'
+  type: repository
+  tags:
+    allow:
+    - v0.10.0
+    - v0.9.0
+- source: docker.io/rancher/mirrored-prometheus-alertmanager
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-prometheus-alertmanager'
+  type: repository
+  tags:
+    allow:
+    - v0.22.2
+    - v0.24.0
+- source: docker.io/rancher/mirrored-prometheus-node-exporter
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-prometheus-node-exporter'
+  type: repository
+  tags:
+    allow:
+    - v1.1.2
+    - v1.2.2
+    - v1.3.1
+- source: docker.io/rancher/mirrored-prometheus-operator-prometheus-config-reloader
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-prometheus-operator-prometheus-config-reloader'
+  type: repository
+  tags:
+    allow:
+    - v0.46.0
+    - v0.48.0
+    - v0.50.0
+    - v0.59.1
+- source: docker.io/rancher/mirrored-prometheus-operator-prometheus-operator
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-prometheus-operator-prometheus-operator'
+  type: repository
+  tags:
+    allow:
+    - v0.46.0
+    - v0.48.0
+    - v0.50.0
+    - v0.59.1
+- source: docker.io/rancher/mirrored-prometheus-prometheus
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-prometheus-prometheus'
+  type: repository
+  tags:
+    allow:
+    - v2.24.0
+    - v2.27.1
+    - v2.28.1
+    - v2.38.0
+- source: docker.io/rancher/mirrored-s3gw-s3gw
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-s3gw-s3gw'
+  type: repository
+  tags:
+    allow:
+    - v0.14.0
+- source: docker.io/rancher/mirrored-sig-storage-csi-attacher
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-sig-storage-csi-attacher'
+  type: repository
+  tags:
+    allow:
+    - latest
+    - v3.2.0
+    - v3.3.0
+    - v3.4.0
+    - v3.5.0
+    - v4.2.0
+- source: docker.io/rancher/mirrored-sig-storage-csi-node-driver-registrar
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-sig-storage-csi-node-driver-registrar'
+  type: repository
+  tags:
+    allow:
+    - latest
+    - v2.3.0
+    - v2.5.0
+    - v2.5.1
+    - v2.6.2
+    - v2.7.0
+- source: docker.io/rancher/mirrored-sig-storage-csi-provisioner
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-sig-storage-csi-provisioner'
+  type: repository
+  tags:
+    allow:
+    - latest
+    - v2.2.0
+    - v3.0.0
+    - v3.1.0
+    - v3.2.1
+    - v3.3.0
+    - v3.4.0
+- source: docker.io/rancher/mirrored-sig-storage-csi-resizer
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-sig-storage-csi-resizer'
+  type: repository
+  tags:
+    allow:
+    - latest
+    - v1.3.0
+    - v1.4.0
+    - v1.6.0
+    - v1.7.0
+- source: docker.io/rancher/mirrored-sig-storage-livenessprobe
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-sig-storage-livenessprobe'
+  type: repository
+  tags:
+    allow:
+    - latest
+    - v2.4.0
+    - v2.6.0
+    - v2.7.0
+    - v2.8.0
+    - v2.9.0
+- source: docker.io/rancher/mirrored-sigwindowstools-k8s-gmsa-webhook
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-sigwindowstools-k8s-gmsa-webhook'
+  type: repository
+  tags:
+    allow:
+    - v0.3.0
+- source: docker.io/rancher/mirrored-skopeo-skopeo
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-skopeo-skopeo'
+  type: repository
+  tags:
+    allow:
+    - v1.10.0
+- source: docker.io/rancher/mirrored-sonobuoy-sonobuoy
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-sonobuoy-sonobuoy'
+  type: repository
+  tags:
+    allow:
+    - v0.16.3
+    - v0.53.2
+    - v0.56.16
+    - v0.56.7
+- source: docker.io/rancher/mirrored-squareup-ghostunnel
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-squareup-ghostunnel'
+  type: repository
+  tags:
+    allow:
+    - v1.5.2
+- source: docker.io/rancher/mirrored-thanos-thanos
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/mirrored-thanos-thanos'
+  type: repository
+  tags:
+    allow:
+    - v0.17.2
+    - v0.28.0
+- source: docker.io/rancher/openpolicyagent-gatekeeper
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/openpolicyagent-gatekeeper'
+  type: repository
+  tags:
+    allow:
+    - v3.1.1
+    - v3.2.1
+- source: docker.io/rancher/prom-alertmanager
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/prom-alertmanager'
+  type: repository
+  tags:
+    allow:
+    - v0.21.0
+- source: docker.io/rancher/prom-node-exporter
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/prom-node-exporter'
+  type: repository
+  tags:
+    allow:
+    - v1.0.1
+- source: docker.io/rancher/prom-prometheus
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/prom-prometheus'
+  type: repository
+  tags:
+    allow:
+    - v2.18.2
+- source: docker.io/rancher/prometheus-federator
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/prometheus-federator'
+  type: repository
+  tags:
+    allow:
+    - v0.1.0
+    - v0.2.1
+    - v0.3.0
+    - v0.3.2
+- source: docker.io/rancher/pushprox-client
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/pushprox-client'
+  type: repository
+  tags:
+    allow:
+    - v0.1.0-rancher1-client
+    - v0.1.0-rancher2-client
+- source: docker.io/rancher/pushprox-proxy
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/pushprox-proxy'
+  type: repository
+  tags:
+    allow:
+    - v0.1.0-rancher1-proxy
+    - v0.1.0-rancher2-proxy
+- source: docker.io/rancher/rancher-agent
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/rancher-agent'
+  type: repository
+  tags:
+    allow:
+    - v2.4.8
+    - v2.5.7
+- source: docker.io/rancher/rancher-csp-adapter
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/rancher-csp-adapter'
+  type: repository
+  tags:
+    allow:
+    - v1.0.0
+    - v1.0.1
+    - v2.0.0
+    - v2.0.1
+    - v2.0.2
+- source: docker.io/rancher/rancher-webhook
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/rancher-webhook'
+  type: repository
+  tags:
+    allow:
+    - v0.1.0
+    - v0.1.0-beta5
+    - v0.1.0-beta7
+    - v0.1.0-beta9
+    - v0.1.1
+    - v0.1.2
+    - v0.1.3
+    - v0.1.4
+    - v0.1.5
+    - v0.1.6
+    - v0.2.0
+    - v0.2.1
+    - v0.2.10
+    - v0.2.2
+    - v0.2.5
+    - v0.2.6
+    - v0.2.7
+    - v0.2.9
+    - v0.3.0
+    - v0.3.2
+    - v0.3.3
+    - v0.3.4
+    - v0.3.5
+    - v0.3.6
+- source: docker.io/rancher/security-scan
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/security-scan'
+  type: repository
+  tags:
+    allow:
+    - v0.2.1
+    - v0.2.10
+    - v0.2.11
+    - v0.2.12
+    - v0.2.13
+    - v0.2.2
+    - v0.2.3
+    - v0.2.4
+    - v0.2.5
+    - v0.2.6
+    - v0.2.7
+    - v0.2.8
+    - v0.2.9
+- source: docker.io/rancher/shell
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/shell'
+  type: repository
+  tags:
+    allow:
+    - v0.1.14
+    - v0.1.18
+    - v0.1.19
+    - v0.1.19-rc8
+    - v0.1.8
+- source: docker.io/rancher/sonobuoy-sonobuoy
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/sonobuoy-sonobuoy'
+  type: repository
+  tags:
+    allow:
+    - v0.16.3
+- source: docker.io/rancher/squareup-ghostunnel
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/squareup-ghostunnel'
+  type: repository
+  tags:
+    allow:
+    - v1.5.2
+- source: docker.io/rancher/system-upgrade-controller
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/system-upgrade-controller'
+  type: repository
+  tags:
+    allow:
+    - v0.10.0
+    - v0.11.0
+    - v0.7.5
+    - v0.8.1
+    - v0.9.1
+- source: docker.io/rancher/tekton-utils
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/tekton-utils'
+  type: repository
+  tags:
+    allow:
+    - v0.1.0
+    - v0.1.1
+    - v0.1.11
+    - v0.1.2
+    - v0.1.22
+    - v0.1.3
+    - v0.1.33
+    - v0.1.5
+    - v0.1.6
+    - v0.1.7
+- source: docker.io/rancher/ui-plugin-operator
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/ui-plugin-operator'
+  type: repository
+  tags:
+    allow:
+    - v0.1.0
+    - v0.1.1
+- source: docker.io/rancher/windows_exporter-package
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/windows_exporter-package'
+  type: repository
+  tags:
+    allow:
+    - v0.0.1
+    - v0.0.2
+    - v0.0.3
+- source: docker.io/rancher/wins
+  target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/wins'
+  type: repository
+  tags:
+    allow:
+    - v0.1.1