From 0dc55205fbf789b0d5637e21303cccafa9ff3a84 Mon Sep 17 00:00:00 2001 From: Lucas Lopes Date: Wed, 17 Apr 2024 18:39:58 -0300 Subject: [PATCH 1/4] Emptying release.yaml before release --- release.yaml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/release.yaml b/release.yaml index f1b88f1a2f..8b13789179 100644 --- a/release.yaml +++ b/release.yaml @@ -1,10 +1 @@ -longhorn: - - 103.3.0+up1.6.1 -longhorn-crd: - - 103.3.0+up1.6.1 -neuvector-monitor: - - 103.0.3+up2.7.6 -neuvector: - - 103.0.3+up2.7.6 -neuvector-crd: - - 103.0.3+up2.7.6 + From b39545696667f4c7685eee8e1026a7324c399f59 Mon Sep 17 00:00:00 2001 From: Lucas Machado Date: Wed, 17 Apr 2024 18:28:12 -0300 Subject: [PATCH 2/4] [dev-v2.8] Forward ports longhorn 102.4.0+up1.6.1 (#3796) --- .../longhorn-crd-102.4.0+up1.6.1.tgz | Bin 0 -> 12631 bytes assets/longhorn/longhorn-102.4.0+up1.6.1.tgz | Bin 0 -> 30514 bytes .../longhorn-crd/102.4.0+up1.6.1/Chart.yaml | 11 + charts/longhorn-crd/102.4.0+up1.6.1/README.md | 2 + .../102.4.0+up1.6.1/templates/_helpers.tpl | 66 + .../102.4.0+up1.6.1/templates/crds.yaml | 3931 +++++++++++++++++ charts/longhorn/102.4.0+up1.6.1/.helmignore | 21 + charts/longhorn/102.4.0+up1.6.1/Chart.yaml | 40 + charts/longhorn/102.4.0+up1.6.1/README.md | 50 + charts/longhorn/102.4.0+up1.6.1/app-readme.md | 27 + .../longhorn/102.4.0+up1.6.1/questions.yaml | 920 ++++ .../102.4.0+up1.6.1/templates/NOTES.txt | 5 + .../102.4.0+up1.6.1/templates/_helpers.tpl | 66 + .../templates/clusterrole.yaml | 77 + .../templates/clusterrolebinding.yaml | 49 + .../templates/daemonset-sa.yaml | 167 + .../templates/default-setting.yaml | 229 + .../templates/deployment-driver.yaml | 132 + .../templates/deployment-ui.yaml | 182 + .../102.4.0+up1.6.1/templates/ingress.yaml | 37 + ...king-image-data-source-network-policy.yaml | 27 + .../backing-image-manager-network-policy.yaml | 27 + .../instance-manager-networking.yaml | 27 + .../manager-network-policy.yaml | 35 + .../recovery-backend-network-policy.yaml | 17 + .../ui-frontend-network-policy.yaml | 46 + .../webhook-network-policy.yaml | 33 + .../templates/postupgrade-job.yaml | 56 + .../templates/preupgrade-job.yaml | 55 + .../templates/priorityclass.yaml | 9 + .../102.4.0+up1.6.1/templates/psp.yaml | 66 + .../templates/registry-secret.yaml | 13 + .../templates/serviceaccount.yaml | 40 + .../templates/servicemonitor.yaml | 19 + .../102.4.0+up1.6.1/templates/services.yaml | 71 + .../templates/storageclass.yaml | 50 + .../templates/tls-secrets.yaml | 16 + .../templates/uninstall-job.yaml | 57 + .../102.4.0+up1.6.1/templates/userroles.yaml | 53 + .../templates/validate-install-crd.yaml | 35 + .../templates/validate-psp-install.yaml | 7 + charts/longhorn/102.4.0+up1.6.1/values.yaml | 483 ++ index.yaml | 59 + release.yaml | 7 +- 44 files changed, 7319 insertions(+), 1 deletion(-) create mode 100644 assets/longhorn-crd/longhorn-crd-102.4.0+up1.6.1.tgz create mode 100644 assets/longhorn/longhorn-102.4.0+up1.6.1.tgz create mode 100644 charts/longhorn-crd/102.4.0+up1.6.1/Chart.yaml create mode 100644 charts/longhorn-crd/102.4.0+up1.6.1/README.md create mode 100644 charts/longhorn-crd/102.4.0+up1.6.1/templates/_helpers.tpl create mode 100644 charts/longhorn-crd/102.4.0+up1.6.1/templates/crds.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/.helmignore create mode 100644 charts/longhorn/102.4.0+up1.6.1/Chart.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/README.md create mode 100644 charts/longhorn/102.4.0+up1.6.1/app-readme.md create mode 100644 charts/longhorn/102.4.0+up1.6.1/questions.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/NOTES.txt create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/_helpers.tpl create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/clusterrole.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/clusterrolebinding.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/daemonset-sa.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/default-setting.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/deployment-driver.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/deployment-ui.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/ingress.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/network-policies/backing-image-data-source-network-policy.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/network-policies/backing-image-manager-network-policy.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/network-policies/instance-manager-networking.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/network-policies/manager-network-policy.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/network-policies/recovery-backend-network-policy.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/network-policies/ui-frontend-network-policy.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/network-policies/webhook-network-policy.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/postupgrade-job.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/preupgrade-job.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/priorityclass.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/psp.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/registry-secret.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/serviceaccount.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/servicemonitor.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/services.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/storageclass.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/tls-secrets.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/uninstall-job.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/userroles.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/validate-install-crd.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/templates/validate-psp-install.yaml create mode 100644 charts/longhorn/102.4.0+up1.6.1/values.yaml diff --git a/assets/longhorn-crd/longhorn-crd-102.4.0+up1.6.1.tgz b/assets/longhorn-crd/longhorn-crd-102.4.0+up1.6.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..1238812580387ed85288aab67d425bbd4161809f GIT binary patch literal 12631 zcmV-dF{sWTiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKD3a@;nSXny-CP})1?WH#NBCXRDgRa3hf$-bjq+vAdKPu0$* zvS&;HS7327ii-w&QOLRM>AQ?s*$kt3C!^a#5ktp3~W!I zz&y8p&Y#aupQMN<4Cg|K583GyJV1ZH~C=hGR!Pkp>MU2ZgH?k}y zE5LJSlxJ>Be{i30xs| z_0~eU?1e=8YfO@?NZp;Bf78KsEku5HeEd5;TfpQNk@W1}zCSrRvKpO^G)DCUHOlEDgV{4e*5jWql(};!&@lOHCkaV*!`TDf8MhUd|ea% zOc8#l4o7UT&|Ap)T?+mI7SEp{l6+JB2dp0JSw92EzkgB@JA(_9aj-%JG0Dc&l;i@E z6tWcj8D$%wi^yqdugK;w>oS_aFwf_=)jBA}_!;>1S5Qie&QhOCs& zoS@QEU5msN`l%}9q(}9&!>ET#G)Ad0Q&suiQ45#<9{n$2Dc_qR*sK3Ndv@~t*>^4d z@B3#zoJ9TaAs*Y5f;mPX1tRhnpWpsp%?MAQ++vcRfs29*y17Q27A!%Ray?*W8Eue& zDHKrJk1cZ&fP@mkXqF*1TOp#D?4rO~idcioZcpYv%ul2pD0MhY$veD3T)<6!21t=* zPk@nJk|EDPSI;PA)*So;5KK};1b8M{fkdL3M6%1xx z>{J=PrcAu4q0d0JUf|Sx#AH=ukolT;0sv2_v~nxfl0E^zjEHJ+24I@1F^1V&$-NP~ zpjojY6}*O-{Z1MK1!I!*Tu8;hSO_^yLBX}QoHM$`N`}fW1~s5?Q`QGqGP(i0rWgP} zb4uPqu|5NH*=)h*2Fi^DVhZW8wBKkGo(qP_%7?BbhXJO_J0RvLnd=ho>H-E@`}G)* zgr>;X_dA?rV1Yo+P!1VN0VN)cWGh#f4Q$@fG^p#C-|miwY~}s?7ABX?mkw;KW=ifc z@2vbro9C-$=hAYZ_2=#B0ttAkXMVCq8+c}l(;SiWw^tv&yJ@@zO^UczBfuQotr0`u zRjDL!K^fvLqS@1kE`COdm{(wOMsvgjE*GhOEVgUCZ6Wnk;%ziet$%2Z-mFoSny%_~ zhPhOq8RCd&4lG|oQX&MTdW;yCT%*WR$(Xl@3BXW7R|Nl3wZ^qki-6Ju1W@aqzzl4q z=JG9oBn2CI4;Yf|f`V8rY_)O&UQ>nuCQEt-q>abVj*nMZlp-aen@vHmxIb3X0WS(c z89z?Z7G=jAuV#=XYb;PA3Wknhj%Ny4qQuI4ll}`cLWnY z@9zcTLXN;3Tqs#8mtm31*`Ch96#*A;gR%>$5gwYzlA3%bi8qeSwi?hbtm$NZC2di&JA^tRCQ9Tlw9_3h0eedX573g7S%i~ zF);XmUw@k>KDAX-8Sp8PY_t-irRYSdgK2vhbWz~6!AScVa}?;o0^QMNj(_p@)%s|l z)-R$0@o5!^KSTv0DiBeD_$(EO5zFx=M@eHLq=;k5o*L4vTB_bP+JNg`pYlo8D7odu zrv2Va0o4u6Zxv??tt1&{P$kK!-!Vw|5;2BSU)=?z8G@wsRm+bccsXQng9Kt7LV<>+ zd-raSm=6Tbj1*NtOH$1 z%GH%h$FUz)5Q53-?V%SNDY6VMGSsoj?7Hr?h<|YqZ%Nq(3e~IU&w_evY_qGkyDpFb zGq8TsZw1yX4kii81xnwvy~WBET|0c$&x8^^MEnf=?Z+n?FiJm^&RO|#Hk&<(-h11* zZNBfzb^ls7r*Uxl?M;bZr+tZ(o-Iy~{YHOtI_x(U5)b9A-&ox~sI9Jrg9TFg6_n{% zaG&L_DmB1fS#N^u=Mt(^!ymv*w!ksOb4oZ~WJvP8{hG#Z400&eZ8QpAvqcwh`MU$$ zdil9I_FvasA7hl4l!^ve=(| zCC<=m=BlH$7hd9a|XLQ+E(&ROKGdw~H(Op+Y88!XMGC zAKm&&2D$zDS{1M51s4now7Ne7e?^NmrMK$so&LWZLajPpP_o3UdRlS4am=1)?JeOI zu-To}dR^A+YqxhOId%%o%f9O;S61Bd_Vm~^dR)V?i%}-dz`uQea$5GHDs_#v7~Ora zq5weIh_*>r|2~}*2GN7%jDPe7KKdda`ja!@ahOO)Q>l^t-Iw#@QG2|{+Tqduj`nx7 zzgvZ)i+hKpbq9OZzU^HT(#tH_r7!nb4yT8?KS0_yzyu(etd(!UON782@JH?PjWQ<6 zm?&d<$b2Xt?=H^Wk^a2N8O)z7#rNQOk6&z(@jjf+yLy{7utQJImpC(+9@JT!L9RV( zD#;#~!updrjrZX9-NF5NAP=S-&sUI(YqUHUI}PW7vYjWnKKGmf@6c(Aop{il!A($_ zwnmEpa!T_xN`b%woiB2Ij$(Q)I{oi{n~WE?QrR4&*g5r0N?*Y5Nix)DC8kxmR)=48 zKXd@^&zx?qv$00CA!f9#qir2+>sH|@wsmtA?vy^Im*z-Y#?}DrXD`aDgEy*kLg~_p z@;u1qy(h`Fof>qMXOYZjwIC#r0ylxYimTO2Oh@)dynDXt7#@^S4)kGVuOt4kWGQ6!PHW+HB2Cl_nlD z8^ygD@~!#5qd6b61Z>4?#5C%vbiR4(9N(6v6AZ9Ny9&a?@5JbCB``&uv5zpIbR%Vl zl;^LJSks{?eo>c~9CuB9)7J?NF-F;l{;6`MmqThl1PFLr3c?UhEYaYCY!b@6k2YIPJ-(j<{!Q#$E4g_Q?Bp#M6Zw7J>JKcr4q&r?%Za+|zUf0*pBOW>9EqRDC0m{21iHV zf}<<))=)+Mk^&+_0;TfD3ppj_Kks$=!cov*6)c;I@B8al0idFn^9#xqE%MzRp-$(g z$Kl!IN5-m zja)#FDh@P=^QR60J>HBYNB(R59IRc_pk2^lqp59@hDFF1g z9y=FjB=L2{r|n2~@KES>#$`a&aCewwx`CixPVLprxOHlP1g_E;R{WyEidx@^N6>td zBWQ~Jog%*;tX5=JfAYj<&9LcVaYbp(GHiuuMG5Xedr&F`S_%Y*pEE~^*@K~bSC=wp zB~-ry{Hq3H!jPQ(7-oQ@gdyR9UzfYFi)jQds*jWL$Z3{of8w@krHz9ubJZ+TdwTWo zk9KHZkrXG=P`_Ivu~x3QHcFTSxP@4$F=o61V@mAp&{*A&j3eV3`c0nv&nP?x$-Mu7vR-(T!pcC@=4k&) z1XXOWl11bFnzfV*3*@zAPcXoakPCDETViJf=u(K)F{mUfxIhdLgi^&Ws`zmgiy8<* zeWGagCkTq|7SuLNU}9)HY!y@@e}Lqb5&*E#IXJ*eFR@)}hi^i-Z!oqzq5YU$qlB`Q z8&n{dGLV3~^}SmeDoBM_7a=UrX7XWDZy8;nz9Xa>XuqnWymv@8zmTet4g>0bcd@gH z)^m`Q#AV!>Rvv^JXaG?)g;FiiC@GHulM4_MDpk+P=nkBl)xh!3#RifYLoikIs?0wy zQ&P(86bXnk4&Z_oM(?aUFd0WZuSTKxp5VVrjfoO8yQ3`qwwB)I^juQbr14X}H%whD z#)GM0Fjy}gGoXg2)U&V*+r4A5S1+X*`7JP^xye`x=OKI!9N*pNsKiiK>f$#Ih24)k zgN(uZ*0fQU1Ro<=6?vGclPrIQq=wxa+ z+9rG8JZOAYfg(Ns2Yp?pf6>UT`1PXZ5` z^r$dFFy(r@QNEvGpo@$qw;-Vf35&8l?B2SzZXsdsds|(p@{IDfDv?=|uvWGLNoXs4 zQ^5vLPzm-mP4QC2Iebx_p}DHE+O?Lqu^RJG;gGK6y={p!U9)yZVq$b86R`g0+zjd4 z32AMEY?AOZ-wJ8wLEw(afI}c_7~%T@wQYToLC!~T4IPbBRX`%^D0U%bdcHl*w+UEa zbtQWp8uFQzgA`QS~u6}$oMO|e-ZCc9U$GEnf+voNZ= z3@tCDHr~MDy7{uZQQqZ`lk7z)CPCy@)h^p4|5NL&#-O@u_7Pr=ZmkQyPtT@Ebm>Kx zUUccT3&&{GuuQw4n;Z(fz!?_zLChAD#MEtVl)37D7~CrpMQaqT4{|4b6s=LTM$!7< z(K2h<1qRC;+^KIJ$_KkI=h|TM3Xzp$MyKO_M812?x(H2;Y1y<14rxswPsPf+BzCT>)T8&zBd;zpIYQKePawNa&ZZ12L_>_#TFAcgEp z6^xsTL*2rp>MJZR=w^c*G02{Au?;|9MfavgLa)*C29qRA1QD8|OO$8yeuId34f9>2 zi*D==67lQlR%zOWjhW{Z%D!U-`=>^Xk3Cd;?66U=UG@lRRa8T2MQJ<%nx5E<{?ZD~ z49DUQuu~{07*l3h*URK}c$hjjJG+@wXurzWDD`y?s<2$!*CZ=kT{d98p=k(6Ot^p~ zsjm(l*X6R>YhA08<$cxs9)M6e0LG&dG5}Yhp0`ID%^CDIML$#YGetjBt8fhAjFWJZ zeib7bV6Rff$nr1j0-Dub%4QnxL%4esuTi{ys)$Y$uTi{4@%k`foJkR!Mx#9kaU}w8 z1KmjrnA{?gs$C?P3~$lU)lE+?<-|zTr4is7<(V`y!Qvh$ArJnymX7~Be;VRqSy8$GdhMCnfI! zhiK`=*+*x!%_v1%$0y7ajvepGcC&Q6HcqUOn0msPecMUss@fwM>XDU7QJ~w>zSU?C z-dKtACZy_nqeMtx{VkS4UwLp5yVMIKkop{ETew0K$F97^ z=QaE|#gAOqcHcNtZWF>pJbxBKnu2U#{u;8|8v^r-HN@l^ZRi%IFUSNM75R$66s6an ze%ke20@UY!@441zB9V7XIhdMlFjAB+tg9)f57JO1Uqf-8TsuI#^6^~uII_0?HaWWi z_uA9X(DiU55$V7GY-}TLRbW)@-D9-Qx=BXMsd~6swA&nzM#S}gMiKLij1o*%{Vn(+ zmtZe5@{65HF_mZlp_oe4eqt(7OeJd7b*2(o?$ofnN?q}x)Y=`Gr}5bD*GRDA06}ys z{dIvUOC1+{SbfK^^cCkXKITyEQV%nBBuh|LrD^%Xt()}u0qp88A zhdLr&B9W{^jl3!8Q))+Zkja}DZ1u=BO3dFDZ1t(tz{jV-F`ZfUxCd{q=D@Y?ahwX> zsh}wQnx^P6ic5oDQyV`VqOH3?+^|(pvAiTi>HDy{Tpp9MnxUwrlJZ*l->7hVrTT-f zDbpWyOiUd?W@x}F`yhu zZaTR-)8Vk`yvu!V+eqjIM{LxP`!P5a<0;o@xaG?QWZ}F@=V)HN4Fa{#@TQX(0m-Ft zqs@bEv?<+4=G!hiZd^&9_12r#*UlcCHX?csI5y+pjs8^a#%b03B-?TtG3Itst(m+B z%pA6z%AJ(nugkR2%1ZdgfswQuWHSvs-qkO{6PP=QU=CP8h_sycm(u*`_QqWE)5XKO z`_>~E*!;x?tp9v-;WNuCw|X;T!MgDS=J( zxyVO0GU$fy&s`idFnzhb^%E9_03+isU~D)7jG+bS&2DQqG%$E7MEjb11EixH$}kuH znAYfKa>~RD*Y3Oev0{7Qb$2ti;q?VoOMo{5x^l!01+rAtye!lS*b&DJ1>74%24jb) zFGF`^BLj2%Kyjl|h?vZiC`FAFXTd0LeqE?>Z7{}wTea88GiCr zC#_G7o+iH|mrr-1PUR!I)jcQZUFnVW2;8la+J7U;5WR}`!nE80?MO_hmg(P~UdxhC zfBf51{q5$JOHzd z-rZDH8i<}dzjf8JA)Kp#QUXbd9xCzWfRa8WyVNxp$zFSDY?bj-`q3o>zA-b+o%~S! zRueL2KE%w2nEB8u98&-vO2+;B*Z-k%-~RYVBkjKV(Ugj^Zhx}QqOvXZ+_e6bGH-hB zUzB-K=0%w|K<0gB`^g0tnBr%#tGk4TGWc@7~I&+=?P@hs1HmS?N3 zO9)AQ0lk4u2sPjr#|mf??HPPYm|7ksR2TiZD=|(Ebc)fo9iOd zuMH_J2r*1koG5(U=V1eD>{BSvOllW?#dpHZLBCK}Dr|=e|4r-jC;|x|Gq}Ex3@*y@ zH6*(nE%q1Hf`(M(8|jywj3Wb0kGv!2NN?+|bB<`)_5qFsv-KTX_n{la)F0pN_1F>J z<~}bF-cM}sFBM+y=%B$nh6Q6-Fop&DrQu*$P_MPXz@T1$C{>$Y8g2V^6W@6pZXR`Y zDRsiTHBQ#0Em)p;u2vtiFrpBP7pag7Pynd#OU5wJ}vYr2=if9e>h4ftL&mHphZQ|)T|w^nbE z;JV+KtSZYzQ3(8XjR@dK-9vMfq9rUcaij}_JDg>biNG|KVvgE3*{BhbMjio#nyYVq zrVH~PeZfux*;q4sdHYT#A1|}Evi&3tDVzWR@5}>-0;8;^a4fZWU zc_qDi2ZTv6+(hNte%19RyXZoRIbTinUMl$o0gHQpV6xU!``Iii2Pw+R$$gU|o%b$W z_LwT&o@zNt@bcc6{E``YI?(v2VZ5?m_4-|=??bYglHdE%oR`rF6P+;83DYVZ_ajAp zqShxW9pc;i|JjnV1kLoFM2!zgh9D{O#=8_{NEb7@N%dc|9i_6=2>>&}@Fr?5QFHlB zG?(cSqo}z=%_V9spCEi>FTB7YQe!nXAoM!$OFlRvN@JB)(BW-4LrOtmeX!U>mG@BY}ZSd;gc7~b^D>1=jbrpR5tb}-p8A=3Y_isYa$?CgI z#^)B@p1NLkFW2Y;tHwS2MpG?^gR8uC9ue15Nh@QX!3dfVO1cKl1r0rTEO$JrZ3%Ja z-ooAJ@Jmxna#)UpPJ)5eE%K$t4;x478&?jtZA`YgPd}X z7umh!OBwpcY`8kF8o0w^T?3F**c4o`cBXunLW>6o2qiO3*Q)NS|x zQkP1u92GM_a~p_zPOF_dyhswnxty5Q&^G6I8`(Wf@psk!>dW`1X&s3-p%dq0JW~R}~ z@~m{OYR)|6W)i%l44{v2lV`}DQi|<0z{tUenL5;6P6D&Ylu3b!=Ibkn$sGKd-brk~ zZ4GXt3*TCNF`=7WO+7&s#CpET*^IIrruvf7&bUfv#Q;a zq3t+9s~NSI`T0e$*Nm~xtA@)~}e&;hIV4gSR;)%wrj>Y;2wHZXq;+3h9fw-;-O$u-*0ElOXI2{h7E zE!f7<)%M!6=~*t?r!gVHCB&@}j}jO{C>|xye&SIA@hE{-T~~&!9n1;h!glm;-!7^k z@0tqEbsF`%+eTed5G<4eZ;;LC>Ln7%I#gtapZs9%;|xR^DdCULG_qz( zk5t~|8d=rGJNlkCQN3=z?&grpIvJVe$-p|#o8V2c0UZCL_?;Qs(xasJ6Tp5&_50DwT&Bs?)(RB_N5Je zg7aayefE2&&h+cUwPYHgofxT}%)vXgPE>|0<^XRtg;4qD%^j(8aBU>vcy+%U4Fx(P z+BK~vTb|{N9bpnzcg@y+#WDXN>!<-ig zyuW_s@mZ+v^=EUGn|wJE$T?UrjF$GxvXj_qrgNTNUAzJMvh)74FlX(F*%Q=jjCz~x zMe{bAx6!-}HE->e7Z}y+ikkkV*aqHjt&L=igVd5w$)!gGciIfUen#omPVl}{7`j*d zGqgmEsl%@7SeF$AGf}dD(<6KaXIFsO4Nb5*8xtuw;5lV3#f|+#2*r*4?I&*R|7Y6R z@87w<#2Ip5G}Qx7Wkl@R@E?=r@~&g?G;>};`d})$_KJ^%dG$5~;P@1f@;vQ+*%#zz zVsyn2cdVjb-%jAE4ABYmr8r?!wv)M#b{8LvYUfY&rDK*0#`@Itz}WD;4j8^@J7277 z2lBn>G%%BoP$_MuRj>P{`Q2o6G~SJI!8C!}E}cU-e45az!$$?~$-mGMy!2c&ARBjX z0PM_C+{zU120C|;1Ab2ub>yva9wb@8MNiVXZ1hIeY2o*(`=Nv6p4>aur0?uVRvASl+DtT-B~_JH^Wxp<-qx z$I-XoNFM>LFDFgS36tGhNvAq&Cc8jva)*0B!YLjdAVUa62T1#g4v>E)2gvl34NH}F zjGMr(GI#q_dP<}$o>^M;sQ#|7xS*R29)%T@ytZPmrSoEi1xQpIUEHR7_-!S71a7-1 z`cp_cy{4Ix?_4J<4AW*xyfycKgQ;~{Yz1yW2rj9ii>16<$W(^LMYgKNIl^`PseVK zmy)m(JuhLjjjop=gre)E{Y2MGbiK6dx?C?0Wdj?A7iI)2HDO#PrBNxGV&(nyt3z7d z4JAGRP&9QvtJ@HCxX5kE4%|MVEri-e;etVdR`+M%uV}HR^j5vS)Bl$vs5ROPN|tz4 zPeus_Cym*u(W`K;fz9r$*6Xs$hL!ZG$-_{FAV)t{pCy3|QS_55bMkn5dTbg!uHo3l zC=+Mk-@ZR7Z=0@5U85~VcONXf8JLTyYumE^eLC7dU>(;{I|lU2jz_?Zq1P3#ZFvH! z9kPesTQqRk#_lO5j4lc;2;zJs$htxU?sfb1sQi{>jnX1RsimBa!=h$Fe|uWB^7O~Q zJ=Ncz{@5f+St0~C>j)1oGC4{@kM9^bM$rVHF)uR^vwHxAfXP}J$*$vS3`KPDH!8iq zfzM}lcJ`cV>SZn2Da{PuCq{{dUT#Hhs z_=42^)jZ?jn{bPaCbuctIzC~ZaO_&G+s)GP`l!3vpzrjFU@ntEF3y!&iqb!Mxw|`I z6R#Llrxk|H0bLJM^2T#m#f0-M2C6*Vx*)}7f!JS`a>n8W2JQ!@%VmZMGL^4&$ODtr zz*_l>r(;40Exf=n%YgnS1Q}08d5<4%rbgcLg(ge@Y<|5NjV&DkOI&RbB5E_H^@CyA12&H zqV1br)S{PUJCBxL|4j*+NV8v5Hq8Mings9|38%ak+RnO0Nx@{H|D=n3@SA<3y2a97 zxKOvNuuIcKn2?@+_=r2X!kqbg2?e~8qK^eB@Ou>}Gq99AT%9XCr4O&+M@8B&(QehA zenPA-aV0Bd|2w=vv(BD!-gDl2iEJt>>-B@@u=6nuxYMZyYxZQi#Z1^CgkmOa`-z#bF%z~` z*SQH<2i?NGw5Hv98 z_dajU2wd{*8|PVtqpJD_U{vK~GT=MPZZir~?*st-RHW(gUriGuiRjffzzB^)m7%G> zyQ4Z?wbR$>fR;)k?gg!~v3EVvVq{~z{2mPRe9+7Hd)t=_dqTLNuIAzg0~IgPiow)< zxI^D*1|ARaG(JA*q7_6Wz)|wA4($Z(&|pYi7<;XQ{=qadE}ScZ1rELaq^doQpmo+& z5XS1p*B9Q)c86--1fDJ$&m(;#n^_+I+yio2g%FCI4bc1#poL6mW=&el}^=Hp^ z4GR}NLs}a*%+?L4KeqO6KpXhbE{@?GQxKeB2OLRupqpstO0{bz+x4W|Io(_}Wy?gn zni?wmiEZj^w;o@YPmS?q;>BFNopSMdxNJ8cFJ|QJmXX&(Y?q zA~i@h2XAR!$Q7>=gz7WS=IUbV870}h&)YQQn=hX}AAR{?hgRt9`MWg&h4MC5d#bU` zrsv>&nYDqJOT;8aGtqrtY*Y;xVc1**o(_=Xz<80d13QQPlm9qXs{L+JhNyW-Y0_HxqM9IH&~ zH*ec?1Gg|1OTSqdPz*O$?P zyEP&}uzT&I2FoH_;w&4z3VOY0zyvj>NZ6$WG9FVY;iPmUo5qBcStkMc8v0bjFzqN4m| zD9RiP%$L}uo;W*mrTHC_VpH F0sxfK%3}Zk literal 0 HcmV?d00001 diff --git a/assets/longhorn/longhorn-102.4.0+up1.6.1.tgz b/assets/longhorn/longhorn-102.4.0+up1.6.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..a5f5e440217cef0ed648e8a98d9c588f62ef9e17 GIT binary patch literal 30514 zcmV)cK&ZbTiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POv1cN@8}Fbe1E%U^*_Pu{T|HFdR|a6jJbXe4S-g9G?~XJ@DU|K5w2yMNd{INW);ySux4@Zt|UyZbwP2Y*028^@&P z$%MrG4?A~mtK7MNkq0LUlUP!gh<*p55KA1hNiW1w#-vBtHqImqXd)zz<36(N5`;W@ zHN!HT)>aA$mvl@?)JGgA;gs;&Vi6T-jORguXQYqb7}&K%ud)#dt_c^EC4Kbm|GYxG zy}jMuPO$TBZFvP!q&OrV&SEYknbj6g37=6Z0w($>rb%|YbwiVg-H7_qoL$q1h+uNf zbNK4Z_3nsByjxq#P@>q2z1~aJ3G{!^UhmJ%-QgrASP(<0coC)KJSBY;#+i_W2a>V4 zwpf-5$qAn2=`YxOhrenN?eh>+7%!aF-?hzf*JM1|yZlt~hyQOv?C zBqZZ_LXf6C8Z(Z5%tnMKL=w^KOquG>RLWHJx3?!$PP0)jWV3B2mt0?IsM@ndIlk%X z;+Y^kWQin+gqmRzj<+$FH;i9x&#%gHUm<_ys#9<`697ApxkZ2;8n%K#~bfNZZmNIg*eBGo0WF;ce@QDdsCz zTCsRW+m@6>NU@~w2!~fRnFMr(CpqT%?AqDu9rSkol%;wWeQm*S9*6!ljx!?eMFCj6 z{=eMa-9IR=|9gk~kL&+KJWtRG8RIOLNHYLPXeV(xPtfI*3N76KcJ%g5FlKy)rIPPs z8WUCEgoH8X1YKiJ@hBz&NrpxQrC10OA(}{r<}Bk#l35yK5c`vujc{xf4jB{m7eY@^ z5IA(qg2Bl|N!fW1O6ZrS$c6dTN8K)bHB0ufUivgl19eEGq{#%yDV7MwF}o4D43!M= zEI}+m7+vT^8vU$c*>$vMfRRLXG3ui+js@{sxMVTmphy7;-zX&lB`i|(P>qH-fmYOV z6+|SB*_=c<4k4SREFp;$wkhcV3fq+cT@lsYd=+P+YrY{pfPK^j{Uv`*#$yu7KI*<> z!*EKXEGGF!mZ~-w@1ySNKQbJ5{Vu&@5kZ2)B$SMAs8_1)(17eaG_G=$06JCfMWjdE zjACA|j`EsEi~wGU3qoq;lzII=@+tcYQ0V7mD>hrD&MGbIvTt?KV^`pvPo64S0HaPP zA)wt1SWH7ofIS+ye9kh(;F@ufsfkik)r=xbBxfHt0pJJSlhOAt*aoCwiFPtQ}$?5KOSFS=W(%dg0u`G2?jtb>qN zZQ*mL1M95nx|LR%Ewp-4nEV$cWr9k^H6jWx*S}LJjsTb)9q!6I^JRNRIcJo->yjaGgEIv15nYD7j?@PZapNRORw6)p{lf@?iH2!MSX*ktvhB^ z?lV=aW&gg@RS?uEbr1bKB?-zB0a#HIZF#&Tj6{okb!kiR7{yH8>S0o^faXod;5k`F})@U5n{mE zXsK?mkg*k%+#8VxBbRL!T3tk}4dZ9$-0og)rvp}fBBpd~)_sOEIUR6zJ6}e+^P@~o z5frsJf&WJs!xE=ytgJ?s#B*gPo~I-ks)oP;AXX)p!!ux->1Ieg5MKG9FrV(A!0fqZmuV6-)wu3WbG&G1u$A*!CM>N zfykS;fDmYaNj4i1UPWWU6w$sIfiN0#LNu5WkvD`SXn$vCX9vi%zxVR+WzVhjs>MD^ zvN-OPtnVc>F@w>&Yo{!nd+J%Y+v%i=bA=>{9`t3dB4H+oFKu!SUGIJ!$5_C0HwEB# zA4#4$-_UCs6XV1M>ap=k5MPT+AS$_)Zfec0#sa07;~9~Ji&a6sy&8*wsx6Gm*owiJ zh8Tq`OXR8`;kSWstN`@UzH^RYiBZf#98)=O2iTuw5f$KaQxj=Kgbc`dtmfIXymi&W z8`D4^*$R2b!Wh$8K?>QOYj7g)EQH2@A*VQrV#N_`j4--paW*3ek6|^J0%=fGAhQ!4 z6>z;E64OLsdO~6%2_VUJ`&J0)FYR5GYKcTMIx((YK+93h;5X)MhFC&?;X$+}OiuNz z)KwLzlGAcXBzpIHh-P}g)0_sig92YJe*S+=o1%kIG8TE?ySl3x=QNr8m5qwt?UtQY ztl@y5Pi$25EaPTIw60lyOTrHSs^HLRA~H@ip8v?0Bm!Yh)M6E(ka12z8PCy;l2k@Y zSory@?4hTpw|JH+ls^9Qxtrh_>Gr!L9A0IqVi797=PXOReI+fv{QaX|7e2Ak8!BWU z{qpxt(X-QzkeMI|m)s>ZS&MSt6@cj7EFgiRUC0U6ibfJC+eR{=v0;uyO==0Bup*M0 z!uT4~SRu1j6u(M@=zV-GL{+1n00cVZ$^!;HQDF>NRtRDi2M81RzuuNxxfPgeMN(#Z zFK;nDpP(}><%)I5Efo?-qrRCPwW@CGDRGi1b<0x0!@Z$}h!KGjCUsLDXiWzJG9nY2 zbqI26Y=ywO74>!qFZCMKK&#?Pv?j&=#xfW`3CW!>p5e4GslNUEYd7QZ zuigHyT^o^5^ehrxwkP(%6Tp%lp5fnEf^P%_EhxRV=#2ce`{i3R6Z75=Tn7s@IK53t zC`p8dKO6-wcK1*?CE=CGW^0py7>LIPkZ#Vba_=fzhARlwq_RubYI$#z4b@%07OQ%Z z)4?*)d#E>5PD>mq@kB2GtcuXMD)))(ElxyL(4s-oxIh}AO*$hh>I*$b6 zWX7&>jG_#17<;-Lr?bV2h^H6ONuq2%CH2h)qWaTmHd;%Vv1?+T2jT=8%yq|0PG@~& z;B-1EC-2h<#}NTm(Yku89sZQ?G2=6oauQ@3gyGvBI?)IfWe}`#Ch$@H_6AY?JmM3E zj!%@y2r38qp33u7Ai-kT4h1&)#73ufuJpRflJe3T z;}MBbSH11|q1qZqU_b;4#49D1y67n#D>YqBCg>4)$OaU%}QR4`SHslc?U zAkb$PoYx0XMWHO;+yFk}2u+Eg=SWf2_Pv>j`oJ@;F&$Gt~Xf(ID zXu$|DhHNa45=oE7W11{Nt-$P@jI>Ktl+cEQ3%3_lNd{S4YuVJ^GJK1QHWCu55`F=#|UPe@MnMrD(U_7rvc8d`Ayv;s`@VQ?(6vq$ z+oRTWgr7q+Qpp!&%(cmWm8o=PEW8-B~Yr7?b3Ec!?T`-NTT&!t8i4-t4tTPR( z)e#owEhHGCz|JWXf`Tb#J$m&%S;^3dCK1BuhViSIVXeG*I1PRRInFZax$OK=D!^l- zPb6$yBJ)5tsl>8B02aL=eDPuWI-lb%K|+>9WyjqOrc$6087tue)5o%zr-Ql)W!^RN zhmyIuSj<1{bhl8-v@z?gRk=n9%?wx^pCyv;YaG{hVMdcol5!W66$l$tn8NJSIx8pI zRn~}4?s|xn!Db|ZkD3PfomP1--!!e6+7kyE5wZjq_EIxuCM+2-0&9P!a|kH9Fc+5G0tMIZPS86%(-O%AMKFlu;oIc zX40Z56|lSC)PnAvUPBx>e>Y?3YN;;#puxSNGb$H$$MC>Cb)^D*X*XU&jg`7kYx0z^ zE$#cf#kUtkDqD;tZOCK7Base|^v+XgJ}Y|58%g6PU{PsIGY(q|aoo@xEdG9!s3uYa zfiAJKks0?6rL1t`p>oP1mnv(Xp=fn_B3Gg~Wt_@+zMa>ul_y2zLXFLo#3@QSxh9FM ztET16h=335nu3=+OCrK`R|lL3k#VA-zhjbGRSs;*8yd%;cSEd5R5*xH3>fiR%oQCa zsg%u1V6jdZN=?U62t79^yabVGPGlZn^3kquHWnfE3HDKYmb^E8^#3<47AULM`3o}k zmdlV+V915O=w>rt;P_f;zE%s(i@@LVV)>6l;kccL5g~#XO*^4P{Ci4NjB8|UE3`J zODOSmBHv!N%s!eUY)|~egqNrmf!kOR`3wk1t_iQ%cUNn)apIsXvAZ{Mc?ir}=_y@C z5f{&T=m?zHcG=hFmxq>GN->wY-S3F*frFq0A}m^J{Z?4b)a=yzv#`lelZmCVjzSo) zNXgTpJL{2Hq{)OKkbO6D9=EcK}M3vY1Wgz2d1lRrl5Z`CkYk@m#Zt z0{_#sXq86InhUvyMb&TZ-l_9EX*VNyo*GHq$^})=KL&)dPV!?VId zo0+QYTT|8SQbk&D2{jR{7+BZbo5OkYng_IDe4+7Z=vaYA-CnN_In%ya zy(y=bdcDYUGMd+{b+E=sZsI$XCU(QAB<2)3gwZKk?_?8nTx)TAUz2OK5QGg$w?J}|x4 zY+H)(a>@ia(&tO!%iFmK^CkSkko;Iv+#9B9;CPLxlCsDP4KE)<-71_j7CJEecz9+` z`Sj576eklMh3+D&3Qa;VnlV41i#pZ-mYpglR!ghcWCIon=+D3lLtiK~O-PE}+DoF! zj-++xP4Ts5KPMZkR-nS=GeUcnab&j5m?3(Ph0F7E!dij2~JR! z`V^axM9mN4c|SB&Edy!+7MT@X*>*}vjjYaktYBv85TJc;f!S^I4WVi=%aH{`q2k2( z#6~5&d_R{KM>VKbg{$UN&$|o=Ypb^)WNi>kLB?tVR?opZ6QkLil-qhXYOqKb7j$E` zBrTrISd%x--Yy*KH#-?cA$?>a>pTNy^Q1veFY~b$-NcIcYFx|!7NhR8>@)GEZk8Br z7Pf`7ISVyhP=SrOH3QqQM6aY?MC>L}rf9yVm5{^}Oq1ML7ZS@%+aqyoqdOJ85Q2un zTz+-6deT+eWj9N%5_Xex%RRX;LcF0X#qBk3drK^oKl3|V$Nl0{7%vx|fc;6%h^fnst#lX}^NaI;7 zZl!yMjycVO6bp+G$2uq>H=fM*{IiR6yQBLeL5!zUoPg?SLT&8|4?*Z6Wl7{z)uPKm zNF3+Rm}fn7UWNr@XjEIqk>MO;@@mIfSt7t(Q)_#wNT9Jhvd)B}N7L*8Ij56CjwXR6 zw&Zv`reV7{Cx1)P)Hh(gt=o6{jfcYP7?-^jI1IsF#xcqg6VvDvPus9IH&l<3$uUdD zl+U1yg6I2!>5Qml*d9QtOQ)iJFV!&s`|l-QVe2S<*BI{@m4BXcTy( z%^O78=@mBAHHoYumM?izET%T1A6SYel1#MYR7Z$<(Pe7tp4sn9+KybzrMIP!H>aaG z?Q5&4C~P5?L20&hmf{dB8xwwOB16^eZ^Y_sHX{+mQtx+zpUtkwR_|%F4vaYs!YcP~ z>m7a27#(TY*b*!6LoTU%5ZFG;gw#h8rUboD=q(DllAyOKCqkHAgc+8NT{-3~`NT$R z%aj@BSH?8ZXE~h$mPBx_DaC4;HmeI3CLB4ku1j1FeeTt$54w)GXJmX=3cxIjB~4?3 z!YPd-Lz}i?&kH*}R>qE}Ir^q@F3|nZ{MupqPOsB2KgwaeTQGZI5CxG1Juy&YALQJi zXR2D3^-R;tvcfR{6uNpZSCmZg>YCA@UEl=$aCtdEVNBI{X&pm{q3Z=f5WCl_sECI1 zBt)<-bEh$}M9_$EN1A*;0HT_%iRXthq*SmJs2`+EkD=+R)Oo`uC??k=HmK4hqMra1swH z!HK+4Hc@|EavbWDc`=*3Q3$sao%zWWV*)4x#m?UukyGZy5FF><-omGaHh@~Wz`EoF zN1mUh=w!)~T(vSj6|X&8a=ANa_127kCwFjooBYi!w>z0qR09>@>s|Fi|6U#3o)2!z z>|RlUMp$SEl^0;76kofHpcBOkECt`}k5rwwI11NHX$g5?80iTd`c7amVWol z?Z6e0FSq(bHX*8Vo6#$ZSvDTWiW;?{V!7z8Hg75xMIcQk4K`pL(=g3i+8mXPWJQ~! zGLB1aju$#~(=Jj``U}MMw>c>vY}1& zvDhYTn5@!f=@gF_70F_7JmQ2U^BKz&r+{&*hDD8{nJh}>_os_e78_4Tz-{qoX36x#NBJ14v6CG>gKQMj5WOXm(@>xj zET$udd4yccGyTaAzBkgPg05Y$ooc1UukNGggtw

?WX53&a+pNf>7^QO^blN0C~K zw8jMkbgbz{lZoxXdo>CM`=+s#WR^0HIgLH9IF4h4rTQd+fgt3@I*ptz=x^SdcLPb~+*J?m3LcJRcTW8p@dtx~ahI|9VLvm@EKY4k*40dR(zo;zBd zsMLhbaT^h!JD^_qea=~-Q;I0kX<8@V>D||0_xbJzw{R)#xS;H&u}LoRNwCD6bk%la zAHlcgK(D%VEu~nd=L=$)oX?|_+_{XhJ38X|u$3ZN*Sw$CStmPq0;k#)3*6vD>P;%? zm#c5oo$%bUt}_TR|K;x=?Kpv!f=BF{=vI`bmL>Y+rU^MSjx%$60d&_SnZ6=(9k*4V zCHje%aT@-&FB|erH^lo@O`xHd|DZKd3u&d%=P!*^t)2&OOV`g|?nYM~hZ0k?+V|*3z5_*kpGCkBa{D$h+cY5ox@uV3va4Flq9pEq%N<1tJwo z?$wms>*nG|Z+rGz$Op4Qx>@mHaw{&C4yAC}y9x-?tPZ&$e(cS^g`}{1+3f{IKDe8Z z6K%=+H3f#70q@WH^#`!anbmTim*}It7Bj}AncLiKd4KlcGv)o+zuV+^f40iR&||oX zNwI*EUv(as>jhe;39;c1_Fe)A1L9H5iunG_Uu#SEBe<9z4Mk5Mx0_iEaJ4O!jt%CP zER3TUn|hX4FwxTbJOT9@gERwhI|oT)ePEQ7?vt=LFX+Po`7-L9^A9|;lDv`1N|z0dRV%}|Mp(lCKkh(&oA zmV*-{%(%ZN-~v8s1{_^etg|p49PDdNOV$1khgT$tDy=J2eVfmXyl-e-k-0vErmxP^ z8wka~w97ZcrPiNn%ZmbTq>#1MoKpr)dPfS*$ymXJqo}WI z71>+HBEX?yOPhJ;i7xgU94mlVOa<7W?%1hC)YFBxPzpSc1Tj*JlX2~xb$R=CZUxDN zCb!$8n2qdJbP)^1wg|Hu&Yy90Hums zq9fH4SrSkM<=+Tv$Uwx#iZiu5MJc8_$#3b_$S36+d<6c9Zy(gkIZV@*Awp;W!PaUuH<1K~phhEjY(5de@r@!=ie} z(Qg-9N02bwTO$CBuMc7@wbv<7&v&QapS?rJrx%xJug{K;E>GbtVq8P=%3KVO(BR_i zr=!bL^yBH@;ETs@Afinpur_C@b#6Hs0h~C_IAlY~(xnqrnhV3SBq1as(U$5dm6{ce zU(s_SDZ!=&ijK_@aB%x-2DOtyr%8zgE1VDaLPd3)Rh7mplY&NO6`}%7NjyX06mtz8 z4cyE|7pF%jZ%=zOEovdn15LD-i8AA1Ld6>vJ(;O>Hl^{IKRq=1oleU|C}ol6MJng{ z6-`eE!-06_Rf9=DV^TP}2;sPjmmwZ^am=!bCK5^+OiCxTc6)m-fTm{k*D=I-GNO#e zGN1_>ut?2QjVq33RG2_=cY@310MmaAh6A@SYI+zom0c6g)hM|;TWu0dBe5Ju2{O)N zlVwAp9lOJ?0*P!Cz{tAL4x_8&U@donR$96h_G7Q(%AFg8boS)do|io18eE!HIhms~ z&EmM%!6lE3P04+vz1aP#zb6+X%uF7wh#0?jNhAYIv+dH)9YJqdLYL=Igh}N2kTDu? zHY0LMGGX&!8%ViETkA+G-+NZpk)J%tGu2x{iB2JTeJh<^N1-TL0Bq_qzSrpGrIhCv zERz~}U-7g1D*4%J6MdNHlD{D%h$msONg2u&q`r6dHKX0U9Y_HV8wsE_S>0#>ycDu` z9~|u00D=7YrF_o$)osfF!#x1#&kA(2T&gvRLS_CzJT06W;LJobX&Qgej@2i~x2K8y zwePlke3n0MFWBAAx&7|^@^sjfw{lZ$EV=)EXaB`s>HgP)7kj&p_rE^G<0d++jW;&o zX&y0TbcO%wbd0iegQ-;Z6S;B66vi$IYF$bMdsyjsc!nb9BNAIS80E}6t5l9+u}L>* zLM6p9{Y~i;ou8V+6GEPALOr+u00sGH@GA9=p&s}tdq3&R$5lzIe4~FN$+ILxhx_m+oei_` znBJmpkOL!01b=G;kIQL6$C)x8{*mEW=hnt)YJwJiCK@`Fm#Pib4M-@0mE|tjta$2Q zp$Vzl^cj(u&ZtYcM+JI1((d+?cSBWHsZ+{?dA5iy3cDh0zJX@?ui6vI)=W7~bU{|7NJ;vrZ)7ij7+4e%A{nSQ~)OE7=tb(l)*8T16KML!(>i^}% z&Q8|@x<1m{z0gIaCO`k$#hILnU%P$u`Pc3r?H}r;`cuF9^5sj{5xf*W)$_uT(9@jo zeIWd@I)d<}g>>u?`X?G49*`t_=Kexnk2Ti^X#065_ebCniG@?xg*{Q1M3_hD2NKWp zUWrg_>CedGFzYg!z&K4yu14(x`TW`4=U$oWJ%!wq#Iv55Zi9G$@;)=;zwy}F)clfCPJ;Z}k`jZuPe1yZES_m1Z zzv<&HSAW*haJO?slgM3hcfn%PnGuO2EOEbsN{;bB@lMBV%nKz$15{NF>@w3s|3nE* zB9cgSpk^=6Vj}vT0O6FvRZ-x?grDSAl0;__)~M<8IQn3(E)`}%vYCAe^Ok~NuY=Gv z;UiP5`@CCd0sYeL{=EPV{nAZYB;fKA2>Dijxx4hFIXh7I67D?{-K~ZX+xn2ZstMs4 z0D`mI`F8%3MPfTf2 zDpj5kxacvaLRP`xG!<1)E~A`A&7_60zdeV*QZz?chSO>TpV&y#K%W&|4o9atsU7Wz z3Z8+Vew0NMgQFS@v(sTWWtO&)pFJ^*TGO0~k%CRqGRPa~Ya^-6;qOM+=DP*GWi#sJ z`SI#sdaM}=>ew+9R9`jPqT}WSLT?$0X8xGs6-?a;it4M7C9>Fq@)z5UWypG7qDBP0 zRy^vMtRUW>-bWiq=l|_}wp$(DEpvygeGDjl03Zjgf7eM3_`~~PwOnJU)xLAZI|!B3 z7Ps}%v+*NezAQp%5e{y;=4-g{%3=MF=t8*i7DoVjuc*aoi_PCa;g0VHSK^h(VU>1k?_Idr@jLOFe!pyr>lP|7>jBCHAr6v+%-$sncEf zfBLNK&rZYeB#%&u{{F}jQv9;>YC)L2)G(Znfr>PZ1QfZal7Nvp!Qu>-AInPn2r zVBL_>l(DNq%%mPb9Mfn)k;aaL20^eSu;kn2R|m3Iv2N6rt0*gFSkEvPlM#i~HF{Oe z4XuXPHKX1}WCuaexgW)zg=vsSpKM;wR|x+r+G;b`D7K(lDARbsuF34EHwE|)Rjva)mlC0h_Au>qc45CNZ85ZKNs@2TG7T`hw zFp$AR?0Qw>9_-y+BDWy5(W3&bNc}E|ZsbUy7WiZxqL;h0BF*oArED=Sr3Lf%HzVp+ z^sg~NS~ir?dvD8bzCJ+(<0QZnlE@NQ>bwOmX8~T1OTVJNQM3L#hg~4>Mm7Kzum8LI z2QLpx>;K{Yi=D^y{~;b<_~A4axtw$1%mwkbrsPrvH%?P;A{*CAb%qx|tT2;AN(H&I&_m)mF#bL z7B@9r@~~MdsmGkHA>08hA8{xliga?4()NFGdsvOd=g+PyP@z{2A?b0FGC|=^uPN#NK_qE09a(E^%k}Ee2DkG);0$nAMYvF@4qM}f)Og+l)_!vBRgtf&TTAhRigh2P z_bO=y;gThX2?LanJtCFsZIvp4tZ_DnuGqfo%xqC5+1#yJyS zrE|kB5^{>%!WX@6%^JW7nZLZ)+3|$9UcIVPxms(tQY&PMMeAm|u0M0yZH_eIiQK;g2ty`P001iSI1~@e)8en(c9DE;OO|&YXJ^%zvgUKrxY@6Jz7p?8~UDkWhrVG-;T++|R|KR-VI>Ga~{?4pcU`{6YExn*74pK@xx z0Or2ps(HqndbJa8K~;YOHcr0<^_%8mYdS8R8Vee(CoF=j+kJEbQ=akpIoC%6>Mf!+ zazMvm`55Ro@0Q9Bd+N7fRJ07AH3#q=p3dqS=E(_s{5_4JEyxNjN~kTo8aA($mh(Lo zkXa1mpXeVMlVmwgj5k8`Gd$IYM&HmRVmJ2Il4^j9pG&GN2yhau2DMdTA7>riYz_HU zYyT4&v;WW+O*PBKlEGby(V_}1kyvAJ{rpsGj&32v)x!*L0qfPrw@}^D_Rn`4;N>_i ztkDvU%8O!pgLlie4ze`Dk_;usl1%1$xHyYrnoQoqCp&^OeEUAZ`r5Xb^ig+rXXlUI z%BGHUX&Q(B13NTx)qX{X=F;J;Civ9V3ZBB{V_XBqjr2i|h#6ArK-6ojC*^H6G-rLz zQzO)i9@!?cIa4pFG2_yrwWnj`v{mI7D-o=WlHz7aqhLnR{$ALRa;1N(2$8z|AHACu zm@w75Zvidd|Ji@>a(}NJ|FLuU82|AgPpzDU+rK7nak^+{yTm5zh_^LmuSKYiQTynh zfiDRXCec&Xt22SRG=b>A{P>xHU^1YHo(|=_1mW_`&UgJX&?2WGDHc_)kro?4>zEU` z^Z*+ppdQU2bj1Q=yR=2T+`uL~0@-E!`$B)7(wG#l;ddQ^!hs7*4nDC_aHGlx=62x7 z)L7WHHcf7_i#mqX9Kk%H;tKX2^)>y%^-Y&@b10(XDu{K#00MLu_Gw`oo9vAFeS#%c z7Pv#-;f*B@v@N~>-4c{dB4|!ml<%~6h??(#U}G8JMA87eYws6e+yM3-Fh9y9`%dRW ztsspv$pVuswGFx+tW9ES4)UB|6F%Tf-(F3VNq%>#L)?@Mz$KG7s!%Iacgfb5r-wuM2ZURNlyI#yy!)>7Bh(%Ij1xX1pMz+VpZ+ z!<+1DR@i`YU9#Iup?<#*>mrDIke(**I^4%ok)U?2>%@O8q^J+=o<#i{7UI~Kq6Kju zo3Cv}zJ+!V$l7dELuIyx=59N1DppX>-3?GSuuN|<)GqHzb6cC&^x)vqfW@)BvbvPxMcs&^Hrn?zjSoT;yWzr1|o5Z3PltDMTkh?byicD;rEYsJsk2Zgup zYQh@zvY>e`=8nyg@$ChX$_!yiO`nu0FvGV2w`JP(qXhU~kbey<++tkJ%vg6!>f70<9^nVO z=;ms>R0`KI{c7K(CG9Nk665IUYTc5UCNjT+UybQR~n>o&j%@*NQ9<2R<#Nuklp zVw0%YbeGbo%4R)lN<_THNrvNiek8TP(BeZVNn$6O=V4Q2lp+RI0&MCS=_Rx% zvy*#?tF2|@_b@dsNE(xb3ds8NGp4fQd$aR{`z3=LOl3PS+_Hu?x(msYFyovg)?a)< zMj4Hx0pUtQ77h5kaFF*AiU%p-TAyBS#+Muw^nbL zw0;lk>jlv}W3UI{?RwZ{m7DK+Q(?*WM?K7q`jLD+dcY!aRy@4fWYVQ966PFRn#FM& z!MLocjmI+R!9O_laoh*O&7ORlU>}}J@w7^;_J!1xO+wC zv=J<;cCoq9`;nYS_GU={%;^xDO~c#hT% za{I-8Njvw|r3(V*VdgFR#7)sPJ5|@xCVMr>Fvp1`Bswb|(mo!%cRk7rRZo|PX|}L4 ziyGKuNAi0Gj2}%gya;hj_-V~O^v00l-bvT(o*sZy6^mU9Uo{6Ok1ff?V7{_?B z#GI;!yGh*j3Scz;OFAPg%hwFEJXoVb>dy;tu7kHxMlkE?36}T_?v3>IGy7FXx={Ol zF<;a{ymyq(W-}5|EOp${(O430RRyaIF6&i5Eeste6<`I$=`2n^UA^}$kh^yR9qVlH zONn5z#;@K<)4*n35i@p8EUCmv1{?h}CR%sCB z6mBI3mo>G?ZpCc!hFp_ePmI|lh}D~gDB5b94}Uvmvy>A^r}37^DT~Ty9KyUnFoO~; z!rv-T?*nmb)D&$ehqg1JmK#X55bq%%t_f%B6I%)CdYGHU`g&IhVQnfpT(5VvRM*PG zLJa--8^vp{4zIoTc6TOMJR!^!e zY`iDOELQMoGO=OZ?**QaxB3c&QinoUIFBOF1e^ykSL`qC*W&i>V+-Esbc2jfYWCf& zE}W{*t+v{Ic=sirzHj65DT%AQc!1ireIK^UTYOtQ5aPyUhHqP(1}Vd-;@Ix|Z|(VS zdnH$(FMYb}3GgNPe-CzdcFX6#5BByS&woF}vmpPkV}pgKz=1;o%`@v{?Opp6xXnXh zFWBm%-PM!-R?&aJB*4|ii|Ki3LgjHKMQ@%T1045_sc3&Uxq9;qy6Bg0#q`@P^lcET zf8j7U`UQRSG|YI6f*IOHfj|M%$;^^0j!|%fx_|tv%;ygwi^!KQGM7e|)2qPM(c9O% z&(MFpLfyTcoi6(Of1`*Y5>6SAiYAl)Mj|F8MSJQ?LcaZb$0FEF<%PrbJ0tYEX_0G^ z94}0BTuO8dxrl)*hDgPN4H;2?A30Hr7-l>!d|AS5UfDt>#^t#f8BWb$w@2UC419m}IoE_@-F&M-w0kGoxHJOG$m17WNTI>S`A=uVv-5WwCsG5h zO?0Yad^b|*uuvs`P1;Aigk*IU7LpDG%E`sqPp20jE>6Ec8(v-g%%R;;&gcSzZ>Vd8vL3_RK)UbWU=Ga*{aHz!Dcc&YsSR=|!G^<0rE!F&W)h-=% zSuUzHaBJPg>EO-T@zI9{m7}tJ*EUnhL%Ry%o-A*NyT1ypihfgLcj|$W4(+hFvTRk% z>l(Qe*4|`ohq*6iR>i)lv9)`!D6{yI+~Ui!i#H|mUz&%$O(yz6?>e$@bht|8*WY{xa_H=oYhH1e3u`mWim>j>Fqc)vz2YqaRnF`gwy z;=Lfek9O)sRr3PTa9PBI-=OfdH!vQbJ3Wi{|1!FX3qY6d|5fk*d~vw@xc~PM&*v7G zBsZ4HXpgf@D>_fWS1$V7+Y>6M*{Bz?*|saX&2T2CLCV?fe0vnL(e@0hg<(5niR5&& zEoekSthbswPmq>22qUOrg)TC371lVCh>R0NCAy(;j50xxoD!rF>O#G)4+*3&K_N>L zeGwFr3~J~mt|>-X*Dl@&t=@Qj_OF7zfYSGJn?Oe0UaO~d){}nin^GmyD?;&h1cYjC zT~?*-CaNTSMiUbo&Iw6EK2POWx^}@MRQ26T`_Ps9RqaIpI8LXy$O7;wnFJx>(j?dp zsy9{3SU6f&ZZ{}mYi~Gc8f^6y{nOnveQ>aE$>Cpx&{!K-Jg@#|SAWsf3>k$n^%i^Y z&y@oQes?2Y4Irqo@7|x;SZq;8u%!V8dgeS_Oo3r0Ka60Z##(!yI)JrlKU_m8i~PJE z#k+IKm~c)aeS{!S%yKqKn0tMCOTrAKM!_3#L+E5Gb@+w{l0~+qOTsHVhCr684P+k} zm(yDt@GYt(0(3>@z`B)B2(eVzfsFUjSyJ;EJTEmc3w!2fB=SeHl*Mc^|53G@AJkLg zL@DS=zL!}IM`*K5FDY4EF_337cx$smdCic9yg2|mP%xMIk8A5JyYKmI{Eo>1CxUnv zlrFn0banA)A9J5xHi~I}qaNmyLTdpW^AG`!BE@&F`s=o*K!J}pBK(!BS@`VUmZ$Hl zjM)G4j(4Z3Dk@_EE8VMYBExMNi*4hIQ-AkDE-R(4$h^Mr z6`2@M z?hom1b*~8@b^BeNhpU?pNV6-|_m!6VTbTa!%0WJ57dsuAbcQ?3R7VXZ7h1;9WOP&a zurIn~7WGjwp~-C!;&AFyv3&h2eBXw$N7}1;aci;bTe(~XfA(Q;eo?y# z(p6Y@>)lTGx-Qkvme!YXt~|$xK7GLZ=yT4g8kH(TwkhuO-oo-lHv8AxNqK*Ew_TJ< z{k!a-ygz%~J-O5FNr`|9UF)T?o8L8gfA+Xza_1eBG7*;z=^b}Uf*>fleoB6!`|}Gp z5|Dqmj#)pBQeWmNLEQ_Sgj2!;Fg3asTG1r430O?!KI%%Ik#48b_tIK5<}8tGUH55i z_BA`8cWey%fO-IE#)A0YYwo$UP@znoDhqI(<51b|X&{B(H~dZ; z($2E6UyDkEE^DoB(X2G+pIj{j=$k7t-$LJjwT=3(DhS~6_1*}sb+{tnt%1LF-ICGt zxq4@JLl@2e&PLM^%5RI#orP5kedSq9%t8h3#X2zRgT)(s7}k8ma$0bxxXVVZ@3h;k z0870~MsqNip#PlB(wNLhq6s=oNl3?@OIPP=A;p7mZVRRC@o!fB{0Elf%3eW|%|?X7 zGTksLGB)FFHeNOP3^jsfRPX@8#~^-sAfJ5Kl?=m;oJ_pigGqqYajQBlsx`UCT`t{fyXbq~UG@w&eO#CC(tHEjLS~(rc z<{%e|cF*AbF?n2^HvX(G|LsxvcC!BuZRG!9S^gjH?;SkK|A%KcFXStkEq9KI;Y|NXi(-p``QSXyMPD<4bnK9 z(BzIH+}_eRnm2S5Ejfk}pwIdUM&ahPp4Y~fcMjw9mI^7*m!()QYt8S&CpHQs7FTOE zw2ac_bdkT$<*beTcQ=KZy|Gmnf+g~Q=f(cZlKg*haQLYIKgjd-o$2*YoB5wnx3#^N4!A7-=WyqsZ2up;e9Zs-AWuz* zXOj$QiV=DW8SuT(%Q65Rf7yNZ>^{VZ$D9u-K}-nds#;_) zDTXB#k_GoIZULN9apG$wJ*O1+=W}F1@)?Phb zm4c-<9{RE=97=jkP6&=-nvfw0865NY3n+&p9A2^U_>I0eb9ZUtr^Q`EcS{ZBXMn2a z6RMFnbFb05Nk%Gn8ZEfdD5!ETDyQREcBfCn^)^kH+qAjOhZ7~9r0w{5@*2}P z<9;62f2~Xr=2peKrHiNsvOH(R8o7I$6BAe@9&=6HCD%k96&GeFsH?E~tP{4C$J7&d zO+8Ud$yOtL$0QVATeJGtcYUEJL$$LHi$5Rqs z5#Ia6MyDnDQ!Qk8##j^Zw&XRsvwgwIX3dK&_%+5fCQ*&4QE2Yp%F-wi@<9!aO56Ww zc18^W9?gt(&5TEt{!yiWRO$aiRQgBle&bKA{;$0%VT?DE1!`&h=V3Yj)8XU(?*l!) zelA?v{>m=p!1uJ(>{52~ZCy?!4RPFEUj>ec2susl{UY5{eb37qQw^mo5@?FA^>r^( zI++q7o#PNmrZlW;0=LA>QI?R~l!TH*h+I>B@5^WoReyAGAhzd(qb!LC2LX>Djy&U} z+tH%+L}wi8qcM&J>7<;H86auZrh$I*hTRZu3Dz-5ly@z&@BF?*SKa&<>E;33HYCY% zzx|;_{O60x{Z9ukUOwLc^dL{|eRG51pd9g`&Fbyz-4T)4Nd*=S&E0m(;}=qq-rXuz zb^?vbghYKLd8P~$9LMZtVBepL5Xa_fB2$2qe`J)C=!CQM7^iqdV=Ac)UwC(V`QhT| zXA6i#)gr^c4L=;6yghr@(O2o2kPRyc^vkosaq-3A>?B9QUGxV^4bNiIM;GelQ8I^Q zpKoZA-8Ot3i|;wh(x$puYEzoUP);-y^isD&V)`+iyu~T}ir7tZgL!l`IP3VS%HfC3 zB-Sx;9G^g#x^!g9u&ji;@DUDsIFnPx>2EL?l?CO3#bgP$1YDK5L+-y7T{b39U4U>( zb3z7&^?{M}$yE0~vNt>0P&q|q!bhe+CWu!{*{0@0VNR?`yzgid(PXlWh9gt#0m;Z> zV%!jxkPAB1vA2(1=)rDc1Cfms=fU_CQcE8>+df%l{IA%NB@LMbgsa2-U0E?T>%aBA zm`hpiJ^p9saPOcT|FgUMnE&lTo+Yk5@RXBcrpT2%fejY|!irKAT`PJ7AIc}MQ>Pc> z#v>M95w4ffPl6>K+ml}TOUbdVXH``e=JP)K_H$PaeYf8|Kg#6v z!j!zQCA(YQoKw2}?)5HQHfO)~U3IuTxVr@x+IhFr1sUyr`SNWYNjJxg%4TF-2BR#A z;)mSben>|A+M@Me;%Q$0XDp$T@%vx@cU~S=^#7gx$N2vTd5m;*vvEcwr=gpbZw(Vz z!5x%Tdc!0%ne;-&2@`Pbds!kGC<}cRoXv=wl1v0e{=0*4%1>Occ4I_q)T~!>#XF&E zG9T3($8!E6lkC4mzey6Mj3&}Mg4IX1wR*wWJpVU$0nC#5zrT0zvV8x`;m%|H--A34 ze_?;)xzBq#8(O^=ZPC?Q{z1pm{aUq16^?zP(tTTgjjEUYVaVNdZ1jFkmTrvLbvPBy zjFxHbRrp$@ZpdhKFFB7kM(7%p3dxMhbcXV-@WT+gL`9NJXtIF>vZ1A3AH8D>E;wM356NSb2lOCWY${yZNB;z=VuY#wd~C3Tz34p9O@H+E)zQ*J6V{R| zd!xXk=;KmK$0P!?Q5?YM;vSbmNJwxnno_k#SyRrgsY0FbKGJzb{XD6 z)7um$!ViH#YT1r4o!L;eZUYvDV(7~keRZLZ95E3GZ&?KQ=*>t(vDDC0%<+s!@7#yJ z-tK&Sp#`{TZqo0#DSgbcM7q`$eQ`|8w@W%BER%iI-QTg_$DGZ+!{Jqy_EERnaA=|0 zEI8zG{5_jiix&8^3 zSl{=2S-yF@5n5EJvkdMapLHuj&uiAV0jKvwHfsmhM%da~?Xv=uM2}7b{Z}@!?y$-L z)fMWaZ=0oA733#2dPCu!%x{~pRD^oNLL5^$Una0myt4Hv2o_6%cixeRN_PtfO_m9T z0wj^2%UDM~a57`pWSHPoOqmoXnWExr8WWv)?~+q*l(S@p)3=yksq)8DOp^{x4%;LcccT0$#TN^WtSC{$p?dG5+g8p5^y{=NDDi+>EW5WW6x2 zeBo?wIefE<At|Jy-1|J&hIZdV-mQ>j1i9+BmVO;Mzkg7V;;D#{nY9If^g2_%>{rh(fC}z)2>M`$ zKG&h^6yErd!PD+_sPLjvP#GYMlbSb;$Y}CmDRDTRkwkj)(R*pD|J@y)SM&S1n$>F@ zjc+TUNJQnD@<~;F6i<)h=}|mAil_S$PuG;(tSO#U)kpF4D4rh0(|@jbnh>c<$5g=o zH&}*KHPNf~Uyc2Ljbj=qVPdxdLmu796|n65*Fh!!b)l7y7KDv&dhSZ_E^7T z(aO#4ZJ)!UvwCY6UToqzwL!UBz2Z=-U~5!VI?4-Fv90~s9!68eUWb0Sg(#}rf*6izXhCe*|hRo~>43jMJMtJl)*`9Hq) zlD*Mqk^Yy8)aroussHV~cu_k4zqhlq_Za{6AkTg1e~WSoKk?EzJ#CazzrXfyR~|S2ds7n6=pGNlq6`B(HIue6o*%MLPW3g1YN3GV4NZXi7AO=G>O?rr>vpLWD9W;V@a~Uv-}ML)|B9M{oBtQ5 zM<;Jjd$VZsZ7iApFZV0wKlb(?@Be<7=ShCC#<5!5I-UPP&!3;o)C9+geEz&&r)j%7 zdO?Kck)V%x7$w+EAM+S(#FBX4)4+emJfX=%fp&1zGM#)Yt!ROS^b?Lj{){=BA*^ru z;K(G@QPK*dnBC;B4ET3U5(WFcAm|4Y&(OY>XP)|xlL+Z6*winJL{AsrLsXz&5(Yt` zgjoOH+ zcW391h@~V!TKPbNjpYsIN(<2<#(oG{L{trta)Kj-L(YUi*c`J)Y>Xh>y5H&S_HwFf zR|*OObgaaB$P&p}92356HfK=GCNxC0UlS^)*$7g&Ik`~Ey3*P6;9HjqGJXNwQl$~Q z5rbknCgD7ciAhSPY}!E*U9?2<|h}@=35Rq3i`x6KYbU|?R zGpCZg#mU@$=(R%)Hj5ly2R&r`b_o1mK3etz?7P5vQ%jM>?V7!t0D!n=UwGv3T6FIi z52r*(9V@$K&lCuBJUlZA1<;sr|4N)zeYedYdd7h@@;gz+uPm$(^g(NQm^)VFaNZKhzxtr z6d!x_{^ynYzPGFR>Mgz^2<{yEIKpE3aSMG6Gajq|$25s%iBx}1I7!w2_~z;(2$YYb z_=-j!(G&|bBDugJk&=%}a>AyinyaPThm5V#Q_SNvt^`9sMJQ+;P*A9}*o89DM-*YA z^cgA?rId(8tX;$CHRI^}A5XU+yVGn&l88j;{U}Rhrl!XvBSNC{q2XLX)num9Qdbml z#j%o6b1nPcJ25Mn-?XCki$8TbLy5VBNs&}OZ=qiXEJD^=Lj!ZmMlOgeDcQw#$dZtx zQf%A1Ikr<41@?zIf3*Ef+k-$-eHJ;=>r9D4M}xCor*ou4Ehi$2bj~vF z%1&D+MjzFxX+eENPsz37ZQZ~OCmD|8ISONf6O^TSbiy-5eyX|{ z$0#P&q=$9e9Q@Ms9dUN0mQ{(R77|89vG|HCoa$v^oN=l23V^{HjAK0MDaMAeR=*TOJbw->_x$-*k-Ax- z59kvcX;vI#8u!pp2^t4RGW7hpk~zC$w1vuVj$=$`TZP0}Tj&G? zfSRQ03zlS@#X};u&GGtyWj=R7~sHCNF|Dw~|G-jM|^!{uMCHR_7l)#k? z9i^#&VKD4O6yN6-;zvb~r1&lfdGt|@+L_~EfFkjz*MVTWft7>={SwpUDi<4zl*?!N zET@TDLp3A)D|%}-|2S&lG!2yAHX|GN0WCZKzgx-wynnF&=>L6?C-?spT@x6^bTXAU zMEwg+T?*SFY6T-$z&)#(-X@WpjxwdCj$#&G*<^Ug$kn1**+b{bcCdPfRd$s;kI6NG ziY`x(bm9$+d1aG~=DEAZLs(x^rLc}j1SvWqhez)909*(Trv@%`M$D6N%2}c{VB@k- zu#~{I<+QtHmc^2$F|nltw4t>p_YG_usl*|N)ua$k~Y;+PCIqwtB zbvAdu+knO`LtoQZjeHZJs|XuMBle{r~E87CZl{j=vU8zk7B0{Q_=F zbi%?6?!c4|XnTg$LbeV4$(`WOI*-=tqxJe|y)L$1)2ex86-2PEJY%Yb zUHfR*-pQ~nQ2zI3*M4m^=kaNH++z5Tj0lh&o4xz}56krb-TnQYoyz_1JG+njzYp># zU3bDb)u+Ua#@g|6Yn9Zyj^h(m{u*Tnpgs8RcA=1%a(eSx}pTsz{8BJYSYxct~|iPh+IhqG}2Vh||^A zDQI$4D(QX5iz3zyBtb)aM6Vq!B%TzBaJ}0*?CsWcZ=pvAL1cbk{Bch9sR(@K!bN+VpUeIMgpCf6MXzX9L&tk4W# z6Fn8)DWtn`MKNq=HI^s_9IeC;#j5wg3O;IVp6KT(Nl=yuASfl#mbaHFNYT{*JB@95r@qzu;GsGa-+`4DA>N*)mO$Ca-0=?^ z{z&Cod{w+$JGi29Rq8dJjU#H?~RW?B?04NXxnv zad)q`(}Kf(FSNNUgRzt(VoJxd$8aX61I}*eYw?%^6fjOFGzkEnG68Pq?O5*oD3enJ z7+8Ah6Z|H^1*d6DiGV;oBpEtSNitL|>M*Xwl*|kJ%`D`vyvoW1tT5I=Z}(scSKYDu zJ!Cyu=f{KX^B+%KB;rAD7cq`vtYqr?R4Q{?l{`Linr`8F&*OZve4q;<`w_jrcvIbX zzj%Y#7-0+2m0oSSnFwE3x$AAUTRbeb1>Z`ER(Y5}yAGRs1)KY^7`>)iO_3w!-t}c1wc`}S!(Ov2QF5+&b z*vO}>5KH*K8QOI*kJS3Gohr<0(%J*1o zhFS&#`?)vrQak%-=q$I$`%t9GX%eN3TJ1tIrEMtVSM|~y0F#W99(sD7>O}$l+I{zW z_-l6y{n|Y~vwt1^Z2tKEcwpZA@B53>U%St`^?j^cd=_XcD|G*ulSt_pICh$8JvmTb z5_v_71bU}*>uQ=5qh@0vSV-Y?o;wp^a>wbUlf4J&J}A?E_UNCdG$#6t_Xz>9U(nx< z;5fajfd0xx2&y1m2b~F2s8^uLw{?oV>zU%AOtKkPT3#H_%@!@f{s~K?@8<^&8F%Lu z!BWZ(C4OQfeRhmzN$=a$shKNBwYuOUvRd@s;@eyf84}tljo#v0I?HA#FHt0x{ceF7 z@dMhhA&EX3s)b2@s%J#x4Iv5IQzYGcv9nI+t+)jFxR=Yvy%#%0g6J2Eh@pqfG+83sX6R(Td_oHv`!sO>!eQBLOjeK}^rjt*wCs z21KAhyaLk|J%x0%h`~WR^z_k=SY9{3Pq4%TET{f}x{<^ZBlod5dbSKC_*A^DmJLN5NH7A2MyE_j&FRJElM2+` zzQ%kzrlb5IZg-vj*P6LCu-nt(4GVEh<-Cy|g#z_7F*#OrxgI(yr|N){tA#>v1F-(( z^aZm9nJOkxIx|imwMYR+VZC&xEON}HkB#Sb*C8xPvKjnjsdpW9fV!6PyY|J12pN#^ zm~q)H4TN8I5&2Dzhioj55=oE7W15tPz^Zbvas7r|lNhPuNR;UP(+KEal&04A4%DvkW&s8qh>5OW_DSJ{LRFk3^MsFh!>emY@=OPnkjnqnU5 z#EdA!DGouH)QZ#Hot<^`&VsT~(hqibmgxtkBX4O!XE;8x%&?errZjTJ7nANx&%&9i zmCZbkgQe9{1(Dm3kVs2H9LfyGC@m1Zp`t!Z4zEn=R%HlkVF9JHMABFvqSo0gs6b;* zNQAPqC=d2tY-j|GIa^WJ+Kt8q5rkipD5vUc#yuUbZcJ<)Zzv!cq_5D`ZL&=X;?V3H>sPf2)Hbom=O``+Z5 z@Jkd0a;bzSOiDOqk=1?G7k!?;(EV$BQ-an}bp|)PJ*l)z%k^988<$hCPCOiJAui|BZ+6SC@d&c_BX@ez$Fi6gsh=ciz6km}%Nx-)xwPO`l+cekUw zZF4A6ur~Cu}x#+)%B_KYgc%`6^viIz~4g9NumYD;3u8LXzwi>p;l)c3uaSpC}kV#{%#?`5CwHRWkNt6Vv`LE*LOpG9?>L1 z*k$qqE7!wn@DpgIER$yASgB?{yA|NE(I*l%8CbvO*T@POhxItA*1jr1Zs(~4ui}8k z@mV4Xzs7OZO9w@eDuW7zO8z-Fe+3Cy5}DC<-MPU!*9&aof#kFk*+az1QuD5P2JYL_GZW`vK zozW!I`OkdPUJ;V28KB#U{C#jD!+>HASd(W27K zVtk|p_i2qst82@be3>rckRh0{=*`+&@E-fV(h?MNUlIrl6lGishkOi_Xn>rSYf$q} zHmSjKn88NEIExi^exM4W`5QW;vgj*h{~vqL+S^8st>w846akuxEcY8;fqn2KV?Y$uilOy zuzL5x)}}zl>%0ko>Edq!+@P_JtP$Pth=K%ENS2sD6<@U!kX;%uIB*nz;D6UUIwCmM z=n6wURQr8j82?FMzU8;4q818LFDJnDfC@h{BAM_1TRm1mn4ryG=uEX2bek<(jo>x<*Kc!F*A@f zm(2Ls7u&7wjF;CfZOLJHFKzPUdgr?3<`Wtxh&iCn<7F9zAXI=bSl=Cc0%=lj`J!^t zlrOiyeo#LBWqH?oyl^x)0Q=~Lg0U_T;EpBjnrB&O z)Q6bWd|vJ-lcbge%!dH*jpqn?&d# z6^q>)vBN2pb0i*;GC{^=IW7p2ReFm^K(4f=4M*BS%Q8tJeag(c(2a5+d}K8Ta>HlA zRPkONX;Wy07S~MFrm~c=Eqkw+Z_PsU6$FEF)7x%JE#OuYgGscAC_n<5B!MVs;r`Fv zOEV*`D7?uVd!;+IGPZR4A-CWXTf)PBpZ1aV{3Ayc>p!^^s>Qrd;t>Z_X z*o_*4JM0X+>ZM>cDLHs|0yjo2y|y(#+z9ehCrkOKT35Q%v%68Aq4cv>;-`Oy$yDMN z;|}~kKKaR7m_T|7s3Zx_Hlz^y49ofXZa;|G?iBx5aN=0nt4(kMJQ*HnY(!sz2O1jz zQjbcF;Nf_=sOme1glD1z4_n0P>?wmSLqoL9`lc*tyPk1LVK!v~h67}>emKv#&;_`! z=6@Fu0rc4jB7i`(V0e9_#=1DBCmD+=r{HkhjQ^EUt!0oA-%&L~ zH$tD$6q^D_3NZyPlFWNaFpiWQgZ)kpLV*eDv?FNQ@|L%pc9a{POX@1AhQ=Ax{+wZdYTv}_olFbHIY zFnF=YMp)Yzkro@l7|&4Yv9Tb9QFi@gpjv&18k(&;7NU}~BD)TX*e68p52xyyhK`(b(cdJl_`GxeEch2~UG|tv>wYTE*=|t4U*wP~Jb{R6x!C zu`up7cg+K#eR4F=gN;1}Sf<47DzJk9lRC4-C4n!Y8@$fEphqyaNBr=pxkJ}w5op=P z!0S0$D@Ef!mEZscL+Z>p3IiU?=~Td0f#Mla-jPt|57GM4J%uPaME{p=?_RIuA%&YL zpe`cWg5p=XH+bMvPzW{|+It!laLZmv_prw$cdaJ}sO9p!1`x~Kb$BXx-59}cKu>U^ z&DDtg+z{DATbKI*)Z$K1kc*0=eC|HQJ<=T@Y={M+$hf$3s7_Yk);xfAk>oCfXI&@x*wWPM7!pH4WzLPJ-q=73lB^9#*-t zTfC{*gr#j(uzEDIr8`BPC)nAmZ;iOT>rq&uS=~@VSYDRw#>iTv6_B7D_BQ|qv)9i1wyaI>YNj`-q4Tjaam$y?vMj2#=5YO*<{?5 zWmmX7Lq?DqgZcpTq`2nGB2_VtevDhXDKb#R*#XHBX%_BYK96I z2T$3V(y@k~zl8JPV6OnxUUwzlT(MJCgPb}6e^?n|g^Hf?C@+SOV54cvjoq$m)nQar zmXe%&l=b|W7$WlTmhDg))Q%Bp_8n2?_gz`1@77sGRM81S^p16Ne(lLctl&tM5nV4h zEx5CK8q&8szE$za^=&G=4X=a}P!ZC{ATBp1Qa^uq9H{P#cZ9zOi-wdtar^~1qnMwuYN6g_%Bdl)b}XSX*q(d+nuvRgx(zMR zgDF2yKckQ1^DEV%o}O1Rq|Z+%Zn|SuZ=F1uCjBRbUnbh;srdcvSSQ-A^D)iccio_F z4!RGtIsy?gRPJ1qj>Md-l3*)AKNIM2uV;3(Y`z63PlepZh#5qJ`oy1)is8Cn4TND7@#8MV!*Uv7lTG!DSe}M5WKLpEA*`4 zhO1hL;v}z!b2R>t0{m5I*DY4#o34uD11>?=y!2s9ApRVUKP2@>^T=;<>!Wz7P=&g! z*aVYQID@}D#h_zfAuP!hx5Q!n>9dQ$5(Ud&pw$6e2(E0bX$whFVBwGmiuA*_5)-%4 zzV+FtusG7n%0d`FPzZ*IwAqok-chj5t*>578ek%q`>4KB8B9-!UcdVYrMn$RottO7H9uIGF~0NsK5w8h@~xHgAgzlm>x>8022*!q1Ts6phfJll` zP26bX&i^r#|I30Nzi<1jK3hX$OFaXpn3SHr(K8mm%-v$#Z>9TV=8Bm8dOSUYV#EF{fL7K8?Fy=~52K#LA3$JTm&bN@Lvd?E&WyGla=<8SEnM|}RcF|&S8KQ9Qx7Au5|S}ZDUxRGU|H{)O(aX-}- z)0>*$4;($wcdi*)wfpF7c7%T2P9(4sUJ8TJv&A=A#y|2hqsA<@reNEGJ$ZRs2_qNo zp)U7UCnUvySdj{2bCUmk#>Om}#>y2q`jS1k!(g>YWZ#JoJQ25*P*y_y{t0iaNRv_+ zLB7#}r^S9VQHM(ZmvO1tv|E3ewAAiWf-A!)iGg5fxeg`V4hW-)&{A$CeQ#l#2H-cYN_K?ext1BP% z+QLTPna1q79(hOzhGgL@O!9d2`f#MH5(m%|Ud@iQno6?(UF9z& zBoq&xIoN`wO&GPw5yO4iat`N{3Hb2xk~NC*)&@IOmc902*uKeQf!Yxws^@Ycbd#k2 zrY}McH4>N{MW8O7{kFT*JtdiuG4}r0J`+4A*2DL_82orKfVLNd=LZ)9FO4r1(tae- zcnhc@_ZA`c<7#O62i;NL6DLF&RHnC+*#Tuv8?1=iBH9dT@!h3BQPhz~Vq>Dda?UN@ zTyL$Geu@y1{otFCCi&SK6eo*?C?u~ja|g%-9wy!@5up_tFM}KA?jX_PC_0QJTHze7 zuL(W@V2NS{?eigf%2b;L2qWG}9LO7@mJAE)g?xy9C!@88mpeR2spE5ClS=^7-NfO= zkNQYgy!WIipmiLJt&s4DnOHxK#k6oEy3LCUM7djROcR!{#iuXVhUm z9f*eb*ts@x5gbxFyxW4Ct5j_ejYX1>vyPmG#!SB(WwqB)T;% znzEKvDcEE#%fg7qdX=W!wmh#olFKjLcAc$atM$yVnh$^q_l) zn*mh7TT5qc2H^R@YRp8-;E`TbMp!GgdMoO=PVkZ}mq`m2nrv)ww}B-hOXMUOZUMvX zfEbpazu#=L-qPnShwZHf<0CWxOC$c)*>l&%=;RpC92&uk#2YMk1#48)?UU!%y$(9$ zZi*@3)?5bgL0bv}@Bg+9406|UjI&LG_FDj{C;}G@cL_`$Xa9hfN4hM<#C_rC`C$1> zycM;P6Z=ie3njKre4{L6DGVL9Q&r?y+i-Zsl~#8P-8fnP6(RaifoAby&N%3r(XSp#*4xcpY1uYo(Bl3sH{S{>!*$bMM*K@R&KJ}hL#GS znYC^A>)%YvHn^ibJ?q`mvt8^d8ze!vOK#D3Hpz?U$WoAej>WYobp;pX&$4Du&c?@o zCXC8Qg{*L(zmVc4FrvUgqK1i5`v5vg<*%T7tc1FjMymxx)pXTWTU%&ailqB%kiKcT zhIe;NHsSr;qC8A3%1tdx`B_-@6pVWlDDeRFeJ*En_ztO)17KYndD$eHIBiv2{dYa9 z9lW4gglUxW^_-+yJ}>b~?e5^d?EJ#P_Os+-=Lh^`Oz8XzqVwLa_~-Pl zziwut;xp0W8rEEVK%ll-$mhfqY(YHKyqO7BL2g+2S+FNkvA6Q)yeW#or8yNP!TGHWlqJ3OYxAA zj7NF2v$Wa~u%S&>TuvA(Z7tM9_(Y;U@UiP^xV5~I<_GT28anu@Qk0P)0gDb&uKA4t>>iIkzQoYE9a}aLf$K%I=k zTL7t7(uswvk_^3TcHSyk(MqeE#ffdS=?oqGZAXMivh5RAtb|UxSjN`S>BX2luYbD& zz&g`F>uLrUaG#=Mgp}-_3~rXsFy`q%7pCPnwgq7F)Z%SyOx@D`j@EMs4=8@R4w`@0 zmv5x)%Q$(uJ*e1A$8u3f_dgn43!g_0Vzv#1R020muY@1J;)X9o4b_~VyhJB}7wpqt zzYG*#h{1~iDryG%Y#{9`cN~KkZvS8Z_KCcKmeB1!h_kTeEe>{7C9pLVAkEM7F#OFE z?s(>GJ(1iI0%z%i9t&^#fN0|ymYjThscrOrcMnLm!Vn>TtX0-3lqh61pV_SH620^V zuX)6A`-1tj=KE7_>!rSJyG6{@@%?+uyQbFk)+DKQE;t?6sooEJw?`9;hJr2m=9h6l3&gL4eps#sQ zL?|7wBkbMqKzyRgBQme`9L`H>!p>eF4*&4X>zTq8AIHs4SiJ>2<09wEyhEnMK@I+SJ3T(TgGC z+{Iw?V@-kQV3)!9agW+KFPr*X1M51kok4*cx9~USon#Ti9elhPG*ziN2rO8fqlMQ66z#Z{ zoP9XS(!FGrHRi&I5&Ka2XsMua1RE~SD$u!<6r=&BZn;7gN#r+W0`V(P^xhB#OS(uo zh3D^vqgfi0)Vj6$bXS|-D8N$0V-^tk9ye)ejCssMM-gS=3xt07*rg2ZnDe%O{04V( z9NwB9H~931CXdp6?&*K(2A;2I;r`Rv`*+@Z2u57+DibKa{cca+lojrA6;;-fr)tOlU8>ep;n2rsiK9Volwt0+En}yRWR!{E}J`d z?M4?vs~&8wC=NZ+lap#@9R7*KC90ENq*cWHw$c`IZP3H@hTjRpeqe7jFMRDw!-jtB zK0}Fz!I?1Eaw5>Sl=P<@nOrNj>Nxcdxar)5OevQIN=; zYIvGadX47P1HS60YGXK8FFaqz&V5U-Vx?fe^zZss?Xj2oK?&hVZdB>*O zT}#iWOdE*Qi$kz4U)=7#e*L#EU)<-fUq?#_$nt%k(0EYvINhT~EEzR&RO6c(H+jm{ zWG>8bZ1nA2pEU!zB8TEgLYjytBLft|b3z66-|0e(LEGv+xuftWf!}2F5`kEDUExxO z@xu%4rwCu9vxF}@8w^2z@qB2P{suU#AGB`vPvJIic=vkmQnuz*H!3+YMO}Khk4{KE zHDyp1M8)zh*{Olt+^FPzP26=#F{zcKlz3K^PlZsx@St~7mtmFZR3tJ+{fb^pN%&m&FkOMN*BzENdw-bVAYbs zvM1xSvE56$vC7D6S&A(2DTMMk`4kc-tlCbd%if>&AcVvxH-$XL8ILBsu1hhxk*d%) zK2~y@_i~-znrRd!#H5?fKH^lN-cGW+b`x68J$Fd)VPisrY*X8zm5*Kv7=`X*cv9h2 z(K#-GqYpO@JzjvTir*cOx>yYiMg}d2B!v9(_K$U91b4NldU0!#j9 z+R8RuVuEejiib-75x2p;iWauPTzk22$&5hp=rQbj!KFnPA*q$m@f|X=Vj75$gN^$~ zn~s1=ar(C*djPMVTYTEgm3S8Z_mtkYl=>~fo1ff+{=46`A0F>!&=GATSlx_+uDA>D zpIgHq`}i#Rc=g<_3-eArZC>prLkYmKL7{|Ps%Q9yB;6^Z8 zV>V;-1>7_$|J!B!#M6wO`0=1!=h~gmzx?+1+uv`0zy1C8_y6qge*ypi|NpvUb87&; F0s!c{#Y6xA literal 0 HcmV?d00001 diff --git a/charts/longhorn-crd/102.4.0+up1.6.1/Chart.yaml b/charts/longhorn-crd/102.4.0+up1.6.1/Chart.yaml new file mode 100644 index 0000000000..e390657ee0 --- /dev/null +++ b/charts/longhorn-crd/102.4.0+up1.6.1/Chart.yaml @@ -0,0 +1,11 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: longhorn-system + catalog.cattle.io/release-name: longhorn-crd +apiVersion: v1 +appVersion: v1.6.1 +description: Installs the CRDs for longhorn. +name: longhorn-crd +type: application +version: 102.4.0+up1.6.1 diff --git a/charts/longhorn-crd/102.4.0+up1.6.1/README.md b/charts/longhorn-crd/102.4.0+up1.6.1/README.md new file mode 100644 index 0000000000..d9f7f14b33 --- /dev/null +++ b/charts/longhorn-crd/102.4.0+up1.6.1/README.md @@ -0,0 +1,2 @@ +# longhorn-crd +A Rancher chart that installs the CRDs used by longhorn. diff --git a/charts/longhorn-crd/102.4.0+up1.6.1/templates/_helpers.tpl b/charts/longhorn-crd/102.4.0+up1.6.1/templates/_helpers.tpl new file mode 100644 index 0000000000..3fbc2ac02f --- /dev/null +++ b/charts/longhorn-crd/102.4.0+up1.6.1/templates/_helpers.tpl @@ -0,0 +1,66 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "longhorn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "longhorn.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + +{{- define "longhorn.managerIP" -}} +{{- $fullname := (include "longhorn.fullname" .) -}} +{{- printf "http://%s-backend:9500" $fullname | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + +{{- define "secret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.privateRegistry.registryUrl (printf "%s:%s" .Values.privateRegistry.registryUser .Values.privateRegistry.registryPasswd | b64enc) | b64enc }} +{{- end }} + +{{- /* +longhorn.labels generates the standard Helm labels. +*/ -}} +{{- define "longhorn.labels" -}} +app.kubernetes.io/name: {{ template "longhorn.name" . }} +helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} + + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{- define "registry_url" -}} +{{- if .Values.privateRegistry.registryUrl -}} +{{- printf "%s/" .Values.privateRegistry.registryUrl -}} +{{- else -}} +{{ include "system_default_registry" . }} +{{- end -}} +{{- end -}} + +{{- /* + define the longhorn release namespace +*/ -}} +{{- define "release_namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} diff --git a/charts/longhorn-crd/102.4.0+up1.6.1/templates/crds.yaml b/charts/longhorn-crd/102.4.0+up1.6.1/templates/crds.yaml new file mode 100644 index 0000000000..8255499658 --- /dev/null +++ b/charts/longhorn-crd/102.4.0+up1.6.1/templates/crds.yaml @@ -0,0 +1,3931 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: backingimagedatasources.longhorn.io +spec: + group: longhorn.io + names: + kind: BackingImageDataSource + listKind: BackingImageDataSourceList + plural: backingimagedatasources + shortNames: + - lhbids + singular: backingimagedatasource + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The current state of the pod used to provision the backing image file from source + jsonPath: .status.currentState + name: State + type: string + - description: The data source type + jsonPath: .spec.sourceType + name: SourceType + type: string + - description: The node the backing image file will be prepared on + jsonPath: .spec.nodeID + name: Node + type: string + - description: The disk the backing image file will be prepared on + jsonPath: .spec.diskUUID + name: DiskUUID + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: BackingImageDataSource is where Longhorn stores backing image data source object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The system generated UUID of the provisioned backing image file + jsonPath: .spec.uuid + name: UUID + type: string + - description: The current state of the pod used to provision the backing image file from source + jsonPath: .status.currentState + name: State + type: string + - description: The data source type + jsonPath: .spec.sourceType + name: SourceType + type: string + - description: The backing image file size + jsonPath: .status.size + name: Size + type: string + - description: The node the backing image file will be prepared on + jsonPath: .spec.nodeID + name: Node + type: string + - description: The disk the backing image file will be prepared on + jsonPath: .spec.diskUUID + name: DiskUUID + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: BackingImageDataSource is where Longhorn stores backing image data source object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BackingImageDataSourceSpec defines the desired state of the Longhorn backing image data source + properties: + checksum: + type: string + diskPath: + type: string + diskUUID: + type: string + fileTransferred: + type: boolean + nodeID: + type: string + parameters: + additionalProperties: + type: string + type: object + sourceType: + enum: + - download + - upload + - export-from-volume + - restore + type: string + uuid: + type: string + type: object + status: + description: BackingImageDataSourceStatus defines the observed state of the Longhorn backing image data source + properties: + checksum: + type: string + currentState: + type: string + ip: + type: string + message: + type: string + ownerID: + type: string + progress: + type: integer + runningParameters: + additionalProperties: + type: string + nullable: true + type: object + size: + format: int64 + type: integer + storageIP: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: backingimagemanagers.longhorn.io +spec: + group: longhorn.io + names: + kind: BackingImageManager + listKind: BackingImageManagerList + plural: backingimagemanagers + shortNames: + - lhbim + singular: backingimagemanager + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The current state of the manager + jsonPath: .status.currentState + name: State + type: string + - description: The image the manager pod will use + jsonPath: .spec.image + name: Image + type: string + - description: The node the manager is on + jsonPath: .spec.nodeID + name: Node + type: string + - description: The disk the manager is responsible for + jsonPath: .spec.diskUUID + name: DiskUUID + type: string + - description: The disk path the manager is using + jsonPath: .spec.diskPath + name: DiskPath + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: BackingImageManager is where Longhorn stores backing image manager object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The current state of the manager + jsonPath: .status.currentState + name: State + type: string + - description: The image the manager pod will use + jsonPath: .spec.image + name: Image + type: string + - description: The node the manager is on + jsonPath: .spec.nodeID + name: Node + type: string + - description: The disk the manager is responsible for + jsonPath: .spec.diskUUID + name: DiskUUID + type: string + - description: The disk path the manager is using + jsonPath: .spec.diskPath + name: DiskPath + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: BackingImageManager is where Longhorn stores backing image manager object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BackingImageManagerSpec defines the desired state of the Longhorn backing image manager + properties: + backingImages: + additionalProperties: + type: string + type: object + diskPath: + type: string + diskUUID: + type: string + image: + type: string + nodeID: + type: string + type: object + status: + description: BackingImageManagerStatus defines the observed state of the Longhorn backing image manager + properties: + apiMinVersion: + type: integer + apiVersion: + type: integer + backingImageFileMap: + additionalProperties: + properties: + currentChecksum: + type: string + message: + type: string + name: + type: string + progress: + type: integer + senderManagerAddress: + type: string + sendingReference: + type: integer + size: + format: int64 + type: integer + state: + type: string + uuid: + type: string + type: object + nullable: true + type: object + currentState: + type: string + ip: + type: string + ownerID: + type: string + storageIP: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: backingimages.longhorn.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: longhorn-conversion-webhook + namespace: {{ include "release_namespace" . }} + path: /v1/webhook/conversion + port: 9501 + conversionReviewVersions: + - v1beta2 + - v1beta1 + group: longhorn.io + names: + kind: BackingImage + listKind: BackingImageList + plural: backingimages + shortNames: + - lhbi + singular: backingimage + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The backing image name + jsonPath: .spec.image + name: Image + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: BackingImage is where Longhorn stores backing image object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The system generated UUID + jsonPath: .status.uuid + name: UUID + type: string + - description: The source of the backing image file data + jsonPath: .spec.sourceType + name: SourceType + type: string + - description: The backing image file size in each disk + jsonPath: .status.size + name: Size + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: BackingImage is where Longhorn stores backing image object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BackingImageSpec defines the desired state of the Longhorn backing image + properties: + checksum: + type: string + disks: + additionalProperties: + type: string + type: object + sourceParameters: + additionalProperties: + type: string + type: object + sourceType: + enum: + - download + - upload + - export-from-volume + - restore + type: string + type: object + status: + description: BackingImageStatus defines the observed state of the Longhorn backing image status + properties: + checksum: + type: string + diskFileStatusMap: + additionalProperties: + properties: + lastStateTransitionTime: + type: string + message: + type: string + progress: + type: integer + state: + type: string + type: object + nullable: true + type: object + diskLastRefAtMap: + additionalProperties: + type: string + nullable: true + type: object + ownerID: + type: string + size: + format: int64 + type: integer + uuid: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: + longhorn-manager: "" + name: backupbackingimages.longhorn.io +spec: + group: longhorn.io + names: + kind: BackupBackingImage + listKind: BackupBackingImageList + plural: backupbackingimages + shortNames: + - lhbbi + singular: backupbackingimage + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The backing image name + jsonPath: .status.backingImage + name: BackingImage + type: string + - description: The backing image size + jsonPath: .status.size + name: Size + type: string + - description: The backing image backup upload finished time + jsonPath: .status.backupCreatedAt + name: BackupCreatedAt + type: string + - description: The backing image backup state + jsonPath: .status.state + name: State + type: string + - description: The last synced time + jsonPath: .status.lastSyncedAt + name: LastSyncedAt + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: BackupBackingImage is where Longhorn stores backing image backup object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BackupBackingImageSpec defines the desired state of the Longhorn backing image backup + properties: + labels: + additionalProperties: + type: string + description: The labels of backing image backup. + type: object + syncRequestedAt: + description: The time to request run sync the remote backing image backup. + format: date-time + nullable: true + type: string + userCreated: + description: Is this CR created by user through API or UI. Required + type: boolean + required: + - userCreated + type: object + status: + description: BackupBackingImageStatus defines the observed state of the Longhorn backing image backup + properties: + backingImage: + description: The backing image name. + type: string + backupCreatedAt: + description: The backing image backup upload finished time. + type: string + checksum: + description: The checksum of the backing image. + type: string + compressionMethod: + description: Compression method + type: string + error: + description: The error message when taking the backing image backup. + type: string + labels: + additionalProperties: + type: string + description: The labels of backing image backup. + nullable: true + type: object + lastSyncedAt: + description: The last time that the backing image backup was synced with the remote backup target. + format: date-time + nullable: true + type: string + managerAddress: + description: The address of the backing image manager that runs backing image backup. + type: string + messages: + additionalProperties: + type: string + description: The error messages when listing or inspecting backing image backup. + nullable: true + type: object + ownerID: + description: The node ID on which the controller is responsible to reconcile this CR. + type: string + progress: + description: The backing image backup progress. + type: integer + size: + description: The backing image size. + format: int64 + type: integer + state: + description: The backing image backup creation state. Can be "", "InProgress", "Completed", "Error", "Unknown". + type: string + url: + description: The backing image backup URL. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: backups.longhorn.io +spec: + group: longhorn.io + names: + kind: Backup + listKind: BackupList + plural: backups + shortNames: + - lhb + singular: backup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The snapshot name + jsonPath: .status.snapshotName + name: SnapshotName + type: string + - description: The snapshot size + jsonPath: .status.size + name: SnapshotSize + type: string + - description: The snapshot creation time + jsonPath: .status.snapshotCreatedAt + name: SnapshotCreatedAt + type: string + - description: The backup state + jsonPath: .status.state + name: State + type: string + - description: The backup last synced time + jsonPath: .status.lastSyncedAt + name: LastSyncedAt + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: Backup is where Longhorn stores backup object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The snapshot name + jsonPath: .status.snapshotName + name: SnapshotName + type: string + - description: The snapshot size + jsonPath: .status.size + name: SnapshotSize + type: string + - description: The snapshot creation time + jsonPath: .status.snapshotCreatedAt + name: SnapshotCreatedAt + type: string + - description: The backup state + jsonPath: .status.state + name: State + type: string + - description: The backup last synced time + jsonPath: .status.lastSyncedAt + name: LastSyncedAt + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: Backup is where Longhorn stores backup object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BackupSpec defines the desired state of the Longhorn backup + properties: + labels: + additionalProperties: + type: string + description: The labels of snapshot backup. + type: object + snapshotName: + description: The snapshot name. + type: string + syncRequestedAt: + description: The time to request run sync the remote backup. + format: date-time + nullable: true + type: string + type: object + status: + description: BackupStatus defines the observed state of the Longhorn backup + properties: + backupCreatedAt: + description: The snapshot backup upload finished time. + type: string + compressionMethod: + description: Compression method + type: string + error: + description: The error message when taking the snapshot backup. + type: string + labels: + additionalProperties: + type: string + description: The labels of snapshot backup. + nullable: true + type: object + lastSyncedAt: + description: The last time that the backup was synced with the remote backup target. + format: date-time + nullable: true + type: string + messages: + additionalProperties: + type: string + description: The error messages when calling longhorn engine on listing or inspecting backups. + nullable: true + type: object + ownerID: + description: The node ID on which the controller is responsible to reconcile this backup CR. + type: string + progress: + description: The snapshot backup progress. + type: integer + replicaAddress: + description: The address of the replica that runs snapshot backup. + type: string + size: + description: The snapshot size. + type: string + snapshotCreatedAt: + description: The snapshot creation time. + type: string + snapshotName: + description: The snapshot name. + type: string + state: + description: The backup creation state. Can be "", "InProgress", "Completed", "Error", "Unknown". + type: string + url: + description: The snapshot backup URL. + type: string + volumeBackingImageName: + description: The volume's backing image name. + type: string + volumeCreated: + description: The volume creation time. + type: string + volumeName: + description: The volume name. + type: string + volumeSize: + description: The volume size. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: backuptargets.longhorn.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: longhorn-conversion-webhook + namespace: {{ include "release_namespace" . }} + path: /v1/webhook/conversion + port: 9501 + conversionReviewVersions: + - v1beta2 + - v1beta1 + group: longhorn.io + names: + kind: BackupTarget + listKind: BackupTargetList + plural: backuptargets + shortNames: + - lhbt + singular: backuptarget + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The backup target URL + jsonPath: .spec.backupTargetURL + name: URL + type: string + - description: The backup target credential secret + jsonPath: .spec.credentialSecret + name: Credential + type: string + - description: The backup target poll interval + jsonPath: .spec.pollInterval + name: LastBackupAt + type: string + - description: Indicate whether the backup target is available or not + jsonPath: .status.available + name: Available + type: boolean + - description: The backup target last synced time + jsonPath: .status.lastSyncedAt + name: LastSyncedAt + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: BackupTarget is where Longhorn stores backup target object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The backup target URL + jsonPath: .spec.backupTargetURL + name: URL + type: string + - description: The backup target credential secret + jsonPath: .spec.credentialSecret + name: Credential + type: string + - description: The backup target poll interval + jsonPath: .spec.pollInterval + name: LastBackupAt + type: string + - description: Indicate whether the backup target is available or not + jsonPath: .status.available + name: Available + type: boolean + - description: The backup target last synced time + jsonPath: .status.lastSyncedAt + name: LastSyncedAt + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: BackupTarget is where Longhorn stores backup target object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BackupTargetSpec defines the desired state of the Longhorn backup target + properties: + backupTargetURL: + description: The backup target URL. + type: string + credentialSecret: + description: The backup target credential secret. + type: string + pollInterval: + description: The interval that the cluster needs to run sync with the backup target. + type: string + syncRequestedAt: + description: The time to request run sync the remote backup target. + format: date-time + nullable: true + type: string + type: object + status: + description: BackupTargetStatus defines the observed state of the Longhorn backup target + properties: + available: + description: Available indicates if the remote backup target is available or not. + type: boolean + conditions: + description: Records the reason on why the backup target is unavailable. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + type: string + message: + description: Human-readable message indicating details about last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's last transition. + type: string + status: + description: Status is the status of the condition. Can be True, False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + nullable: true + type: array + lastSyncedAt: + description: The last time that the controller synced with the remote backup target. + format: date-time + nullable: true + type: string + ownerID: + description: The node ID on which the controller is responsible to reconcile this backup target CR. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: backupvolumes.longhorn.io +spec: + group: longhorn.io + names: + kind: BackupVolume + listKind: BackupVolumeList + plural: backupvolumes + shortNames: + - lhbv + singular: backupvolume + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The backup volume creation time + jsonPath: .status.createdAt + name: CreatedAt + type: string + - description: The backup volume last backup name + jsonPath: .status.lastBackupName + name: LastBackupName + type: string + - description: The backup volume last backup time + jsonPath: .status.lastBackupAt + name: LastBackupAt + type: string + - description: The backup volume last synced time + jsonPath: .status.lastSyncedAt + name: LastSyncedAt + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: BackupVolume is where Longhorn stores backup volume object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The backup volume creation time + jsonPath: .status.createdAt + name: CreatedAt + type: string + - description: The backup volume last backup name + jsonPath: .status.lastBackupName + name: LastBackupName + type: string + - description: The backup volume last backup time + jsonPath: .status.lastBackupAt + name: LastBackupAt + type: string + - description: The backup volume last synced time + jsonPath: .status.lastSyncedAt + name: LastSyncedAt + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: BackupVolume is where Longhorn stores backup volume object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BackupVolumeSpec defines the desired state of the Longhorn backup volume + properties: + syncRequestedAt: + description: The time to request run sync the remote backup volume. + format: date-time + nullable: true + type: string + type: object + status: + description: BackupVolumeStatus defines the observed state of the Longhorn backup volume + properties: + backingImageChecksum: + description: the backing image checksum. + type: string + backingImageName: + description: The backing image name. + type: string + createdAt: + description: The backup volume creation time. + type: string + dataStored: + description: The backup volume block count. + type: string + labels: + additionalProperties: + type: string + description: The backup volume labels. + nullable: true + type: object + lastBackupAt: + description: The latest volume backup time. + type: string + lastBackupName: + description: The latest volume backup name. + type: string + lastModificationTime: + description: The backup volume config last modification time. + format: date-time + nullable: true + type: string + lastSyncedAt: + description: The last time that the backup volume was synced into the cluster. + format: date-time + nullable: true + type: string + messages: + additionalProperties: + type: string + description: The error messages when call longhorn engine on list or inspect backup volumes. + nullable: true + type: object + ownerID: + description: The node ID on which the controller is responsible to reconcile this backup volume CR. + type: string + size: + description: The backup volume size. + type: string + storageClassName: + description: the storage class name of pv/pvc binding with the volume. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: engineimages.longhorn.io +spec: + preserveUnknownFields: false + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: longhorn-conversion-webhook + namespace: {{ include "release_namespace" . }} + path: /v1/webhook/conversion + port: 9501 + conversionReviewVersions: + - v1beta2 + - v1beta1 + group: longhorn.io + names: + kind: EngineImage + listKind: EngineImageList + plural: engineimages + shortNames: + - lhei + singular: engineimage + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: State of the engine image + jsonPath: .status.state + name: State + type: string + - description: The Longhorn engine image + jsonPath: .spec.image + name: Image + type: string + - description: Number of resources using the engine image + jsonPath: .status.refCount + name: RefCount + type: integer + - description: The build date of the engine image + jsonPath: .status.buildDate + name: BuildDate + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: EngineImage is where Longhorn stores engine image object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Compatibility of the engine image + jsonPath: .status.incompatible + name: Incompatible + type: boolean + - description: State of the engine image + jsonPath: .status.state + name: State + type: string + - description: The Longhorn engine image + jsonPath: .spec.image + name: Image + type: string + - description: Number of resources using the engine image + jsonPath: .status.refCount + name: RefCount + type: integer + - description: The build date of the engine image + jsonPath: .status.buildDate + name: BuildDate + type: date + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: EngineImage is where Longhorn stores engine image object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: EngineImageSpec defines the desired state of the Longhorn engine image + properties: + image: + minLength: 1 + type: string + required: + - image + type: object + status: + description: EngineImageStatus defines the observed state of the Longhorn engine image + properties: + buildDate: + type: string + cliAPIMinVersion: + type: integer + cliAPIVersion: + type: integer + conditions: + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + type: string + message: + description: Human-readable message indicating details about last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's last transition. + type: string + status: + description: Status is the status of the condition. Can be True, False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + nullable: true + type: array + controllerAPIMinVersion: + type: integer + controllerAPIVersion: + type: integer + dataFormatMinVersion: + type: integer + dataFormatVersion: + type: integer + gitCommit: + type: string + incompatible: + type: boolean + noRefSince: + type: string + nodeDeploymentMap: + additionalProperties: + type: boolean + nullable: true + type: object + ownerID: + type: string + refCount: + type: integer + state: + type: string + version: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: engines.longhorn.io +spec: + group: longhorn.io + names: + kind: Engine + listKind: EngineList + plural: engines + shortNames: + - lhe + singular: engine + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The current state of the engine + jsonPath: .status.currentState + name: State + type: string + - description: The node that the engine is on + jsonPath: .spec.nodeID + name: Node + type: string + - description: The instance manager of the engine + jsonPath: .status.instanceManagerName + name: InstanceManager + type: string + - description: The current image of the engine + jsonPath: .status.currentImage + name: Image + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Engine is where Longhorn stores engine object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The data engine of the engine + jsonPath: .spec.dataEngine + name: Data Engine + type: string + - description: The current state of the engine + jsonPath: .status.currentState + name: State + type: string + - description: The node that the engine is on + jsonPath: .spec.nodeID + name: Node + type: string + - description: The instance manager of the engine + jsonPath: .status.instanceManagerName + name: InstanceManager + type: string + - description: The current image of the engine + jsonPath: .status.currentImage + name: Image + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: Engine is where Longhorn stores engine object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: EngineSpec defines the desired state of the Longhorn engine + properties: + active: + type: boolean + backendStoreDriver: + description: 'Deprecated: Replaced by field `dataEngine`.' + type: string + backupVolume: + type: string + dataEngine: + enum: + - v1 + - v2 + type: string + desireState: + type: string + disableFrontend: + type: boolean + engineImage: + description: 'Deprecated: Replaced by field `image`.' + type: string + frontend: + enum: + - blockdev + - iscsi + - nvmf + - "" + type: string + image: + type: string + logRequested: + type: boolean + nodeID: + type: string + replicaAddressMap: + additionalProperties: + type: string + type: object + requestedBackupRestore: + type: string + requestedDataSource: + type: string + revisionCounterDisabled: + type: boolean + salvageRequested: + type: boolean + snapshotMaxCount: + type: integer + snapshotMaxSize: + format: int64 + type: string + unmapMarkSnapChainRemovedEnabled: + type: boolean + upgradedReplicaAddressMap: + additionalProperties: + type: string + type: object + volumeName: + type: string + volumeSize: + format: int64 + type: string + type: object + status: + description: EngineStatus defines the observed state of the Longhorn engine + properties: + backupStatus: + additionalProperties: + properties: + backupURL: + type: string + error: + type: string + progress: + type: integer + replicaAddress: + type: string + snapshotName: + type: string + state: + type: string + type: object + nullable: true + type: object + cloneStatus: + additionalProperties: + properties: + error: + type: string + fromReplicaAddress: + type: string + isCloning: + type: boolean + progress: + type: integer + snapshotName: + type: string + state: + type: string + type: object + nullable: true + type: object + conditions: + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + type: string + message: + description: Human-readable message indicating details about last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's last transition. + type: string + status: + description: Status is the status of the condition. Can be True, False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + nullable: true + type: array + currentImage: + type: string + currentReplicaAddressMap: + additionalProperties: + type: string + nullable: true + type: object + currentSize: + format: int64 + type: string + currentState: + type: string + endpoint: + type: string + instanceManagerName: + type: string + ip: + type: string + isExpanding: + type: boolean + lastExpansionError: + type: string + lastExpansionFailedAt: + type: string + lastRestoredBackup: + type: string + logFetched: + type: boolean + ownerID: + type: string + port: + type: integer + purgeStatus: + additionalProperties: + properties: + error: + type: string + isPurging: + type: boolean + progress: + type: integer + state: + type: string + type: object + nullable: true + type: object + rebuildStatus: + additionalProperties: + properties: + error: + type: string + fromReplicaAddress: + type: string + isRebuilding: + type: boolean + progress: + type: integer + state: + type: string + type: object + nullable: true + type: object + replicaModeMap: + additionalProperties: + type: string + nullable: true + type: object + replicaTransitionTimeMap: + additionalProperties: + type: string + description: ReplicaTransitionTimeMap records the time a replica in ReplicaModeMap transitions from one mode to another (or from not being in the ReplicaModeMap to being in it). This information is sometimes required by other controllers (e.g. the volume controller uses it to determine the correct value for replica.Spec.lastHealthyAt). + type: object + restoreStatus: + additionalProperties: + properties: + backupURL: + type: string + currentRestoringBackup: + type: string + error: + type: string + filename: + type: string + isRestoring: + type: boolean + lastRestored: + type: string + progress: + type: integer + state: + type: string + type: object + nullable: true + type: object + salvageExecuted: + type: boolean + snapshotMaxCount: + type: integer + snapshotMaxSize: + format: int64 + type: string + snapshots: + additionalProperties: + properties: + children: + additionalProperties: + type: boolean + nullable: true + type: object + created: + type: string + labels: + additionalProperties: + type: string + nullable: true + type: object + name: + type: string + parent: + type: string + removed: + type: boolean + size: + type: string + usercreated: + type: boolean + type: object + nullable: true + type: object + snapshotsError: + type: string + started: + type: boolean + storageIP: + type: string + unmapMarkSnapChainRemovedEnabled: + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: instancemanagers.longhorn.io +spec: + group: longhorn.io + names: + kind: InstanceManager + listKind: InstanceManagerList + plural: instancemanagers + shortNames: + - lhim + singular: instancemanager + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The state of the instance manager + jsonPath: .status.currentState + name: State + type: string + - description: The type of the instance manager (engine or replica) + jsonPath: .spec.type + name: Type + type: string + - description: The node that the instance manager is running on + jsonPath: .spec.nodeID + name: Node + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: InstanceManager is where Longhorn stores instance manager object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The data engine of the instance manager + jsonPath: .spec.dataEngine + name: Data Engine + type: string + - description: The state of the instance manager + jsonPath: .status.currentState + name: State + type: string + - description: The type of the instance manager (engine or replica) + jsonPath: .spec.type + name: Type + type: string + - description: The node that the instance manager is running on + jsonPath: .spec.nodeID + name: Node + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: InstanceManager is where Longhorn stores instance manager object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: InstanceManagerSpec defines the desired state of the Longhorn instance manager + properties: + dataEngine: + type: string + image: + type: string + nodeID: + type: string + type: + enum: + - aio + - engine + - replica + type: string + type: object + status: + description: InstanceManagerStatus defines the observed state of the Longhorn instance manager + properties: + apiMinVersion: + type: integer + apiVersion: + type: integer + proxyApiMinVersion: + type: integer + proxyApiVersion: + type: integer + currentState: + type: string + instanceEngines: + additionalProperties: + properties: + spec: + properties: + backendStoreDriver: + description: 'Deprecated: Replaced by field `dataEngine`.' + type: string + dataEngine: + type: string + name: + type: string + type: object + status: + properties: + conditions: + additionalProperties: + type: boolean + nullable: true + type: object + endpoint: + type: string + errorMsg: + type: string + listen: + type: string + portEnd: + format: int32 + type: integer + portStart: + format: int32 + type: integer + resourceVersion: + format: int64 + type: integer + state: + type: string + type: + type: string + type: object + type: object + nullable: true + type: object + instanceReplicas: + additionalProperties: + properties: + spec: + properties: + backendStoreDriver: + description: 'Deprecated: Replaced by field `dataEngine`.' + type: string + dataEngine: + type: string + name: + type: string + type: object + status: + properties: + conditions: + additionalProperties: + type: boolean + nullable: true + type: object + endpoint: + type: string + errorMsg: + type: string + listen: + type: string + portEnd: + format: int32 + type: integer + portStart: + format: int32 + type: integer + resourceVersion: + format: int64 + type: integer + state: + type: string + type: + type: string + type: object + type: object + nullable: true + type: object + instances: + additionalProperties: + properties: + spec: + properties: + backendStoreDriver: + description: 'Deprecated: Replaced by field `dataEngine`.' + type: string + dataEngine: + type: string + name: + type: string + type: object + status: + properties: + conditions: + additionalProperties: + type: boolean + nullable: true + type: object + endpoint: + type: string + errorMsg: + type: string + listen: + type: string + portEnd: + format: int32 + type: integer + portStart: + format: int32 + type: integer + resourceVersion: + format: int64 + type: integer + state: + type: string + type: + type: string + type: object + type: object + nullable: true + description: 'Deprecated: Replaced by InstanceEngines and InstanceReplicas' + type: object + ip: + type: string + ownerID: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: nodes.longhorn.io +spec: + preserveUnknownFields: false + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: longhorn-conversion-webhook + namespace: {{ include "release_namespace" . }} + path: /v1/webhook/conversion + port: 9501 + conversionReviewVersions: + - v1beta2 + - v1beta1 + group: longhorn.io + names: + kind: Node + listKind: NodeList + plural: nodes + shortNames: + - lhn + singular: node + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Indicate whether the node is ready + jsonPath: .status.conditions['Ready']['status'] + name: Ready + type: string + - description: Indicate whether the user disabled/enabled replica scheduling for the node + jsonPath: .spec.allowScheduling + name: AllowScheduling + type: boolean + - description: Indicate whether Longhorn can schedule replicas on the node + jsonPath: .status.conditions['Schedulable']['status'] + name: Schedulable + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Node is where Longhorn stores Longhorn node object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Indicate whether the node is ready + jsonPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - description: Indicate whether the user disabled/enabled replica scheduling for the node + jsonPath: .spec.allowScheduling + name: AllowScheduling + type: boolean + - description: Indicate whether Longhorn can schedule replicas on the node + jsonPath: .status.conditions[?(@.type=='Schedulable')].status + name: Schedulable + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: Node is where Longhorn stores Longhorn node object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NodeSpec defines the desired state of the Longhorn node + properties: + allowScheduling: + description: Allow scheduling replicas on the node. + type: boolean + disks: + additionalProperties: + properties: + allowScheduling: + type: boolean + diskType: + enum: + - filesystem + - block + type: string + evictionRequested: + type: boolean + path: + type: string + storageReserved: + format: int64 + type: integer + tags: + items: + type: string + type: array + type: object + type: object + evictionRequested: + type: boolean + instanceManagerCPURequest: + type: integer + name: + type: string + tags: + items: + type: string + type: array + type: object + status: + description: NodeStatus defines the observed state of the Longhorn node + properties: + autoEvicting: + type: boolean + conditions: + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + type: string + message: + description: Human-readable message indicating details about last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's last transition. + type: string + status: + description: Status is the status of the condition. Can be True, False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + nullable: true + type: array + diskStatus: + additionalProperties: + properties: + conditions: + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + type: string + message: + description: Human-readable message indicating details about last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's last transition. + type: string + status: + description: Status is the status of the condition. Can be True, False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + nullable: true + type: array + diskType: + type: string + diskUUID: + type: string + filesystemType: + type: string + scheduledReplica: + additionalProperties: + format: int64 + type: integer + nullable: true + type: object + storageAvailable: + format: int64 + type: integer + storageMaximum: + format: int64 + type: integer + storageScheduled: + format: int64 + type: integer + type: object + description: The status of the disks on the node. + nullable: true + type: object + region: + description: The Region of the node. + type: string + snapshotCheckStatus: + description: The status of the snapshot integrity check. + properties: + lastPeriodicCheckedAt: + format: date-time + type: string + type: object + zone: + description: The Zone of the node. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: orphans.longhorn.io +spec: + group: longhorn.io + names: + kind: Orphan + listKind: OrphanList + plural: orphans + shortNames: + - lho + singular: orphan + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The type of the orphan + jsonPath: .spec.orphanType + name: Type + type: string + - description: The node that the orphan is on + jsonPath: .spec.nodeID + name: Node + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: Orphan is where Longhorn stores orphan object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: OrphanSpec defines the desired state of the Longhorn orphaned data + properties: + nodeID: + description: The node ID on which the controller is responsible to reconcile this orphan CR. + type: string + orphanType: + description: The type of the orphaned data. Can be "replica". + type: string + parameters: + additionalProperties: + type: string + description: The parameters of the orphaned data + type: object + type: object + status: + description: OrphanStatus defines the observed state of the Longhorn orphaned data + properties: + conditions: + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + type: string + message: + description: Human-readable message indicating details about last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's last transition. + type: string + status: + description: Status is the status of the condition. Can be True, False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + nullable: true + type: array + ownerID: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: + longhorn-manager: "" + name: recurringjobs.longhorn.io +spec: + group: longhorn.io + names: + kind: RecurringJob + listKind: RecurringJobList + plural: recurringjobs + shortNames: + - lhrj + singular: recurringjob + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Sets groupings to the jobs. When set to "default" group will be added to the volume label when no other job label exist in volume + jsonPath: .spec.groups + name: Groups + type: string + - description: Should be one of "backup" or "snapshot" + jsonPath: .spec.task + name: Task + type: string + - description: The cron expression represents recurring job scheduling + jsonPath: .spec.cron + name: Cron + type: string + - description: The number of snapshots/backups to keep for the volume + jsonPath: .spec.retain + name: Retain + type: integer + - description: The concurrent job to run by each cron job + jsonPath: .spec.concurrency + name: Concurrency + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Specify the labels + jsonPath: .spec.labels + name: Labels + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: RecurringJob is where Longhorn stores recurring job object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: Sets groupings to the jobs. When set to "default" group will be added to the volume label when no other job label exist in volume + jsonPath: .spec.groups + name: Groups + type: string + - description: Should be one of "snapshot", "snapshot-force-create", "snapshot-cleanup", "snapshot-delete", "backup", "backup-force-create" or "filesystem-trim" + jsonPath: .spec.task + name: Task + type: string + - description: The cron expression represents recurring job scheduling + jsonPath: .spec.cron + name: Cron + type: string + - description: The number of snapshots/backups to keep for the volume + jsonPath: .spec.retain + name: Retain + type: integer + - description: The concurrent job to run by each cron job + jsonPath: .spec.concurrency + name: Concurrency + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Specify the labels + jsonPath: .spec.labels + name: Labels + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: RecurringJob is where Longhorn stores recurring job object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RecurringJobSpec defines the desired state of the Longhorn recurring job + properties: + concurrency: + description: The concurrency of taking the snapshot/backup. + type: integer + cron: + description: The cron setting. + type: string + groups: + description: The recurring job group. + items: + type: string + type: array + labels: + additionalProperties: + type: string + description: The label of the snapshot/backup. + type: object + name: + description: The recurring job name. + type: string + retain: + description: The retain count of the snapshot/backup. + type: integer + task: + description: The recurring job task. Can be "snapshot", "snapshot-force-create", "snapshot-cleanup", "snapshot-delete", "backup", "backup-force-create" or "filesystem-trim" + enum: + - snapshot + - snapshot-force-create + - snapshot-cleanup + - snapshot-delete + - backup + - backup-force-create + - filesystem-trim + type: string + type: object + status: + description: RecurringJobStatus defines the observed state of the Longhorn recurring job + properties: + ownerID: + description: The owner ID which is responsible to reconcile this recurring job CR. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: replicas.longhorn.io +spec: + group: longhorn.io + names: + kind: Replica + listKind: ReplicaList + plural: replicas + shortNames: + - lhr + singular: replica + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The current state of the replica + jsonPath: .status.currentState + name: State + type: string + - description: The node that the replica is on + jsonPath: .spec.nodeID + name: Node + type: string + - description: The disk that the replica is on + jsonPath: .spec.diskID + name: Disk + type: string + - description: The instance manager of the replica + jsonPath: .status.instanceManagerName + name: InstanceManager + type: string + - description: The current image of the replica + jsonPath: .status.currentImage + name: Image + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Replica is where Longhorn stores replica object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The data engine of the replica + jsonPath: .spec.dataEngine + name: Data Engine + type: string + - description: The current state of the replica + jsonPath: .status.currentState + name: State + type: string + - description: The node that the replica is on + jsonPath: .spec.nodeID + name: Node + type: string + - description: The disk that the replica is on + jsonPath: .spec.diskID + name: Disk + type: string + - description: The instance manager of the replica + jsonPath: .status.instanceManagerName + name: InstanceManager + type: string + - description: The current image of the replica + jsonPath: .status.currentImage + name: Image + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: Replica is where Longhorn stores replica object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ReplicaSpec defines the desired state of the Longhorn replica + properties: + active: + type: boolean + backendStoreDriver: + description: 'Deprecated: Replaced by field `dataEngine`.' + type: string + backingImage: + type: string + dataDirectoryName: + type: string + dataEngine: + enum: + - v1 + - v2 + type: string + desireState: + type: string + diskID: + type: string + diskPath: + type: string + engineImage: + description: 'Deprecated: Replaced by field `image`.' + type: string + engineName: + type: string + evictionRequested: + type: boolean + failedAt: + description: FailedAt is set when a running replica fails or when a running engine is unable to use a replica for any reason. FailedAt indicates the time the failure occurred. When FailedAt is set, a replica is likely to have useful (though possibly stale) data. A replica with FailedAt set must be rebuilt from a non-failed replica (or it can be used in a salvage if all replicas are failed). FailedAt is cleared before a rebuild or salvage. FailedAt may be later than the corresponding entry in an engine's replicaTransitionTimeMap because it is set when the volume controller acknowledges the change. + type: string + hardNodeAffinity: + type: string + healthyAt: + description: HealthyAt is set the first time a replica becomes read/write in an engine after creation or rebuild. HealthyAt indicates the time the last successful rebuild occurred. When HealthyAt is set, a replica is likely to have useful (though possibly stale) data. HealthyAt is cleared before a rebuild. HealthyAt may be later than the corresponding entry in an engine's replicaTransitionTimeMap because it is set when the volume controller acknowledges the change. + type: string + image: + type: string + lastFailedAt: + description: LastFailedAt is always set at the same time as FailedAt. Unlike FailedAt, LastFailedAt is never cleared. LastFailedAt is not a reliable indicator of the state of a replica's data. For example, a replica with LastFailedAt may already be healthy and in use again. However, because it is never cleared, it can be compared to LastHealthyAt to help prevent dangerous replica deletion in some corner cases. LastFailedAt may be later than the corresponding entry in an engine's replicaTransitionTimeMap because it is set when the volume controller acknowledges the change. + type: string + lastHealthyAt: + description: LastHealthyAt is set every time a replica becomes read/write in an engine. Unlike HealthyAt, LastHealthyAt is never cleared. LastHealthyAt is not a reliable indicator of the state of a replica's data. For example, a replica with LastHealthyAt set may be in the middle of a rebuild. However, because it is never cleared, it can be compared to LastFailedAt to help prevent dangerous replica deletion in some corner cases. LastHealthyAt may be later than the corresponding entry in an engine's replicaTransitionTimeMap because it is set when the volume controller acknowledges the change. + type: string + logRequested: + type: boolean + nodeID: + type: string + rebuildRetryCount: + type: integer + revisionCounterDisabled: + type: boolean + salvageRequested: + type: boolean + snapshotMaxCount: + type: integer + snapshotMaxSize: + format: int64 + type: string + unmapMarkDiskChainRemovedEnabled: + type: boolean + volumeName: + type: string + volumeSize: + format: int64 + type: string + type: object + status: + description: ReplicaStatus defines the observed state of the Longhorn replica + properties: + conditions: + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + type: string + message: + description: Human-readable message indicating details about last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's last transition. + type: string + status: + description: Status is the status of the condition. Can be True, False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + nullable: true + type: array + currentImage: + type: string + currentState: + type: string + evictionRequested: + description: 'Deprecated: Replaced by field `spec.evictionRequested`.' + type: boolean + instanceManagerName: + type: string + ip: + type: string + logFetched: + type: boolean + ownerID: + type: string + port: + type: integer + salvageExecuted: + type: boolean + started: + type: boolean + storageIP: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: settings.longhorn.io +spec: + group: longhorn.io + names: + kind: Setting + listKind: SettingList + plural: settings + shortNames: + - lhs + singular: setting + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The value of the setting + jsonPath: .value + name: Value + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Setting is where Longhorn stores setting object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + value: + type: string + required: + - value + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The value of the setting + jsonPath: .value + name: Value + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: Setting is where Longhorn stores setting object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + value: + description: The value of the setting. + type: string + required: + - value + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: sharemanagers.longhorn.io +spec: + group: longhorn.io + names: + kind: ShareManager + listKind: ShareManagerList + plural: sharemanagers + shortNames: + - lhsm + singular: sharemanager + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The state of the share manager + jsonPath: .status.state + name: State + type: string + - description: The node that the share manager is owned by + jsonPath: .status.ownerID + name: Node + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: ShareManager is where Longhorn stores share manager object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The state of the share manager + jsonPath: .status.state + name: State + type: string + - description: The node that the share manager is owned by + jsonPath: .status.ownerID + name: Node + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: ShareManager is where Longhorn stores share manager object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ShareManagerSpec defines the desired state of the Longhorn share manager + properties: + image: + description: Share manager image used for creating a share manager pod + type: string + type: object + status: + description: ShareManagerStatus defines the observed state of the Longhorn share manager + properties: + endpoint: + description: NFS endpoint that can access the mounted filesystem of the volume + type: string + ownerID: + description: The node ID on which the controller is responsible to reconcile this share manager resource + type: string + state: + description: The state of the share manager resource + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: snapshots.longhorn.io +spec: + group: longhorn.io + names: + kind: Snapshot + listKind: SnapshotList + plural: snapshots + shortNames: + - lhsnap + singular: snapshot + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The volume that this snapshot belongs to + jsonPath: .spec.volume + name: Volume + type: string + - description: Timestamp when the point-in-time snapshot was taken + jsonPath: .status.creationTime + name: CreationTime + type: string + - description: Indicates if the snapshot is ready to be used to restore/backup a volume + jsonPath: .status.readyToUse + name: ReadyToUse + type: boolean + - description: Represents the minimum size of volume required to rehydrate from this snapshot + jsonPath: .status.restoreSize + name: RestoreSize + type: string + - description: The actual size of the snapshot + jsonPath: .status.size + name: Size + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: Snapshot is the Schema for the snapshots API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SnapshotSpec defines the desired state of Longhorn Snapshot + properties: + createSnapshot: + description: require creating a new snapshot + type: boolean + labels: + additionalProperties: + type: string + description: The labels of snapshot + nullable: true + type: object + volume: + description: the volume that this snapshot belongs to. This field is immutable after creation. Required + type: string + required: + - volume + type: object + status: + description: SnapshotStatus defines the observed state of Longhorn Snapshot + properties: + checksum: + type: string + children: + additionalProperties: + type: boolean + nullable: true + type: object + creationTime: + type: string + error: + type: string + labels: + additionalProperties: + type: string + nullable: true + type: object + markRemoved: + type: boolean + ownerID: + type: string + parent: + type: string + readyToUse: + type: boolean + restoreSize: + format: int64 + type: integer + size: + format: int64 + type: integer + userCreated: + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: supportbundles.longhorn.io +spec: + group: longhorn.io + names: + kind: SupportBundle + listKind: SupportBundleList + plural: supportbundles + shortNames: + - lhbundle + singular: supportbundle + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The state of the support bundle + jsonPath: .status.state + name: State + type: string + - description: The issue URL + jsonPath: .spec.issueURL + name: Issue + type: string + - description: A brief description of the issue + jsonPath: .spec.description + name: Description + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: SupportBundle is where Longhorn stores support bundle object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SupportBundleSpec defines the desired state of the Longhorn SupportBundle + properties: + description: + description: A brief description of the issue + type: string + issueURL: + description: The issue URL + nullable: true + type: string + nodeID: + description: The preferred responsible controller node ID. + type: string + required: + - description + type: object + status: + description: SupportBundleStatus defines the observed state of the Longhorn SupportBundle + properties: + conditions: + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + type: string + message: + description: Human-readable message indicating details about last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's last transition. + type: string + status: + description: Status is the status of the condition. Can be True, False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + filename: + type: string + filesize: + format: int64 + type: integer + image: + description: The support bundle manager image + type: string + managerIP: + description: The support bundle manager IP + type: string + ownerID: + description: The current responsible controller node ID + type: string + progress: + type: integer + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: systembackups.longhorn.io +spec: + group: longhorn.io + names: + kind: SystemBackup + listKind: SystemBackupList + plural: systembackups + shortNames: + - lhsb + singular: systembackup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The system backup Longhorn version + jsonPath: .status.version + name: Version + type: string + - description: The system backup state + jsonPath: .status.state + name: State + type: string + - description: The system backup creation time + jsonPath: .status.createdAt + name: Created + type: string + - description: The last time that the system backup was synced into the cluster + jsonPath: .status.lastSyncedAt + name: LastSyncedAt + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: SystemBackup is where Longhorn stores system backup object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SystemBackupSpec defines the desired state of the Longhorn SystemBackup + properties: + volumeBackupPolicy: + description: The create volume backup policy Can be "if-not-present", "always" or "disabled" + nullable: true + type: string + type: object + status: + description: SystemBackupStatus defines the observed state of the Longhorn SystemBackup + properties: + conditions: + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + type: string + message: + description: Human-readable message indicating details about last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's last transition. + type: string + status: + description: Status is the status of the condition. Can be True, False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + nullable: true + type: array + createdAt: + description: The system backup creation time. + format: date-time + type: string + gitCommit: + description: The saved Longhorn manager git commit. + nullable: true + type: string + lastSyncedAt: + description: The last time that the system backup was synced into the cluster. + format: date-time + nullable: true + type: string + managerImage: + description: The saved manager image. + type: string + ownerID: + description: The node ID of the responsible controller to reconcile this SystemBackup. + type: string + state: + description: The system backup state. + type: string + version: + description: The saved Longhorn version. + nullable: true + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: systemrestores.longhorn.io +spec: + group: longhorn.io + names: + kind: SystemRestore + listKind: SystemRestoreList + plural: systemrestores + shortNames: + - lhsr + singular: systemrestore + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The system restore state + jsonPath: .status.state + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: SystemRestore is where Longhorn stores system restore object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SystemRestoreSpec defines the desired state of the Longhorn SystemRestore + properties: + systemBackup: + description: The system backup name in the object store. + type: string + required: + - systemBackup + type: object + status: + description: SystemRestoreStatus defines the observed state of the Longhorn SystemRestore + properties: + conditions: + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + type: string + message: + description: Human-readable message indicating details about last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's last transition. + type: string + status: + description: Status is the status of the condition. Can be True, False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + nullable: true + type: array + ownerID: + description: The node ID of the responsible controller to reconcile this SystemRestore. + type: string + sourceURL: + description: The source system backup URL. + type: string + state: + description: The system restore state. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: volumes.longhorn.io +spec: + preserveUnknownFields: false + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: longhorn-conversion-webhook + namespace: {{ include "release_namespace" . }} + path: /v1/webhook/conversion + port: 9501 + conversionReviewVersions: + - v1beta2 + - v1beta1 + group: longhorn.io + names: + kind: Volume + listKind: VolumeList + plural: volumes + shortNames: + - lhv + singular: volume + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The state of the volume + jsonPath: .status.state + name: State + type: string + - description: The robustness of the volume + jsonPath: .status.robustness + name: Robustness + type: string + - description: The scheduled condition of the volume + jsonPath: .status.conditions['scheduled']['status'] + name: Scheduled + type: string + - description: The size of the volume + jsonPath: .spec.size + name: Size + type: string + - description: The node that the volume is currently attaching to + jsonPath: .status.currentNodeID + name: Node + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Volume is where Longhorn stores volume object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + x-kubernetes-preserve-unknown-fields: true + status: + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The data engine of the volume + jsonPath: .spec.dataEngine + name: Data Engine + type: string + - description: The state of the volume + jsonPath: .status.state + name: State + type: string + - description: The robustness of the volume + jsonPath: .status.robustness + name: Robustness + type: string + - description: The scheduled condition of the volume + jsonPath: .status.conditions[?(@.type=='Schedulable')].status + name: Scheduled + type: string + - description: The size of the volume + jsonPath: .spec.size + name: Size + type: string + - description: The node that the volume is currently attaching to + jsonPath: .status.currentNodeID + name: Node + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: Volume is where Longhorn stores volume object. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VolumeSpec defines the desired state of the Longhorn volume + properties: + Standby: + type: boolean + accessMode: + enum: + - rwo + - rwx + type: string + backendStoreDriver: + description: 'Deprecated: Replaced by field `dataEngine`.' + type: string + backingImage: + type: string + backupCompressionMethod: + enum: + - none + - lz4 + - gzip + type: string + dataEngine: + enum: + - v1 + - v2 + type: string + dataLocality: + enum: + - disabled + - best-effort + - strict-local + type: string + dataSource: + type: string + disableFrontend: + type: boolean + diskSelector: + items: + type: string + type: array + encrypted: + type: boolean + engineImage: + description: 'Deprecated: Replaced by field `image`.' + type: string + fromBackup: + type: string + frontend: + enum: + - blockdev + - iscsi + - nvmf + - "" + type: string + image: + type: string + lastAttachedBy: + type: string + migratable: + type: boolean + migrationNodeID: + type: string + nodeID: + type: string + nodeSelector: + items: + type: string + type: array + numberOfReplicas: + type: integer + offlineReplicaRebuilding: + description: OfflineReplicaRebuilding is used to determine if the offline replica rebuilding feature is enabled or not + enum: + - ignored + - disabled + - enabled + type: string + replicaAutoBalance: + enum: + - ignored + - disabled + - least-effort + - best-effort + type: string + replicaDiskSoftAntiAffinity: + description: Replica disk soft anti affinity of the volume. Set enabled to allow replicas to be scheduled in the same disk. + enum: + - ignored + - enabled + - disabled + type: string + replicaSoftAntiAffinity: + description: Replica soft anti affinity of the volume. Set enabled to allow replicas to be scheduled on the same node. + enum: + - ignored + - enabled + - disabled + type: string + replicaZoneSoftAntiAffinity: + description: Replica zone soft anti affinity of the volume. Set enabled to allow replicas to be scheduled in the same zone. + enum: + - ignored + - enabled + - disabled + type: string + restoreVolumeRecurringJob: + enum: + - ignored + - enabled + - disabled + type: string + revisionCounterDisabled: + type: boolean + size: + format: int64 + type: string + snapshotDataIntegrity: + enum: + - ignored + - disabled + - enabled + - fast-check + type: string + snapshotMaxCount: + type: integer + snapshotMaxSize: + format: int64 + type: string + staleReplicaTimeout: + type: integer + unmapMarkSnapChainRemoved: + enum: + - ignored + - disabled + - enabled + type: string + type: object + status: + description: VolumeStatus defines the observed state of the Longhorn volume + properties: + actualSize: + format: int64 + type: integer + cloneStatus: + properties: + snapshot: + type: string + sourceVolume: + type: string + state: + type: string + type: object + conditions: + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + type: string + message: + description: Human-readable message indicating details about last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's last transition. + type: string + status: + description: Status is the status of the condition. Can be True, False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + nullable: true + type: array + currentImage: + type: string + currentMigrationNodeID: + description: the node that this volume is currently migrating to + type: string + currentNodeID: + type: string + expansionRequired: + type: boolean + frontendDisabled: + type: boolean + isStandby: + type: boolean + kubernetesStatus: + properties: + lastPVCRefAt: + type: string + lastPodRefAt: + type: string + namespace: + description: determine if PVC/Namespace is history or not + type: string + pvName: + type: string + pvStatus: + type: string + pvcName: + type: string + workloadsStatus: + description: determine if Pod/Workload is history or not + items: + properties: + podName: + type: string + podStatus: + type: string + workloadName: + type: string + workloadType: + type: string + type: object + nullable: true + type: array + type: object + lastBackup: + type: string + lastBackupAt: + type: string + lastDegradedAt: + type: string + offlineReplicaRebuildingRequired: + type: boolean + ownerID: + type: string + pendingNodeID: + description: Deprecated. + type: string + remountRequestedAt: + type: string + restoreInitiated: + type: boolean + restoreRequired: + type: boolean + robustness: + type: string + shareEndpoint: + type: string + shareState: + type: string + state: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.7.0 + creationTimestamp: null + labels: {{- include "longhorn.labels" . | nindent 4 }} + longhorn-manager: "" + name: volumeattachments.longhorn.io +spec: + group: longhorn.io + names: + kind: VolumeAttachment + listKind: VolumeAttachmentList + plural: volumeattachments + shortNames: + - lhva + singular: volumeattachment + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: VolumeAttachment stores attachment information of a Longhorn volume + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: VolumeAttachmentSpec defines the desired state of Longhorn VolumeAttachment + properties: + attachmentTickets: + additionalProperties: + properties: + generation: + description: A sequence number representing a specific generation of the desired state. Populated by the system. Read-only. + format: int64 + type: integer + id: + description: The unique ID of this attachment. Used to differentiate different attachments of the same volume. + type: string + nodeID: + description: The node that this attachment is requesting + type: string + parameters: + additionalProperties: + type: string + description: Optional additional parameter for this attachment + type: object + type: + type: string + type: object + type: object + volume: + description: The name of Longhorn volume of this VolumeAttachment + type: string + required: + - volume + type: object + status: + description: VolumeAttachmentStatus defines the observed state of Longhorn VolumeAttachment + properties: + attachmentTicketStatuses: + additionalProperties: + properties: + conditions: + description: Record any error when trying to fulfill this attachment + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + type: string + message: + description: Human-readable message indicating details about last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's last transition. + type: string + status: + description: Status is the status of the condition. Can be True, False, Unknown. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + nullable: true + type: array + generation: + description: A sequence number representing a specific generation of the desired state. Populated by the system. Read-only. + format: int64 + type: integer + id: + description: The unique ID of this attachment. Used to differentiate different attachments of the same volume. + type: string + satisfied: + description: Indicate whether this attachment ticket has been satisfied + type: boolean + required: + - conditions + - satisfied + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/longhorn/102.4.0+up1.6.1/.helmignore b/charts/longhorn/102.4.0+up1.6.1/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/longhorn/102.4.0+up1.6.1/Chart.yaml b/charts/longhorn/102.4.0+up1.6.1/Chart.yaml new file mode 100644 index 0000000000..90969207d5 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/Chart.yaml @@ -0,0 +1,40 @@ +annotations: + catalog.cattle.io/auto-install: longhorn-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Longhorn + catalog.cattle.io/kube-version: '>= 1.21.0-0' + catalog.cattle.io/namespace: longhorn-system + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: longhorn.io/v1beta1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: longhorn + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 1.6.1 +apiVersion: v1 +appVersion: v1.6.1 +description: Longhorn is a distributed block storage system for Kubernetes. +home: https://github.com/longhorn/longhorn +icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/longhorn/icon/color/longhorn-icon-color.png +keywords: +- longhorn +- storage +- distributed +- block +- device +- iscsi +- nfs +kubeVersion: '>=1.21.0-0' +maintainers: +- email: maintainers@longhorn.io + name: Longhorn maintainers +name: longhorn +sources: +- https://github.com/longhorn/longhorn +- https://github.com/longhorn/longhorn-engine +- https://github.com/longhorn/longhorn-instance-manager +- https://github.com/longhorn/longhorn-share-manager +- https://github.com/longhorn/longhorn-manager +- https://github.com/longhorn/longhorn-ui +- https://github.com/longhorn/longhorn-tests +- https://github.com/longhorn/backing-image-manager +version: 102.4.0+up1.6.1 diff --git a/charts/longhorn/102.4.0+up1.6.1/README.md b/charts/longhorn/102.4.0+up1.6.1/README.md new file mode 100644 index 0000000000..adb190be3b --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/README.md @@ -0,0 +1,50 @@ +# Longhorn Chart + +> **Important**: Please install the Longhorn chart in the `longhorn-system` namespace only. + +> **Warning**: Longhorn doesn't support downgrading from a higher version to a lower version. + +> **Note**: Use Helm 3 when installing and upgrading Longhorn. Helm 2 is [no longer supported](https://helm.sh/blog/helm-2-becomes-unsupported/). + +## Source Code + +Longhorn is 100% open source software. Project source code is spread across a number of repos: + +1. Longhorn Engine -- Core controller/replica logic https://github.com/longhorn/longhorn-engine +2. Longhorn Instance Manager -- Controller/replica instance lifecycle management https://github.com/longhorn/longhorn-instance-manager +3. Longhorn Share Manager -- NFS provisioner that exposes Longhorn volumes as ReadWriteMany volumes. https://github.com/longhorn/longhorn-share-manager +4. Backing Image Manager -- Backing image file lifecycle management. https://github.com/longhorn/backing-image-manager +5. Longhorn Manager -- Longhorn orchestration, includes CSI driver for Kubernetes https://github.com/longhorn/longhorn-manager +6. Longhorn UI -- Dashboard https://github.com/longhorn/longhorn-ui + +## Prerequisites + +1. A container runtime compatible with Kubernetes (Docker v1.13+, containerd v1.3.7+, etc.) +2. Kubernetes >= v1.21 +3. Make sure `bash`, `curl`, `findmnt`, `grep`, `awk` and `blkid` has been installed in all nodes of the Kubernetes cluster. +4. Make sure `open-iscsi` has been installed, and the `iscsid` daemon is running on all nodes of the Kubernetes cluster. For GKE, recommended Ubuntu as guest OS image since it contains `open-iscsi` already. + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `enablePSP` set to `false` if it has been previously set to `true`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, you may have to clean up your Helm release secrets. +Upon setting `enablePSP` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Longhorn docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. + +## Uninstallation + +To prevent Longhorn from being accidentally uninstalled (which leads to data lost), we introduce a new setting, deleting-confirmation-flag. If this flag is **false**, the Longhorn uninstallation job will fail. Set this flag to **true** to allow Longhorn uninstallation. You can set this flag using setting page in Longhorn UI or `kubectl -n longhorn-system patch -p '{"value": "true"}' --type=merge lhs deleting-confirmation-flag` + +To prevent damage to the Kubernetes cluster, we recommend deleting all Kubernetes workloads using Longhorn volumes (PersistentVolume, PersistentVolumeClaim, StorageClass, Deployment, StatefulSet, DaemonSet, etc). + +From Rancher Cluster Explorer UI, navigate to Apps page, delete app `longhorn` then app `longhorn-crd` in Installed Apps tab. + +--- +Please see [link](https://github.com/longhorn/longhorn) for more information. diff --git a/charts/longhorn/102.4.0+up1.6.1/app-readme.md b/charts/longhorn/102.4.0+up1.6.1/app-readme.md new file mode 100644 index 0000000000..321e5193c4 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/app-readme.md @@ -0,0 +1,27 @@ +# Longhorn + +Longhorn is a lightweight, reliable and easy to use distributed block storage system for Kubernetes. Once deployed, users can leverage persistent volumes provided by Longhorn. + +Longhorn creates a dedicated storage controller for each volume and synchronously replicates the volume across multiple replicas stored on multiple nodes. The storage controller and replicas are themselves orchestrated using Kubernetes. Longhorn supports snapshots, backups and even allows you to schedule recurring snapshots and backups! + +**Important**: Please install Longhorn chart in `longhorn-system` namespace only. + +**Warning**: Longhorn doesn't support downgrading from a higher version to a lower version. + +[Chart Documentation](https://github.com/longhorn/longhorn/blob/master/chart/README.md) + + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `enablePSP` set to `false` if it has been previously set to `true`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `enablePSP` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. \ No newline at end of file diff --git a/charts/longhorn/102.4.0+up1.6.1/questions.yaml b/charts/longhorn/102.4.0+up1.6.1/questions.yaml new file mode 100644 index 0000000000..940d246c56 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/questions.yaml @@ -0,0 +1,920 @@ +categories: +- storage +namespace: longhorn-system +questions: +- variable: image.defaultImage + default: "true" + description: "Use default Longhorn images" + label: Use Default Images + type: boolean + show_subquestion_if: false + group: "Longhorn Images" + subquestions: + - variable: image.longhorn.manager.repository + default: rancher/mirrored-longhornio-longhorn-manager + description: "Repository for the Longhorn Manager image." + type: string + label: Longhorn Manager Image Repository + group: "Longhorn Images Settings" + - variable: image.longhorn.manager.tag + default: v1.6.1 + description: "Specify Longhorn Manager Image Tag" + type: string + label: Longhorn Manager Image Tag + group: "Longhorn Images Settings" + - variable: image.longhorn.engine.repository + default: rancher/mirrored-longhornio-longhorn-engine + description: "Repository for the Longhorn Engine image." + type: string + label: Longhorn Engine Image Repository + group: "Longhorn Images Settings" + - variable: image.longhorn.engine.tag + default: v1.6.1 + description: "Specify Longhorn Engine Image Tag" + type: string + label: Longhorn Engine Image Tag + group: "Longhorn Images Settings" + - variable: image.longhorn.ui.repository + default: rancher/mirrored-longhornio-longhorn-ui + description: "Repository for the Longhorn UI image." + type: string + label: Longhorn UI Image Repository + group: "Longhorn Images Settings" + - variable: image.longhorn.ui.tag + default: v1.6.1 + description: "Specify Longhorn UI Image Tag" + type: string + label: Longhorn UI Image Tag + group: "Longhorn Images Settings" + - variable: image.longhorn.instanceManager.repository + default: rancher/mirrored-longhornio-longhorn-instance-manager + description: "Repository for the Longhorn Instance Manager image." + type: string + label: Longhorn Instance Manager Image Repository + group: "Longhorn Images Settings" + - variable: image.longhorn.instanceManager.tag + default: v1.6.1 + description: "Specify Longhorn Instance Manager Image Tag" + type: string + label: Longhorn Instance Manager Image Tag + group: "Longhorn Images Settings" + - variable: image.longhorn.shareManager.repository + default: rancher/mirrored-longhornio-longhorn-share-manager + description: "Repository for the Longhorn Share Manager image." + type: string + label: Longhorn Share Manager Image Repository + group: "Longhorn Images Settings" + - variable: image.longhorn.shareManager.tag + default: v1.6.1 + description: "Specify Longhorn Share Manager Image Tag" + type: string + label: Longhorn Share Manager Image Tag + group: "Longhorn Images Settings" + - variable: image.longhorn.backingImageManager.repository + default: rancher/mirrored-longhornio-backing-image-manager + description: "Repository for the Backing Image Manager image. When unspecified, Longhorn uses the default value." + type: string + label: Longhorn Backing Image Manager Image Repository + group: "Longhorn Images Settings" + - variable: image.longhorn.backingImageManager.tag + default: v1.6.1 + description: "Specify Longhorn Backing Image Manager Image Tag" + type: string + label: Longhorn Backing Image Manager Image Tag + group: "Longhorn Images Settings" + - variable: image.longhorn.supportBundleKit.repository + default: rancher/mirrored-longhornio-support-bundle-kit + description: "Repository for the Longhorn Support Bundle Manager image." + type: string + label: Longhorn Support Bundle Kit Image Repository + group: "Longhorn Images Settings" + - variable: image.longhorn.supportBundleKit.tag + default: v0.0.36 + description: "Tag for the Longhorn Support Bundle Manager image." + type: string + label: Longhorn Support Bundle Kit Image Tag + group: "Longhorn Images Settings" + - variable: image.csi.attacher.repository + default: rancher/mirrored-longhornio-csi-attacher + description: "Repository for the CSI attacher image. When unspecified, Longhorn uses the default value." + type: string + label: Longhorn CSI Attacher Image Repository + group: "Longhorn CSI Driver Images" + - variable: image.csi.attacher.tag + default: v4.4.2 + description: "Tag for the CSI attacher image. When unspecified, Longhorn uses the default value." + type: string + label: Longhorn CSI Attacher Image Tag + group: "Longhorn CSI Driver Images" + - variable: image.csi.provisioner.repository + default: rancher/mirrored-longhornio-csi-provisioner + description: "Repository for the CSI Provisioner image. When unspecified, Longhorn uses the default value." + type: string + label: Longhorn CSI Provisioner Image Repository + group: "Longhorn CSI Driver Images" + - variable: image.csi.provisioner.tag + default: v3.6.2 + description: "Tag for the CSI Provisioner image. When unspecified, Longhorn uses the default value." + type: string + label: Longhorn CSI Provisioner Image Tag + group: "Longhorn CSI Driver Images" + - variable: image.csi.nodeDriverRegistrar.repository + default: rancher/mirrored-longhornio-csi-node-driver-registrar + description: "Repository for the CSI Node Driver Registrar image. When unspecified, Longhorn uses the default value." + type: string + label: Longhorn CSI Node Driver Registrar Image Repository + group: "Longhorn CSI Driver Images" + - variable: image.csi.nodeDriverRegistrar.tag + default: v2.9.2 + description: "Tag for the CSI Node Driver Registrar image. When unspecified, Longhorn uses the default value." + type: string + label: Longhorn CSI Node Driver Registrar Image Tag + group: "Longhorn CSI Driver Images" + - variable: image.csi.resizer.repository + default: rancher/mirrored-longhornio-csi-resizer + description: "Repository for the CSI Resizer image. When unspecified, Longhorn uses the default value." + type: string + label: Longhorn CSI Driver Resizer Image Repository + group: "Longhorn CSI Driver Images" + - variable: image.csi.resizer.tag + default: v1.9.2 + description: "Tag for the CSI Resizer image. When unspecified, Longhorn uses the default value." + type: string + label: Longhorn CSI Driver Resizer Image Tag + group: "Longhorn CSI Driver Images" + - variable: image.csi.snapshotter.repository + default: rancher/mirrored-longhornio-csi-snapshotter + description: "Repository for the CSI Snapshotter image. When unspecified, Longhorn uses the default value." + type: string + label: Longhorn CSI Driver Snapshotter Image Repository + group: "Longhorn CSI Driver Images" + - variable: image.csi.snapshotter.tag + default: v6.3.2 + description: "Tag for the CSI Snapshotter image. When unspecified, Longhorn uses the default value." + type: string + label: Longhorn CSI Driver Snapshotter Image Tag + group: "Longhorn CSI Driver Images" + - variable: image.csi.livenessProbe.repository + default: rancher/mirrored-longhornio-livenessprobe + description: "Repository for the CSI liveness probe image. When unspecified, Longhorn uses the default value." + type: string + label: Longhorn CSI Liveness Probe Image Repository + group: "Longhorn CSI Driver Images" + - variable: image.csi.livenessProbe.tag + default: v2.12.0 + description: "Tag for the CSI liveness probe image. When unspecified, Longhorn uses the default value." + type: string + label: Longhorn CSI Liveness Probe Image Tag + group: "Longhorn CSI Driver Images" + - variable: image.openshift.oauthProxy.repository + default: rancher/mirrored-longhornio-openshift-origin-oauth-proxy + description: "Repository for the OAuth Proxy image. This setting applies only to OpenShift users" + type: string + label: OpenShift OAuth Proxy Image Repository + group: "OpenShift Images" + - variable: image.openshift.oauthProxy.tag + default: 4.14 + description: "Tag for the OAuth Proxy image. This setting applies only to OpenShift users. Specify OCP/OKD version 4.1 or later." + type: string + label: OpenShift OAuth Proxy Image Tag + group: "OpenShift Images" +- variable: privateRegistry.registryUrl + label: Private registry URL + description: "URL of a private registry. When unspecified, Longhorn uses the default system registry." + group: "Private Registry Settings" + type: string + default: "" +- variable: privateRegistry.registrySecret + label: Private registry secret name + description: "Kubernetes secret that allows you to pull images from a private registry. This setting applies only when creation of private registry secrets is enabled. You must include the private registry name in the secret name." + group: "Private Registry Settings" + type: string + default: "" +- variable: privateRegistry.createSecret + default: "true" + description: "Setting that allows you to create a private registry secret." + type: boolean + group: "Private Registry Settings" + label: Create Secret for Private Registry Settings + show_subquestion_if: true + subquestions: + - variable: privateRegistry.registryUser + label: Private registry user + description: "User account used for authenticating with a private registry." + type: string + default: "" + - variable: privateRegistry.registryPasswd + label: Private registry password + description: "Password for authenticating with a private registry." + type: password + default: "" +- variable: longhorn.default_setting + default: "false" + description: "Customize the default settings before installing Longhorn for the first time. This option will only work if the cluster hasn't installed Longhorn." + label: "Customize Default Settings" + type: boolean + show_subquestion_if: true + group: "Longhorn Default Settings" + subquestions: + - variable: csi.kubeletRootDir + default: + description: "kubelet root directory. When unspecified, Longhorn uses the default value." + type: string + label: Kubelet Root Directory + group: "Longhorn CSI Driver Settings" + - variable: csi.attacherReplicaCount + type: int + default: 3 + min: 1 + max: 10 + description: "Replica count of the CSI Attacher. When unspecified, Longhorn uses the default value (\"3\")." + label: Longhorn CSI Attacher replica count + group: "Longhorn CSI Driver Settings" + - variable: csi.provisionerReplicaCount + type: int + default: 3 + min: 1 + max: 10 + description: "Replica count of the CSI Provisioner. When unspecified, Longhorn uses the default value (\"3\")." + label: Longhorn CSI Provisioner replica count + group: "Longhorn CSI Driver Settings" + - variable: csi.resizerReplicaCount + type: int + default: 3 + min: 1 + max: 10 + description: "Replica count of the CSI Resizer. When unspecified, Longhorn uses the default value (\"3\")." + label: Longhorn CSI Resizer replica count + group: "Longhorn CSI Driver Settings" + - variable: csi.snapshotterReplicaCount + type: int + default: 3 + min: 1 + max: 10 + description: "Replica count of the CSI Snapshotter. When unspecified, Longhorn uses the default value (\"3\")." + label: Longhorn CSI Snapshotter replica count + group: "Longhorn CSI Driver Settings" + - variable: defaultSettings.backupTarget + label: Backup Target + description: "Endpoint used to access the backupstore. (Options: \"NFS\", \"CIFS\", \"AWS\", \"GCP\", \"AZURE\")" + group: "Longhorn Default Settings" + type: string + default: + - variable: defaultSettings.backupTargetCredentialSecret + label: Backup Target Credential Secret + description: "Name of the Kubernetes secret associated with the backup target." + group: "Longhorn Default Settings" + type: string + default: + - variable: defaultSettings.allowRecurringJobWhileVolumeDetached + label: Allow Recurring Job While Volume Is Detached + description: 'Setting that allows Longhorn to automatically attach a volume and create snapshots or backups when recurring jobs are run.' + group: "Longhorn Default Settings" + type: boolean + default: "false" + - variable: defaultSettings.snapshotMaxCount + label: Snapshot Maximum Count + description: 'Maximum snapshot count for a volume. The value should be between 2 to 250.' + group: "Longhorn Default Settings" + type: int + min: 2 + max: 250 + default: 250 + - variable: defaultSettings.createDefaultDiskLabeledNodes + label: Create Default Disk on Labeled Nodes + description: 'Setting that allows Longhorn to automatically create a default disk only on nodes with the label "node.longhorn.io/create-default-disk=true" (if no other disks exist). When this setting is disabled, Longhorn creates a default disk on each node that is added to the cluster.' + group: "Longhorn Default Settings" + type: boolean + default: "false" + - variable: defaultSettings.defaultDataPath + label: Default Data Path + description: 'Default path for storing data on a host. The default value is "/var/lib/longhorn/".' + group: "Longhorn Default Settings" + type: string + default: "/var/lib/longhorn/" + - variable: defaultSettings.defaultDataLocality + label: Default Data Locality + description: 'Default data locality. A Longhorn volume has data locality if a local replica of the volume exists on the same node as the pod that is using the volume.' + group: "Longhorn Default Settings" + type: enum + options: + - "disabled" + - "best-effort" + default: "disabled" + - variable: defaultSettings.replicaSoftAntiAffinity + label: Replica Node Level Soft Anti-Affinity + description: 'Allow scheduling on nodes with existing healthy replicas of the same volume. By default, false.' + group: "Longhorn Default Settings" + type: boolean + default: "false" + - variable: defaultSettings.replicaAutoBalance + label: Replica Auto Balance + description: 'Enable this setting automatically re-balances replicas when discovered an available node.' + group: "Longhorn Default Settings" + type: enum + options: + - "disabled" + - "least-effort" + - "best-effort" + default: "disabled" + - variable: defaultSettings.storageOverProvisioningPercentage + label: Storage Over Provisioning Percentage + description: "Percentage of storage that can be allocated relative to hard drive capacity. The default value is 100." + group: "Longhorn Default Settings" + type: int + min: 0 + default: 100 + - variable: defaultSettings.storageMinimalAvailablePercentage + label: Storage Minimal Available Percentage + description: "If the minimum available disk capacity exceeds the actual percentage of available disk capacity, the disk becomes unschedulable until more space is freed up. By default, 25." + group: "Longhorn Default Settings" + type: int + min: 0 + max: 100 + default: 25 + - variable: defaultSettings.storageReservedPercentageForDefaultDisk + label: Storage Reserved Percentage For Default Disk + description: "The reserved percentage specifies the percentage of disk space that will not be allocated to the default disk on each new Longhorn node." + group: "Longhorn Default Settings" + type: int + min: 0 + max: 100 + default: 30 + - variable: defaultSettings.upgradeChecker + label: Enable Upgrade Checker + description: 'Upgrade Checker that periodically checks for new Longhorn versions. When a new version is available, a notification appears on the Longhorn UI. This setting is enabled by default.' + group: "Longhorn Default Settings" + type: boolean + default: "true" + - variable: defaultSettings.defaultReplicaCount + label: Default Replica Count + description: "Default number of replicas for volumes created using the Longhorn UI. For Kubernetes configuration, modify the `numberOfReplicas` field in the StorageClass. The default value is \"3\"." + group: "Longhorn Default Settings" + type: int + min: 1 + max: 20 + default: 3 + - variable: defaultSettings.defaultLonghornStaticStorageClass + label: Default Longhorn Static StorageClass Name + description: "Default Longhorn StorageClass. \"storageClassName\" is assigned to PVs and PVCs that are created for an existing Longhorn volume. \"storageClassName\" can also be used as a label, so it is possible to use a Longhorn StorageClass to bind a workload to an existing PV without creating a Kubernetes StorageClass object. The default value is \"longhorn-static\"." + group: "Longhorn Default Settings" + type: string + default: "longhorn-static" + - variable: defaultSettings.backupstorePollInterval + label: Backupstore Poll Interval + description: "Number of seconds that Longhorn waits before checking the backupstore for new backups. The default value is \"300\". When the value is \"0\", polling is disabled." + group: "Longhorn Default Settings" + type: int + min: 0 + default: 300 + - variable: defaultSettings.failedBackupTTL + label: Failed Backup Time to Live + description: "Number of minutes that Longhorn keeps a failed backup resource. When the value is \"0\", automatic deletion is disabled." + group: "Longhorn Default Settings" + type: int + min: 0 + default: 1440 + - variable: defaultSettings.restoreVolumeRecurringJobs + label: Restore Volume Recurring Jobs + description: "Restore recurring jobs from the backup volume on the backup target and create recurring jobs if not exist during a backup restoration." + group: "Longhorn Default Settings" + type: boolean + default: "false" + - variable: defaultSettings.recurringSuccessfulJobsHistoryLimit + label: Cronjob Successful Jobs History Limit + description: "This setting specifies how many successful backup or snapshot job histories should be retained. History will not be retained if the value is 0." + group: "Longhorn Default Settings" + type: int + min: 0 + default: 1 + - variable: defaultSettings.recurringFailedJobsHistoryLimit + label: Cronjob Failed Jobs History Limit + description: 'Maximum number of failed recurring backup and snapshot jobs to be retained. When the value is "0", a history of failed recurring jobs is not retained.' + group: "Longhorn Default Settings" + type: int + min: 0 + default: 1 + - variable: defaultSettings.recurringJobMaxRetention + label: Maximum Retention Number for Recurring Job + description: "Maximum number of snapshots or backups to be retained." + group: "Longhorn Default Settings" + type: int + default: 100 + - variable: defaultSettings.supportBundleFailedHistoryLimit + label: SupportBundle Failed History Limit + description: "This setting specifies how many failed support bundles can exist in the cluster. Set this value to **0** to have Longhorn automatically purge all failed support bundles." + group: "Longhorn Default Settings" + type: int + min: 0 + default: 1 + - variable: defaultSettings.autoSalvage + label: Automatic salvage + description: "Setting that allows Longhorn to automatically salvage volumes when all replicas become faulty (for example, when the network connection is interrupted). Longhorn determines which replicas are usable and then uses these replicas for the volume. This setting is enabled by default." + group: "Longhorn Default Settings" + type: boolean + default: "true" + - variable: defaultSettings.autoDeletePodWhenVolumeDetachedUnexpectedly + label: Automatically Delete Workload Pod when The Volume Is Detached Unexpectedly + description: 'Setting that allows Longhorn to automatically delete a workload pod that is managed by a controller (for example, daemonset) whenever a Longhorn volume is detached unexpectedly (for example, during Kubernetes upgrades). After deletion, the controller restarts the pod and then Kubernetes handles volume reattachment and remounting.' + group: "Longhorn Default Settings" + type: boolean + default: "true" + - variable: defaultSettings.disableSchedulingOnCordonedNode + label: Disable Scheduling On Cordoned Node + description: "Setting that prevents Longhorn Manager from scheduling replicas on a cordoned Kubernetes node. This setting is enabled by default." + group: "Longhorn Default Settings" + type: boolean + default: "true" + - variable: defaultSettings.replicaZoneSoftAntiAffinity + label: Replica Zone Level Soft Anti-Affinity + description: "Allow scheduling new Replicas of Volume to the Nodes in the same Zone as existing healthy Replicas. Nodes don't belong to any Zone will be treated as in the same Zone. Notice that Longhorn relies on label `topology.kubernetes.io/zone=` in the Kubernetes node object to identify the zone. By, default true." + group: "Longhorn Default Settings" + type: boolean + default: "true" + - variable: defaultSettings.replicaDiskSoftAntiAffinity + label: Replica Disk Level Soft Anti-Affinity + description: 'Allow scheduling on disks with existing healthy replicas of the same volume. By default, true.' + group: "Longhorn Default Settings" + type: boolean + default: "true" + - variable: defaultSettings.allowEmptyNodeSelectorVolume + label: Allow Empty Node Selector Volume + description: "Setting that allows scheduling of empty node selector volumes to any node." + group: "Longhorn Default Settings" + type: boolean + default: "true" + - variable: defaultSettings.allowEmptyDiskSelectorVolume + label: Allow Empty Disk Selector Volume + description: "Setting that allows scheduling of empty disk selector volumes to any disk." + group: "Longhorn Default Settings" + type: boolean + default: "true" + - variable: defaultSettings.nodeDownPodDeletionPolicy + label: Pod Deletion Policy When Node is Down + description: "Policy that defines the action Longhorn takes when a volume is stuck with a StatefulSet or Deployment pod on a node that failed." + group: "Longhorn Default Settings" + type: enum + options: + - "do-nothing" + - "delete-statefulset-pod" + - "delete-deployment-pod" + - "delete-both-statefulset-and-deployment-pod" + default: "do-nothing" + - variable: defaultSettings.nodeDrainPolicy + label: Node Drain Policy + description: "Policy that defines the action Longhorn takes when a node with the last healthy replica of a volume is drained." + group: "Longhorn Default Settings" + type: enum + options: + - "block-for-eviction" + - "block-for-eviction-if-contains-last-replica" + - "block-if-contains-last-replica" + - "allow-if-replica-is-stopped" + - "always-allow" + default: "block-if-contains-last-replica" + - variable: defaultSettings.detachManuallyAttachedVolumesWhenCordoned + label: Detach Manually Attached Volumes When Cordoned + description: "Setting that allows automatic detaching of manually-attached volumes when a node is cordoned." + group: "Longhorn Default Settings" + type: boolean + default: "false" + - variable: defaultSettings.priorityClass + label: Priority Class + description: "PriorityClass for system-managed Longhorn components. This setting can help prevent Longhorn components from being evicted under Node Pressure. Longhorn system contains user deployed components (E.g, Longhorn manager, Longhorn driver, Longhorn UI) and system managed components (E.g, instance manager, engine image, CSI driver, etc.) Note that this will be applied to Longhorn user-deployed components by default if there are no priority class values set yet, such as `longhornManager.priorityClass`. WARNING: DO NOT CHANGE THIS SETTING WITH ATTACHED VOLUMES." + group: "Longhorn Default Settings" + type: string + default: "longhorn-critical" + - variable: defaultSettings.replicaReplenishmentWaitInterval + label: Replica Replenishment Wait Interval + description: "The interval in seconds determines how long Longhorn will at least wait to reuse the existing data on a failed replica rather than directly creating a new replica for a degraded volume." + group: "Longhorn Default Settings" + type: int + min: 0 + default: 600 + - variable: defaultSettings.concurrentReplicaRebuildPerNodeLimit + label: Concurrent Replica Rebuild Per Node Limit + description: "Maximum number of replicas that can be concurrently rebuilt on each node. + WARNING: + - The old setting \"Disable Replica Rebuild\" is replaced by this setting. + - Different from relying on replica starting delay to limit the concurrent rebuilding, if the rebuilding is disabled, replica object replenishment will be directly skipped. + - When the value is 0, the eviction and data locality feature won't work. But this shouldn't have any impact to any current replica rebuild and backup restore." + group: "Longhorn Default Settings" + type: int + min: 0 + default: 5 + - variable: defaultSettings.concurrentVolumeBackupRestorePerNodeLimit + label: Concurrent Volume Backup Restore Per Node Limit + description: "Maximum number of volumes that can be concurrently restored on each node using a backup. When the value is \"0\", restoration of volumes using a backup is disabled." + group: "Longhorn Default Settings" + type: int + min: 0 + default: 5 + - variable: defaultSettings.disableRevisionCounter + label: Disable Revision Counter + description: "Setting that disables the revision counter and thereby prevents Longhorn from tracking all write operations to a volume. When salvaging a volume, Longhorn uses properties of the \"volume-head-xxx.img\" file (the last file size and the last time the file was modified) to select the replica to be used for volume recovery. This setting applies only to volumes created using the Longhorn UI." + group: "Longhorn Default Settings" + type: boolean + default: "false" + - variable: defaultSettings.systemManagedPodsImagePullPolicy + label: System Managed Pod Image Pull Policy + description: "Image pull policy for system-managed pods, such as Instance Manager, engine images, and CSI Driver. Changes to the image pull policy are applied only after the system-managed pods restart." + group: "Longhorn Default Settings" + type: enum + options: + - "if-not-present" + - "always" + - "never" + default: "if-not-present" + - variable: defaultSettings.allowVolumeCreationWithDegradedAvailability + label: Allow Volume Creation with Degraded Availability + description: "Setting that allows you to create and attach a volume without having all replicas scheduled at the time of creation." + group: "Longhorn Default Settings" + type: boolean + default: "true" + - variable: defaultSettings.autoCleanupSystemGeneratedSnapshot + label: Automatically Cleanup System Generated Snapshot + description: "Setting that allows Longhorn to automatically clean up the system-generated snapshot after replica rebuilding is completed." + group: "Longhorn Default Settings" + type: boolean + default: "true" + - variable: defaultSettings.autoCleanupRecurringJobBackupSnapshot + label: Automatically Cleanup Recurring Job Backup Snapshot + description: "Setting that allows Longhorn to automatically clean up the snapshot generated by a recurring backup job." + group: "Longhorn Default Settings" + type: boolean + default: "true" + - variable: defaultSettings.concurrentAutomaticEngineUpgradePerNodeLimit + label: Concurrent Automatic Engine Upgrade Per Node Limit + description: "Maximum number of engines that are allowed to concurrently upgrade on each node after Longhorn Manager is upgraded. When the value is \"0\", Longhorn does not automatically upgrade volume engines to the new default engine image version." + group: "Longhorn Default Settings" + type: int + min: 0 + default: 0 + - variable: defaultSettings.backingImageCleanupWaitInterval + label: Backing Image Cleanup Wait Interval + description: "Number of minutes that Longhorn waits before cleaning up the backing image file when no replicas in the disk are using it." + group: "Longhorn Default Settings" + type: int + min: 0 + default: 60 + - variable: defaultSettings.backingImageRecoveryWaitInterval + label: Backing Image Recovery Wait Interval + description: "Number of seconds that Longhorn waits before downloading a backing image file again when the status of all image disk files changes to \"failed\" or \"unknown\"." + group: "Longhorn Default Settings" + type: int + min: 0 + default: 300 + - variable: defaultSettings.guaranteedInstanceManagerCPU + label: Guaranteed Instance Manager CPU + description: "Percentage of the total allocatable CPU resources on each node to be reserved for each instance manager pod when the V1 Data Engine is enabled. The default value is \"12\". + WARNING: + - Value 0 means removing the CPU requests from spec of instance manager pods. + - Considering the possible number of new instance manager pods in a further system upgrade, this integer value ranges from 0 to 40. + - One more set of instance manager pods may need to be deployed when the Longhorn system is upgraded. If current available CPUs of the nodes are not enough for the new instance manager pods, you need to detach the volumes using the oldest instance manager pods so that Longhorn can clean up the old pods automatically and release the CPU resources. And the new pods with the latest instance manager image will be launched then. + - This global setting will be ignored for a node if the field \"InstanceManagerCPURequest\" on the node is set. + - After this setting is changed, all instance manager pods using this global setting on all the nodes will be automatically restarted. In other words, DO NOT CHANGE THIS SETTING WITH ATTACHED VOLUMES." + group: "Longhorn Default Settings" + type: int + min: 0 + max: 40 + default: 12 + - variable: defaultSettings.logLevel + label: Log Level + description: 'Log levels that indicate the type and severity of logs in Longhorn Manager. The default value is "Info". (Options: "Panic", "Fatal", "Error", "Warn", "Info", "Debug", "Trace")' + group: "Longhorn Default Settings" + type: string + default: "Info" + - variable: defaultSettings.disableSnapshotPurge + label: Disable Snapshot Purge + description: "Setting that temporarily prevents all attempts to purge volume snapshots." + group: "Longhorn Default Settings" + type: boolean + default: "false" +- variable: defaultSettings.kubernetesClusterAutoscalerEnabled + label: Kubernetes Cluster Autoscaler Enabled (Experimental) + description: "Setting that notifies Longhorn that the cluster is using the Kubernetes Cluster Autoscaler. + WARNING: + - Replica rebuilding could be expensive because nodes with reusable replicas could get removed by the Kubernetes Cluster Autoscaler." + group: "Longhorn Default Settings" + type: boolean + default: false +- variable: defaultSettings.orphanAutoDeletion + label: Orphaned Data Cleanup + description: "Setting that allows Longhorn to automatically delete an orphaned resource and the corresponding data (for example, stale replicas). Orphaned resources on failed or unknown nodes are not automatically cleaned up." + group: "Longhorn Default Settings" + type: boolean + default: false +- variable: defaultSettings.storageNetwork + label: Storage Network + description: "Longhorn uses the storage network for in-cluster data traffic. Leave this blank to use the Kubernetes cluster network. + WARNING: + - This setting should change after detaching all Longhorn volumes, as some of the Longhorn system component pods will get recreated to apply the setting. Longhorn will try to block this setting update when there are attached volumes." + group: "Longhorn Default Settings" + type: string + default: +- variable: defaultSettings.deletingConfirmationFlag + label: Deleting Confirmation Flag + description: "Flag that prevents accidental uninstallation of Longhorn." + group: "Longhorn Default Settings" + type: boolean + default: "false" +- variable: defaultSettings.engineReplicaTimeout + label: Timeout between Engine and Replica + description: "Timeout between the Longhorn Engine and replicas. Specify a value between \"8\" and \"30\" seconds. The default value is \"8\"." + group: "Longhorn Default Settings" + type: int + default: "8" +- variable: defaultSettings.snapshotDataIntegrity + label: Snapshot Data Integrity + description: "This setting allows users to enable or disable snapshot hashing and data integrity checking." + group: "Longhorn Default Settings" + type: string + default: "disabled" +- variable: defaultSettings.snapshotDataIntegrityImmediateCheckAfterSnapshotCreation + label: Immediate Snapshot Data Integrity Check After Creating a Snapshot + description: "Hashing snapshot disk files impacts the performance of the system. The immediate snapshot hashing and checking can be disabled to minimize the impact after creating a snapshot." + group: "Longhorn Default Settings" + type: boolean + default: "false" +- variable: defaultSettings.snapshotDataIntegrityCronjob + label: Snapshot Data Integrity Check CronJob + description: "Unix-cron string format. The setting specifies when Longhorn checks the data integrity of snapshot disk files." + group: "Longhorn Default Settings" + type: string + default: "0 0 */7 * *" +- variable: defaultSettings.removeSnapshotsDuringFilesystemTrim + label: Remove Snapshots During Filesystem Trim + description: "This setting allows Longhorn filesystem trim feature to automatically mark the latest snapshot and its ancestors as removed and stops at the snapshot containing multiple children." + group: "Longhorn Default Settings" + type: boolean + default: "false" +- variable: defaultSettings.fastReplicaRebuildEnabled + label: Fast Replica Rebuild Enabled + description: "Setting that allows fast rebuilding of replicas using the checksum of snapshot disk files. Before enabling this setting, you must set the snapshot-data-integrity value to \"enable\" or \"fast-check\"." + group: "Longhorn Default Settings" + type: boolean + default: false +- variable: defaultSettings.replicaFileSyncHttpClientTimeout + label: Timeout of HTTP Client to Replica File Sync Server + description: "In seconds. The setting specifies the HTTP client timeout to the file sync server." + group: "Longhorn Default Settings" + type: int + default: "30" +- variable: defaultSettings.backupCompressionMethod + label: Backup Compression Method + description: "Setting that allows you to specify a backup compression method." + group: "Longhorn Default Settings" + type: string + default: "lz4" +- variable: defaultSettings.backupConcurrentLimit + label: Backup Concurrent Limit Per Backup + description: "Maximum number of worker threads that can concurrently run for each backup." + group: "Longhorn Default Settings" + type: int + min: 1 + default: 2 +- variable: defaultSettings.restoreConcurrentLimit + label: Restore Concurrent Limit Per Backup + description: "This setting controls how many worker threads per restore concurrently." + group: "Longhorn Default Settings" + type: int + min: 1 + default: 2 +- variable: defaultSettings.allowCollectingLonghornUsageMetrics + label: Allow Collecting Longhorn Usage Metrics + description: "Setting that allows Longhorn to periodically collect anonymous usage data for product improvement purposes. Longhorn sends collected data to the [Upgrade Responder](https://github.com/longhorn/upgrade-responder) server, which is the data source of the Longhorn Public Metrics Dashboard (https://metrics.longhorn.io). The Upgrade Responder server does not store data that can be used to identify clients, including IP addresses." + group: "Longhorn Default Settings" + type: boolean + default: true +- variable: defaultSettings.v1DataEngine + label: V1 Data Engine + description: "Setting that allows you to enable the V1 Data Engine." + group: "Longhorn V1 Data Engine Settings" + type: boolean + default: true +- variable: defaultSettings.v2DataEngine + label: V2 Data Engine + description: "Setting that allows you to enable the V2 Data Engine, which is based on the Storage Performance Development Kit (SPDK). The V2 Data Engine is a preview feature and should not be used in production environments. + WARNING: + - DO NOT CHANGE THIS SETTING WITH ATTACHED VOLUMES. Longhorn will block this setting update when there are attached volumes. + - When the V2 Data Engine is enabled, each instance-manager pod utilizes 1 CPU core. This high CPU usage is attributed to the spdk_tgt process running within each instance-manager pod. The spdk_tgt process is responsible for handling input/output (IO) operations and requires intensive polling. As a result, it consumes 100% of a dedicated CPU core to efficiently manage and process the IO requests, ensuring optimal performance and responsiveness for storage operations." + group: "Longhorn V2 Data Engine (Preview Feature) Settings" + type: boolean + default: false +- variable: defaultSettings.v2DataEngineHugepageLimit + label: V2 Data Engine + description: "This allows users to configure maximum huge page size (in MiB) for the V2 Data Engine." + group: "Longhorn V2 Data Engine (Preview Feature) Settings" + type: int + default: "2048" +- variable: defaultSettings.offlineReplicaRebuilding + label: Offline Replica Rebuilding + description: "Setting that allows rebuilding of offline replicas for volumes using the V2 Data Engine." + group: "Longhorn V2 Data Engine (Preview Feature) Settings" + required: true + type: enum + options: + - "enabled" + - "disabled" + default: "enabled" +- variable: persistence.defaultClass + default: "true" + description: "Setting that allows you to specify the default Longhorn StorageClass." + label: Default Storage Class + group: "Longhorn Storage Class Settings" + required: true + type: boolean +- variable: persistence.reclaimPolicy + label: Storage Class Retain Policy + description: "Reclaim policy that provides instructions for handling of a volume after its claim is released. (Options: \"Retain\", \"Delete\")" + group: "Longhorn Storage Class Settings" + required: true + type: enum + options: + - "Delete" + - "Retain" + default: "Delete" +- variable: persistence.defaultClassReplicaCount + description: "Replica count of the default Longhorn StorageClass." + label: Default Storage Class Replica Count + group: "Longhorn Storage Class Settings" + type: int + min: 1 + max: 10 + default: 3 +- variable: persistence.defaultDataLocality + description: "Data locality of the default Longhorn StorageClass. (Options: \"disabled\", \"best-effort\")" + label: Default Storage Class Data Locality + group: "Longhorn Storage Class Settings" + type: enum + options: + - "disabled" + - "best-effort" + default: "disabled" +- variable: persistence.recurringJobSelector.enable + description: "Setting that allows you to enable the recurring job selector for a Longhorn StorageClass." + group: "Longhorn Storage Class Settings" + label: Enable Storage Class Recurring Job Selector + type: boolean + default: false + show_subquestion_if: true + subquestions: + - variable: persistence.recurringJobSelector.jobList + description: 'Recurring job selector for a Longhorn StorageClass. Ensure that quotes are used correctly when specifying job parameters. (Example: `[{"name":"backup", "isGroup":true}]`)' + label: Storage Class Recurring Job Selector List + group: "Longhorn Storage Class Settings" + type: string + default: +- variable: persistence.defaultNodeSelector.enable + description: "Setting that allows you to enable the node selector for the default Longhorn StorageClass." + group: "Longhorn Storage Class Settings" + label: Enable Storage Class Node Selector + type: boolean + default: false + show_subquestion_if: true + subquestions: + - variable: persistence.defaultNodeSelector.selector + label: Storage Class Node Selector + description: 'Node selector for the default Longhorn StorageClass. Longhorn uses only nodes with the specified tags for storing volume data. (Examples: "storage,fast")' + group: "Longhorn Storage Class Settings" + type: string + default: +- variable: persistence.backingImage.enable + description: "Setting that allows you to use a backing image in a Longhorn StorageClass." + group: "Longhorn Storage Class Settings" + label: Default Storage Class Backing Image + type: boolean + default: false + show_subquestion_if: true + subquestions: + - variable: persistence.backingImage.name + description: 'Backing image to be used for creating and restoring volumes in a Longhorn StorageClass. When no backing images are available, specify the data source type and parameters that Longhorn can use to create a backing image.' + label: Storage Class Backing Image Name + group: "Longhorn Storage Class Settings" + type: string + default: + - variable: persistence.backingImage.expectedChecksum + description: 'Expected SHA-512 checksum of a backing image used in a Longhorn StorageClass. + WARNING: + - If the backing image name is not specified, setting this field is meaningless. + - It is not recommended to set this field if the data source type is \"export-from-volume\".' + label: Storage Class Backing Image Expected SHA512 Checksum + group: "Longhorn Storage Class Settings" + type: string + default: + - variable: persistence.backingImage.dataSourceType + description: 'Data source type of a backing image used in a Longhorn StorageClass. If the backing image exists in the cluster, Longhorn uses this setting to verify the image. If the backing image does not exist, Longhorn creates one using the specified data source type. + WARNING: + - If the backing image name is not specified, setting this field is meaningless. + - As for backing image creation with data source type \"upload\", it is recommended to do it via UI rather than StorageClass here. Uploading requires file data sending to the Longhorn backend after the object creation, which is complicated if you want to handle it manually.' + label: Storage Class Backing Image Data Source Type + group: "Longhorn Storage Class Settings" + type: enum + options: + - "" + - "download" + - "upload" + - "export-from-volume" + default: "" + - variable: persistence.backingImage.dataSourceParameters + description: "Data source parameters of a backing image used in a Longhorn StorageClass. You can specify a JSON string of a map. (Example: `'{\"url\":\"https://backing-image-example.s3-region.amazonaws.com/test-backing-image\"}'`) + WARNING: + - If the backing image name is not specified, setting this field is meaningless. + - Be careful of the quotes here." + label: Storage Class Backing Image Data Source Parameters + group: "Longhorn Storage Class Settings" + type: string + default: +- variable: persistence.removeSnapshotsDuringFilesystemTrim + description: "Setting that allows you to enable automatic snapshot removal during filesystem trim for a Longhorn StorageClass. (Options: \"ignored\", \"enabled\", \"disabled\")" + label: Default Storage Class Remove Snapshots During Filesystem Trim + group: "Longhorn Storage Class Settings" + type: enum + options: + - "ignored" + - "enabled" + - "disabled" + default: "ignored" +- variable: ingress.enabled + default: "false" + description: "Expose app using Layer 7 Load Balancer - ingress" + type: boolean + group: "Services and Load Balancing" + label: Expose app using Layer 7 Load Balancer + show_subquestion_if: true + subquestions: + - variable: ingress.host + default: "xip.io" + description: "Hostname of the Layer 7 load balancer." + type: hostname + required: true + label: Layer 7 Load Balancer Hostname + - variable: ingress.path + default: "/" + description: "Default ingress path. You can access the Longhorn UI by following the full ingress path {{host}}+{{path}}." + type: string + required: true + label: Ingress Path +- variable: service.ui.type + default: "Rancher-Proxy" + description: "Service type for Longhorn UI. (Options: \"ClusterIP\", \"NodePort\", \"LoadBalancer\", \"Rancher-Proxy\")" + type: enum + options: + - "ClusterIP" + - "NodePort" + - "LoadBalancer" + - "Rancher-Proxy" + label: Longhorn UI Service + show_if: "ingress.enabled=false" + group: "Services and Load Balancing" + show_subquestion_if: "NodePort" + subquestions: + - variable: service.ui.nodePort + default: "" + description: "NodePort port number for Longhorn UI. When unspecified, Longhorn selects a free port between 30000 and 32767." + type: int + min: 30000 + max: 32767 + show_if: "service.ui.type=NodePort||service.ui.type=LoadBalancer" + label: UI Service NodePort number +- variable: enablePSP + default: "false" + description: "Setting that allows you to enable pod security policies (PSPs) that allow privileged Longhorn pods to start. This setting applies only to clusters running Kubernetes 1.25 and earlier, and with the built-in Pod Security admission controller enabled." + label: Pod Security Policy + type: boolean + group: "Other Settings" +- variable: global.cattle.windowsCluster.enabled + default: "false" + description: "Setting that allows Longhorn to run on a Rancher Windows cluster." + label: Rancher Windows Cluster + type: boolean + group: "Other Settings" +- variable: networkPolicies.enabled + description: "Setting that allows you to enable network policies that control access to Longhorn pods. + Warning: The Rancher Proxy will not work if this feature is enabled and a custom NetworkPolicy must be added." + group: "Other Settings" + label: Network Policies + default: "false" + type: boolean + subquestions: + - variable: networkPolicies.type + label: Network Policies for Ingress + description: "Distribution that determines the policy for allowing access for an ingress. (Options: \"k3s\", \"rke2\", \"rke1\")" + show_if: "networkPolicies.enabled=true&&ingress.enabled=true" + type: enum + default: "rke2" + options: + - "rke1" + - "rke2" + - "k3s" + - variable: defaultSettings.v2DataEngineGuaranteedInstanceManagerCPU + label: Guaranteed Instance Manager CPU for V2 Data Engine + description: 'Number of millicpus on each node to be reserved for each Instance Manager pod when the V2 Data Engine is enabled. The default value is "1250". + WARNING: + - Specifying a value of 0 disables CPU requests for instance manager pods. You must specify an integer between 1000 and 8000. + - This is a global setting. Modifying the value triggers an automatic restart of the instance manager pods. Do not modify the value while volumes are still attached." + group: "Longhorn Default Settings' + type: int + min: 1000 + max: 8000 + default: 1250 \ No newline at end of file diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/NOTES.txt b/charts/longhorn/102.4.0+up1.6.1/templates/NOTES.txt new file mode 100644 index 0000000000..cca7cd77b9 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/NOTES.txt @@ -0,0 +1,5 @@ +Longhorn is now installed on the cluster! + +Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized. + +Visit our documentation at https://longhorn.io/docs/ diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/_helpers.tpl b/charts/longhorn/102.4.0+up1.6.1/templates/_helpers.tpl new file mode 100644 index 0000000000..3fbc2ac02f --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/_helpers.tpl @@ -0,0 +1,66 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "longhorn.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "longhorn.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + +{{- define "longhorn.managerIP" -}} +{{- $fullname := (include "longhorn.fullname" .) -}} +{{- printf "http://%s-backend:9500" $fullname | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + +{{- define "secret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.privateRegistry.registryUrl (printf "%s:%s" .Values.privateRegistry.registryUser .Values.privateRegistry.registryPasswd | b64enc) | b64enc }} +{{- end }} + +{{- /* +longhorn.labels generates the standard Helm labels. +*/ -}} +{{- define "longhorn.labels" -}} +app.kubernetes.io/name: {{ template "longhorn.name" . }} +helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +{{- end -}} + + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{- define "registry_url" -}} +{{- if .Values.privateRegistry.registryUrl -}} +{{- printf "%s/" .Values.privateRegistry.registryUrl -}} +{{- else -}} +{{ include "system_default_registry" . }} +{{- end -}} +{{- end -}} + +{{- /* + define the longhorn release namespace +*/ -}} +{{- define "release_namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/clusterrole.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/clusterrole.yaml new file mode 100644 index 0000000000..f6e069f004 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/clusterrole.yaml @@ -0,0 +1,77 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: longhorn-role + labels: {{- include "longhorn.labels" . | nindent 4 }} +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - "*" +- apiGroups: [""] + resources: ["pods", "events", "persistentvolumes", "persistentvolumeclaims","persistentvolumeclaims/status", "nodes", "proxy/nodes", "pods/log", "secrets", "services", "endpoints", "configmaps", "serviceaccounts"] + verbs: ["*"] +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list"] +- apiGroups: ["apps"] + resources: ["daemonsets", "statefulsets", "deployments"] + verbs: ["*"] +- apiGroups: ["batch"] + resources: ["jobs", "cronjobs"] + verbs: ["*"] +- apiGroups: ["policy"] + resources: ["poddisruptionbudgets", "podsecuritypolicies"] + verbs: ["*"] +- apiGroups: ["scheduling.k8s.io"] + resources: ["priorityclasses"] + verbs: ["watch", "list"] +- apiGroups: ["storage.k8s.io"] + resources: ["storageclasses", "volumeattachments", "volumeattachments/status", "csinodes", "csidrivers"] + verbs: ["*"] +- apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses", "volumesnapshots", "volumesnapshotcontents", "volumesnapshotcontents/status"] + verbs: ["*"] +- apiGroups: ["longhorn.io"] + resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings", + "engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status", + {{- if .Values.openshift.enabled }} + "engineimages/finalizers", "nodes/finalizers", "instancemanagers/finalizers", + {{- end }} + "sharemanagers", "sharemanagers/status", "backingimages", "backingimages/status", + "backingimagemanagers", "backingimagemanagers/status", "backingimagedatasources", "backingimagedatasources/status", + "backuptargets", "backuptargets/status", "backupvolumes", "backupvolumes/status", "backups", "backups/status", + "recurringjobs", "recurringjobs/status", "orphans", "orphans/status", "snapshots", "snapshots/status", + "supportbundles", "supportbundles/status", "systembackups", "systembackups/status", "systemrestores", "systemrestores/status", + "volumeattachments", "volumeattachments/status", "backupbackingimages", "backupbackingimages/status"] + verbs: ["*"] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["*"] +- apiGroups: ["metrics.k8s.io"] + resources: ["pods", "nodes"] + verbs: ["get", "list"] +- apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["get", "list", "create", "patch", "delete"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["roles", "rolebindings", "clusterrolebindings", "clusterroles"] + verbs: ["*"] +{{- if .Values.openshift.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: longhorn-ocp-privileged-role + labels: {{- include "longhorn.labels" . | nindent 4 }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["anyuid", "privileged"] + verbs: ["use"] +{{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/clusterrolebinding.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..2e34f014ce --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/clusterrolebinding.yaml @@ -0,0 +1,49 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: longhorn-bind + labels: {{- include "longhorn.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: longhorn-role +subjects: +- kind: ServiceAccount + name: longhorn-service-account + namespace: {{ include "release_namespace" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: longhorn-support-bundle + labels: {{- include "longhorn.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: longhorn-support-bundle + namespace: {{ include "release_namespace" . }} +{{- if .Values.openshift.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: longhorn-ocp-privileged-bind + labels: {{- include "longhorn.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: longhorn-ocp-privileged-role +subjects: +- kind: ServiceAccount + name: longhorn-service-account + namespace: {{ include "release_namespace" . }} +- kind: ServiceAccount + name: longhorn-ui-service-account + namespace: {{ include "release_namespace" . }} +- kind: ServiceAccount + name: default # supportbundle-agent-support-bundle uses default sa + namespace: {{ include "release_namespace" . }} +{{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/daemonset-sa.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/daemonset-sa.yaml new file mode 100644 index 0000000000..2fa1cbc243 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/daemonset-sa.yaml @@ -0,0 +1,167 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: {{- include "longhorn.labels" . | nindent 4 }} + app: longhorn-manager + name: longhorn-manager + namespace: {{ include "release_namespace" . }} +spec: + selector: + matchLabels: + app: longhorn-manager + template: + metadata: + labels: {{- include "longhorn.labels" . | nindent 8 }} + app: longhorn-manager + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - name: longhorn-manager + image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + privileged: true + command: + - longhorn-manager + - -d + {{- if eq .Values.longhornManager.log.format "json" }} + - -j + {{- end }} + - daemon + - --engine-image + - "{{ template "registry_url" . }}{{ .Values.image.longhorn.engine.repository }}:{{ .Values.image.longhorn.engine.tag }}" + - --instance-manager-image + - "{{ template "registry_url" . }}{{ .Values.image.longhorn.instanceManager.repository }}:{{ .Values.image.longhorn.instanceManager.tag }}" + - --share-manager-image + - "{{ template "registry_url" . }}{{ .Values.image.longhorn.shareManager.repository }}:{{ .Values.image.longhorn.shareManager.tag }}" + - --backing-image-manager-image + - "{{ template "registry_url" . }}{{ .Values.image.longhorn.backingImageManager.repository }}:{{ .Values.image.longhorn.backingImageManager.tag }}" + - --support-bundle-manager-image + - "{{ template "registry_url" . }}{{ .Values.image.longhorn.supportBundleKit.repository }}:{{ .Values.image.longhorn.supportBundleKit.tag }}" + - --manager-image + - "{{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}" + - --service-account + - longhorn-service-account + {{- if .Values.preUpgradeChecker.upgradeVersionCheck}} + - --upgrade-version-check + {{- end }} + ports: + - containerPort: 9500 + name: manager + - containerPort: 9501 + name: conversion-wh + - containerPort: 9502 + name: admission-wh + - containerPort: 9503 + name: recov-backend + readinessProbe: + httpGet: + path: /v1/healthz + port: 9501 + scheme: HTTPS + volumeMounts: + - name: dev + mountPath: /host/dev/ + - name: proc + mountPath: /host/proc/ + - name: longhorn + mountPath: /var/lib/longhorn/ + mountPropagation: Bidirectional + - name: longhorn-grpc-tls + mountPath: /tls-files/ + {{- if .Values.enableGoCoverDir }} + - name: go-cover-dir + mountPath: /go-cover-dir/ + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.enableGoCoverDir }} + - name: GOCOVERDIR + value: /go-cover-dir/ + {{- end }} + volumes: + - name: dev + hostPath: + path: /dev/ + - name: proc + hostPath: + path: /proc/ + - name: longhorn + hostPath: + path: /var/lib/longhorn/ + {{- if .Values.enableGoCoverDir }} + - name: go-cover-dir + hostPath: + path: /go-cover-dir/ + type: DirectoryOrCreate + {{- end }} + - name: longhorn-grpc-tls + secret: + secretName: longhorn-grpc-tls + optional: true + {{- if .Values.privateRegistry.registrySecret }} + imagePullSecrets: + - name: {{ .Values.privateRegistry.registrySecret }} + {{- end }} + {{- if .Values.longhornManager.priorityClass }} + priorityClassName: {{ .Values.longhornManager.priorityClass | quote }} + {{- end }} + {{- if or .Values.longhornManager.tolerations .Values.global.cattle.windowsCluster.enabled }} + tolerations: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.tolerations }} +{{ toYaml .Values.global.cattle.windowsCluster.tolerations | indent 6 }} + {{- end }} + {{- if .Values.longhornManager.tolerations }} +{{ toYaml .Values.longhornManager.tolerations | indent 6 }} + {{- end }} + {{- end }} + {{- if or .Values.longhornManager.nodeSelector .Values.global.cattle.windowsCluster.enabled }} + nodeSelector: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.nodeSelector }} +{{ toYaml .Values.global.cattle.windowsCluster.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.longhornManager.nodeSelector }} +{{ toYaml .Values.longhornManager.nodeSelector | indent 8 }} + {{- end }} + {{- end }} + serviceAccountName: longhorn-service-account + updateStrategy: + rollingUpdate: + maxUnavailable: "100%" +--- +apiVersion: v1 +kind: Service +metadata: + labels: {{- include "longhorn.labels" . | nindent 4 }} + app: longhorn-manager + name: longhorn-backend + namespace: {{ include "release_namespace" . }} + {{- if .Values.longhornManager.serviceAnnotations }} + annotations: +{{ toYaml .Values.longhornManager.serviceAnnotations | indent 4 }} + {{- end }} +spec: + type: {{ .Values.service.manager.type }} + selector: + app: longhorn-manager + ports: + - name: manager + port: 9500 + targetPort: manager + {{- if .Values.service.manager.nodePort }} + nodePort: {{ .Values.service.manager.nodePort }} + {{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/default-setting.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/default-setting.yaml new file mode 100644 index 0000000000..5261f7fef8 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/default-setting.yaml @@ -0,0 +1,229 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: longhorn-default-setting + namespace: {{ include "release_namespace" . }} + labels: {{- include "longhorn.labels" . | nindent 4 }} +data: + default-setting.yaml: |- + {{- if not (kindIs "invalid" .Values.defaultSettings.backupTarget) }} + backup-target: {{ .Values.defaultSettings.backupTarget }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.backupTargetCredentialSecret) }} + backup-target-credential-secret: {{ .Values.defaultSettings.backupTargetCredentialSecret }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.allowRecurringJobWhileVolumeDetached) }} + allow-recurring-job-while-volume-detached: {{ .Values.defaultSettings.allowRecurringJobWhileVolumeDetached }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.createDefaultDiskLabeledNodes) }} + create-default-disk-labeled-nodes: {{ .Values.defaultSettings.createDefaultDiskLabeledNodes }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.defaultDataPath) }} + default-data-path: {{ .Values.defaultSettings.defaultDataPath }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.replicaSoftAntiAffinity) }} + replica-soft-anti-affinity: {{ .Values.defaultSettings.replicaSoftAntiAffinity }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.replicaAutoBalance) }} + replica-auto-balance: {{ .Values.defaultSettings.replicaAutoBalance }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.storageOverProvisioningPercentage) }} + storage-over-provisioning-percentage: {{ .Values.defaultSettings.storageOverProvisioningPercentage }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.storageMinimalAvailablePercentage) }} + storage-minimal-available-percentage: {{ .Values.defaultSettings.storageMinimalAvailablePercentage }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.storageReservedPercentageForDefaultDisk) }} + storage-reserved-percentage-for-default-disk: {{ .Values.defaultSettings.storageReservedPercentageForDefaultDisk }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.upgradeChecker) }} + upgrade-checker: {{ .Values.defaultSettings.upgradeChecker }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.defaultReplicaCount) }} + default-replica-count: {{ .Values.defaultSettings.defaultReplicaCount }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.defaultDataLocality) }} + default-data-locality: {{ .Values.defaultSettings.defaultDataLocality }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.defaultLonghornStaticStorageClass) }} + default-longhorn-static-storage-class: {{ .Values.defaultSettings.defaultLonghornStaticStorageClass }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.backupstorePollInterval) }} + backupstore-poll-interval: {{ .Values.defaultSettings.backupstorePollInterval }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.failedBackupTTL) }} + failed-backup-ttl: {{ .Values.defaultSettings.failedBackupTTL }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.restoreVolumeRecurringJobs) }} + restore-volume-recurring-jobs: {{ .Values.defaultSettings.restoreVolumeRecurringJobs }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.recurringSuccessfulJobsHistoryLimit) }} + recurring-successful-jobs-history-limit: {{ .Values.defaultSettings.recurringSuccessfulJobsHistoryLimit }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.recurringJobMaxRetention) }} + recurring-job-max-retention: {{ .Values.defaultSettings.recurringJobMaxRetention }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.recurringFailedJobsHistoryLimit) }} + recurring-failed-jobs-history-limit: {{ .Values.defaultSettings.recurringFailedJobsHistoryLimit }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.supportBundleFailedHistoryLimit) }} + support-bundle-failed-history-limit: {{ .Values.defaultSettings.supportBundleFailedHistoryLimit }} + {{- end }} + {{- if or (not (kindIs "invalid" .Values.defaultSettings.taintToleration)) (.Values.global.cattle.windowsCluster.enabled) }} + taint-toleration: {{ $windowsDefaultSettingTaintToleration := list }}{{ $defaultSettingTaintToleration := list -}} + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.defaultSetting.taintToleration -}} + {{- $windowsDefaultSettingTaintToleration = .Values.global.cattle.windowsCluster.defaultSetting.taintToleration -}} + {{- end -}} + {{- if not (kindIs "invalid" .Values.defaultSettings.taintToleration) -}} + {{- $defaultSettingTaintToleration = .Values.defaultSettings.taintToleration -}} + {{- end -}} + {{- $taintToleration := list $windowsDefaultSettingTaintToleration $defaultSettingTaintToleration }}{{ join ";" (compact $taintToleration) -}} + {{- end }} + {{- if or (not (kindIs "invalid" .Values.defaultSettings.systemManagedComponentsNodeSelector)) (.Values.global.cattle.windowsCluster.enabled) }} + system-managed-components-node-selector: {{ $windowsDefaultSettingNodeSelector := list }}{{ $defaultSettingNodeSelector := list -}} + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.defaultSetting.systemManagedComponentsNodeSelector -}} + {{ $windowsDefaultSettingNodeSelector = .Values.global.cattle.windowsCluster.defaultSetting.systemManagedComponentsNodeSelector -}} + {{- end -}} + {{- if not (kindIs "invalid" .Values.defaultSettings.systemManagedComponentsNodeSelector) -}} + {{- $defaultSettingNodeSelector = .Values.defaultSettings.systemManagedComponentsNodeSelector -}} + {{- end -}} + {{- $nodeSelector := list $windowsDefaultSettingNodeSelector $defaultSettingNodeSelector }}{{ join ";" (compact $nodeSelector) -}} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.priorityClass) }} + priority-class: {{ .Values.defaultSettings.priorityClass }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.autoSalvage) }} + auto-salvage: {{ .Values.defaultSettings.autoSalvage }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.autoDeletePodWhenVolumeDetachedUnexpectedly) }} + auto-delete-pod-when-volume-detached-unexpectedly: {{ .Values.defaultSettings.autoDeletePodWhenVolumeDetachedUnexpectedly }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.disableSchedulingOnCordonedNode) }} + disable-scheduling-on-cordoned-node: {{ .Values.defaultSettings.disableSchedulingOnCordonedNode }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.replicaZoneSoftAntiAffinity) }} + replica-zone-soft-anti-affinity: {{ .Values.defaultSettings.replicaZoneSoftAntiAffinity }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.replicaDiskSoftAntiAffinity) }} + replica-disk-soft-anti-affinity: {{ .Values.defaultSettings.replicaDiskSoftAntiAffinity }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.nodeDownPodDeletionPolicy) }} + node-down-pod-deletion-policy: {{ .Values.defaultSettings.nodeDownPodDeletionPolicy }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.nodeDrainPolicy) }} + node-drain-policy: {{ .Values.defaultSettings.nodeDrainPolicy }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.detachManuallyAttachedVolumesWhenCordoned) }} + detach-manually-attached-volumes-when-cordoned: {{ .Values.defaultSettings.detachManuallyAttachedVolumesWhenCordoned }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.replicaReplenishmentWaitInterval) }} + replica-replenishment-wait-interval: {{ .Values.defaultSettings.replicaReplenishmentWaitInterval }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.concurrentReplicaRebuildPerNodeLimit) }} + concurrent-replica-rebuild-per-node-limit: {{ .Values.defaultSettings.concurrentReplicaRebuildPerNodeLimit }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.concurrentVolumeBackupRestorePerNodeLimit) }} + concurrent-volume-backup-restore-per-node-limit: {{ .Values.defaultSettings.concurrentVolumeBackupRestorePerNodeLimit }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.disableRevisionCounter) }} + disable-revision-counter: {{ .Values.defaultSettings.disableRevisionCounter }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.systemManagedPodsImagePullPolicy) }} + system-managed-pods-image-pull-policy: {{ .Values.defaultSettings.systemManagedPodsImagePullPolicy }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.allowVolumeCreationWithDegradedAvailability) }} + allow-volume-creation-with-degraded-availability: {{ .Values.defaultSettings.allowVolumeCreationWithDegradedAvailability }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.autoCleanupSystemGeneratedSnapshot) }} + auto-cleanup-system-generated-snapshot: {{ .Values.defaultSettings.autoCleanupSystemGeneratedSnapshot }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.autoCleanupRecurringJobBackupSnapshot) }} + auto-cleanup-recurring-job-backup-snapshot: {{ .Values.defaultSettings.autoCleanupRecurringJobBackupSnapshot }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.concurrentAutomaticEngineUpgradePerNodeLimit) }} + concurrent-automatic-engine-upgrade-per-node-limit: {{ .Values.defaultSettings.concurrentAutomaticEngineUpgradePerNodeLimit }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.backingImageCleanupWaitInterval) }} + backing-image-cleanup-wait-interval: {{ .Values.defaultSettings.backingImageCleanupWaitInterval }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.backingImageRecoveryWaitInterval) }} + backing-image-recovery-wait-interval: {{ .Values.defaultSettings.backingImageRecoveryWaitInterval }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.guaranteedInstanceManagerCPU) }} + guaranteed-instance-manager-cpu: {{ .Values.defaultSettings.guaranteedInstanceManagerCPU }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.kubernetesClusterAutoscalerEnabled) }} + kubernetes-cluster-autoscaler-enabled: {{ .Values.defaultSettings.kubernetesClusterAutoscalerEnabled }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.orphanAutoDeletion) }} + orphan-auto-deletion: {{ .Values.defaultSettings.orphanAutoDeletion }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.storageNetwork) }} + storage-network: {{ .Values.defaultSettings.storageNetwork }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.deletingConfirmationFlag) }} + deleting-confirmation-flag: {{ .Values.defaultSettings.deletingConfirmationFlag }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.engineReplicaTimeout) }} + engine-replica-timeout: {{ .Values.defaultSettings.engineReplicaTimeout }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.snapshotDataIntegrity) }} + snapshot-data-integrity: {{ .Values.defaultSettings.snapshotDataIntegrity }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.snapshotDataIntegrityImmediateCheckAfterSnapshotCreation) }} + snapshot-data-integrity-immediate-check-after-snapshot-creation: {{ .Values.defaultSettings.snapshotDataIntegrityImmediateCheckAfterSnapshotCreation }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.snapshotDataIntegrityCronjob) }} + snapshot-data-integrity-cronjob: {{ .Values.defaultSettings.snapshotDataIntegrityCronjob }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.removeSnapshotsDuringFilesystemTrim) }} + remove-snapshots-during-filesystem-trim: {{ .Values.defaultSettings.removeSnapshotsDuringFilesystemTrim }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.fastReplicaRebuildEnabled) }} + fast-replica-rebuild-enabled: {{ .Values.defaultSettings.fastReplicaRebuildEnabled }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.replicaFileSyncHttpClientTimeout) }} + replica-file-sync-http-client-timeout: {{ .Values.defaultSettings.replicaFileSyncHttpClientTimeout }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.logLevel) }} + log-level: {{ .Values.defaultSettings.logLevel }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.backupCompressionMethod) }} + backup-compression-method: {{ .Values.defaultSettings.backupCompressionMethod }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.backupConcurrentLimit) }} + backup-concurrent-limit: {{ .Values.defaultSettings.backupConcurrentLimit }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.restoreConcurrentLimit) }} + restore-concurrent-limit: {{ .Values.defaultSettings.restoreConcurrentLimit }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.v1DataEngine) }} + v1-data-engine: {{ .Values.defaultSettings.v1DataEngine }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.v2DataEngine) }} + v2-data-engine: {{ .Values.defaultSettings.v2DataEngine }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.v2DataEngineHugepageLimit) }} + v2-data-engine-hugepage-limit: {{ .Values.defaultSettings.v2DataEngineHugepageLimit }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.offlineReplicaRebuilding) }} + offline-replica-rebuilding: {{ .Values.defaultSettings.offlineReplicaRebuilding }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.allowEmptyNodeSelectorVolume) }} + allow-empty-node-selector-volume: {{ .Values.defaultSettings.allowEmptyNodeSelectorVolume }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.allowEmptyDiskSelectorVolume) }} + allow-empty-disk-selector-volume: {{ .Values.defaultSettings.allowEmptyDiskSelectorVolume }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.allowCollectingLonghornUsageMetrics) }} + allow-collecting-longhorn-usage-metrics: {{ .Values.defaultSettings.allowCollectingLonghornUsageMetrics }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.disableSnapshotPurge) }} + disable-snapshot-purge: {{ .Values.defaultSettings.disableSnapshotPurge }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.v2DataEngineGuaranteedInstanceManagerCPU) }} + v2-data-engine-guaranteed-instance-manager-cpu: {{ .Values.defaultSettings.v2DataEngineGuaranteedInstanceManagerCPU }} + {{- end }} + {{- if not (kindIs "invalid" .Values.defaultSettings.snapshotMaxCount) }} + snapshot-max-count: {{ .Values.defaultSettings.snapshotMaxCount }} + {{- end }} \ No newline at end of file diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/deployment-driver.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/deployment-driver.yaml new file mode 100644 index 0000000000..cd2ab3a344 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/deployment-driver.yaml @@ -0,0 +1,132 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: longhorn-driver-deployer + namespace: {{ include "release_namespace" . }} + labels: {{- include "longhorn.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + app: longhorn-driver-deployer + template: + metadata: + labels: {{- include "longhorn.labels" . | nindent 8 }} + app: longhorn-driver-deployer + spec: + initContainers: + - name: wait-longhorn-manager + image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }} + command: ['sh', '-c', 'while [ $(curl -m 1 -s -o /dev/null -w "%{http_code}" http://longhorn-backend:9500/v1) != "200" ]; do echo waiting; sleep 2; done'] + containers: + - name: longhorn-driver-deployer + image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - longhorn-manager + - -d + - deploy-driver + - --manager-image + - "{{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }}" + - --manager-url + - http://longhorn-backend:9500/v1 + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.csi.kubeletRootDir }} + - name: KUBELET_ROOT_DIR + value: {{ .Values.csi.kubeletRootDir }} + {{- end }} + {{- if and .Values.image.csi.attacher.repository .Values.image.csi.attacher.tag }} + - name: CSI_ATTACHER_IMAGE + value: "{{ template "registry_url" . }}{{ .Values.image.csi.attacher.repository }}:{{ .Values.image.csi.attacher.tag }}" + {{- end }} + {{- if and .Values.image.csi.provisioner.repository .Values.image.csi.provisioner.tag }} + - name: CSI_PROVISIONER_IMAGE + value: "{{ template "registry_url" . }}{{ .Values.image.csi.provisioner.repository }}:{{ .Values.image.csi.provisioner.tag }}" + {{- end }} + {{- if and .Values.image.csi.nodeDriverRegistrar.repository .Values.image.csi.nodeDriverRegistrar.tag }} + - name: CSI_NODE_DRIVER_REGISTRAR_IMAGE + value: "{{ template "registry_url" . }}{{ .Values.image.csi.nodeDriverRegistrar.repository }}:{{ .Values.image.csi.nodeDriverRegistrar.tag }}" + {{- end }} + {{- if and .Values.image.csi.resizer.repository .Values.image.csi.resizer.tag }} + - name: CSI_RESIZER_IMAGE + value: "{{ template "registry_url" . }}{{ .Values.image.csi.resizer.repository }}:{{ .Values.image.csi.resizer.tag }}" + {{- end }} + {{- if and .Values.image.csi.snapshotter.repository .Values.image.csi.snapshotter.tag }} + - name: CSI_SNAPSHOTTER_IMAGE + value: "{{ template "registry_url" . }}{{ .Values.image.csi.snapshotter.repository }}:{{ .Values.image.csi.snapshotter.tag }}" + {{- end }} + {{- if and .Values.image.csi.livenessProbe.repository .Values.image.csi.livenessProbe.tag }} + - name: CSI_LIVENESS_PROBE_IMAGE + value: "{{ template "registry_url" . }}{{ .Values.image.csi.livenessProbe.repository }}:{{ .Values.image.csi.livenessProbe.tag }}" + {{- end }} + {{- if .Values.csi.attacherReplicaCount }} + - name: CSI_ATTACHER_REPLICA_COUNT + value: {{ .Values.csi.attacherReplicaCount | quote }} + {{- end }} + {{- if .Values.csi.provisionerReplicaCount }} + - name: CSI_PROVISIONER_REPLICA_COUNT + value: {{ .Values.csi.provisionerReplicaCount | quote }} + {{- end }} + {{- if .Values.csi.resizerReplicaCount }} + - name: CSI_RESIZER_REPLICA_COUNT + value: {{ .Values.csi.resizerReplicaCount | quote }} + {{- end }} + {{- if .Values.csi.snapshotterReplicaCount }} + - name: CSI_SNAPSHOTTER_REPLICA_COUNT + value: {{ .Values.csi.snapshotterReplicaCount | quote }} + {{- end }} + {{- if .Values.enableGoCoverDir }} + - name: GOCOVERDIR + value: /go-cover-dir/ + volumeMounts: + - name: go-cover-dir + mountPath: /go-cover-dir/ + {{- end }} + + {{- if .Values.privateRegistry.registrySecret }} + imagePullSecrets: + - name: {{ .Values.privateRegistry.registrySecret }} + {{- end }} + {{- if .Values.longhornDriver.priorityClass }} + priorityClassName: {{ .Values.longhornDriver.priorityClass | quote }} + {{- end }} + {{- if or .Values.longhornDriver.tolerations .Values.global.cattle.windowsCluster.enabled }} + tolerations: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.tolerations }} +{{ toYaml .Values.global.cattle.windowsCluster.tolerations | indent 6 }} + {{- end }} + {{- if .Values.longhornDriver.tolerations }} +{{ toYaml .Values.longhornDriver.tolerations | indent 6 }} + {{- end }} + {{- end }} + {{- if or .Values.longhornDriver.nodeSelector .Values.global.cattle.windowsCluster.enabled }} + nodeSelector: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.nodeSelector }} +{{ toYaml .Values.global.cattle.windowsCluster.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.longhornDriver.nodeSelector }} +{{ toYaml .Values.longhornDriver.nodeSelector | indent 8 }} + {{- end }} + {{- end }} + serviceAccountName: longhorn-service-account + securityContext: + runAsUser: 0 + {{- if .Values.enableGoCoverDir }} + volumes: + - name: go-cover-dir + hostPath: + path: /go-cover-dir/ + type: DirectoryOrCreate + {{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/deployment-ui.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/deployment-ui.yaml new file mode 100644 index 0000000000..0ee86c7904 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/deployment-ui.yaml @@ -0,0 +1,182 @@ +{{- if .Values.openshift.enabled }} +{{- if .Values.openshift.ui.route }} +# https://github.com/openshift/oauth-proxy/blob/master/contrib/sidecar.yaml +# Create a proxy service account and ensure it will use the route "proxy" +# Create a secure connection to the proxy via a route +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + labels: {{- include "longhorn.labels" . | nindent 4 }} + app: longhorn-ui + name: {{ .Values.openshift.ui.route }} + namespace: {{ include "release_namespace" . }} +spec: + to: + kind: Service + name: longhorn-ui + tls: + termination: reencrypt +--- +apiVersion: v1 +kind: Service +metadata: + labels: {{- include "longhorn.labels" . | nindent 4 }} + app: longhorn-ui + name: longhorn-ui + namespace: {{ include "release_namespace" . }} + annotations: + service.alpha.openshift.io/serving-cert-secret-name: longhorn-ui-tls +spec: + ports: + - name: longhorn-ui + port: {{ .Values.openshift.ui.port | default 443 }} + targetPort: {{ .Values.openshift.ui.proxy | default 8443 }} + selector: + app: longhorn-ui +--- +{{- end }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: {{- include "longhorn.labels" . | nindent 4 }} + app: longhorn-ui + name: longhorn-ui + namespace: {{ include "release_namespace" . }} +spec: + replicas: {{ .Values.longhornUI.replicas }} + selector: + matchLabels: + app: longhorn-ui + template: + metadata: + labels: {{- include "longhorn.labels" . | nindent 8 }} + app: longhorn-ui + spec: + serviceAccountName: longhorn-ui-service-account + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - longhorn-ui + topologyKey: kubernetes.io/hostname + containers: + {{- if .Values.openshift.enabled }} + {{- if .Values.openshift.ui.route }} + - name: oauth-proxy + image: {{ template "registry_url" . }}{{ .Values.image.openshift.oauthProxy.repository }}:{{ .Values.image.openshift.oauthProxy.tag }} + imagePullPolicy: IfNotPresent + ports: + - containerPort: {{ .Values.openshift.ui.proxy | default 8443 }} + name: public + args: + - --https-address=:{{ .Values.openshift.ui.proxy | default 8443 }} + - --provider=openshift + - --openshift-service-account=longhorn-ui-service-account + - --upstream=http://localhost:8000 + - --tls-cert=/etc/tls/private/tls.crt + - --tls-key=/etc/tls/private/tls.key + - --cookie-secret=SECRET + - --openshift-sar={"namespace":"{{ include "release_namespace" . }}","group":"longhorn.io","resource":"setting","verb":"delete"} + volumeMounts: + - mountPath: /etc/tls/private + name: longhorn-ui-tls + {{- end }} + {{- end }} + - name: longhorn-ui + image: {{ template "registry_url" . }}{{ .Values.image.longhorn.ui.repository }}:{{ .Values.image.longhorn.ui.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name : nginx-cache + mountPath: /var/cache/nginx/ + - name : nginx-config + mountPath: /var/config/nginx/ + - name: var-run + mountPath: /var/run/ + ports: + - containerPort: 8000 + name: http + env: + - name: LONGHORN_MANAGER_IP + value: "http://longhorn-backend:9500" + - name: LONGHORN_UI_PORT + value: "8000" + volumes: + {{- if .Values.openshift.enabled }} + {{- if .Values.openshift.ui.route }} + - name: longhorn-ui-tls + secret: + secretName: longhorn-ui-tls + {{- end }} + {{- end }} + - emptyDir: {} + name: nginx-cache + - emptyDir: {} + name: nginx-config + - emptyDir: {} + name: var-run + {{- if .Values.privateRegistry.registrySecret }} + imagePullSecrets: + - name: {{ .Values.privateRegistry.registrySecret }} + {{- end }} + {{- if .Values.longhornUI.priorityClass }} + priorityClassName: {{ .Values.longhornUI.priorityClass | quote }} + {{- end }} + {{- if or .Values.longhornUI.tolerations .Values.global.cattle.windowsCluster.enabled }} + tolerations: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.tolerations }} +{{ toYaml .Values.global.cattle.windowsCluster.tolerations | indent 6 }} + {{- end }} + {{- if .Values.longhornUI.tolerations }} +{{ toYaml .Values.longhornUI.tolerations | indent 6 }} + {{- end }} + {{- end }} + {{- if or .Values.longhornUI.nodeSelector .Values.global.cattle.windowsCluster.enabled }} + nodeSelector: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.nodeSelector }} +{{ toYaml .Values.global.cattle.windowsCluster.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.longhornUI.nodeSelector }} +{{ toYaml .Values.longhornUI.nodeSelector | indent 8 }} + {{- end }} + {{- end }} +--- +kind: Service +apiVersion: v1 +metadata: + labels: {{- include "longhorn.labels" . | nindent 4 }} + app: longhorn-ui + {{- if eq .Values.service.ui.type "Rancher-Proxy" }} + kubernetes.io/cluster-service: "true" + {{- end }} + name: longhorn-frontend + namespace: {{ include "release_namespace" . }} +spec: + {{- if eq .Values.service.ui.type "Rancher-Proxy" }} + type: ClusterIP + {{- else }} + type: {{ .Values.service.ui.type }} + {{- end }} + {{- if and .Values.service.ui.loadBalancerIP (eq .Values.service.ui.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.service.ui.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.ui.type "LoadBalancer") .Values.service.ui.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.service.ui.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + selector: + app: longhorn-ui + ports: + - name: http + port: 80 + targetPort: http + {{- if .Values.service.ui.nodePort }} + nodePort: {{ .Values.service.ui.nodePort }} + {{- else }} + nodePort: null + {{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/ingress.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/ingress.yaml new file mode 100644 index 0000000000..9038ff0cc1 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/ingress.yaml @@ -0,0 +1,37 @@ +{{- if .Values.ingress.enabled }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: longhorn-ingress + namespace: {{ include "release_namespace" . }} + labels: {{- include "longhorn.labels" . | nindent 4 }} + app: longhorn-ingress + annotations: + {{- if .Values.ingress.secureBackends }} + ingress.kubernetes.io/secure-backends: "true" + {{- end }} + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + {{- if .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} + {{- end }} + rules: + - host: {{ .Values.ingress.host }} + http: + paths: + - path: {{ default "" .Values.ingress.path }} + pathType: ImplementationSpecific + backend: + service: + name: longhorn-frontend + port: + number: 80 +{{- if .Values.ingress.tls }} + tls: + - hosts: + - {{ .Values.ingress.host }} + secretName: {{ .Values.ingress.tlsSecret }} +{{- end }} +{{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/backing-image-data-source-network-policy.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/backing-image-data-source-network-policy.yaml new file mode 100644 index 0000000000..7204d63caa --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/backing-image-data-source-network-policy.yaml @@ -0,0 +1,27 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: backing-image-data-source + namespace: {{ include "release_namespace" . }} +spec: + podSelector: + matchLabels: + longhorn.io/component: backing-image-data-source + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: longhorn-manager + - podSelector: + matchLabels: + longhorn.io/component: instance-manager + - podSelector: + matchLabels: + longhorn.io/component: backing-image-manager + - podSelector: + matchLabels: + longhorn.io/component: backing-image-data-source +{{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/backing-image-manager-network-policy.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/backing-image-manager-network-policy.yaml new file mode 100644 index 0000000000..119ebf08a1 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/backing-image-manager-network-policy.yaml @@ -0,0 +1,27 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: backing-image-manager + namespace: {{ include "release_namespace" . }} +spec: + podSelector: + matchLabels: + longhorn.io/component: backing-image-manager + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: longhorn-manager + - podSelector: + matchLabels: + longhorn.io/component: instance-manager + - podSelector: + matchLabels: + longhorn.io/component: backing-image-manager + - podSelector: + matchLabels: + longhorn.io/component: backing-image-data-source +{{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/instance-manager-networking.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/instance-manager-networking.yaml new file mode 100644 index 0000000000..332aa2c2fe --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/instance-manager-networking.yaml @@ -0,0 +1,27 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: instance-manager + namespace: {{ include "release_namespace" . }} +spec: + podSelector: + matchLabels: + longhorn.io/component: instance-manager + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: longhorn-manager + - podSelector: + matchLabels: + longhorn.io/component: instance-manager + - podSelector: + matchLabels: + longhorn.io/component: backing-image-manager + - podSelector: + matchLabels: + longhorn.io/component: backing-image-data-source +{{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/manager-network-policy.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/manager-network-policy.yaml new file mode 100644 index 0000000000..6f94029a53 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/manager-network-policy.yaml @@ -0,0 +1,35 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: longhorn-manager + namespace: {{ include "release_namespace" . }} +spec: + podSelector: + matchLabels: + app: longhorn-manager + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: longhorn-manager + - podSelector: + matchLabels: + app: longhorn-ui + - podSelector: + matchLabels: + app: longhorn-csi-plugin + - podSelector: + matchLabels: + longhorn.io/managed-by: longhorn-manager + matchExpressions: + - { key: recurring-job.longhorn.io, operator: Exists } + - podSelector: + matchExpressions: + - { key: longhorn.io/job-task, operator: Exists } + - podSelector: + matchLabels: + app: longhorn-driver-deployer +{{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/recovery-backend-network-policy.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/recovery-backend-network-policy.yaml new file mode 100644 index 0000000000..6e34dadfc2 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/recovery-backend-network-policy.yaml @@ -0,0 +1,17 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: longhorn-recovery-backend + namespace: {{ include "release_namespace" . }} +spec: + podSelector: + matchLabels: + app: longhorn-manager + policyTypes: + - Ingress + ingress: + - ports: + - protocol: TCP + port: 9503 +{{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/ui-frontend-network-policy.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/ui-frontend-network-policy.yaml new file mode 100644 index 0000000000..6f37065980 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/ui-frontend-network-policy.yaml @@ -0,0 +1,46 @@ +{{- if and .Values.networkPolicies.enabled .Values.ingress.enabled (not (eq .Values.networkPolicies.type "")) }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: longhorn-ui-frontend + namespace: {{ include "release_namespace" . }} +spec: + podSelector: + matchLabels: + app: longhorn-ui + policyTypes: + - Ingress + ingress: + - from: + {{- if eq .Values.networkPolicies.type "rke1"}} + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: ingress-nginx + podSelector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + {{- else if eq .Values.networkPolicies.type "rke2" }} + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: rke2-ingress-nginx + app.kubernetes.io/name: rke2-ingress-nginx + {{- else if eq .Values.networkPolicies.type "k3s" }} + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + app.kubernetes.io/name: traefik + ports: + - port: 8000 + protocol: TCP + - port: 80 + protocol: TCP + {{- end }} +{{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/webhook-network-policy.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/webhook-network-policy.yaml new file mode 100644 index 0000000000..3575763d39 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/network-policies/webhook-network-policy.yaml @@ -0,0 +1,33 @@ +{{- if .Values.networkPolicies.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: longhorn-conversion-webhook + namespace: {{ include "release_namespace" . }} +spec: + podSelector: + matchLabels: + app: longhorn-manager + policyTypes: + - Ingress + ingress: + - ports: + - protocol: TCP + port: 9501 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: longhorn-admission-webhook + namespace: {{ include "release_namespace" . }} +spec: + podSelector: + matchLabels: + app: longhorn-manager + policyTypes: + - Ingress + ingress: + - ports: + - protocol: TCP + port: 9502 +{{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/postupgrade-job.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/postupgrade-job.yaml new file mode 100644 index 0000000000..bb25a54d4e --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/postupgrade-job.yaml @@ -0,0 +1,56 @@ +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + name: longhorn-post-upgrade + namespace: {{ include "release_namespace" . }} + labels: {{- include "longhorn.labels" . | nindent 4 }} +spec: + activeDeadlineSeconds: 900 + backoffLimit: 1 + template: + metadata: + name: longhorn-post-upgrade + labels: {{- include "longhorn.labels" . | nindent 8 }} + spec: + containers: + - name: longhorn-post-upgrade + image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - longhorn-manager + - post-upgrade + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + {{- if .Values.privateRegistry.registrySecret }} + imagePullSecrets: + - name: {{ .Values.privateRegistry.registrySecret }} + {{- end }} + {{- if .Values.longhornManager.priorityClass }} + priorityClassName: {{ .Values.longhornManager.priorityClass | quote }} + {{- end }} + serviceAccountName: longhorn-service-account + {{- if or .Values.longhornManager.tolerations .Values.global.cattle.windowsCluster.enabled }} + tolerations: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.tolerations }} +{{ toYaml .Values.global.cattle.windowsCluster.tolerations | indent 6 }} + {{- end }} + {{- if .Values.longhornManager.tolerations }} +{{ toYaml .Values.longhornManager.tolerations | indent 6 }} + {{- end }} + {{- end }} + {{- if or .Values.longhornManager.nodeSelector .Values.global.cattle.windowsCluster.enabled }} + nodeSelector: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.nodeSelector }} +{{ toYaml .Values.global.cattle.windowsCluster.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.longhornManager.nodeSelector }} +{{ toYaml .Values.longhornManager.nodeSelector | indent 8 }} + {{- end }} + {{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/preupgrade-job.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/preupgrade-job.yaml new file mode 100644 index 0000000000..ef0fe02f43 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/preupgrade-job.yaml @@ -0,0 +1,55 @@ +{{- if and .Values.preUpgradeChecker.jobEnabled .Values.preUpgradeChecker.upgradeVersionCheck}} +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed + name: longhorn-pre-upgrade + namespace: {{ include "release_namespace" . }} + labels: {{- include "longhorn.labels" . | nindent 4 }} +spec: + activeDeadlineSeconds: 900 + backoffLimit: 1 + template: + metadata: + name: longhorn-pre-upgrade + labels: {{- include "longhorn.labels" . | nindent 8 }} + spec: + containers: + - name: longhorn-pre-upgrade + image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - longhorn-manager + - pre-upgrade + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: OnFailure + {{- if .Values.privateRegistry.registrySecret }} + imagePullSecrets: + - name: {{ .Values.privateRegistry.registrySecret }} + {{- end }} + serviceAccountName: longhorn-service-account + {{- if or .Values.longhornManager.tolerations .Values.global.cattle.windowsCluster.enabled }} + tolerations: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.tolerations }} +{{ toYaml .Values.global.cattle.windowsCluster.tolerations | indent 6 }} + {{- end }} + {{- if .Values.longhornManager.tolerations }} +{{ toYaml .Values.longhornManager.tolerations | indent 6 }} + {{- end }} + {{- end }} + {{- if or .Values.longhornManager.nodeSelector .Values.global.cattle.windowsCluster.enabled }} + nodeSelector: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.nodeSelector }} +{{ toYaml .Values.global.cattle.windowsCluster.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.longhornManager.nodeSelector }} +{{ toYaml .Values.longhornManager.nodeSelector | indent 8 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/priorityclass.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/priorityclass.yaml new file mode 100644 index 0000000000..208adc84a2 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/priorityclass.yaml @@ -0,0 +1,9 @@ +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: "longhorn-critical" + labels: {{- include "longhorn.labels" . | nindent 4 }} +description: "Ensure Longhorn pods have the highest priority to prevent any unexpected eviction by the Kubernetes scheduler under node pressure" +globalDefault: false +preemptionPolicy: PreemptLowerPriority +value: 1000000000 diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/psp.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/psp.yaml new file mode 100644 index 0000000000..a2dfc05bef --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/psp.yaml @@ -0,0 +1,66 @@ +{{- if .Values.enablePSP }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: longhorn-psp + labels: {{- include "longhorn.labels" . | nindent 4 }} +spec: + privileged: true + allowPrivilegeEscalation: true + requiredDropCapabilities: + - NET_RAW + allowedCapabilities: + - SYS_ADMIN + hostNetwork: false + hostIPC: false + hostPID: true + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + fsGroup: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - configMap + - downwardAPI + - emptyDir + - secret + - projected + - hostPath +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: longhorn-psp-role + labels: {{- include "longhorn.labels" . | nindent 4 }} + namespace: {{ include "release_namespace" . }} +rules: +- apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - longhorn-psp +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: longhorn-psp-binding + labels: {{- include "longhorn.labels" . | nindent 4 }} + namespace: {{ include "release_namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: longhorn-psp-role +subjects: +- kind: ServiceAccount + name: longhorn-service-account + namespace: {{ include "release_namespace" . }} +- kind: ServiceAccount + name: default + namespace: {{ include "release_namespace" . }} +{{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/registry-secret.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/registry-secret.yaml new file mode 100644 index 0000000000..3c6b1dc510 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/registry-secret.yaml @@ -0,0 +1,13 @@ +{{- if .Values.privateRegistry.createSecret }} +{{- if .Values.privateRegistry.registrySecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.privateRegistry.registrySecret }} + namespace: {{ include "release_namespace" . }} + labels: {{- include "longhorn.labels" . | nindent 4 }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ template "secret" . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/serviceaccount.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/serviceaccount.yaml new file mode 100644 index 0000000000..b0d6dd505b --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/serviceaccount.yaml @@ -0,0 +1,40 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: longhorn-service-account + namespace: {{ include "release_namespace" . }} + labels: {{- include "longhorn.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: longhorn-ui-service-account + namespace: {{ include "release_namespace" . }} + labels: {{- include "longhorn.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.openshift.enabled }} + {{- if .Values.openshift.ui.route }} + {{- if not .Values.serviceAccount.annotations }} + annotations: + {{- end }} + serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"longhorn-ui"}}' + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: longhorn-support-bundle + namespace: {{ include "release_namespace" . }} + labels: {{- include "longhorn.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} \ No newline at end of file diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/servicemonitor.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/servicemonitor.yaml new file mode 100644 index 0000000000..fd11fe9d47 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/servicemonitor.yaml @@ -0,0 +1,19 @@ +{{- if .Values.metrics.serviceMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: longhorn-prometheus-servicemonitor + namespace: {{ include "release_namespace" . }} + labels: + {{- include "longhorn.labels" . | nindent 4 }} + name: longhorn-prometheus-servicemonitor +spec: + selector: + matchLabels: + app: longhorn-manager + namespaceSelector: + matchNames: + - {{ include "release_namespace" . }} + endpoints: + - port: manager +{{- end }} \ No newline at end of file diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/services.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/services.yaml new file mode 100644 index 0000000000..8baef021f3 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/services.yaml @@ -0,0 +1,71 @@ +apiVersion: v1 +kind: Service +metadata: + labels: {{- include "longhorn.labels" . | nindent 4 }} + app: longhorn-conversion-webhook + name: longhorn-conversion-webhook + namespace: {{ include "release_namespace" . }} +spec: + type: ClusterIP + selector: + app: longhorn-manager + ports: + - name: conversion-webhook + port: 9501 + targetPort: conversion-wh +--- +apiVersion: v1 +kind: Service +metadata: + labels: {{- include "longhorn.labels" . | nindent 4 }} + app: longhorn-admission-webhook + name: longhorn-admission-webhook + namespace: {{ include "release_namespace" . }} +spec: + type: ClusterIP + selector: + app: longhorn-manager + ports: + - name: admission-webhook + port: 9502 + targetPort: admission-wh +--- +apiVersion: v1 +kind: Service +metadata: + labels: {{- include "longhorn.labels" . | nindent 4 }} + app: longhorn-recovery-backend + name: longhorn-recovery-backend + namespace: {{ include "release_namespace" . }} +spec: + type: ClusterIP + selector: + app: longhorn-manager + ports: + - name: recovery-backend + port: 9503 + targetPort: recov-backend +--- +apiVersion: v1 +kind: Service +metadata: + labels: {{- include "longhorn.labels" . | nindent 4 }} + name: longhorn-engine-manager + namespace: {{ include "release_namespace" . }} +spec: + clusterIP: None + selector: + longhorn.io/component: instance-manager + longhorn.io/instance-manager-type: engine +--- +apiVersion: v1 +kind: Service +metadata: + labels: {{- include "longhorn.labels" . | nindent 4 }} + name: longhorn-replica-manager + namespace: {{ include "release_namespace" . }} +spec: + clusterIP: None + selector: + longhorn.io/component: instance-manager + longhorn.io/instance-manager-type: replica diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/storageclass.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/storageclass.yaml new file mode 100644 index 0000000000..f79699f5e0 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/storageclass.yaml @@ -0,0 +1,50 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: longhorn-storageclass + namespace: {{ include "release_namespace" . }} + labels: {{- include "longhorn.labels" . | nindent 4 }} +data: + storageclass.yaml: | + kind: StorageClass + apiVersion: storage.k8s.io/v1 + metadata: + name: longhorn + annotations: + storageclass.kubernetes.io/is-default-class: {{ .Values.persistence.defaultClass | quote }} + provisioner: driver.longhorn.io + allowVolumeExpansion: true + reclaimPolicy: "{{ .Values.persistence.reclaimPolicy }}" + volumeBindingMode: Immediate + parameters: + numberOfReplicas: "{{ .Values.persistence.defaultClassReplicaCount }}" + staleReplicaTimeout: "30" + fromBackup: "" + {{- if .Values.persistence.defaultFsType }} + fsType: "{{ .Values.persistence.defaultFsType }}" + {{- end }} + {{- if .Values.persistence.defaultMkfsParams }} + mkfsParams: "{{ .Values.persistence.defaultMkfsParams }}" + {{- end }} + {{- if .Values.persistence.migratable }} + migratable: "{{ .Values.persistence.migratable }}" + {{- end }} + {{- if .Values.persistence.nfsOptions }} + nfsOptions: "{{ .Values.persistence.nfsOptions }}" + {{- end }} + {{- if .Values.persistence.backingImage.enable }} + backingImage: {{ .Values.persistence.backingImage.name }} + backingImageDataSourceType: {{ .Values.persistence.backingImage.dataSourceType }} + backingImageDataSourceParameters: {{ .Values.persistence.backingImage.dataSourceParameters }} + backingImageChecksum: {{ .Values.persistence.backingImage.expectedChecksum }} + {{- end }} + {{- if .Values.persistence.recurringJobSelector.enable }} + recurringJobSelector: '{{ .Values.persistence.recurringJobSelector.jobList }}' + {{- end }} + dataLocality: {{ .Values.persistence.defaultDataLocality | quote }} + {{- if .Values.persistence.defaultNodeSelector.enable }} + nodeSelector: "{{ .Values.persistence.defaultNodeSelector.selector }}" + {{- end }} + {{- if .Values.persistence.removeSnapshotsDuringFilesystemTrim }} + unmapMarkSnapChainRemoved: "{{ .Values.persistence.removeSnapshotsDuringFilesystemTrim }}" + {{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/tls-secrets.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/tls-secrets.yaml new file mode 100644 index 0000000000..74c43426de --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/tls-secrets.yaml @@ -0,0 +1,16 @@ +{{- if .Values.ingress.enabled }} +{{- range .Values.ingress.secrets }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .name }} + namespace: {{ include "release_namespace" $ }} + labels: {{- include "longhorn.labels" $ | nindent 4 }} + app: longhorn +type: kubernetes.io/tls +data: + tls.crt: {{ .certificate | b64enc }} + tls.key: {{ .key | b64enc }} +--- +{{- end }} +{{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/uninstall-job.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/uninstall-job.yaml new file mode 100644 index 0000000000..968f420616 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/uninstall-job.yaml @@ -0,0 +1,57 @@ +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + name: longhorn-uninstall + namespace: {{ include "release_namespace" . }} + labels: {{- include "longhorn.labels" . | nindent 4 }} +spec: + activeDeadlineSeconds: 900 + backoffLimit: 1 + template: + metadata: + name: longhorn-uninstall + labels: {{- include "longhorn.labels" . | nindent 8 }} + spec: + containers: + - name: longhorn-uninstall + image: {{ template "registry_url" . }}{{ .Values.image.longhorn.manager.repository }}:{{ .Values.image.longhorn.manager.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - longhorn-manager + - uninstall + - --force + env: + - name: LONGHORN_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + restartPolicy: Never + {{- if .Values.privateRegistry.registrySecret }} + imagePullSecrets: + - name: {{ .Values.privateRegistry.registrySecret }} + {{- end }} + {{- if .Values.longhornManager.priorityClass }} + priorityClassName: {{ .Values.longhornManager.priorityClass | quote }} + {{- end }} + serviceAccountName: longhorn-service-account + {{- if or .Values.longhornManager.tolerations .Values.global.cattle.windowsCluster.enabled }} + tolerations: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.tolerations }} +{{ toYaml .Values.global.cattle.windowsCluster.tolerations | indent 6 }} + {{- end }} + {{- if .Values.longhornManager.tolerations }} +{{ toYaml .Values.longhornManager.tolerations | indent 6 }} + {{- end }} + {{- end }} + {{- if or .Values.longhornManager.nodeSelector .Values.global.cattle.windowsCluster.enabled }} + nodeSelector: + {{- if and .Values.global.cattle.windowsCluster.enabled .Values.global.cattle.windowsCluster.nodeSelector }} +{{ toYaml .Values.global.cattle.windowsCluster.nodeSelector | indent 8 }} + {{- end }} + {{- if or .Values.longhornManager.nodeSelector }} +{{ toYaml .Values.longhornManager.nodeSelector | indent 8 }} + {{- end }} + {{- end }} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/userroles.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/userroles.yaml new file mode 100644 index 0000000000..1dbb6be90e --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/userroles.yaml @@ -0,0 +1,53 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: "longhorn-admin" + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: +- apiGroups: [ "longhorn.io" ] + resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings", + "engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status", + "sharemanagers", "sharemanagers/status", "backingimages", "backingimages/status", + "backingimagemanagers", "backingimagemanagers/status", "backingimagedatasources", "backingimagedatasources/status", "backupbackingimages", "backupbackingimages/status", + "backuptargets", "backuptargets/status", "backupvolumes", "backupvolumes/status", "backups", "backups/status", + "recurringjobs", "recurringjobs/status", "orphans", "orphans/status", "snapshots", "snapshots/status", + "supportbundles", "supportbundles/status", "systembackups", "systembackups/status", "systemrestores", "systemrestores/status", + "volumeattachments", "volumeattachments/status"] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: "longhorn-edit" + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: [ "longhorn.io" ] + resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings", + "engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status", + "sharemanagers", "sharemanagers/status", "backingimages", "backingimages/status", + "backingimagemanagers", "backingimagemanagers/status", "backingimagedatasources", "backingimagedatasources/status", "backupbackingimages", "backupbackingimages/status", + "backuptargets", "backuptargets/status", "backupvolumes", "backupvolumes/status", "backups", "backups/status", + "recurringjobs", "recurringjobs/status", "orphans", "orphans/status", "snapshots", "snapshots/status", + "supportbundles", "supportbundles/status", "systembackups", "systembackups/status", "systemrestores", "systemrestores/status", + "volumeattachments", "volumeattachments/status"] + verbs: [ "*" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: "longhorn-view" + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: [ "longhorn.io" ] + resources: ["volumes", "volumes/status", "engines", "engines/status", "replicas", "replicas/status", "settings", + "engineimages", "engineimages/status", "nodes", "nodes/status", "instancemanagers", "instancemanagers/status", + "sharemanagers", "sharemanagers/status", "backingimages", "backingimages/status", + "backingimagemanagers", "backingimagemanagers/status", "backingimagedatasources", "backingimagedatasources/status", "backupbackingimages", "backupbackingimages/status", + "backuptargets", "backuptargets/status", "backupvolumes", "backupvolumes/status", "backups", "backups/status", + "recurringjobs", "recurringjobs/status", "orphans", "orphans/status", "snapshots", "snapshots/status", + "supportbundles", "supportbundles/status", "systembackups", "systembackups/status", "systemrestores", "systemrestores/status", + "volumeattachments", "volumeattachments/status"] + verbs: [ "get", "list", "watch" ] diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/validate-install-crd.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/validate-install-crd.yaml new file mode 100644 index 0000000000..aac4dd9c53 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/validate-install-crd.yaml @@ -0,0 +1,35 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "longhorn.io/v1beta1/BackingImageDataSource" false -}} +# {{- set $found "longhorn.io/v1beta1/BackingImageManager" false -}} +# {{- set $found "longhorn.io/v1beta1/BackingImage" false -}} +# {{- set $found "longhorn.io/v1beta1/Backup" false -}} +# {{- set $found "longhorn.io/v1beta2/BackupBackingImage" false -}} +# {{- set $found "longhorn.io/v1beta1/BackupTarget" false -}} +# {{- set $found "longhorn.io/v1beta1/BackupVolume" false -}} +# {{- set $found "longhorn.io/v1beta1/EngineImage" false -}} +# {{- set $found "longhorn.io/v1beta1/Engine" false -}} +# {{- set $found "longhorn.io/v1beta1/InstanceManager" false -}} +# {{- set $found "longhorn.io/v1beta1/Node" false -}} +# {{- set $found "longhorn.io/v1beta2/Orphan" false -}} +# {{- set $found "longhorn.io/v1beta1/RecurringJob" false -}} +# {{- set $found "longhorn.io/v1beta1/Replica" false -}} +# {{- set $found "longhorn.io/v1beta1/Setting" false -}} +# {{- set $found "longhorn.io/v1beta1/ShareManager" false -}} +# {{- set $found "longhorn.io/v1beta2/Snapshot" false -}} +# {{- set $found "longhorn.io/v1beta2/SupportBundle" false -}} +# {{- set $found "longhorn.io/v1beta2/SystemBackup" false -}} +# {{- set $found "longhorn.io/v1beta2/SystemRestore" false -}} +# {{- set $found "longhorn.io/v1beta1/Volume" false -}} +# {{- set $found "longhorn.io/v1beta2/VolumeAttachment" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} diff --git a/charts/longhorn/102.4.0+up1.6.1/templates/validate-psp-install.yaml b/charts/longhorn/102.4.0+up1.6.1/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..0df98e3657 --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.enablePSP }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} \ No newline at end of file diff --git a/charts/longhorn/102.4.0+up1.6.1/values.yaml b/charts/longhorn/102.4.0+up1.6.1/values.yaml new file mode 100644 index 0000000000..64058d287e --- /dev/null +++ b/charts/longhorn/102.4.0+up1.6.1/values.yaml @@ -0,0 +1,483 @@ +# Default values for longhorn. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +global: + cattle: + # -- Default system registry. + systemDefaultRegistry: "" + windowsCluster: + # -- Setting that allows Longhorn to run on a Rancher Windows cluster. + enabled: false + # -- Toleration for Linux nodes that can run user-deployed Longhorn components. + tolerations: + - key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" + # -- Node selector for Linux nodes that can run user-deployed Longhorn components. + nodeSelector: + kubernetes.io/os: "linux" + defaultSetting: + # -- Toleration for system-managed Longhorn components. + taintToleration: cattle.io/os=linux:NoSchedule + # -- Node selector for system-managed Longhorn components. + systemManagedComponentsNodeSelector: kubernetes.io/os:linux + +networkPolicies: + # -- Setting that allows you to enable network policies that control access to Longhorn pods. + enabled: false + # -- Distribution that determines the policy for allowing access for an ingress. (Options: "k3s", "rke2", "rke1") + type: "k3s" + +image: + longhorn: + engine: + # -- Repository for the Longhorn Engine image. + repository: rancher/mirrored-longhornio-longhorn-engine + # -- Specify Longhorn engine image tag + tag: v1.6.1 + manager: + # -- Repository for the Longhorn Manager image. + repository: rancher/mirrored-longhornio-longhorn-manager + # -- Specify Longhorn manager image tag + tag: v1.6.1 + ui: + # -- Repository for the Longhorn UI image. + repository: rancher/mirrored-longhornio-longhorn-ui + # -- Specify Longhorn ui image tag + tag: v1.6.1 + instanceManager: + # -- Repository for the Longhorn Instance Manager image. + repository: rancher/mirrored-longhornio-longhorn-instance-manager + # -- Specify Longhorn instance manager image tag + tag: v1.6.1 + shareManager: + # -- Repository for the Longhorn Share Manager image. + repository: rancher/mirrored-longhornio-longhorn-share-manager + # -- Specify Longhorn share manager image tag + tag: v1.6.1 + backingImageManager: + # -- Repository for the Backing Image Manager image. When unspecified, Longhorn uses the default value. + repository: rancher/mirrored-longhornio-backing-image-manager + # -- Specify Longhorn backing image manager image tag + tag: v1.6.1 + supportBundleKit: + # -- Repository for the Longhorn Support Bundle Manager image. + repository: rancher/mirrored-longhornio-support-bundle-kit + # -- Tag for the Longhorn Support Bundle Manager image. + tag: v0.0.36 + csi: + attacher: + # -- Repository for the CSI attacher image. When unspecified, Longhorn uses the default value. + repository: rancher/mirrored-longhornio-csi-attacher + # -- Tag for the CSI attacher image. When unspecified, Longhorn uses the default value. + tag: v4.4.2 + provisioner: + # -- Repository for the CSI Provisioner image. When unspecified, Longhorn uses the default value. + repository: rancher/mirrored-longhornio-csi-provisioner + # -- Tag for the CSI Provisioner image. When unspecified, Longhorn uses the default value. + tag: v3.6.2 + nodeDriverRegistrar: + # -- Repository for the CSI Node Driver Registrar image. When unspecified, Longhorn uses the default value. + repository: rancher/mirrored-longhornio-csi-node-driver-registrar + # -- Tag for the CSI Node Driver Registrar image. When unspecified, Longhorn uses the default value. + tag: v2.9.2 + resizer: + # -- Repository for the CSI Resizer image. When unspecified, Longhorn uses the default value. + repository: rancher/mirrored-longhornio-csi-resizer + # -- Tag for the CSI Resizer image. When unspecified, Longhorn uses the default value. + tag: v1.9.2 + snapshotter: + # -- Repository for the CSI Snapshotter image. When unspecified, Longhorn uses the default value. + repository: rancher/mirrored-longhornio-csi-snapshotter + # -- Tag for the CSI Snapshotter image. When unspecified, Longhorn uses the default value. + tag: v6.3.2 + livenessProbe: + # -- Repository for the CSI liveness probe image. When unspecified, Longhorn uses the default value. + repository: rancher/mirrored-longhornio-livenessprobe + # -- Tag for the CSI liveness probe image. When unspecified, Longhorn uses the default value. + tag: v2.12.0 + openshift: + oauthProxy: + # -- Repository for the OAuth Proxy image. This setting applies only to OpenShift users. + repository: rancher/mirrored-longhornio-openshift-origin-oauth-proxy + # -- Tag for the OAuth Proxy image. This setting applies only to OpenShift users. Specify OCP/OKD version 4.1 or later. The latest stable version is 4.14. + tag: 4.14 + # -- Image pull policy that applies to all user-deployed Longhorn components, such as Longhorn Manager, Longhorn driver, and Longhorn UI. + pullPolicy: IfNotPresent + +service: + ui: + # -- Service type for Longhorn UI. (Options: "ClusterIP", "NodePort", "LoadBalancer", "Rancher-Proxy") + type: ClusterIP + # -- NodePort port number for Longhorn UI. When unspecified, Longhorn selects a free port between 30000 and 32767. + nodePort: null + manager: + # -- Service type for Longhorn Manager. + type: ClusterIP + # -- NodePort port number for Longhorn Manager. When unspecified, Longhorn selects a free port between 30000 and 32767. + nodePort: "" + +persistence: + # -- Setting that allows you to specify the default Longhorn StorageClass. + defaultClass: true + # -- Filesystem type of the default Longhorn StorageClass. + defaultFsType: ext4 + # -- mkfs parameters of the default Longhorn StorageClass. + defaultMkfsParams: "" + # -- Replica count of the default Longhorn StorageClass. + defaultClassReplicaCount: 3 + # -- Data locality of the default Longhorn StorageClass. (Options: "disabled", "best-effort") + defaultDataLocality: disabled + # -- Reclaim policy that provides instructions for handling of a volume after its claim is released. (Options: "Retain", "Delete") + reclaimPolicy: Delete + # -- Setting that allows you to enable live migration of a Longhorn volume from one node to another. + migratable: false + # -- Set NFS mount options for Longhorn StorageClass for RWX volumes + nfsOptions: "" + recurringJobSelector: + # -- Setting that allows you to enable the recurring job selector for a Longhorn StorageClass. + enable: false + # -- Recurring job selector for a Longhorn StorageClass. Ensure that quotes are used correctly when specifying job parameters. (Example: `[{"name":"backup", "isGroup":true}]`) + jobList: [] + backingImage: + # -- Setting that allows you to use a backing image in a Longhorn StorageClass. + enable: false + # -- Backing image to be used for creating and restoring volumes in a Longhorn StorageClass. When no backing images are available, specify the data source type and parameters that Longhorn can use to create a backing image. + name: ~ + # -- Data source type of a backing image used in a Longhorn StorageClass. + # If the backing image exists in the cluster, Longhorn uses this setting to verify the image. + # If the backing image does not exist, Longhorn creates one using the specified data source type. + dataSourceType: ~ + # -- Data source parameters of a backing image used in a Longhorn StorageClass. + # You can specify a JSON string of a map. (Example: `'{\"url\":\"https://backing-image-example.s3-region.amazonaws.com/test-backing-image\"}'`) + dataSourceParameters: ~ + # -- Expected SHA-512 checksum of a backing image used in a Longhorn StorageClass. + expectedChecksum: ~ + defaultNodeSelector: + # -- Setting that allows you to enable the node selector for the default Longhorn StorageClass. + enable: false + # -- Node selector for the default Longhorn StorageClass. Longhorn uses only nodes with the specified tags for storing volume data. (Examples: "storage,fast") + selector: "" + # -- Setting that allows you to enable automatic snapshot removal during filesystem trim for a Longhorn StorageClass. (Options: "ignored", "enabled", "disabled") + removeSnapshotsDuringFilesystemTrim: ignored + +preUpgradeChecker: + # -- Setting that allows Longhorn to perform pre-upgrade checks. Disable this setting when installing Longhorn using Argo CD or other GitOps solutions. + jobEnabled: true + # -- Setting that allows Longhorn to perform upgrade version checks after starting the Longhorn Manager DaemonSet Pods. Disabling this setting also disables `preUpgradeChecker.jobEnabled`. Longhorn recommends keeping this setting enabled. + upgradeVersionCheck: true + +csi: + # -- kubelet root directory. When unspecified, Longhorn uses the default value. + kubeletRootDir: ~ + # -- Replica count of the CSI Attacher. When unspecified, Longhorn uses the default value ("3"). + attacherReplicaCount: ~ + # -- Replica count of the CSI Provisioner. When unspecified, Longhorn uses the default value ("3"). + provisionerReplicaCount: ~ + # -- Replica count of the CSI Resizer. When unspecified, Longhorn uses the default value ("3"). + resizerReplicaCount: ~ + # -- Replica count of the CSI Snapshotter. When unspecified, Longhorn uses the default value ("3"). + snapshotterReplicaCount: ~ + +defaultSettings: + # -- Endpoint used to access the backupstore. (Options: "NFS", "CIFS", "AWS", "GCP", "AZURE") + backupTarget: ~ + # -- Name of the Kubernetes secret associated with the backup target. + backupTargetCredentialSecret: ~ + # -- Setting that allows Longhorn to automatically attach a volume and create snapshots or backups when recurring jobs are run. + allowRecurringJobWhileVolumeDetached: ~ + # -- Setting that allows Longhorn to automatically create a default disk only on nodes with the label "node.longhorn.io/create-default-disk=true" (if no other disks exist). When this setting is disabled, Longhorn creates a default disk on each node that is added to the cluster. + createDefaultDiskLabeledNodes: ~ + # -- Default path for storing data on a host. The default value is "/var/lib/longhorn/". + defaultDataPath: ~ + # -- Default data locality. A Longhorn volume has data locality if a local replica of the volume exists on the same node as the pod that is using the volume. + defaultDataLocality: ~ + # -- Setting that allows scheduling on nodes with healthy replicas of the same volume. This setting is disabled by default. + replicaSoftAntiAffinity: ~ + # -- Setting that automatically rebalances replicas when an available node is discovered. + replicaAutoBalance: ~ + # -- Percentage of storage that can be allocated relative to hard drive capacity. The default value is "100". + storageOverProvisioningPercentage: ~ + # -- Percentage of minimum available disk capacity. When the minimum available capacity exceeds the total available capacity, the disk becomes unschedulable until more space is made available for use. The default value is "25". + storageMinimalAvailablePercentage: ~ + # -- Percentage of disk space that is not allocated to the default disk on each new Longhorn node. + storageReservedPercentageForDefaultDisk: ~ + # -- Upgrade Checker that periodically checks for new Longhorn versions. When a new version is available, a notification appears on the Longhorn UI. This setting is enabled by default + upgradeChecker: ~ + # -- Default number of replicas for volumes created using the Longhorn UI. For Kubernetes configuration, modify the `numberOfReplicas` field in the StorageClass. The default value is "3". + defaultReplicaCount: ~ + # -- Default Longhorn StorageClass. "storageClassName" is assigned to PVs and PVCs that are created for an existing Longhorn volume. "storageClassName" can also be used as a label, so it is possible to use a Longhorn StorageClass to bind a workload to an existing PV without creating a Kubernetes StorageClass object. The default value is "longhorn-static". + defaultLonghornStaticStorageClass: ~ + # -- Number of seconds that Longhorn waits before checking the backupstore for new backups. The default value is "300". When the value is "0", polling is disabled. + backupstorePollInterval: ~ + # -- Number of minutes that Longhorn keeps a failed backup resource. When the value is "0", automatic deletion is disabled. + failedBackupTTL: ~ + # -- Setting that restores recurring jobs from a backup volume on a backup target and creates recurring jobs if none exist during backup restoration. + restoreVolumeRecurringJobs: ~ + # -- Maximum number of successful recurring backup and snapshot jobs to be retained. When the value is "0", a history of successful recurring jobs is not retained. + recurringSuccessfulJobsHistoryLimit: ~ + # -- Maximum number of failed recurring backup and snapshot jobs to be retained. When the value is "0", a history of failed recurring jobs is not retained. + recurringFailedJobsHistoryLimit: ~ + # -- Maximum number of snapshots or backups to be retained. + recurringJobMaxRetention: ~ + # -- Maximum number of failed support bundles that can exist in the cluster. When the value is "0", Longhorn automatically purges all failed support bundles. + supportBundleFailedHistoryLimit: ~ + # -- Taint or toleration for system-managed Longhorn components. + taintToleration: ~ + # -- Node selector for system-managed Longhorn components. + systemManagedComponentsNodeSelector: ~ + # -- PriorityClass for system-managed Longhorn components. + # This setting can help prevent Longhorn components from being evicted under Node Pressure. + # Notice that this will be applied to Longhorn user-deployed components by default if there are no priority class values set yet, such as `longhornManager.priorityClass`. + priorityClass: &defaultPriorityClassNameRef "longhorn-critical" + # -- Setting that allows Longhorn to automatically salvage volumes when all replicas become faulty (for example, when the network connection is interrupted). Longhorn determines which replicas are usable and then uses these replicas for the volume. This setting is enabled by default. + autoSalvage: ~ + # -- Setting that allows Longhorn to automatically delete a workload pod that is managed by a controller (for example, daemonset) whenever a Longhorn volume is detached unexpectedly (for example, during Kubernetes upgrades). After deletion, the controller restarts the pod and then Kubernetes handles volume reattachment and remounting. + autoDeletePodWhenVolumeDetachedUnexpectedly: ~ + # -- Setting that prevents Longhorn Manager from scheduling replicas on a cordoned Kubernetes node. This setting is enabled by default. + disableSchedulingOnCordonedNode: ~ + # -- Setting that allows Longhorn to schedule new replicas of a volume to nodes in the same zone as existing healthy replicas. Nodes that do not belong to any zone are treated as existing in the zone that contains healthy replicas. When identifying zones, Longhorn relies on the label "topology.kubernetes.io/zone=" in the Kubernetes node object. + replicaZoneSoftAntiAffinity: ~ + # -- Setting that allows scheduling on disks with existing healthy replicas of the same volume. This setting is enabled by default. + replicaDiskSoftAntiAffinity: ~ + # -- Policy that defines the action Longhorn takes when a volume is stuck with a StatefulSet or Deployment pod on a node that failed. + nodeDownPodDeletionPolicy: ~ + # -- Policy that defines the action Longhorn takes when a node with the last healthy replica of a volume is drained. + nodeDrainPolicy: ~ + # -- Setting that allows automatic detaching of manually-attached volumes when a node is cordoned. + detachManuallyAttachedVolumesWhenCordoned: ~ + # -- Number of seconds that Longhorn waits before reusing existing data on a failed replica instead of creating a new replica of a degraded volume. + replicaReplenishmentWaitInterval: ~ + # -- Maximum number of replicas that can be concurrently rebuilt on each node. + concurrentReplicaRebuildPerNodeLimit: ~ + # -- Maximum number of volumes that can be concurrently restored on each node using a backup. When the value is "0", restoration of volumes using a backup is disabled. + concurrentVolumeBackupRestorePerNodeLimit: ~ + # -- Setting that disables the revision counter and thereby prevents Longhorn from tracking all write operations to a volume. When salvaging a volume, Longhorn uses properties of the "volume-head-xxx.img" file (the last file size and the last time the file was modified) to select the replica to be used for volume recovery. This setting applies only to volumes created using the Longhorn UI. + disableRevisionCounter: ~ + # -- Image pull policy for system-managed pods, such as Instance Manager, engine images, and CSI Driver. Changes to the image pull policy are applied only after the system-managed pods restart. + systemManagedPodsImagePullPolicy: ~ + # -- Setting that allows you to create and attach a volume without having all replicas scheduled at the time of creation. + allowVolumeCreationWithDegradedAvailability: ~ + # -- Setting that allows Longhorn to automatically clean up the system-generated snapshot after replica rebuilding is completed. + autoCleanupSystemGeneratedSnapshot: ~ + # -- Setting that allows Longhorn to automatically clean up the snapshot generated by a recurring backup job. + autoCleanupRecurringJobBackupSnapshot: ~ + # -- Maximum number of engines that are allowed to concurrently upgrade on each node after Longhorn Manager is upgraded. When the value is "0", Longhorn does not automatically upgrade volume engines to the new default engine image version. + concurrentAutomaticEngineUpgradePerNodeLimit: ~ + # -- Number of minutes that Longhorn waits before cleaning up the backing image file when no replicas in the disk are using it. + backingImageCleanupWaitInterval: ~ + # -- Number of seconds that Longhorn waits before downloading a backing image file again when the status of all image disk files changes to "failed" or "unknown". + backingImageRecoveryWaitInterval: ~ + # -- Percentage of the total allocatable CPU resources on each node to be reserved for each instance manager pod when the V1 Data Engine is enabled. The default value is "12". + guaranteedInstanceManagerCPU: ~ + # -- Setting that notifies Longhorn that the cluster is using the Kubernetes Cluster Autoscaler. + kubernetesClusterAutoscalerEnabled: ~ + # -- Setting that allows Longhorn to automatically delete an orphaned resource and the corresponding data (for example, stale replicas). Orphaned resources on failed or unknown nodes are not automatically cleaned up. + orphanAutoDeletion: ~ + # -- Storage network for in-cluster traffic. When unspecified, Longhorn uses the Kubernetes cluster network. + storageNetwork: ~ + # -- Flag that prevents accidental uninstallation of Longhorn. + deletingConfirmationFlag: ~ + # -- Timeout between the Longhorn Engine and replicas. Specify a value between "8" and "30" seconds. The default value is "8". + engineReplicaTimeout: ~ + # -- Setting that allows you to enable and disable snapshot hashing and data integrity checks. + snapshotDataIntegrity: ~ + # -- Setting that allows disabling of snapshot hashing after snapshot creation to minimize impact on system performance. + snapshotDataIntegrityImmediateCheckAfterSnapshotCreation: ~ + # -- Setting that defines when Longhorn checks the integrity of data in snapshot disk files. You must use the Unix cron expression format. + snapshotDataIntegrityCronjob: ~ + # -- Setting that allows Longhorn to automatically mark the latest snapshot and its parent files as removed during a filesystem trim. Longhorn does not remove snapshots containing multiple child files. + removeSnapshotsDuringFilesystemTrim: ~ + # -- Setting that allows fast rebuilding of replicas using the checksum of snapshot disk files. Before enabling this setting, you must set the snapshot-data-integrity value to "enable" or "fast-check". + fastReplicaRebuildEnabled: ~ + # -- Number of seconds that an HTTP client waits for a response from a File Sync server before considering the connection to have failed. + replicaFileSyncHttpClientTimeout: ~ + # -- Log levels that indicate the type and severity of logs in Longhorn Manager. The default value is "Info". (Options: "Panic", "Fatal", "Error", "Warn", "Info", "Debug", "Trace") + logLevel: ~ + # -- Setting that allows you to specify a backup compression method. + backupCompressionMethod: ~ + # -- Maximum number of worker threads that can concurrently run for each backup. + backupConcurrentLimit: ~ + # -- Maximum number of worker threads that can concurrently run for each restore operation. + restoreConcurrentLimit: ~ + # -- Setting that allows you to enable the V1 Data Engine. + v1DataEngine: ~ + # -- Setting that allows you to enable the V2 Data Engine, which is based on the Storage Performance Development Kit (SPDK). The V2 Data Engine is a preview feature and should not be used in production environments. + v2DataEngine: ~ + # -- Setting that allows you to configure maximum huge page size (in MiB) for the V2 Data Engine. + v2DataEngineHugepageLimit: ~ + # -- Setting that allows rebuilding of offline replicas for volumes using the V2 Data Engine. + offlineReplicaRebuilding: ~ + # -- Number of millicpus on each node to be reserved for each Instance Manager pod when the V2 Data Engine is enabled. The default value is "1250". + v2DataEngineGuaranteedInstanceManagerCPU: ~ + # -- Setting that allows scheduling of empty node selector volumes to any node. + allowEmptyNodeSelectorVolume: ~ + # -- Setting that allows scheduling of empty disk selector volumes to any disk. + allowEmptyDiskSelectorVolume: ~ + # -- Setting that allows Longhorn to periodically collect anonymous usage data for product improvement purposes. Longhorn sends collected data to the [Upgrade Responder](https://github.com/longhorn/upgrade-responder) server, which is the data source of the Longhorn Public Metrics Dashboard (https://metrics.longhorn.io). The Upgrade Responder server does not store data that can be used to identify clients, including IP addresses. + allowCollectingLonghornUsageMetrics: ~ + # -- Setting that temporarily prevents all attempts to purge volume snapshots. + disableSnapshotPurge: ~ + # -- Maximum snapshot count for a volume. The value should be between 2 to 250 + snapshotMaxCount: ~ + +privateRegistry: + # -- Setting that allows you to create a private registry secret. + createSecret: ~ + # -- URL of a private registry. When unspecified, Longhorn uses the default system registry. + registryUrl: ~ + # -- User account used for authenticating with a private registry. + registryUser: ~ + # -- Password for authenticating with a private registry. + registryPasswd: ~ + # -- Kubernetes secret that allows you to pull images from a private registry. This setting applies only when creation of private registry secrets is enabled. You must include the private registry name in the secret name. + registrySecret: ~ + +longhornManager: + log: + # -- Format of Longhorn Manager logs. (Options: "plain", "json") + format: plain + # -- PriorityClass for Longhorn Manager. + priorityClass: *defaultPriorityClassNameRef + # -- Toleration for Longhorn Manager on nodes allowed to run Longhorn Manager. + tolerations: [] + ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + # -- Node selector for Longhorn Manager. Specify the nodes allowed to run Longhorn Manager. + nodeSelector: {} + ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + # -- Annotation for the Longhorn Manager service. + serviceAnnotations: {} + ## If you want to set annotations for the Longhorn Manager service, delete the `{}` in the line above + ## and uncomment this example block + # annotation-key1: "annotation-value1" + # annotation-key2: "annotation-value2" + +longhornDriver: + # -- PriorityClass for Longhorn Driver. + priorityClass: *defaultPriorityClassNameRef + # -- Toleration for Longhorn Driver on nodes allowed to run Longhorn components. + tolerations: [] + ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + # -- Node selector for Longhorn Driver. Specify the nodes allowed to run Longhorn Driver. + nodeSelector: {} + ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + +longhornUI: + # -- Replica count for Longhorn UI. + replicas: 2 + # -- PriorityClass for Longhorn UI. + priorityClass: *defaultPriorityClassNameRef + # -- Toleration for Longhorn UI on nodes allowed to run Longhorn components. + tolerations: [] + ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above + ## and uncomment this example block + # - key: "key" + # operator: "Equal" + # value: "value" + # effect: "NoSchedule" + # -- Node selector for Longhorn UI. Specify the nodes allowed to run Longhorn UI. + nodeSelector: {} + ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above + ## and uncomment this example block + # label-key1: "label-value1" + # label-key2: "label-value2" + +ingress: + # -- Setting that allows Longhorn to generate ingress records for the Longhorn UI service. + enabled: false + + # -- IngressClass resource that contains ingress configuration, including the name of the Ingress controller. + # ingressClassName can replace the kubernetes.io/ingress.class annotation used in earlier Kubernetes releases. + ingressClassName: ~ + + # -- Hostname of the Layer 7 load balancer. + host: sslip.io + + # -- Setting that allows you to enable TLS on ingress records. + tls: false + + # -- Setting that allows you to enable secure connections to the Longhorn UI service via port 443. + secureBackends: false + + # -- TLS secret that contains the private key and certificate to be used for TLS. This setting applies only when TLS is enabled on ingress records. + tlsSecret: longhorn.local-tls + + # -- Default ingress path. You can access the Longhorn UI by following the full ingress path {{host}}+{{path}}. + path: / + + ## If you're using kube-lego, you will want to add: + ## kubernetes.io/tls-acme: true + ## + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md + ## + ## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set + # -- Ingress annotations in the form of key-value pairs. + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: true + + # -- Secret that contains a TLS private key and certificate. Use secrets if you want to use your own certificates to secure ingresses. + secrets: + ## If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using kube-lego, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + # - name: longhorn.local-tls + # key: + # certificate: + +# -- Setting that allows you to enable pod security policies (PSPs) that allow privileged Longhorn pods to start. This setting applies only to clusters running Kubernetes 1.25 and earlier, and with the built-in Pod Security admission controller enabled. +enablePSP: false + +# -- Specify override namespace, specifically this is useful for using longhorn as sub-chart and its release namespace is not the `longhorn-system`. +namespaceOverride: "" + +# -- Annotation for the Longhorn Manager DaemonSet pods. This setting is optional. +annotations: {} + +serviceAccount: + # -- Annotations to add to the service account + annotations: {} + +metrics: + serviceMonitor: + # -- Setting that allows the creation of a Prometheus ServiceMonitor resource for Longhorn Manager components. + enabled: false + +## openshift settings +openshift: + # -- Setting that allows Longhorn to integrate with OpenShift. + enabled: false + ui: + # -- Route for connections between Longhorn and the OpenShift web console. + route: "longhorn-ui" + # -- Port for accessing the OpenShift web console. + port: 443 + # -- Port for proxy that provides access to the OpenShift web console. + proxy: 8443 + +# -- Setting that allows Longhorn to generate code coverage profiles. +enableGoCoverDir: false diff --git a/index.yaml b/index.yaml index 3e319f99f6..c2423e3d6f 100755 --- a/index.yaml +++ b/index.yaml @@ -3227,6 +3227,50 @@ entries: urls: - assets/longhorn/longhorn-103.0.0+up1.3.3.tgz version: 103.0.0+up1.3.3 + - annotations: + catalog.cattle.io/auto-install: longhorn-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Longhorn + catalog.cattle.io/kube-version: '>= 1.21.0-0' + catalog.cattle.io/namespace: longhorn-system + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: longhorn.io/v1beta1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: longhorn + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 1.6.1 + apiVersion: v1 + appVersion: v1.6.1 + created: "2024-04-17T17:57:18.149651-03:00" + description: Longhorn is a distributed block storage system for Kubernetes. + digest: ae815601b510c7e72c56e0f04d90fea21a8b734187d477249a29108a9863d7a7 + home: https://github.com/longhorn/longhorn + icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/longhorn/icon/color/longhorn-icon-color.png + keywords: + - longhorn + - storage + - distributed + - block + - device + - iscsi + - nfs + kubeVersion: '>=1.21.0-0' + maintainers: + - email: maintainers@longhorn.io + name: Longhorn maintainers + name: longhorn + sources: + - https://github.com/longhorn/longhorn + - https://github.com/longhorn/longhorn-engine + - https://github.com/longhorn/longhorn-instance-manager + - https://github.com/longhorn/longhorn-share-manager + - https://github.com/longhorn/longhorn-manager + - https://github.com/longhorn/longhorn-ui + - https://github.com/longhorn/longhorn-tests + - https://github.com/longhorn/backing-image-manager + urls: + - assets/longhorn/longhorn-102.4.0+up1.6.1.tgz + version: 102.4.0+up1.6.1 - annotations: catalog.cattle.io/auto-install: longhorn-crd=match catalog.cattle.io/certified: rancher @@ -4832,6 +4876,21 @@ entries: urls: - assets/longhorn-crd/longhorn-crd-103.0.0+up1.3.3.tgz version: 103.0.0+up1.3.3 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: longhorn-system + catalog.cattle.io/release-name: longhorn-crd + apiVersion: v1 + appVersion: v1.6.1 + created: "2024-04-17T17:59:07.371996-03:00" + description: Installs the CRDs for longhorn. + digest: 6356a0c0c97c750904adcd08c2bf95769c3cfee2511d88f8495d21f7cf40f3f1 + name: longhorn-crd + type: application + urls: + - assets/longhorn-crd/longhorn-crd-102.4.0+up1.6.1.tgz + version: 102.4.0+up1.6.1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index 8b13789179..c2c7c38fbb 100644 --- a/release.yaml +++ b/release.yaml @@ -1 +1,6 @@ - +neuvector: + - 103.0.3+up2.7.6 +neuvector-crd: + - 103.0.3+up2.7.6 +longhorn: + - 102.4.0+up1.6.1 From 0a2147eb07252494a960aec5033aa0836dd0d9f7 Mon Sep 17 00:00:00 2001 From: Lucas Machado Date: Wed, 17 Apr 2024 18:28:21 -0300 Subject: [PATCH 3/4] [dev-v2.8] Forward ports neuvector 102.0.9+up2.7.6 (#3797) --- .../neuvector-crd-102.0.9+up2.7.6.tgz | Bin 0 -> 3444 bytes .../neuvector/neuvector-102.0.9+up2.7.6.tgz | Bin 0 -> 23522 bytes .../neuvector-crd/102.0.9+up2.7.6/Chart.yaml | 16 + .../neuvector-crd/102.0.9+up2.7.6/README.md | 14 + .../102.0.9+up2.7.6/templates/_helpers.tpl | 32 + .../102.0.9+up2.7.6/templates/crd.yaml | 975 ++++++++++++++++++ .../neuvector-crd/102.0.9+up2.7.6/values.yaml | 9 + charts/neuvector/102.0.9+up2.7.6/.helmignore | 21 + charts/neuvector/102.0.9+up2.7.6/Chart.yaml | 27 + charts/neuvector/102.0.9+up2.7.6/README.md | 285 +++++ .../neuvector/102.0.9+up2.7.6/app-readme.md | 35 + .../102.0.9+up2.7.6/crds/_helpers.tpl | 32 + .../neuvector/102.0.9+up2.7.6/questions.yaml | 283 +++++ .../102.0.9+up2.7.6/templates/NOTES.txt | 23 + .../102.0.9+up2.7.6/templates/_helpers.tpl | 55 + .../templates/admission-webhook-service.yaml | 18 + .../templates/cert-manager-secret.yaml | 33 + .../templates/clusterrole.yaml | 121 +++ .../templates/clusterrolebinding-least.yaml | 150 +++ .../templates/clusterrolebinding.yaml | 147 +++ .../templates/controller-deployment.yaml | 275 +++++ .../templates/controller-ingress.yaml | 219 ++++ .../templates/controller-route.yaml | 98 ++ .../templates/controller-secret.yaml | 20 + .../templates/controller-service.yaml | 127 +++ .../templates/crd-role-least.yaml | 417 ++++++++ .../102.0.9+up2.7.6/templates/crd-role.yaml | 417 ++++++++ .../templates/enforcer-daemonset.yaml | 180 ++++ .../templates/init-configmap.yaml | 13 + .../templates/init-secret.yaml | 15 + .../templates/manager-deployment.yaml | 122 +++ .../templates/manager-ingress.yaml | 71 ++ .../templates/manager-route.yaml | 33 + .../templates/manager-secret.yaml | 20 + .../templates/manager-service.yaml | 26 + .../102.0.9+up2.7.6/templates/psp.yaml | 160 +++ .../102.0.9+up2.7.6/templates/pvc.yaml | 27 + .../templates/registry-adapter-ingress.yaml | 109 ++ .../templates/registry-adapter-secret.yaml | 15 + .../templates/registry-adapter.yaml | 192 ++++ .../102.0.9+up2.7.6/templates/role-least.yaml | 29 + .../102.0.9+up2.7.6/templates/role.yaml | 24 + .../templates/rolebinding-least.yaml | 169 +++ .../templates/rolebinding.yaml | 88 ++ .../templates/scanner-deployment.yaml | 102 ++ .../templates/serviceaccount-least.yaml | 72 ++ .../templates/serviceaccount.yaml | 13 + .../templates/updater-cronjob.yaml | 79 ++ .../templates/validate-psp-install.yaml | 7 + charts/neuvector/102.0.9+up2.7.6/values.yaml | 536 ++++++++++ index.yaml | 51 + release.yaml | 4 +- 52 files changed, 6004 insertions(+), 2 deletions(-) create mode 100644 assets/neuvector-crd/neuvector-crd-102.0.9+up2.7.6.tgz create mode 100644 assets/neuvector/neuvector-102.0.9+up2.7.6.tgz create mode 100644 charts/neuvector-crd/102.0.9+up2.7.6/Chart.yaml create mode 100644 charts/neuvector-crd/102.0.9+up2.7.6/README.md create mode 100644 charts/neuvector-crd/102.0.9+up2.7.6/templates/_helpers.tpl create mode 100644 charts/neuvector-crd/102.0.9+up2.7.6/templates/crd.yaml create mode 100644 charts/neuvector-crd/102.0.9+up2.7.6/values.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/.helmignore create mode 100644 charts/neuvector/102.0.9+up2.7.6/Chart.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/README.md create mode 100644 charts/neuvector/102.0.9+up2.7.6/app-readme.md create mode 100644 charts/neuvector/102.0.9+up2.7.6/crds/_helpers.tpl create mode 100644 charts/neuvector/102.0.9+up2.7.6/questions.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/NOTES.txt create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/_helpers.tpl create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/admission-webhook-service.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/cert-manager-secret.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/clusterrole.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/clusterrolebinding-least.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/clusterrolebinding.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/controller-deployment.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/controller-ingress.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/controller-route.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/controller-secret.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/controller-service.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/crd-role-least.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/crd-role.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/enforcer-daemonset.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/init-configmap.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/init-secret.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/manager-deployment.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/manager-ingress.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/manager-route.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/manager-secret.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/manager-service.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/psp.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/pvc.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/registry-adapter-ingress.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/registry-adapter-secret.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/registry-adapter.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/role-least.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/role.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/rolebinding-least.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/rolebinding.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/scanner-deployment.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/serviceaccount-least.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/serviceaccount.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/updater-cronjob.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/templates/validate-psp-install.yaml create mode 100644 charts/neuvector/102.0.9+up2.7.6/values.yaml diff --git a/assets/neuvector-crd/neuvector-crd-102.0.9+up2.7.6.tgz b/assets/neuvector-crd/neuvector-crd-102.0.9+up2.7.6.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c2018db409f2a6e74d3c6f93e04df02dcd4152ca GIT binary patch literal 3444 zcmV-)4U6(0iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI~~bKJHO_cK4m_T1EVVp4aKEHyWETUSb3PZC9AXPoJij3bwK zs6m1Oz>`(W-@OBX_g5syJDsIC#=eLGmW##W&;9`H5jmDqj1?DQERwyG2@xu~A{l$I zL+bbY{iDM}^S9scum9~I9}ON14v+drgZ|*?aQ{JnaB%$W*#qeBQi&!ir6S@%|JG%# zSMD<*lIL6zMR_iV0YFR?VSF6LL@9<5<$Ey-MN^8&5CqBN35r^_2~85rhtN}^#9l2+ zPBN4QiE#)vFO%Qr^UBMB$3PC=rW(imkh;ku-WQiUAu?afP!Vx9#w){L=p2`VXiduUb#2;_TcDv|M=P8-%4hC~F@CJT=e8p+-T)7eaz5%@KNwNknt^AY9~|`6jYp^Gu71-dM+@ zIe(g>5Hvx!)=@0co&?R@MkPERT^Vbf zp1sz*G#`U3Fn$sRFH@)>j1{5*0-?FAkcdg63N9&Qde$uUoJsU_tCg>`br@H3ts0o7 zb9>G*=Qf@3G%|EDI+F`Ye>4>sKJVVHOM1?2VWmW`tfB17b6rC~zLMcr zvbQG9mb*z$YkFSkflE!RhfD>=bhDb~t@?`PVq}EO*~Esg*I1!td)wy<1j985EEtIq zdf)V*chTFZruRKHdAb8?^8c|&cD4*~`~Tzp&ueUsP3(Po6B7dEh8B=gO${q_+5PZ(BM|>#Mc3;Ex|yb}UFi@x8)a|0kn&f0hyD zd(*+fg>~Z}p(2C%%>D6W@Q&um5Kc;|c=ie>>cur9G{scAaM!6NFXcO$SzU6w~?g*d!<}jA2d6r|Qq9q?gbbA@BG9etA|GBa;9NoeaBnqr=1n5$-nPG$y(1yv|0aS3W^&aNt3dWVgc z+fa2&yx6HYv(dOii2{Eusldc7GSp^i;owCJgHhedW3}d^|6;6KJ5KZ9gO&jZT@Azq z9n+k!iycU7Gqm+c&N16)7? zgiLAk1nKsD8PBQW;v$}qeB9LHA&eN0-(8S6Mk%-T1u10;8`W%mU1$&|>9oa_jW}mW z>Ux;FW6sQ2n`u?wUH_xG$3HXj_{Za)Ci3{FhCKf9_@|RD%}rAX9)A)3M@zmai-f4H zVZ&|x2T_wPU*57O-L6ku6oS{oV|N!A5s8fE4Tfs&0P|zyhFm$J$dZQ45s@@*$on4( z9wvgO^^%>ocbHHSF~%BK>b6e78I7+po@`;CQz~OVZGZ9Y4AK#4bXc*vjOxG`PD3@Fhuoce_cxyM2o8R$tq&0&zjBjFrTt z^V={CzqGi5*hX-FzTpK`2)Z-MpoXU=*r3i7hGjYCpoVD?dQg?);|_e>!Kc~x@cZt5 z-+e2UE%|--8uI(@e&4;5EEjN3+yVHwgBkg_gAFD5xPzPI4}#a|%Q^`5aR&|LyPJG$&Mj+8ZNAx32&G^hxF$%FhL!dzu;<)qOT4R5s%G7#eqFZMyQ(K}jPE<}J^F*;e6-7Y{I2)*!`b+9a_#H{;Fh3s zHu-!C*y&nL*DAF!*0gTOW6ce)CP^|XwOrjx1!tcx@O&|=$%(Cr6NS2%Yapr9N;mMS zi`#?Mdk3pA&r>?y7_2gixw_cyT%r0pe?x8)UTSf8_8W)WEaCySt48KL|0o>iAI_?{ z9D}W7O@^*PP4ZGRZL(F?uqybSozb=&2DQK6auC$AEa|o+X|uZvABZ2;Q4Ek8CC*>NSXk<@Ohffi)EU}{+sbXyd32K?QEeqav4 zE({vlMQ=51yAaf&O*fHru_MLWyG2WfaCU{ZPSBzG+ZsNh(q1a!eBTvpLtEZ;#Y$?2 z=>S7*KCahm%yNN@Hki@L2QDr!su$5R`?_~j!leQnOnOOn(TNj_31%n=>%xBP2;QwD z>Sm6uCUdJGDZg%auiGz4`uQ%^e<7)Jb-tEgvmjru{*5*G8iQYU-}|!LpAoev)k(Fg zAb&=*%IMFC8pxj!)ssIX@@GU&86ImczJtQEf>DykSp8t(^Fo^^bM?=y`Zw_A4UW1m zpxiLR4a|9i#iP!9N1gLa!8Qe+)%MDTz1(@bQx?pXXarZcMv{s&#p!k^V7UU__5xe> zAQeh=k(b%1`FH0XOKf*fOJ&`)6RMiDyC3q-#qC_CCCgFRDqMY*{^iYb4Vqj`9aD{$ zskO!pM^ne;ea*f5nk|3M`Dwkxu0BYRkSnJ%X+JVBQg}w_t@kZ<=(cD^#_sKpyVd8u ze|PfRahy#HxMFFBbqaAg*=6T89aMhnbrq#k8S4u^%O%C;^FJS3q-fhk8K^^C5?)`oFxoJUv-3 z$0UalLV^Y3SLVL{F{%j)xTI=gZ(*NTX!-k3Q4stCV^T^qOu8D4GDnzlfh*OHbwVL{ zQpQTFMkPorh|m+&WMNt=AvQP0ClUOU3scmH#P2SNNHpvyh@uvvfp=iHQR(g|S%>{5(NOIb-~i=3`J=jzREpW@yW-leH}}R463y)MPJpF=HFuA=Ct^ zn0<1??gHzUIiI}@*Kmq57PL_IzWdXP^%~B&La7~Wa`Dekw43tuvn*dl_RYZh$vj!&_sgw{RW2U7N(UtXL#arI|@zzfdhOUY_fh?t2dK WQN&gQ30RR6PQF&AVk^le-8KNQp literal 0 HcmV?d00001 diff --git a/assets/neuvector/neuvector-102.0.9+up2.7.6.tgz b/assets/neuvector/neuvector-102.0.9+up2.7.6.tgz new file mode 100644 index 0000000000000000000000000000000000000000..ad3b8a622a12945b4d4a993e7cae85d8950a5400 GIT binary patch literal 23522 zcmV*VKw7^aiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POu~ciT9&FpTzR{R&*A>Sicw@>s3gb?)PGTva}mLCbbhr&phT z5{QH(v?+oOfO6DHy}$ikm`IQWDQd86Ct~-i$Rx0_u>tG}8yg{tXUOA(cFrb{^7b4~ zgTHL}>2|x_-LTh_y5xE9qjjde*xW1BjS2u#v%Pn zckQp$0TI^1^^!9Fd*Z$2RRQ=8fw+Pxp! z-BuU;4fNUvUGej&v!;N~BIuz$P%m3)H`ttUG<8-ZtPcVl#-E&DBSfc|v(|!Al+3V? zSZh3^7WLX5nRaG9XBADaOjp5v`$Ttjzx`u*PbmrzWJuF9Y0g=e&m%#QAZ8rV7AGWd z7KkJ`wbs4kK%~SSHGcP3PuR>m?Gc_P6I}S zrXvnK5^{(`L;*uyOfjE>D1dxK=(OFK5Ye3p=Mn37IvFZ9uqWV~Z*T@Vq-?)E#(WYF zV}_`Jj6yC+9(Q_wJvctuKRNpUv!C|6-T&|Gr^Ch#n%@%YvwowMG~Sp(tPzs$(G=pK z4_F*Ug!2EBMF9Xs?;-LqXMBPvYUD?Nk(hc&!ZNrj6eV6M7fx#=^zL={+uinGe~2SR z`HimswB;ELV#Mx3095n;gM*XaexCmy9-i#@|2Cc{;3XQtIN(5yzg(8-^lm%>*AvVD zW&nb}pT2(85-SpNj(jk}0TKmXA}@dxff=M24g%R|EZW zib4+9gv5ald_8oWX#9n+{uPCYLXOT5<%(F1hA#LX2H3}ZK0p)`zYh+Mj~WdeazsPb zY1IU{ouCj15#E}@5RMTQ`i>~q6;+3_-BF}K9z{IIC0hn! zqanC9B|)G-JOLLYRe2AjU%)L60uT}|W?O<@!)j0V9spa(0iXYD0Km8)(Ri-#Q=;&a z1OX1m?;;;^g(S7#n6a6{PggM&bEcQRc^ASN#DQqG54sHi@Dz@96^bIlFehTD^+f7S zF{Oke-_k_Vekq*Nxi9{lKsFKJD2f8?LDmNc4FG)1Xe>qSF!slYtG1apL4F({`bLnq z0YF4C5mN0efQ%(CiT?@?QD8_C5&yJ6Clt>5;2-}KG#rg^h`FYiEX?s~=A~!|jS!{C ze;HF8j;|CVI2>P$Lz28c|Af3)>IJ$Q04;Ef@OZ+7wCg5sRXe(kYec7g>k|NhK>rE_ zl787wVo#`E6=5>27q(hv#mh)HKcm|PozF>n$HRMeozp$LhOvfY+rC6>tzn)mt&yI%Tg zU%wJl2}YRBJZs*|U&R$7s=kd-cqO)Y=gPzg=Gst^f&x z`5s^dAb%{lKb_)G@lCO0bz$V|l@_Nf%)u^zUB53y3!hLDk0<)GpqQ!818ZcSSj?#p zzNGH~Xo=_N^ItFCfV1<<>x*A5&Q7n-<=aBB^EWRm3VHBs3$6HwaZQ4=(`_^;*GC!b z!R5vK)9Z8a`}yC?VLJ+G7RVT>DQ2@GM6>kB%wfl5L7%W7)c7obcxr!uo`)EFP5gA} zw!kHV{vQ-`^cse9C7U>*aEv6kROLJvK~M8J_@9`fUvPk~CXk{90?sg70GKFk{5w!uK!h@za7;#a4y z&%xQLtOA2TzVpa5A|VPn1J60T2-A{|o~d zdWc>O%v)_9r!NHW9T1^eJpr#Z9#C*s?1MMSw*z4Uv<~)9j!z6v`=s!?rb3W<0}@~_ z5t{~S=f@}Dm!u!ywd?}82**OMCDr9$DbI5OwtJ%C51zL-3^W>Q6e zN)?B65CMoFpY%bq(*#d|R0%Nyo>WYS2sAq|!p%J}j5(MJ(GEg{e9)xmRxGv_hjfg1 z(~>+1+?-F!JmDCJpV}Iuc2-~xp?8BqzZFr!iARDyXi6c}wCXr%IsSL0fgi>K!zj6Rx$z>p}r5 z7@aV_{725|WFK~{ZpZ3&tZv8Z+^jCc4jdCz7Z2$cW-TIP7+($(t#fN;lX3$zS(hWBpo~c!(7$_M8>>f9%SNiiJ#J zR64dk;SVujxl>PM7}aDZ@#xi=ci-HdeVJprKIZYO_GQnO&-!>Cq4f_<;7pk0o^ zX;7=&oYg57GeoP)X%kG-`_0?y^S<=oGvK2U4v`Ngh$1k7Gn6>-LJt8lL(11nLaQte zwUwyHNPsU|>Z=S@&4H>pOldLTV=Db+^S+c;uU?)Gtgn@0XqCHQEJiflZnW!x>Jct0 zmm6VcvBLN!98!E?wj1@AI0%$i9r{yjyDkTs?6#P@BtcTLVeI(4!`-~E?QUP*_idU` zyvgnPj-?m=s)pl!6Yg%?>)KGHMWYe&cptnW+OKVt4JqD)y4(^IHOGII(_t+T+5^*y z0vMtP!k-_T=Lw{QzI)eG!`l6_SCZLHySs&?Tc}z`&eb6%zS0C(kTfq}n@xu&hQlcC za`x`(`t9ovgVSHnKm2xn`ttnp!`a(cZ!go5dXuCNnooX_PqP}zFK^#o*MySYz(}l7 z!A>VeD`QCRi?+a-F>GZGm+|Y+#4O`R`g>D;t#*{#L&RZjnaYAK(LigcTWF=rq$!Bn zTo+D@#luj}Xc$FI|D_1K$OwA^Uc(y%SWHne5m7i3BQ6%N+G!SZId6nDGA37kjxMmY zQY*`{u-w*FEwiJB$x&ueZ4CZmD{5m+Wh|#!R?`BDX>&UdTeiIJ#%9WvH&8se^8=>y zmV};^u4?Ocf;kE><1HneTNH+4(T`qR{;ydJN|}SEx|X73%Tx}?xWI2n7|hk`4*eD< zEfo4DUoVR$uTI%HkQCX4*hC~5e ztPpN^^PR@wDSO9+36WVEa%6N25tu;gBS~r{xf%^`CKsz#eM;Ayr7qM~7);nzO9R)n zrS8xb^R~rIn2S*$N>qr#AZMhgJvg}LCE4Xe%v3G4~Desv{RW9J6V+d!z9aL7=|_cC7qj5(P?jy)Izb1>G? zVZKsAhf*8&+Zv_;t>eY|;8{pQbT=Ej6G(?C=~5OgZR<<})+TyxM`J0~uWaYT>4Q&( zGOq$|P6@mVHL#vH-W_d|D0I7Eo3AF=rm$n?+$~vpx2$5XEUU1UtgiL;x0X}eHl?_& zs=BSMyxooZ=GgM9R^c9`&&Mg2Tz;QY*;MNLStIaBxhkpAPOaGG88RPBoj@**ERUri zd$c_0$@uQh4AKsb!;b1Q>trXFmM>5Rz;{$nT*_iD7QMFqsC#3pjWWic7nDX5mD~r- zF6e?6;(yI5b+WdqcCV_Ko}^{Yk!-v+(1#laib<;OXJgUJqtQ#^(OnVg?wItA4Z7}g zjX}S2OTjV=S1}b5N|qqW$OQY~ARzh#5~K+DD5A)dHXR%ZdLOk9+TC_T3Le>KRY_=O zV(f*?fn0tu2Z#*3JvrcTNM;B;wNQI1>?sx@50B=uqN&hsD266C79>+k1d=|+B^qxu zZVp(#;m|(q?gLrv=74pQ!=S$PQ$rdO&I3ecmuiAkn6L?+Y8WX{Cxl!_s<81WCbeKt zOyqxbJ?KxdJeP8dh7&?=1PsOZQ=7HnQQ!KUmo53?tDXN#&wnPz^Ez+dUY}pJ`6s@i zGlmP!|L-54gu-+VM>j_tQZ_F6;{m(xezfdv- zB<2kJip^^IvnT&ZPkFz)d<8J;Hzu4%{Z8le=ThLpBo&YaekfpQT_nrC^MI|0KU=;7 zg7cd4$q86d=vTxYEe+>_nT0|S@Cjm4;!a`cvwlMlo90IhG>s#ySwM)*ytb4de+rTI z=IzV#4}-Ut*FSytOqdED55O34&}t=F5`gH{rOG7Gev`cY^H0zs;9rb{g17zD{M;4- zp)KP$|Iz(t+r$h1*)(1)W*vmnuUfZg7~|&#k&8hN4FQC$gbe0rD)C?(@|d-u?~8Fj z@}2(U&!%V@c@vUE@O-E7=zo_`CNpFyg%eJ@h{R{F-d$avUlu#JGL4hi?3%RA_Ate# z|Ks7|K}q*sS-#Q5lj!=q4=y;E!a3mZ1_200=oU`DiXHWg7HVN6xt4YS&G6FqqGyu3dzkGjj=9qxB8z_NZ7(X=|ZO^k|5n^KE z$TcTZ?5q(B{e+#UpBv%-F8Tjqf`SN9*5=VhQb8<`{|EcMlbrlNI_~cB|7_*?{JHZ2 z%<#0YY)Kp-vCMxGCKL1~s1IIrt@OLJIoc}Wlvq>=yAdVd&Jd+S4u27vZs>vI1NjqAuj0`Ne*(=`3QQ~o@mpbd zMiJzK8JRXlaS+VGzhfB4WJCZ)k;J{-_yZ~EvOE`Uh<-3IL>?425F=9reouU9s>dUY z0-s5vOB#mA2Qs$>X5iUS8AdPPT#2%RaS7J_yxq7M0iBjd0ZCY{N`oWcVV>EJ1CR-h z8V7;Kwt~1L9q^gb1dkGWnvV%hO_|aHwTLc+hxy|>*@6B~^~cr1GogiolHs%|u9>$> zBN$N}@)2l$&syKJW)7NacbS=1_B%5Jt)Uf5MyK)-!zzbY&lOclW-+K7Vp*bK6s1inc3qYzllADW=~p}E4EdPT@h9BJ1~C7Rj;-40}p6yA5zizTK=(|V~&zl0o$ zFV9pZ(46&}pm`;~H902WF=0UY}1 zQ=w>fB8l~sCQyly3r@Dc7r@CCr-BK50mI`%6nf6NgGUBJacrCUPh}I(41`K9^Fbr> z!FYF_d_kqTFPYLV38 zC1!my6pXH9jEmftZM9nUkhMa)wv4f_L-P8dcXG7foq#7`AIuS?Omrt6{tJ0J%8t-6 z4Do-mQBQgE5~Fsu^&Kj+P^~qripLkE>#p!$OQrJB!NAk1UTwu9Eqr zwhXk$Q|tSZ1l2135Qjbv$1Rm1b9*W~jRTb_8%Fq7!T7cCkYQ?>D4mwtFl;ED-d8`& z4q3yTGnJB8{5eB(sOyboOlu1Sn5iGPI+uM*2WU2=3bC6NrL#gbd>_*y$FVZ|=!GdG z10FMDQ=CGwj7oA}Z<1J~D>PU-9L08peAUEc$qV(%lE9e~*86&>?k4d9)@Cg92f^SH zY_#*Xdj7~%Y>?w{tlbNlgFb4)Ok-YIq8>-|uFpeWz^jOrW?yC0ANtuw@GSN4U zB-JyQI@ECv=4M*V)GZF`aw56S+RvWp>X(7)TWwn%`-U~bWhV6Yt(*Is(Xy|*DgCui z>3gzu?vYa`9o|juuYGdQFuMIZ=e6wFS2Tgw^bagEDYoqj#Z(P))1EW@mZqJVl%G6z!({S3K=^-lW|E_@)=Y&g1koP4b;r>dw7V z8=5FP&(bCzr~fBCe&(YnAoD2-*Es=J?f=<7>>eKH{Xa+Dlb!!(8;^9UL=+tzbV2_o zeG7~g4o}e-eR?g^^EChOKf0~I{_}_b{oi)(M|v)t!?9VM2I@}*E#PlQ?frJIEA#-X z-t)|1@Zy>EbXFz@(kwhT>g~zvJ5j`{lnV5Tqfq=5rG|(@hm!F!SxA*KB75@l0UoCn z9lOPR;u;n!)wkA3?A+f1A@X-P4L}=wk%<>V4i0my+?5$`s2Xl|Q086>H#?Mdt;lb{im}zXo6pyLf^Oti{mOvv9m* za@mSOO0wGKD_DaQYC`;&FOw*W<^>)BLY-7q$A5GxTqr8y!4L zQfwrrtz%Ap)z@2`A`v^Rf z`7*$F?Q1>y?Vll&*+@att|aAY^SPuqo51~}V-`;<>0O0zk(i}8r#GuEhj!Y;>X;?qjS1o9V>)D>fWg9#k)hq_|R$EBH`aGGRi!{UW(c z*NU*}0x0$f`Zz?44Ja9+EM?HAR2-Q{XD`mbmS?0Ocf9TJY19#|%rhT_Ai^+si2|5v z{72bgMidj@`7ycaHf=}WMXS@~{`cF9Hy=)4zP!v~r0=24WvdOrA_`q$+So_nTj$=kKy>H^55(9vk~!=OVHei{Cx3dyC_sleRY`yW5lJ*+Q?s? zzB&8t{PM%q)m!&qHLcs5Toum;CG{+BludOP(*XSWXLHfosI-lunO9}=$cx{8!2!CO zK#CU8;OzSH)rZ0P<<-U2^@p>!Z+^M>wGJ&xu`aV4Q8+WUy2Dbe#V}?hh^Oea5K$Q} zxD{$mMYDtSR)%C9=cuJ+;jG03yxd2@jNXR9JbQ1}qFLY+Q;zwsZo69y#IMXvMe1SkP*rqmx_0aO&ZDyV5;H`td;FFj%}T`8_1-HYuJ2^p6yo;M zUfFfDxq+)FqbKA&3`#|r<&knTyP6tKW$r+iZD*G+EIhCztqiozYRk`w%z|~8+{U}< zanJT;=@seh%Yvo3g}%VH1NJIiQ5U>zv?qlrZry8=(x~($hwZijewV9!3geb#|qmaLsoj401&e?#Tcvb0=6Tm-V z#&I~7^}(0qmVk6ivgJb#n+0EYUZY!1<4?+DQ7%biSq?m{ke_an!plH1<@12bY>JZ2 z2lsx2!^CJ+YnMW$Q@0LgSHV&?N#t6(x{ADR(Cvn*si_yCi^BEbR+u*hu%fJWYv5ww zbu5}fE161*n_C1H3vm*qn7nEN?$l;8~{FN0j^v zc^u_@hz`f9f~MfShLOufm3MmM5Eq@00FX$?02nxgpGr0;Hz6MYeCwj_8ZE55A=`3m zmo9W|rt92e$Y8$2wo$dg)+#qT7Gb&A(8)JfBRFES>T#i)WoplAeXZ4aF;;8L!806k z7epU38q1kDjQug<&w-RytyZflgloUIp%|`6>St9^TuF(N2(AI~UnYI{S@xlJD3?E6 zGB@}Xho|Y~-R?2UQ*x4S$4y_IKikZolo zuH!D?3U1!pR77rw_${F~I2;!aWn3tXDp|9%*&}Rb_Y#K>%67*L9X1dGyZy^?77wrf zHy2xze_O6hltB3c{v8u;!V(sSeOq@nD+G9;v#1L5Be~qC8VUPe=IUmOwtpSH$yL`a zQ~}U=Wlawj0X3-0f#f`~YJ{0(T?^tg%5$LdW~2D~T3%l?plF0YB_D>+yFuBY4IONh zRViK9Ls@bJMmTF35?U~7!gxAFv=4gS%q_)>gY9<<|IQZvZmDg2sgvVxVBCg&Q@>Q242b*B)Hk^k70C)0_$Vm$>Sea*b5(Af>@Pm5u%qd*m)ug^9M zAeZEuh5BnV&IJ%R$vI0qzbV#PXyAU-D2c`zKAsKhQ9EvSm)vZ}6COEFSW}LStn~Ge7qD8s`rUR3GHxyXc?FmN$$+hq=KbNI613iq#P%zYncRpjT*|K zqG75Ea!ALBD?w2x#tj9n==)kYTji};NT^I0v`pnDMJV*>JmSsg%U4GJ7&V_S(j&9= zgZv5qa{cggE`6o8?W$L*)6MdAuiK2z=dmr{it(zqm}>yo%+k(~*}cL?QcGNBSyy1c z>>{rTs?L(H3#uLisDic{J6MeyBv!(=zz&Sb@~HViZp2n#2qh3U$q@{t?}R1f@L!83 zRKQxADOAB)fh**}t;QB|EWu@XFR=ftM0u;*7z^yb-ckPkr{2kN_jqUjZR1%S|7!`9 zrB4fqdf#~==>KG~%x3xpQ7*oXQFw)d(G?zt$QPAmr4R?;S%8`R>p6IqoP1M9NZ-Q% z`LYh#F694G_}}gQf5%6?JpVsA*`5E`%2SX3mvB_27*?^= ztb+Ie`KdW@r|-PH81%s#5+bd>COcY@+S&Lq&HE5h!ih(MK4@N_4NPh^)&Hi3*5Y2& zl9ieTIK5Ti^lHI*_p%I5>|1cMCj}QD3#@cE3c2Lk#$98!Ea88x;ck1B`?CNjd0*)Q zHKcb>S-BZkXR2lBzWn@H)fIUc6K81$;L_fjuW&Y1j?U-eHL;7T1_b&)!vKb!V5>`c z)?};AR~CS#)*7=wm+DFmpS2E2B+^1*WeJZZ5Xt~q9T)UT9o4_4a5Tc6N<^gaa(-G0 z$5PG7p_95Ru;^^No8r-B7_AqLy%v{tLsir=e?emDUnlA9dh?DD1IGvC%N$@OlzjTt9XbGL|(y|fkR$o?7IJT*>QZE0juF?_4L@;Q8N8cc z>s_Y&Ag0;<-AZ5D|Jv6wFYTWHyt&)Dt+w;Qjf=RjQoGEtN13V=F(wv`I+F2iE}dFy zCY+gDtrVpm0!Ox5Ak!i%E}|^nY11tK$>PmpxryHb0cPrlj{?NeQv7%~)7E9u_d4P3 zk2mML{f)3>KZw5d#Zhxr_(AjtIk5xl)i`eH41)d?GeKyx5_a>c)_h9nrpfjQC)c7b z+>LDCO}MqB`~C8<`xNkno_}33ez$J!blp54etn;dsG1C4*NQ4#O1E(ItuLOMtL7Gt z9-(66!1``W!fQP;jRFiqPj0e+h>{WhW*1A%Rg%&yA=jhe zyH33ChV$;G)yh2hzGv5ca$!f`zY#t>i-QnRHDBkuHB*-rXUO)rxN#Zkcf*i(^J^WR z`~areeX?bD_a8H7{_MEWuPXj?{m4)CEQtR+JSfC}9vvU=^8an+u~ybD26Pt#x{Cqb z#ehDD`L&Ay-DV7^b;yNfN~8^MQGKbzW)~;Aixb_&i9Vj0wu=+JyExIWpKb4ANq4cN zyI9g)Ea@(m^zlx(T`cKc$C7?EdcbaN?cz-zO}yz>v+8!Cgu9s3T}*k1PHc zg(E^eL|Z;YQxdXuFMz9#|Lq-h4~qBy?00wZzuS0Zlx;-O(LopVe*z;YIIoo`o}w}O z^cr$+0-FE#AKlhp|M|oJ{%DV^zTMj_vlek+?<(25Pfv23ihVVJq= zKF7Pf-xo#^t5WCE*z3-$H$)sd)Vr5b{#-4%wlNV`5!uECzd1c_q3&m{c2FVWSDZqQ z#xhraE4hRsKUUeY;0p-tJ1X+||7~)%1~o5glf9v4mc&PW~~R+tZB$Ej7*DQN7FH>YLLv9T)>AXb50y>!LEn%1fub>HoX!+4rUMNjD#G0 z;(hCroE~cId~2E+Mr3(qY%bxNfk|PIy%!CGfJ03V$>Ss842PkdM(zo zYt|Y&ssJc=zfDfzE{x?=G@yD}L*I5yZL2}sKB{bKtyY}I&fRt_V;aQpO$IC z9<}dsmVY@Og2cLTp2q8uvt)#_tp|A6nG#<|augfZ-_{|tm`CC4gO7&s*x5!nYq>tA z4M^Wlk;f34s-gPIuC|9LSNjmDU0Iauc4<7q9^^=0>0V7O#Jx`HmlU;G#{lb?3+8j( zVDV7ZcIp@|Om5Kp7aSB;ry-ZABX5Uabx;=fBtp}*dlI4PJ@*8*9k7@0hzB>`kHYfg zh)!`R?U`RG^w0oNO#Cb4k5}fUaTcqi= z%0;Sc8kp9yvbj|yH!H!gIqQsARuQ%yWh|w*{ z!PWvcr)p%8R`1FkB(<8(`Hpuxq~Frx+W*BN<}HteBRrnM=&tYo>~@cOhxz^A?&0qK z&#gQTWkb7&(g|S6R_7JqXR_pL7*%f5h*`CT?U`lca1^>lmz|RmqHyZM+y4q!X6gD@ zQeq=1;1;d_<6bv^|L?&r|J!z+^7XGLz@o*kcBCHj%5MP*!!ZKi-Jtm%_-+OR(Eq7| zB9aM6kV3z`L2_#Yd;uvBkubi1;qf5~z5MR&!&0|g>tAcMEgwYznNLx8xA9-y{r!Uc zKiNOot^aL2x%HnnW*$?pNHSY1nUR^?+X)s~mM57&0*ayldyw@(Z-sD=Y#-N(_Q--# z&uYOQW@>FV)+1|}TW#2}9?#IfL6g%MHNi7Zt~kZvIH?0;PJTt9%(r-kC|9#n6QdX# zk~F&%OuHZ61bH_so+f-&TlRvSIP`+pN8njRamc}U?Q1=F?VlktaeUc&k~cS>OS-WM z+&?;I@wAd|1s7up*-FNzy3#U(=Zv5!#SV^SV#B#LJo=4Ge=pQ3#;%l4sXUNX0%%-y z*TEqqKDyG3AT4aat->NxdlfY9IFhM89aat-ssUgT4$DLi4I#sx^LzH&{Y4Gcr#X$o zQ}&J_YPVJrpp%q!65j!7#o#5EWLhtF$>6vkbSYb`5V;f)nvLT~k)Lp$-vv+lIv_%= z`0?=YAXg%ygcFYheQl zdVTul^w;yt4_8;O+=w;FXw)n;=Gb5_)h`4FD4ek+!g5v%%*i*riEVDil;6MR4!5i6 z1^e2Y-ULoCuD6rz!g#^{_0rqDdP8ev1#NRfRZ-^tMx&z4iUiLuoH{|6i9o21!7LWr zVhHB)5dh2agqEA&OYHR3X=fvAVntMo;#z&(Z9P7ar^^3_!!bpSt-S}Z!2f@6yq~}S z)@df-lCftZ-_esS( z5N=$AJkaSgCWIMHyj9h_C|9F_R8S>esA?(euILtG0O&*_2JuRW24gv9oJU5YMvzYu z9ivr@Kg+|(2cn6;ujdi!g8@Y&{3-b`gx(Db{eDK4OD92AnCDlKE~HjdHh@YPuz7tl zo(>V!X6+Kr{oShG_^RHmruA1-`J%~dyJgEnzqgz{j{dg({Bvvaze@k3B<7pA1aN`= z*E{a+=i@(4x<@Ze8>B_I|39MUo3ioNM3Q<0N7d{Kd&Rmz%Ogvx!~ z#Z{UVq0poAh&P|tt%Ce9N>h6{l>=QX$UCY^bpQa${;)ayJ$pN<`2VIt02lH9!;?J! zKj|L!cKm-EPyP6xrCo=j-gjOo(>5j3EKO|VAs;$5`>dU+-kKRSj6ULpKAUu#r$3Se|!6fM+N_HZ|DEr%2R{?mvB_29#*l` zyqdU{Z-&jh$LW^=Kyhw|x-0r5K3ZC?%MmY%1qAv(!vKaJq89_FTAM&?zOo88HRH_! zC`BjNPM&yHa7#<6{dUNTKEavj{lF2vl8t4ph&KJ|SnY#+T>L*`8#wf5Jq!5%@zG&E z{{QggXm|c+E02Tii~}-+LED3z2dFJ3Ly{^ppUAb>-alH^!IKv)k&Lp)Z2=5qY6cl- zsG=}x<@b(Qlot-#AMKH8)Hb1uZ5Tuo*uIH}h=zzGxu*z&fZQT~pps&%oYdgyi>LRJ zGt!ah%tYc`62gDM0n*8`lk6=L|0G29oOv+N{uT{DchDXrhMvze{}n9b=08my|?Bn5VB^H8Qa>EltY_Vf>BS&`mIt z2lI`9X@MyY`#>e*n8HteaC~%haHNY}49>FEtc-(c0IDK%9H2gUdMVzXhV!RV2ED>z z{HgqV97O?|qL9NNy#l~lbi`DicK3H-J=9KoZ`_nM?@CaU{Gnw#ExSEIt#0`<-R~>j zq7V_^tWH@2=WkGm8M12Wl<}GC88QS~aR8RNOyGfzgSlQ{xw{19?5pl;dP~5<;P?gC z2w2H8>zW3}*}t6&3havmsymvSW}B5|R($roOCcj>Ru@B=5;-{p!Z-+45h`Aifx1Kq4@y4SwAzlSdf=mTS5nLFcI|6!mL^qRW;_D-h133@ zdE2!Adk4pP|L@_+!7lz|E05zSmvtIU%mnlaGmgWtl#}*`VE)DrT_+zloCmkavpjIh z=PLFl-ao(%JEJ~9&qIv8CO&eW6VB1cDxLFUrw7t})CZ~3l~+%502wC~j**PT)q8N( zn?iKng4)@byzDt2p|v6AunclAJs3eRbC6rNQiX_J$#G=X0Ox|cNMK2r*e@IF?t-V)wdA}>au2y<*U_rHt!vl_*^$!q~t<_ChvbF5LH4g$T zj{iT%*?--W-to@<+s0GV{=5G(0Crq=8H>>|OD(IU^pMHOMo(Rn-wucegJvCY&25}J zC|PU|Al$zMvqup3UmNq?0f0LEf8EWXYX09l?(QGt zxg^rgnyX|_wgIh@OuDT8y11;CRJs(xqf9KFnTx9?m#zt95iZLlm@aXm=hHx!6m#sM zKbW-B8L!FOsizk}D+dT!6+#8qKGdbz@SseITJvAe*d8!y>dydhq{K zSyVS%o0uylFJFLR9m3b5d;Vp48ghME|9`)|cvE^=|GJsTO=G{EUjF>{(qug!T)w@2 z>u#=u3=>F)L~w3(ST)~F#oW?0i#t;#DE@qUb#eCL^xgGuAKqP^U%okgeeS~a7fPo2 zO;EGj^*fsDAldv=kcvxTsvhZDiW#B;Sk0acPOq;1czgNs0rn(JY-|C1wjP&vurLQ{0yu0WY)69d_FPY9p z5!AY8x||6ucjy0V?8J%W0=}}+#sAB9W_d2-?92jovxUyUwgdJ`eevMNyHc3_t6#EE zUrMfj(L&v}HX*#^2N@Dwmf-v|hxKk@5Rlv72;(m?Rhj7q zK|IDuM%(1Ol?XO@m&+KNyti`1rtjolll`_Lk8bw6e`aErGvA$AcI|nYWW>*NU>$aP z>boFVX=c^dpUE-X7%N*1{NtbLL0CIv`;3H)Q;0)eos@-nc1UQ$1lH^Jt8);S=MYvI zgfkg=bNK6AyjFmDzJN0sZ?2GFFp3CC9D|*yIGd-~%2HgGqu9<+Z09FVvJ)4#wQDdO zd!^N6IHd#h5PSp9xx6SRZ=oMW=Yj<4sTtu}^S6-xccoESf$djd|E&puQc`Rs*Y9KA z2Uy_$*~m7)0{_q9;Yl~Y|9iN*|8qM}ng8dRoe?TZzrii?j3MY{QH5bu5XUr{`gMdNz9z)MHlkOCFd0uXiz8 zX>8PbX27ET-~C?x{?C)${hwQU97k&O@PEbmpUec`PTHqcuU%uDLXO6ziD}F@nR12e zLejiZxq}a;rYWF`FPm5@OU1SFNo7H$$8`#)WDMq;%@9@9j5DW^BjMBH#+OT2WKdW> zVNs#xs!4(jpj8tVx$3Wr%jyY>oDd#u!lGn`u9L8+29QlAEJ|ZViY4-2A9{MCgoSP- zJy8X;71I;BIO_TdW(=M+63k?a781-Pv)_5{7u<7VnTi4TiFbqOAeX7%#_#Iv^v#>| z%MUN#p8bA)`QhE=D>s5A1S@NxG;Khs^jeUyq)u7_Ya6VZtJchWu;MA>WHLSE6bF?^ zKDHDGm7RHHDGn<8a^EQqwzVp9sT4MT6n`mXzHXn&V|twapNz9~{UZPi{6G7L$H)2m zANEgn{-3Qp3)T6mBpJrrTJ*IHA;aDS^ieNP{88Sg2OVLvPREuEhkPvEdbmdu*6G!9 z5&n;*SC8PTt*=v4SuFq84*^>s|GP)M{Qd7Iy`$azPg{9D7w>;B>Hww?Ds!EgD|DJG zD-0XhsNE(r_-YIo*ZS8YrsYu*{)-IPW&qXezt=rH%*TJ8>>upz|K7^u@O0|oue<-d z-`mgz@DOruvdw@o)1bAP?AUkKrS@SEOlj?rhe*Q^=6Wz1s_F?)W;Plx$BdhgZdh zDX6vcS_{x(oXU1zLCJn;YCO726-yNNVas6G*jRNnSgTs;;wl**$37~k+L;BFyR!?R zI+1hj(gNpBZ5d-*f4A1)U1PU4TePrS3u^7y)`%r5K=sIU3bR+7D>8M4IP9=V;eE?1 zu-!WdOv|=fG1KIfa%>+}RPms^_O?)^1v)XKvfo}z1JIg*R!bKy8Lk8rX#EcuoL-;( z23o&?=BXWT+y5CsiYWN*nFl%O%pmR1IPB|NE=&|MT%_^H1?S z1y5y)-G0aJq+U547-81YF^8Q*BV(O1jjUs33hX%JES@^1K#_Hpjr4B(9_08HFNs-d zU~hIK`*=onH?DU-uEi+syBOk9ebE)*WQS(FL9=X1m;3h5-1Xz~|IJ{4#aOo@7PWB5 zI1GY2-2d+$o%9O(|J~jF-&=XKo;v2>S%5KP`2X|gpliDd zjk-Dx$Pfl?4{{!$cElpv7O-|7o@JHu)4_#S$XWY0$UrlaD>Pvm1LB*UGHUIrixdRF z5ySy#UQZC4Z2!L4O>bMXN$9sUH z0CGG-AcA~iy@#RScmhH+mfQq9izpi5Psmpe(*Mu%Hh3Ebb3j5_Q=kMQL_vT<)NZt2 zUVXUYgrde1a7Lz65`y<f8Mt_P&Khlp zlr_D~ldk{E^V65F&)ZXf<84&0|C5vBZZ7_>w|{iB+yC3j^8~y>@q6VO{|yCGa3;iB zqalAQ5jP^#DwH@j6L0EM20Xzvv?asZjmDEF;A}z&6YL|cK;w|(DQXNTCRDJSqxON> zzuA-WIA(}~36#7@m@s%Wm+w77De`y`mQ1-ObHQN2kBE1JxMVzSa1jdl?QXUO6YB;r z15&1Q0$|L^6msmrAeaLmanY1&Hs2iNvLS8Km<9u)46`;6S_ea%<8aIX83A>eqmuyg zJ08WPbMqtX42jT)sDdy=9+@KGqlh98a^$zc#i#@a-6&SN3{ zmgDhM!x=z6c?w1t1->MffHFl;e%ni$RsoNx>ZG&k$?rLYH~~YXV)&5{U^oX;LXn;g zGV5KeP60L=f=nY41msp=#N|K)m~m#>RfWat2vRsj98pP6@!6V-a(;@@=M#i!LWG%8 zJsXXIsSLh=mxy^3M^gBRzf{pL;0@u3HCpBYUqGwn_{;oid`z+ud<0*_C@I@ibOeXs zZG^%r@o`Vg1Enc)B2Nf_FW{q0P52RfX?!%EdjZ6?x{`~?zkrWw7PT>vH8~uMO41(> zI2_9bYK>Jg#r4?%0YMseTvjJ&DyqLde{EKV+>#KbLLA5<`3=0ZxhM_-eG0&?AgqOK zM=pOpJp->{h(|~aE2Ic$OHxRDp>=K6F1W|Ar^9c$$ zHcRbG<7334Y^wv}C#fcZ*63wp5sQGbAaYHn1Crf+5^#0U641UGMW#GAoJJ%>A!l-& z)TEN&vRiWk+&hMVd<)V{7KUjiZDdf&UlJ*xoMxESSbqi9X$wH8T&gKS8y~CAlnAKe zb<4~b%&f5z{S~XuK(Je4S#+I^sL3KoCx=RqP_JV>jTGC6S)I00*N-V88`gAx4+HEA zQw~u~WVfy@&N$Owg;t4)pSCE^7UhJ1p{oy``Ebsji^dO*k7R3Ei#Dc#nk$MAo7pPn z4x-@Q|ql!g2rgij2Afl;|dIM5J==;zd6pjm%=DgfC{s+SSVx-ZC(SRLa!=dME*}(byC9tg-Yc5_3?3Y*7+u zq0WhBN7mx8@{43TsMo@qcsfK>&iOyCfY}vRZ&T(2evxuSmSOQQtbK_(*PqJjKqIZP3N72Ns{sx1>1v>K)8)CrkcOfNyO#+Y8t7 z-g+!D;ohsGp@m_weIXca!M7rOACGnYViW4y+LX*~th?Kif>%qhFW}?F=ndfmiWmx) z@7#Z4imJJYD6wfiB4KWmlgMsvY&A;sYtnX8D{|>JSvy%?A3PR)h=|{|6;0PNP1Q^m zGZX~gh)@Yqjg=fK)rO~4(9Pl}KP<&VT6*HNB;?j`-V&I%g23B2aw{$W&5>n8Twwu1 zR&E3rSJ3OwvM_AT(yHtf3~8-u0X-YS{?By3wi|NN(b!4LxI z6P!k(e>epH(8l~6PJ@3wGaB+3^GQ5xdt};isTLCyOgo$+)Y)&Jw2wQ|QNTJLp{QfQ zd!Ffv9VRL;IhSieVsD%%nMhI3lMa0*nYP)Hbje~Yox1tqFV4!fOO>Elo(Fljg2Pm9jNfG=N1P67$$8DSCMJZT^(rU&3hr@g66U%Iqw*U!vM1hfSID+1Y$Ksbby)KiK&IAj|5Yb zRnAV=!8`lPm) zuBouPz0?mQI_mtmkxrYPEoZaNj~i)rvG!6uY3nI8&ZgH^Z|W_lGDW8XCtH)qqaeOX za#yrhm-rh|vT9LbGwN1VC$fr?OBq_L11pf#tytwSD=1L+fu&0s+pxlQ58Ya%yse_3 zZLJ$P98<*HyY8Aj=_0cI6ozKQrp-NDK1)unDoHjXHIR(QCb8}@6S|@)ZF|41D2@8v z;L1UlbU`o|D(2dpJ~CWR7Ko^}$-;5g-vsg1GZ!R`7z zG(20X0Z9y&MP`ef*;t@ur-c4D<9EGIMX?wi1byR~Ftt4CJW6G&x_%E_Sill@mUh^D z0Uw*qrBKVdY8FS`T)(<%Y1W^y%7EIzRC70Vz5#|JNFhhT96Wo4_)|egS$j`t+c6A+ zc?}KAU>iX`Ni`fbG%|Yp%g2sAvoHr!Jf28QLgXRF#Ny^^K|w%~+}4qMBLIgPw{d-B z7AryqMfr0S#L^EtL=!l}L`9~Iarh|#m_1ZCgx(Db{Z>Q?Cmspgk5N(t!STZ7{v!;pl!Ba_h+GPq95y+XsY%5wb2S4S;I(E{keN9t$_0) zGtFJ$PVBToQxC{cE8zC9Ewuu=_iCyYu=zG^wI%r-MS`bAczfJ!H9ltWyc_OS!Kdzo zBRve>^I*BmeesiTn{%j>wNn_md51oCYoDx8!RqOmW);K$^?}~kFiLqwNlQND@MHdv zYkC-15a92puU{EGUm2v?U}`z%)Bs^LOxvaS6t;C*5+fEzRXq2_> z!K7((-nvR2Cug$lqZ3I**TIQ2Q9We_fx4Rm6G_`DH|dqWlsa)CCrGI8 z$?ewKYy1U#yd?5e&pY`&+aG6$djjze1Kd*#mJ4sU>#Y{tZq2G?LfcI>W=FOsu$Dja z(E?~RLLTpfH{?nmT>1F7A^oq9H)!6MHRaj7ocvR6Y|(~_y3)Ws7)r;l?;{_;kudnJ zL!=t{|g(nxqo%TtMUF?2o%`w8hk%#us+v! zBvHsSeJlS)!t+fv7t2rbFH~}TUCIH?@cS&ByJ7dHWhZAg2;3oKPTF6NFI&}CW6SBV z&)SRydf25#xtH`??s5k5pba1)5Sl+w$7gJNPZ|Wy$svHFa3=A3EBU9B;j45*X&#+a z5G z$A`-N4#=43W8P5!=YpX#0Kq}G3qFA#yCA}!P{088UN)(LjL9L+v`nZ zo4{NP+a!656$2m)Z8O0$hhjz&s!aL!dwRVQDInBZ(xd3M1?jFy@{Bi@_^7DIGw`(kZ=$D zO2{}s*&Y`|0`SP)b<8r&?`dxtOG3}>Bxae2fu{^y3|tJY-Y#z*oBPsq4AyJ!4J$yB zzj-8NBtUlG3LJ9jZQnA;dGc>$pSQfpH8yv17_PpDyAnY*w?Dgb^Y^&-x+>1wKDM+O z{Hu>S8P@Y|{nJgZ1|3J6N?I&C(d2^aIL=f8wd@pAqH5RPe7WQOmOMi1?_T5~-ow^K z9)&Gz4}i0nQWSETdpMY<*^NJTJ{A%BhV~8eU9Yj5msp+~+re|r@^%rqhq1wxNPwl? zSB7#Aza|+@5x_{Uebn6gjWJwWy5n;G+v{Uns=05$wI^FLMmW$ zmsxCVWR^^0ldZa99-GXhTgKaOYS~$AEMR%_y+G8j&yLS`-)YNN(_w=~eIA>|+CwR7 z_m&{b>cRxlArT8!DJKG(-{h+lZ7tq_DFgl?F#00V`lslG{8b>1hMbk+dDyz}QwD~R zVGqDe4y80Lbq@Bnd=tesH|U=z0)L1;3I~>V?Wb@zxm9092?`J1U*X34arrFlK2-ZH z3Y>NA+$<$cJ3JVbZI@A=sTuPl3&ex|n3Ev3S^6M%WVmoYzRiPUrj-#7s{Y$LYH4$#h2`#X zE+LWe2U;olEz0Cl@^g|p(@a#mm9M`9bSC?{1GwAEs7sX~?7ng;JEqnZQ$+wt_V%RC z795NQ1$TmM3;R3vEhcy@?_0F0uI^h*7MO|O72T&K{1+K!$Y8#U>Rr$UFU0=}P&Oig z46qd?kiPia&2eT3=(g9B}h$`y#Fgd=@}Wpe4{2%KGX&R$B@V60C?g)*sz2SYXP%v_4iCulB1QKOhm zly^%3POqGC4axG>gX!YE8x8rc*k*%4vf5fOHP^Ei43v%V>SSEjL3I)>~1S&l8Av_ z!lHgQLAFgn&$_2LZL)%(?Z!usVzL@7DQ=O4WYi7V-In#rdMrQI>nz1Y{%1i4t&z#~ zFBwu{L*JnN8l4fqax3LxBw?&MgrY|`2W+Jww6CHr>uRziFRvK2@2+0l=?wg0?=#Rg zKnBGJ*aS}(^c(t9%orx&EgDV;xk-X0k`F+CNv{8}BNxQf^i5TZY+A~C)Vkg`^b=PI z6&g(-aY;3sj9rpKH3*4Hm8dj~Kt|A;q?cyvF%xU>W2+_k44VHWRhED3B|rc95kNYQ zrQ*a1_$ZZXy(#mt4Spfis8D;2#>bBz^?qFAJ7AXt(|OC>DBWraLCzxRA&{t1pq*E# zfWj$vsOl#&8i{5ajnhDi9gb%xnC}6oGX+S$%>?pfUrt#aI#;B*j0g_NEOURjK7DE~ z3Iewi93Zj|EJn6jG`7r(4V6A)Zb_u-EOyge0V7T?RLBQ ze~%A)Cx7W39(Rv>-QMxx{$IMigX8^!zku#Wu_$?B#v%PnckQ!@3r=8U7Mj2F^P3tl;kgAh?T#DN4Plu;QCMy5k)BI_%?klN6c0_qi< zBMMHec1D<@TNngw(=otM$gqrX^C5={iq(a*YSIT2+SazaZ;W5Tckp<^gSi4_E_V|> zutMl$G!aLkFEJj*IN&WDrfrN6Su6^{0%$GlSmOsd1#>ejgMWzlEulAiW?reQ z?Ci-kB_ZZSUKA%jrE{(EgFHfuLq8V1eah5)3QDJvicFCi43h{qJ`sW)_{g5X`Z{^J zeL5DshPu5|e+EMj`37y%V>5OF$(OGNDY(5viI^hkl}j8iGW|`c8yyD3yGeQorHbUi zNKT8!4|0u5+Lg=%nL+vD3Jg)`O{S3Eutww5_pyKt1Mr4$#QKdNz<{C|CNay5=ZKQ2 znfz&lrhH3c3I>pJ>5Y}L)%J91No{g0rz`9?A!B9ny>vfX&x2qteN!`~%Mt3UOQCgM z5$$9O(QUd+eX~G}biYCfI9xya+Q;Ny%vg+A=iub<@T4tgV&06AYeoN-3aLDK9dn|` zPvMyMOKP4#uuf^p zrkB5;?<=Ntz$~*=$LkrMshKUn&se zGDbWsnS@dY!nvG2scBXm6C8pOoC!k8D@fHfuzDXzg6~)LwB5+!JOXnPCsdmYj%l*t zx@M>Gu1jR(6{lAN24)xns4X`Q>LYk2WV4{8Xu!nk053o=1aXvh@wu2kSZC)CqbtHAtg5`l=q4vNiMxdlw|J}tY4CL6jQl^B@7Z7U$$yOFgPjuo@sQ%7?hN~Yi51Q802b{HoYhzW=WoPB^up2yerY&I?n-{kT~$u%XJ3}MnY;+MC!I2 z;vh3LNoK!v%#*=M3~i}g%c+!D1oFOMXD^jv7Dd54Ti}Yr(1+A#?RzxD@9D8F;HN(8 ze3+mhLX@?66l|=G1@`}b_uwFB{~sP5^mg|DHlEL)J1@WtPy14=3Zse7BlMHdxuG{f zeek05=bsHxs&W1)g4%|)Z(P<~N0(~>wTlg!$;@ht(oN7xzf1PjK9dz?ylVTsQej2O zw=+a3_7V6Z?E26H#|QE!o?gYH5&i_4trVCrs>N@G;h8zlW7-(SLg4*7hJlLShfySP zZ#Vux3c4)MMH`|Yf&+U{sMw55Gb)$tv6Ssf36h)7W=|V4@J!!i^YYD=C@W7BM96#I zZd{BqY|9vxMoCde404y2%1lZEd5vuaaYd;tf$=Dzr}>!B)RZYLP>bjROCfzHJJA2B z{XIVWxq2s&>C9l%~JNB z7*;vFdakHaa?ibTh-JBEX@_ijtKaW+dtZze0GdBELGwd%sh-|9YuY_qcvAT$zfjp?{^P(@_!poGV1-t6XmGQ_;XmJm4u-6?JLXjL5&Sy1VGQC&1&>H9B1$@;Ft?|PU_c3@LD!e55Kb9pe3}`#S2K6r4cPfTKnr(A!!chB?)S3 z*TifYT9)S4E+M8VU%-x~MHf(5i^$5}NAb1*FRYpG(m; ze&kiwyenjS8Jg3xU+GV{<}Qd$acxd#h z4|vp<=!tLXYu0Z7P}O;XWdnfxsO7r8+=+NuKR2GGUH;7=u&~Qj-G~%NvAfZ6^do=x zeJM-_rovj7T4yzK2!H<5f$_3O;uBwZtdq(-J@+vOkjap?r^yDj-cT`K@^=>k9Q1v& z%Vfe2q5y#ahlt5Ns05Lv2zQ$6@&fvmsnVNSu1j83R=##^6?|*Ux8ydlt*&54$5&g# zCD(LqdL29PU2Q2>U+?v`u4V`MHnX5BZ^wUttNfSr{?peIUvQ-ZrtW3^SCWqhx%p^_ zS4O@iu6|{XG$hsxN=djH5d|g*Ay;3amE^fkp1GI;Yje}ezTYv6UEIC3nQvwH^68cq z5A$6lW7-_GE?oV&6UwFeeHPPf+3Y`?qsLVi%R8aOwf@>xu*43_dma!xvVW2bjt&J9waNr4ux<>4?B5U;KBBtG6E zjy(O7Bo^M&q1{OWn@l`lazThWbED7bSgE@8;b(mS5Ev@#W%KIGV_t?HB?Ivb^79Jk zgBpv3F)TkAY8|aH8U}=p;7f*=#WGC)&PF540PcG@V1$=r5N8!R!!;CF-(A(VPJ<`u zIRSl!EJK#k^B@_@NS(hxmgX-39IMN#&B zY~qlP5l>H#=wpUv-eU%6td4zJ5zg{((VjXgBvfs4o^qmcZN?}$-_mZTL)6sCE*!Wu z-4w`MCg}*~$m|Y|O0rNb*wHS{PnDp6Ltd0V33yeqCUVX+S(`=B#F?y)U?Jz?W)U>u h8ubyp@7TxPvwL>W?)jFV|2F^t|Nn_SKy&~g0{{$A-H8AI literal 0 HcmV?d00001 diff --git a/charts/neuvector-crd/102.0.9+up2.7.6/Chart.yaml b/charts/neuvector-crd/102.0.9+up2.7.6/Chart.yaml new file mode 100644 index 0000000000..13eb969aa3 --- /dev/null +++ b/charts/neuvector-crd/102.0.9+up2.7.6/Chart.yaml @@ -0,0 +1,16 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/release-name: neuvector-crd +apiVersion: v1 +appVersion: 5.3.2 +description: Helm chart for NeuVector's CRD services +home: https://neuvector.com +icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 +maintainers: +- email: support@neuvector.com + name: becitsthere +name: neuvector-crd +type: application +version: 102.0.9+up2.7.6 diff --git a/charts/neuvector-crd/102.0.9+up2.7.6/README.md b/charts/neuvector-crd/102.0.9+up2.7.6/README.md new file mode 100644 index 0000000000..a5379e6ba6 --- /dev/null +++ b/charts/neuvector-crd/102.0.9+up2.7.6/README.md @@ -0,0 +1,14 @@ +# NeuVector Helm Chart + +Helm chart for NeuVector container security's CRD services. NeuVector's CRD (Custom Resource Definition) capture and declare application security policies early in the pipeline, then defined policies can be deployed together with the container applications. + +Because the CRD policies can be deployed before NeuVector's core product, this separate helm chart is created. For the backward compatibility reason, crd.yaml is not removed in the 'core' chart. If you use this 'crd' chart, please set `crdwebhook.enabled` to false in the 'core' chart. + +## Configuration + +The following table lists the configurable parameters of the NeuVector chart and their default values. + +Parameter | Description | Default | Notes +--------- | ----------- | ------- | ----- +`openshift` | If deploying in OpenShift, set this to true | `false` | +`crdwebhook.type` | crd webhook type | `ClusterIP` | diff --git a/charts/neuvector-crd/102.0.9+up2.7.6/templates/_helpers.tpl b/charts/neuvector-crd/102.0.9+up2.7.6/templates/_helpers.tpl new file mode 100644 index 0000000000..c0cc49294e --- /dev/null +++ b/charts/neuvector-crd/102.0.9+up2.7.6/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "neuvector.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "neuvector.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "neuvector.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/neuvector-crd/102.0.9+up2.7.6/templates/crd.yaml b/charts/neuvector-crd/102.0.9+up2.7.6/templates/crd.yaml new file mode 100644 index 0000000000..e3a0bfdb17 --- /dev/null +++ b/charts/neuvector-crd/102.0.9+up2.7.6/templates/crd.yaml @@ -0,0 +1,975 @@ +{{- if .Values.crdwebhook.enabled -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + group: neuvector.com + names: + kind: NvSecurityRule + listKind: NvSecurityRuleList + plural: nvsecurityrules + singular: nvsecurityrule + scope: Namespaced +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + egress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + file: + items: + properties: + app: + items: + type: string + type: array + behavior: + enum: + - monitor_change + - block_access + type: string + filter: + type: string + recursive: + type: boolean + required: + - behavior + - filter + type: object + type: array + ingress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + process: + items: + properties: + action: + enum: + - allow + - deny + type: string + allow_update: + type: boolean + name: + type: string + path: + type: string + required: + - action + type: object + type: array + process_profile: + properties: + baseline: + enum: + - default + - shield + - basic + - zero-drift + type: string + type: object + target: + properties: + policymode: + enum: + - Discover + - Monitor + - Protect + - N/A + type: string + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - selector + type: object + dlp: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + waf: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + required: + - target + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvclustersecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + group: neuvector.com + names: + kind: NvClusterSecurityRule + listKind: NvClusterSecurityRuleList + plural: nvclustersecurityrules + singular: nvclustersecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + egress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + file: + items: + properties: + app: + items: + type: string + type: array + behavior: + enum: + - monitor_change + - block_access + type: string + filter: + type: string + recursive: + type: boolean + required: + - behavior + - filter + type: object + type: array + ingress: + items: + properties: + action: + enum: + - allow + - deny + type: string + applications: + items: + type: string + type: array + name: + type: string + ports: + type: string + priority: + type: integer + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - action + - name + - selector + type: object + type: array + process: + items: + properties: + action: + enum: + - allow + - deny + type: string + allow_update: + type: boolean + name: + type: string + path: + type: string + required: + - action + type: object + type: array + process_profile: + properties: + baseline: + enum: + - default + - shield + - basic + - zero-drift + type: string + type: object + target: + properties: + policymode: + enum: + - Discover + - Monitor + - Protect + - N/A + type: string + selector: + properties: + comment: + type: string + criteria: + items: + properties: + key: + type: string + op: + type: string + value: + type: string + required: + - key + - op + - value + type: object + type: array + name: + type: string + original_name: + type: string + required: + - name + type: object + required: + - selector + type: object + dlp: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + waf: + properties: + settings: + items: + properties: + action: + enum: + - allow + - deny + type: string + name: + type: string + required: + - name + - action + type: object + type: array + status: + type: boolean + type: object + required: + - target + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvdlpsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + group: neuvector.com + names: + kind: NvDlpSecurityRule + listKind: NvDlpSecurityRuleList + plural: nvdlpsecurityrules + singular: nvdlpsecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + sensor: + properties: + comment: + type: string + name: + type: string + rules: + items: + properties: + name: + type: string + patterns: + items: + properties: + context: + enum: + - url + - header + - body + - packet + type: string + key: + enum: + - pattern + type: string + op: + enum: + - regex + - '!regex' + type: string + value: + type: string + required: + - key + - op + - value + - context + type: object + type: array + required: + - name + - patterns + type: object + type: array + required: + - name + type: object + required: + - sensor + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvadmissioncontrolsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + group: neuvector.com + names: + kind: NvAdmissionControlSecurityRule + listKind: NvAdmissionControlSecurityRuleList + plural: nvadmissioncontrolsecurityrules + singular: nvadmissioncontrolsecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + config: + properties: + client_mode: + enum: + - service + - url + type: string + enable: + type: boolean + mode: + enum: + - monitor + - protect + type: string + required: + - enable + - mode + - client_mode + type: object + rules: + items: + properties: + action: + enum: + - allow + - deny + type: string + comment: + type: string + criteria: + items: + properties: + name: + type: string + op: + type: string + path: + type: string + sub_criteria: + items: + properties: + name: + type: string + op: + type: string + value: + type: string + required: + - name + - op + - value + type: object + type: array + template_kind: + type: string + type: + type: string + value: + type: string + value_type: + type: string + required: + - name + - op + - value + type: object + type: array + disabled: + type: boolean + id: + type: integer + rule_mode: + enum: + - "" + - monitor + - protect + type: string + containers: + items: + enum: + - containers + - init_containers + - ephemeral_containers + type: string + type: array + required: + - action + - criteria + type: object + type: array + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvwafsecurityrules.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + group: neuvector.com + names: + kind: NvWafSecurityRule + listKind: NvWafSecurityRuleList + plural: nvwafsecurityrules + singular: nvwafsecurityrule + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + sensor: + properties: + comment: + type: string + name: + type: string + rules: + items: + properties: + name: + type: string + patterns: + items: + properties: + context: + enum: + - url + - header + - body + - packet + type: string + key: + enum: + - pattern + type: string + op: + enum: + - regex + - '!regex' + type: string + value: + type: string + required: + - key + - op + - value + - context + type: object + type: array + required: + - name + - patterns + type: object + type: array + required: + - name + type: object + required: + - sensor + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvcomplianceprofiles.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + group: neuvector.com + names: + kind: NvComplianceProfile + listKind: NvComplianceProfileList + plural: nvcomplianceprofiles + singular: nvcomplianceprofile + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + templates: + properties: + disable_system: + type: boolean + entries: + items: + properties: + tags: + items: + type: string + type: array + test_number: + type: string + required: + - test_number + type: object + type: array + required: + - entries + type: object + type: object + type: object +{{- end }} +--- +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apiextensions.k8s.io/v1 +{{- else }} +apiVersion: apiextensions.k8s.io/v1beta1 +{{- end }} +kind: CustomResourceDefinition +metadata: + name: nvvulnerabilityprofiles.neuvector.com + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + group: neuvector.com + names: + kind: NvVulnerabilityProfile + listKind: NvVulnerabilityProfileList + plural: nvvulnerabilityprofiles + singular: nvvulnerabilityprofile + scope: Cluster +{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + version: v1 +{{- end }} + versions: + - name: v1 + served: true + storage: true +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + schema: + openAPIV3Schema: + properties: + spec: + properties: + profile: + properties: + entries: + items: + properties: + comment: + type: string + days: + type: integer + domains: + items: + type: string + type: array + images: + items: + type: string + type: array + name: + type: string + required: + - name + type: object + type: array + required: + - entries + type: object + required: + - profile + type: object + type: object +{{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-crd-webhook + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + ports: + - port: 443 + targetPort: 30443 + protocol: TCP + name: crd-webhook + type: {{ .Values.crdwebhook.type }} + selector: + app: neuvector-controller-pod +{{- end }} diff --git a/charts/neuvector-crd/102.0.9+up2.7.6/values.yaml b/charts/neuvector-crd/102.0.9+up2.7.6/values.yaml new file mode 100644 index 0000000000..e899decf01 --- /dev/null +++ b/charts/neuvector-crd/102.0.9+up2.7.6/values.yaml @@ -0,0 +1,9 @@ +# Default values for neuvector. +# This is a YAML-formatted file. +# Declare variables to be passed into the templates. + +openshift: false + +crdwebhook: + type: ClusterIP + enabled: true diff --git a/charts/neuvector/102.0.9+up2.7.6/.helmignore b/charts/neuvector/102.0.9+up2.7.6/.helmignore new file mode 100644 index 0000000000..f0c1319444 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/neuvector/102.0.9+up2.7.6/Chart.yaml b/charts/neuvector/102.0.9+up2.7.6/Chart.yaml new file mode 100644 index 0000000000..35385db215 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/auto-install: neuvector-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.30.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 2.7.6 +apiVersion: v1 +appVersion: 5.3.2 +description: Helm feature chart for NeuVector container security platform. +home: https://neuvector.com +icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 +keywords: +- security +maintainers: +- email: support@neuvector.com + name: becitsthere +name: neuvector +sources: +- https://github.com/neuvector/neuvector +version: 102.0.9+up2.7.6 diff --git a/charts/neuvector/102.0.9+up2.7.6/README.md b/charts/neuvector/102.0.9+up2.7.6/README.md new file mode 100644 index 0000000000..c84153e8e3 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/README.md @@ -0,0 +1,285 @@ +# NeuVector Helm Chart + +Helm chart for NeuVector container security's core services. + +## Choosing container runtime +Prior to 5.3 release, the user has to specify the correct container runtime type and its socket path. In 5.3.0 release, the enforcer is able to automatically detect the container runtime at its default socket location. The settings of docker/containerd/crio/k8s/bottlerocket become deprecated. If the container runtime socket is not at the default location, please specify it using 'runtimePath' field. In the meantime, the controller does not require the runtime socket to be mounted any more. + +## Configuration + +The following table lists the configurable parameters of the NeuVector chart and their default values. + +Parameter | Description | Default | Notes +--------- | ----------- | ------- | ----- +`openshift` | If deploying in OpenShift, set this to true | `false` | +`registry` | NeuVector container registry | `docker.io` | +`tag` | image tag for controller enforcer manager | `latest` | +`oem` | OEM release name | `nil` | +`imagePullSecrets` | image pull secret | `nil` | +`rbac` | NeuVector RBAC Manifests are installed when RBAC is enabled | `true` | Required for Rancher Authentication. | +`psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` | +`serviceAccount` | Service account name for NeuVector components | `default` | +`leastPrivilege` | Use least privileged service account | `false` | +`autoGenerateCert` | Automatically generate certificate or not | `true` | +`internal.certmanager.enabled` | cert-manager is installed for the internal certificates | `false` | +`internal.certmanager.secretname` | Name of the secret to be used for the internal certificates | `neuvector-internal` | +`defaultValidityPeriod` | The default validity period used for certs automatically generated (days) | `365` | +`global.cattle.url` | Set the Rancher Server URL | | Required for Rancher Authentication. `https:///` | +`global.aws.enabled` | If true, install AWS billing csp adapter | `false` | **Note**: default admin user is disabled when aws market place billing enabled, use secret to create admin-role user to manage NeuVector deployment. +`global.aws.accountNumber` | AWS Account Number | `nil` | Follow AWS subscription instruction +`global.aws.roleName` | AWS Role name for billing | `nil` | Follow AWS subscription instruction +`global.aws.serviceAccount` | Service account name for csp adapter | `csp` | Follow AWS subscription instruction +`global.aws.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow AWS subscription instruction +`global.aws.image.repository` | csp adapter image repository | `neuvector/neuvector-csp-adapter` | Follow AWS subscription instruction +`global.aws.image.tag` | csp adapter image tag | `latest` | Follow AWS subscription instruction +`global.aws.image.digest` | csp adapter image digest | `nil` | Follow AWS subscription instruction +`global.aws.image.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow AWS subscription instruction +`global.azure.enabled` | If true, install Azure billing csp adapter | `false` | **Note**: default admin user is disabled when azure market place billing enabled, use secret to create admin-role user to manage NeuVector deployment. +`global.azure.serviceAccount` | Service account name for csp adapter | `csp` | Follow Azure subscription instruction +`global.azure.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.registry` | csp adapter image registry | `susellcforazuremarketplace.azurecr.io` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.image` | csp adapter image repository | `neuvector-billing-azure-by-suse-llc` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.digest` | csp adapter image digest | `nil` | Follow Azure subscription instruction +`global.azure.images.neuvector_csp_pod.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow Azure subscription instruction +`controller.enabled` | If true, create controller | `true` | +`controller.image.repository` | controller image repository | `neuvector/controller` | +`controller.image.hash` | controller image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`controller.replicas` | controller replicas | `3` | +`controller.schedulerName` | kubernetes scheduler name | `nil` | +`controller.affinity` | controller affinity rules | ... | spread controllers to different nodes | +`controller.tolerations` | List of node taints to tolerate | `nil` | +`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.6/charts/core/values.yaml) +`controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` | +`controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`controller.podLabels` | Specify the pod labels. | `{}` | +`controller.podAnnotations` | Specify the pod annotations. | `{}` | +`controller.env` | User-defined environment variables for controller. | `[]` | +`controller.ranchersso.enabled` | If true, enable single sign on for Rancher | `false` | Required for Rancher Authentication. | +`controller.pvc.enabled` | If true, enable persistence for controller using PVC | `false` | Require persistent volume type RWX, and storage 1Gi +`controller.pvc.accessModes` | Access modes for the created PVC. | `["ReadWriteMany"]` | +`controller.pvc.existingClaim` | If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used. | `false` | +`controller.pvc.storageClass` | Storage Class to be used | `default` | +`controller.pvc.capacity` | Storage capacity | `1Gi` | +`controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` | +`controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` | +`controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` | +`controller.apisvc.type` | Controller REST API service type | `nil` | +`controller.apisvc.annotations` | Add annotations to controller REST API service | `{}` | +`controller.apisvc.route.enabled` | If true, create a OpenShift route to expose the Controller REST API service | `false` | +`controller.apisvc.route.termination` | Specify TLS termination for OpenShift route for Controller REST API service. Possible passthrough, edge, reencrypt | `passthrough` | +`controller.apisvc.route.host` | Set controller REST API service hostname | `nil` | +`controller.apisvc.route.tls.key` | Set controller REST API service PEM format key file | `nil` | +`controller.apisvc.route.tls.certificate` | Set controller REST API service PEM format certificate file | `nil` | +`controller.apisvc.route.tls.caCertificate` | Set controller REST API service CA certificate may be required to establish a certificate chain for validation | `nil` | +`controller.apisvc.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate | `nil` | +`controller.certificate.secret` | Replace controller REST API certificate using secret if secret name is specified | `nil` | +`controller.certificate.keyFile` | Replace controller REST API certificate key file | `tls.key` | +`controller.certificate.pemFile` | Replace controller REST API certificate pem file | `tls.pem` | +`controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | +`controller.federation.mastersvc.loadBalancerIP` | Multi-cluster primary cluster service load balancer IP. If specified, the deployment must also specify controller.federation.mastersvc.type of LoadBalancer. | `nil` | +`controller.federation.mastersvc.clusterIP` | Set clusterIP to be used for mastersvc | `nil` | +`controller.federation.mastersvc.nodePort` | Define a nodePort for mastersvc | `nil` | Must be a valid NodePort (30000-32767) +`controller.federation.mastersvc.externalTrafficPolicy` | Set externalTrafficPolicy to be used for mastersvc | `nil` | +`controller.federation.mastersvc.internalTrafficPolicy` | Set internalTrafficPolicy to be used for mastersvc | `nil` | +`controller.federation.mastersvc.annotations` | Add annotations to Multi-cluster primary cluster REST API service | `{}` | +`controller.federation.mastersvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster primary cluster service | `false` | +`controller.federation.mastersvc.route.host` | Set OpenShift route host for primary cluster service | `nil` | +`controller.federation.mastersvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster primary cluster service. Possible passthrough, edge, reencrypt | `passthrough` | +`controller.federation.mastersvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster primary cluster service | `nil` | +`controller.federation.mastersvc.route.tls.certificate` | Set PEM format key certificate file for OpenShift route for Multi-cluster primary cluster service | `nil` | +`controller.federation.mastersvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster primary cluster service | `nil` | +`controller.federation.mastersvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster primary cluster service | `nil` | +`controller.federation.mastersvc.ingress.enabled` | If true, create ingress for federation master service, must also set ingress host value | `false` | enable this if ingress controller is installed +`controller.federation.mastersvc.ingress.tls` | If true, TLS is enabled for controller federation master ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.mastersvc.ingress.host`. +`controller.federation.mastersvc.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`controller.federation.mastersvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. +`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.6/charts/core/values.yaml) +`controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` | +`controller.federation.managedsvc.loadBalancerIP` | Multi-cluster primary cluster service load balancer IP. If specified, the deployment must also specify controller.federation.mastersvc.type of LoadBalancer. | `nil` | +`controller.federation.managedsvc.clusterIP` | Set clusterIP to be used for managedsvc | `nil` | +`controller.federation.managedsvc.nodePort` | Define a nodePort for managedsvc | `nil` | Must be a valid NodePort (30000-32767) +`controller.federation.managedsvc.externalTrafficPolicy` | Set externalTrafficPolicy to be used for managedsvc | `nil` | +`controller.federation.managedsvc.internalTrafficPolicy` | Set internalTrafficPolicy to be used for managedsvc | `nil` | +`controller.federation.managedsvc.annotations` | Add annotations to Multi-cluster managed cluster REST API service | `{}` | +`controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` | +`controller.federation.managedsvc.route.host` | Set OpenShift route host for manageed service | `nil` | +`controller.federation.managedsvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster managed cluster service. Possible passthrough, edge, reencrypt | `passthrough` | +`controller.federation.managedsvc.route.tls.key` | Set PEM format key file for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.route.tls.certificate` | Set PEM format certificate file for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.route.tls.destinationCACertificate` | Set CA certificate to validate the endpoint certificate for OpenShift route for Multi-cluster managed cluster service | `nil` | +`controller.federation.managedsvc.ingress.enabled` | If true, create ingress for federation managed service, must also set ingress host value | `false` | enable this if ingress controller is installed +`controller.federation.managedsvc.ingress.tls` | If true, TLS is enabled for controller federation managed ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.managedsvc.ingress.host`. +`controller.federation.managedsvc.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`controller.federation.managedsvc.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. +`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.6/charts/core/values.yaml) +`controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed +`controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`. +`controller.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`controller.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. +`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.6/charts/core/values.yaml) +`controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false` +`controller.configmap.data` | NeuVector configuration in YAML format | `{}` +`controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false` +`controller.secret.data` | NeuVector configuration in key/value pair format | `{}` +`controller.internal.certificate.secret` | Secret name to be used for custom controller internal certificate | `nil` | +`controller.internal.certificate.keyFile` | Set PEM format key file for custom controller internal certificate | `tls.key` | +`controller.internal.certificate.pemFile` | Set PEM format certificate file for custom controller internal certificate | `tls.crt` | +`controller.internal.certificate.caFile` | Set CA certificate file for controller custom internal certificate | `ca.crt` | +`enforcer.enabled` | If true, create enforcer | `true` | +`enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` | +`enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`enforcer.updateStrategy.type` | enforcer update strategy type. | `RollingUpdate` | +`enforcer.priorityClassName` | enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`enforcer.podLabels` | Specify the pod labels. | `{}` | +`enforcer.podAnnotations` | Specify the pod annotations. | `{}` | +`enforcer.env` | User-defined environment variables for enforcers. | `[]` | +`enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`
`key: node-role.kubernetes.io/master` | other taints can be added after the default +`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.6/charts/core/values.yaml) +`enforcer.internal.certificate.secret` | Secret name to be used for custom enforcer internal certificate | `nil` | +`enforcer.internal.certificate.keyFile` | Set PEM format key file for custom enforcer internal certificate | `tls.key` | +`enforcer.internal.certificate.pemFile` | Set PEM format certificate file for custom enforcer internal certificate | `tls.crt` | +`enforcer.internal.certificate.caFile` | Set CA certificate file for enforcer custom internal certificate | `ca.crt` | +`manager.enabled` | If true, create manager | `true` | +`manager.image.repository` | manager image repository | `neuvector/manager` | +`manager.image.hash` | manager image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`manager.priorityClassName` | manager priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`manager.podLabels` | Specify the pod labels. | `{}` | +`manager.podAnnotations` | Specify the pod annotations. | `{}` | +`manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` | +`manager.env.envs` | Other environment variables. The following variables are accepted. | `[]` | +` CUSTOM_LOGIN_LOGO` | SVG file encoded in based64, the logo is displayed as a 300 x 80 pixels icon. | +` CUSTOM_EULA_POLICY` | HTML or TEXT encoded in base64. | +` CUSTOM_PAGE_HEADER_CONTENT` | max. 120 characters, base64 encoded. | +` CUSTOM_PAGE_HEADER_COLOR` | use color name (yellow) or value (#ffff00) | +` CUSTOM_PAGE_FOOTER_CONTENT` | max. 120 characters, base64 encoded. | +` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) | +`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google +`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | +`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.6/charts/core/values.yaml) +`manager.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | +`manager.route.host` | Set OpenShift route host for management console service | `nil` | +`manager.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` | +`manager.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` | +`manager.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` | +`manager.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` | +`manager.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` | +`manager.certificate.secret` | Replace manager UI certificate using secret if secret name is specified | `nil` | +`manager.certificate.keyFile` | Replace manager UI certificate key file | `tls.key` | +`manager.certificate.pemFile` | Replace manager UI certificate pem file | `tls.pem` | +`manager.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed +`manager.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`manager.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/` +`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.6/charts/core/values.yaml) +`manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`. +`manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.6/charts/core/values.yaml) +`manager.affinity` | manager affinity rules | `{}` | +`manager.tolerations` | List of node taints to tolerate | `nil` | +`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`manager.runAsUser` | Specify the run as User ID | `nil` | +`cve.adapter.enabled` | If true, create registry adapter | `true` | +`cve.adapter.image.repository` | registry adapter image repository | `neuvector/registry-adapter` | +`cve.adapter.image.tag` | registry adapter image tag | | +`cve.adapter.image.hash` | registry adapter image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`cve.adapter.priorityClassName` | registry adapter priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.adapter.podLabels` | Specify the pod labels. | `{}` | +`cve.adapter.podAnnotations` | Specify the pod annotations. | `{}` | +`cve.adapter.env` | User-defined environment variables for adapter. | `[]` | +`cve.adapter.svc.type` | set registry adapter service type for native Kubernetes | `NodePort`;
if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google +`cve.adapter.svc.loadBalancerIP` | if registry adapter service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` | +`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.6/charts/core/values.yaml) +`cve.adapter.harbor.protocol` | Harbor registry request protocol [http|https] | `https` | +`cve.adapter.harbor.secretName` | Harbor registry adapter's basic authentication secret | | +`cve.adapter.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` | +`cve.adapter.route.host` | Set OpenShift route host for management console service | `nil` | +`cve.adapter.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` | +`cve.adapter.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` | +`cve.adapter.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` | +`cve.adapter.certificate.secret` | Replace registry adapter certificate using secret if secret name is specified | `nil` | +`cve.adapter.certificate.keyFile` | Replace registry adapter certificate key file | `tls.key` | +`cve.adapter.certificate.pemFile` | Replace registry adapter certificate crt file | `tls.crt` | +`cve.adapter.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed +`cve.adapter.ingress.host` | Must set this host value if ingress is enabled | `nil` | +`cve.adapter.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` | +`cve.adapter.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/` +`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.6/charts/core/values.yaml) +`cve.adapter.ingress.tls` | If true, TLS is enabled for registry adapter ingress service |`false` | If set, the tls-host used is the one set with `cve.adapter.ingress.host`. +`cve.adapter.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually) +`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.6/charts/core/values.yaml) +`cve.adapter.affinity` | registry adapter affinity rules | `{}` | +`cve.adapter.tolerations` | List of node taints to tolerate | `nil` | +`cve.adapter.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`cve.adapter.runAsUser` | Specify the run as User ID | `nil` | +`cve.adapter.internal.certificate.secret` | Secret name to be used for custom registry adapter internal certificate | `nil` | +`cve.adapter.internal.certificate.keyFile` | Set PEM format key file for custom registry adapter internal certificate | `tls.key` | +`cve.adapter.internal.certificate.pemFile` | Set PEM format certificate file for custom registry adapter internal certificate | `tls.crt` | +`cve.adapter.internal.certificate.caFile` | Set CA certificate file for registry adapter custom internal certificate | `ca.crt` | +`cve.updater.enabled` | If true, create cve updater | `true` | +`cve.updater.secure` | If true, API server's certificate is validated | `false` | +`cve.updater.cacert` | If set, use this ca file to validate API server's certificate | `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` | +`cve.updater.image.registry` | cve updater image registry to overwrite global registry | | +`cve.updater.image.repository` | cve updater image repository | `neuvector/updater` | +`cve.updater.image.tag` | image tag for cve updater | `latest` | +`cve.updater.image.hash` | cve updateer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`cve.updater.priorityClassName` | cve updater priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.updater.podLabels` | Specify the pod labels. | `{}` | +`cve.updater.podAnnotations` | Specify the pod annotations. | `{}` | +`cve.updater.schedule` | cronjob cve updater schedule | `0 0 * * *` | +`cve.updater.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`cve.updater.runAsUser` | Specify the run as User ID | `nil` | +`cve.scanner.enabled` | If true, cve scanners will be deployed | `true` | +`cve.scanner.image.registry` | cve scanner image registry to overwrite global registry | | +`cve.scanner.image.repository` | cve scanner image repository | `neuvector/scanner` | +`cve.scanner.image.tag` | cve scanner image tag | `latest` | +`cve.scanner.image.hash` | cve scanner image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | +`cve.scanner.priorityClassName` | cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` | +`cve.scanner.podLabels` | Specify the pod labels. | `{}` | +`cve.scanner.podAnnotations` | Specify the pod annotations. | `{}` | +`cve.scanner.env` | User-defined environment variables for scanner. | `[]` | +`cve.scanner.replicas` | external scanner replicas | `3` | +`cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` | +`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](https://github.com/neuvector/neuvector-helm/tree/2.7.6/charts/core/values.yaml) | +`cve.scanner.affinity` | scanner affinity rules | `{}` | +`cve.scanner.tolerations` | List of node taints to tolerate | `nil` | +`cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` | +`cve.scanner.runAsUser` | Specify the run as User ID | `nil` | +`cve.scanner.internal.certificate.secret` | Secret name to be used for custom scanner internal certificate | `nil` | +`cve.scanner.internal.certificate.keyFile` | Set PEM format key file for custom scanner internal certificate | `tls.key` | +`cve.scanner.internal.certificate.pemFile` | Set PEM format certificate file for custom scanner internal certificate | `tls.crt` | +`cve.scanner.internal.certificate.caFile` | Set CA certificate file for scanner custom internal certificate | `ca.crt` | +`runtimePath` | container runtime socket path, if it's not at the default location. | `` | +`docker.path` | docker path | `/var/run/docker.sock` | Deprecated in 5.3.0 +`containerd.enabled` | Set to true, if the container runtime is containerd | `false` | Deprecated in 5.3.0. Prior to 5.3.0, for k3s and rke clusters, set k3s.enabled to true instead +`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` | Deprecated in 5.3.0. +`crio.enabled` | Set to true, if the container runtime is cri-o | `false` | Deprecated in 5.3.0. +`crio.path` | If cri-o is enabled, this local cri-o socket path will be used | `/var/run/crio/crio.sock` | Deprecated in 5.3.0. +`k3s.enabled` | Set to true for k3s or rke2 | `false` | Deprecated in 5.3.0. +`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` | Deprecated in 5.3.0. +`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` | Deprecated in 5.3.0. +`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` | Deprecated in 5.3.0. +`admissionwebhook.type` | admission webhook type | `ClusterIP` | +`crdwebhook.enabled` | Enable crd service and create crd related resources | `true` | +`crdwebhook.type` | crd webhook type | `ClusterIP` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install my-release --namespace neuvector ./neuvector-helm/ --set manager.env.ssl=off +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, + +```console +$ helm install my-release --namespace neuvector ./neuvector-helm/ -f values.yaml +``` diff --git a/charts/neuvector/102.0.9+up2.7.6/app-readme.md b/charts/neuvector/102.0.9+up2.7.6/app-readme.md new file mode 100644 index 0000000000..caddee8a85 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/app-readme.md @@ -0,0 +1,35 @@ +### Run-Time Protection Without Compromise + +NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform. + +NeuVector integrates tightly with Rancher and Kubernetes to extend the built-in security features for applications that require defense in depth. Security features include: + ++ Build phase vulnerability scanning with Jenkins plug-in and registry scanning ++ Admission control to prevent vulnerable or unauthorized image deployments using Kubernetes admission control webhooks ++ Complete run-time scanning with network, process, and file system monitoring and protection ++ The industry's only layer 7 container firewall for multi-protocol threat detection and automated segmentation ++ Advanced network controls including DLP detection, service mesh integration, connection blocking and packet captures ++ Run-time vulnerability scanning and CIS benchmarks + +Additional Notes: ++ Previous deployments from Rancher, such as from our Partners chart repository or the primary NeuVector Helm chart, must be completely removed in order to update to the new integrated feature chart. See https://github.com/rancher/rancher/issues/37447. ++ Container runtime and runtime path are auto detected in NeuVector 5.3.0 version. If the socket path is not at the default location, use runtimePath in values.yaml to specify the location. ++ For deploying on hardened RKE2 and K3s clusters, enable PSP and set user id from other configuration for Manager, Scanner and Updater deployments. User id can be any number other than 0. ++ For deploying on hardened RKE cluster, enable PSP from security settings. + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + **Note:** + In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + + **Note:** + If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** + + If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/neuvector/102.0.9+up2.7.6/crds/_helpers.tpl b/charts/neuvector/102.0.9+up2.7.6/crds/_helpers.tpl new file mode 100644 index 0000000000..c0cc49294e --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/crds/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "neuvector.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "neuvector.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "neuvector.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/neuvector/102.0.9+up2.7.6/questions.yaml b/charts/neuvector/102.0.9+up2.7.6/questions.yaml new file mode 100644 index 0000000000..29668b2bf1 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/questions.yaml @@ -0,0 +1,283 @@ +questions: +#image configurations +- variable: controller.image.repository + default: "neuvector/controller" + description: controller image repository + type: string + label: Controller Image Path + group: "Container Images" +- variable: controller.image.tag + default: "" + description: image tag for controller + type: string + label: Controller Image Tag + group: "Container Images" +- variable: manager.image.repository + default: "neuvector/manager" + description: manager image repository + type: string + label: Manager Image Path + group: "Container Images" +- variable: manager.image.tag + default: "" + description: image tag for manager + type: string + label: Manager Image Tag + group: "Container Images" +- variable: enforcer.image.repository + default: "neuvector/enforcer" + description: enforcer image repository + type: string + label: Enforcer Image Path + group: "Container Images" +- variable: enforcer.image.tag + default: "" + description: image tag for enforcer + type: string + label: Enforcer Image Tag + group: "Container Images" +- variable: cve.scanner.image.repository + default: "neuvector/scanner" + description: scanner image repository + type: string + label: Scanner Image Path + group: "Container Images" +- variable: cve.scanner.image.tag + default: "" + description: image tag for scanner + type: string + label: Scanner Image Tag + group: "Container Images" +- variable: cve.updater.image.repository + default: "neuvector/updater" + description: cve updater image repository + type: string + label: CVE Updater Image Path + group: "Container Images" +- variable: cve.updater.image.tag + default: "" + description: image tag for updater + type: string + label: Updater Image Tag + group: "Container Images" +#storage configurations +- variable: controller.pvc.enabled + default: false + description: If true, enable persistence for controller using PVC. PVC should support ReadWriteMany(RWX) + type: boolean + label: PVC Status + group: "PVC Configuration" +- variable: controller.pvc.storageClass + default: "" + description: Storage Class to be used + type: string + label: Storage Class Name + group: "PVC Configuration" +#ingress configurations +- variable: manager.ingress.enabled + default: false + description: If true, create ingress, must also set ingress host value + type: boolean + label: Manager Ingress Status + group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: manager.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Manager Ingress Host + group: "Ingress Configuration" + - variable: manager.ingress.path + default: "/" + description: Set ingress path + type: string + label: Manager Ingress Path + group: "Ingress Configuration" + - variable: manager.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Manager Ingress Annotations + group: "Ingress Configuration" +- variable: controller.ingress.enabled + default: false + description: If true, create ingress for rest api, must also set ingress host value + type: boolean + label: Controller Ingress Status + group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: controller.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Controller Ingress Host + group: "Ingress Configuration" + - variable: controller.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Ingress Path + group: "Ingress Configuration" + - variable: controller.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Ingress Annotations + group: "Ingress Configuration" +- variable: controller.federation.mastersvc.ingress.enabled + default: false + description: If true, create ingress for rest api, must also set ingress host value + type: boolean + label: Controller Federation Master Service Ingress Status + group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: controller.federation.mastersvc.ingress.tls + default: false + description: If true, TLS is enabled for controller federation master ingress service + type: boolean + label: Controller Federation Master Service Ingress TLS Status + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Controller Federation Master Service Ingress Host + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Federation Master Service Ingress Path + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.ingressClassName + default: "" + description: To be used instead of the ingress.class annotation if an IngressClass is provisioned + type: string + label: Controller Federation Master Service Ingress IngressClassName + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.secretName + default: "" + description: Name of the secret to be used for TLS-encryption + type: string + label: Controller Federation Master Service Ingress SecretName + group: "Ingress Configuration" + - variable: controller.federation.mastersvc.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Federation Master Service Ingress Annotations + group: "Ingress Configuration" +- variable: controller.federation.managedsvc.ingress.enabled + default: false + description: If true, create ingress for rest api, must also set ingress host value + type: boolean + label: Controller Federation Managed Service Ingress Status + group: "Ingress Configuration" + show_subquestion_if: true + subquestions: + - variable: controller.federation.managedsvc.ingress.tls + default: false + description: If true, TLS is enabled for controller federation managed ingress service + type: boolean + label: Controller Federation Managed Service Ingress TLS Status + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.host + default: "" + description: Must set this host value if ingress is enabled + type: string + label: Controller Federation Managed Service Ingress Host + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.path + default: "/" + description: Set ingress path + type: string + label: Controller Federation Managed Service Ingress Path + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.ingressClassName + default: "" + description: To be used instead of the ingress.class annotation if an IngressClass is provisioned + type: string + label: Controller Federation Managed Service Ingress IngressClassName + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.secretName + default: "" + description: Name of the secret to be used for TLS-encryption + type: string + label: Controller Federation Managed Service Ingress SecretName + group: "Ingress Configuration" + - variable: controller.federation.managedsvc.ingress.annotations + default: "{}" + description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation + type: string + label: Controller Federation Managed Service Ingress Annotations + group: "Ingress Configuration" +#service configurations +- variable: manager.svc.type + default: "NodePort" + description: Set manager service type for native Kubernetes + type: enum + label: Manager Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +- variable: controller.federation.mastersvc.type + default: "" + description: Multi-cluster master cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP + type: enum + label: Fed Master Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +- variable: controller.federation.managedsvc.type + default: "" + description: Multi-cluster managed cluster service type. If specified, the deployment will be managed by the master clsuter. Possible values include NodePort, LoadBalancer and ClusterIP + type: enum + label: Fed Managed Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +- variable: controller.apisvc.type + default: "NodePort" + description: Controller REST API service type + type: enum + label: Controller REST API Service Type + group: "Service Configuration" + options: + - "NodePort" + - "ClusterIP" + - "LoadBalancer" +#Security Settings +- variable: global.cattle.psp.enabled + default: "false" + description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false." + label: "Enable PodSecurityPolicies" + default: "false" + type: boolean + group: "Security Settings" +- variable: manager.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Manager runAsUser ID + group: "Security Settings" +- variable: cve.scanner.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Scanner runAsUser ID + group: "Security Settings" +- variable: cve.updater.runAsUser + default: "" + description: Specify the run as User ID + type: int + label: Updater runAsUser ID + group: "Security Settings" diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/NOTES.txt b/charts/neuvector/102.0.9+up2.7.6/templates/NOTES.txt new file mode 100644 index 0000000000..2360cee8e3 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/NOTES.txt @@ -0,0 +1,23 @@ +{{- if and .Values.manager.enabled .Values.manager.ingress.enabled }} +From outside the cluster, the NeuVector URL is: +http://{{ .Values.manager.ingress.host }} +{{- else if and .Values.manager.enabled .Values.manager.ingress.enabled .Values.manager.ingress.tls}} +From outside the cluster, the NeuVector URL is: +https://{{ .Values.manager.ingress.host }} +{{- else if not .Values.openshift }} +Get the NeuVector URL by running these commands: +{{- if contains "NodePort" .Values.manager.svc.type }} + NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui) + NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo https://$NODE_IP:$NODE_PORT +{{- else if contains "ClusterIP" .Values.manager.svc.type }} + CLUSTER_IP=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.clusterIP}" services neuvector-service-webui) + echo https://$CLUSTER_IP:8443 +{{- else if contains "LoadBalancer" .Values.manager.svc.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w neuvector-service-webui' + + SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} neuvector-service-webui -o jsonpath="{.status.loadBalancer.ingress[0].ip}") + echo https://$SERVICE_IP:8443 +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/_helpers.tpl b/charts/neuvector/102.0.9+up2.7.6/templates/_helpers.tpl new file mode 100644 index 0000000000..53e17b863c --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/_helpers.tpl @@ -0,0 +1,55 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "neuvector.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "neuvector.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "neuvector.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Lookup secret. +*/}} +{{- define "neuvector.secrets.lookup" -}} +{{- $value := "" -}} +{{- $secretData := (lookup "v1" "Secret" .namespace .secret).data -}} +{{- if and $secretData (hasKey $secretData .key) -}} + {{- $value = index $secretData .key -}} +{{- else if .defaultValue -}} + {{- $value = .defaultValue | toString | b64enc -}} +{{- end -}} +{{- if $value -}} +{{- printf "%s" $value -}} +{{- end -}} +{{- end -}} +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/admission-webhook-service.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/admission-webhook-service.yaml new file mode 100644 index 0000000000..0d92eec7fd --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/admission-webhook-service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-admission-webhook + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + ports: + - port: 443 + targetPort: 20443 + protocol: TCP + name: admission-webhook + type: {{ .Values.admissionwebhook.type }} + selector: + app: neuvector-controller-pod \ No newline at end of file diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/cert-manager-secret.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/cert-manager-secret.yaml new file mode 100644 index 0000000000..3692886b4c --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/cert-manager-secret.yaml @@ -0,0 +1,33 @@ +{{- if .Values.internal.certmanager.enabled }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.internal.certmanager.secretname }} + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.internal.certmanager.secretname }} + namespace: {{ .Release.Namespace }} +spec: + duration: 17520h # 2 years + subject: + organizations: + - NeuVector + isCA: true + commonName: neuvector.internal + dnsNames: + - neuvector.internal + - NeuVector + secretName: {{ .Values.internal.certmanager.secretname }} + usages: + - digital signature + - key encipherment + issuerRef: + group: cert-manager.io + kind: Issuer + name: {{ .Values.internal.certmanager.secretname }} +{{- end }} \ No newline at end of file diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/clusterrole.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/clusterrole.yaml new file mode 100644 index 0000000000..54f33a90c2 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/clusterrole.yaml @@ -0,0 +1,121 @@ +{{- if .Values.rbac -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - "" + resources: + - nodes + - pods + - services + - namespaces + verbs: + - get + - list + - watch + - update + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +{{- if .Values.openshift }} +- apiGroups: + - image.openshift.io + resources: + - imagestreams + verbs: + - get + - list + - watch +{{- end }} +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + - clusterrolebindings + - clusterroles + verbs: + - get + - list + - watch + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - create + - update + - delete + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - config.openshift.io + resources: + - clusteroperators + verbs: + - get + - list +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/clusterrolebinding-least.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/clusterrolebinding-least.yaml new file mode 100644 index 0000000000..bcfca9a212 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/clusterrolebinding-least.yaml @@ -0,0 +1,150 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-app +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-rbac +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-admission +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-view + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: view +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: neuvector-binding-co +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/clusterrolebinding.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..7147a9ff16 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/clusterrolebinding.yaml @@ -0,0 +1,147 @@ +{{- if and .Values.rbac (not .Values.leastPrivilege) -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-app + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-app +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-rbac + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-rbac +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-admission + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-admission +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-view + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: view +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-co + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: neuvector-binding-co +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/controller-deployment.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/controller-deployment.yaml new file mode 100644 index 0000000000..03a7eb1cd3 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/controller-deployment.yaml @@ -0,0 +1,275 @@ +{{- $pre530 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}} +{{- end }} +{{- if .Values.controller.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-controller-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +{{- with .Values.controller.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + minReadySeconds: 60 + strategy: +{{ toYaml .Values.controller.strategy | indent 4 }} + selector: + matchLabels: + app: neuvector-controller-pod + template: + metadata: + labels: + app: neuvector-controller-pod + release: {{ .Release.Name }} + {{- with .Values.controller.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.controller.secret.enabled .Values.controller.configmap.enabled .Values.controller.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }} + annotations: + {{- if .Values.controller.secret.enabled }} + checksum/init-secret: {{ include (print $.Template.BasePath "/init-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.controller.configmap.enabled }} + checksum/init-configmap: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }} + {{- end }} + {{- if eq "true" (toString .Values.autoGenerateCert) }} + checksum/controller-secret: {{ include (print $.Template.BasePath "/controller-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.controller.podAnnotations }} + {{- toYaml .Values.controller.podAnnotations | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.controller.affinity }} + affinity: +{{ toYaml .Values.controller.affinity | indent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: +{{ toYaml .Values.controller.tolerations | indent 8 }} + {{- end }} + {{- if .Values.controller.nodeSelector }} + nodeSelector: +{{ toYaml .Values.controller.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.controller.schedulerName }} + schedulerName: {{ .Values.controller.schedulerName }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: controller + serviceAccount: controller + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + containers: + - name: neuvector-controller-pod + image: {{ template "system_default_registry" . }}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }} + {{- if $pre530 }} + securityContext: + privileged: true + {{- else }} + securityContext: + runAsUser: 0 + {{- end }} + resources: + {{- if .Values.controller.resources }} +{{ toYaml .Values.controller.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + readinessProbe: + exec: + command: + - cat + - /tmp/ready + initialDelaySeconds: 5 + periodSeconds: 5 + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: CLUSTER_ADVERTISED_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CLUSTER_BIND_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if .Values.controller.ranchersso.enabled }} + - name: RANCHER_SSO + value: "1" + - name: RANCHER_EP + value: "{{ .Values.global.cattle.url }}" + {{- end }} + {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }} + - name: CTRL_PERSIST_CONFIG + value: "1" + {{- end }} + {{- with .Values.controller.env }} +{{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }} + - mountPath: /var/neuvector + name: nv-share + readOnly: false + {{- end }} + {{- if $pre530 }} + {{- if .Values.containerd.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.k3s.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.bottlerocket.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.crio.enabled }} + - mountPath: /var/run/crio/crio.sock + {{- else }} + - mountPath: /var/run/docker.sock + {{- end }} + name: runtime-sock + readOnly: true + - mountPath: /host/proc + name: proc-vol + readOnly: true + - mountPath: /host/cgroup + name: cgroup-vol + readOnly: true + {{- end }} + - mountPath: /etc/config + name: config-volume + readOnly: true + {{- if .Values.controller.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.controller.certificate.keyFile }} + name: usercert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.controller.certificate.pemFile }} + name: usercert + readOnly: true + {{- else if eq "true" (toString .Values.autoGenerateCert) }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem + name: cert + readOnly: true + {{- else }} + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.controller.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.controller.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.controller.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + terminationGracePeriodSeconds: 300 + restartPolicy: Always + volumes: + {{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }} + - name: nv-share + {{- if .Values.controller.pvc.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.controller.pvc.existingClaim | default "neuvector-data" }} + {{- else if .Values.controller.azureFileShare.enabled }} + azureFile: + secretName: {{ .Values.controller.azureFileShare.secretName }} + shareName: {{ .Values.controller.azureFileShare.shareName }} + readOnly: false + {{- end }} + {{- end }} + {{- if $pre530 }} + - name: runtime-sock + hostPath: + {{- if .Values.containerd.enabled }} + path: {{ .Values.containerd.path }} + {{- else if .Values.crio.enabled }} + path: {{ .Values.crio.path }} + {{- else if .Values.k3s.enabled }} + path: {{ .Values.k3s.runtimePath }} + {{- else if .Values.bottlerocket.enabled }} + path: {{ .Values.bottlerocket.runtimePath }} + {{- else }} + path: {{ .Values.docker.path }} + {{- end }} + - name: proc-vol + hostPath: + path: /proc + - name: cgroup-vol + hostPath: + path: /sys/fs/cgroup + {{- end }} + - name: config-volume + projected: + sources: + - configMap: + name: neuvector-init + optional: true + - secret: + name: neuvector-init + optional: true + - secret: + name: neuvector-secret + optional: true + {{- if eq "true" (toString .Values.autoGenerateCert) }} + - name: cert + secret: + secretName: neuvector-controller-secret + {{- end }} + {{- if .Values.controller.certificate.secret }} + - name: usercert + secret: + secretName: {{ .Values.controller.certificate.secret }} + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} + - name: internal-cert + secret: + secretName: {{ .Values.controller.internal.certificate.secret }} + {{- end }} +{{- if gt (int .Values.controller.disruptionbudget) 0 }} +--- +{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: policy/v1 +{{- else }} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: neuvector-controller-pdb + namespace: {{ .Release.Namespace }} +spec: + minAvailable: {{ .Values.controller.disruptionbudget }} + selector: + matchLabels: + app: neuvector-controller-pod +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/controller-ingress.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/controller-ingress.yaml new file mode 100644 index 0000000000..1ea0cdce12 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/controller-ingress.yaml @@ -0,0 +1,219 @@ +{{- if .Values.controller.enabled }} +{{- if .Values.controller.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-restapi-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.controller.ingress.ingressClassName }} + ingressClassName: {{ .Values.controller.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.controller.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.ingress.host }} +{{- if .Values.controller.ingress.secretName }} + secretName: {{ .Values.controller.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.ingress.host }} + http: + paths: + - path: {{ .Values.controller.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-svc-controller-api + port: + number: 10443 +{{- else }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-restapi-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.controller.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.ingress.host }} +{{- if .Values.controller.ingress.secretName }} + secretName: {{ .Values.controller.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.ingress.host }} + http: + paths: + - path: {{ .Values.controller.ingress.path }} + backend: + serviceName: neuvector-svc-controller-api + servicePort: 10443 +{{- end }} +{{- end }} +{{- if .Values.controller.federation.mastersvc.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-mastersvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.mastersvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.controller.federation.mastersvc.ingress.ingressClassName }} + ingressClassName: {{ .Values.controller.federation.mastersvc.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.controller.federation.mastersvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.mastersvc.ingress.host }} +{{- if .Values.controller.federation.mastersvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.mastersvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.mastersvc.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-svc-controller-fed-master + port: + number: 11443 +{{- else }} +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-mastersvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.mastersvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.controller.federation.mastersvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.mastersvc.ingress.host }} +{{- if .Values.controller.federation.mastersvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.mastersvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.mastersvc.ingress.path }} + backend: + serviceName: neuvector-svc-controller-fed-master + servicePort: 11443 +{{- end }} +{{- end }} +{{- if .Values.controller.federation.managedsvc.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-managedsvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.managedsvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.controller.federation.managedsvc.ingress.ingressClassName }} + ingressClassName: {{ .Values.controller.federation.managedsvc.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.controller.federation.managedsvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.managedsvc.ingress.host }} +{{- if .Values.controller.federation.managedsvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.managedsvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.managedsvc.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-svc-controller-fed-managed + port: + number: 10443 +{{- else }} +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-managedsvc-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.managedsvc.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.controller.federation.managedsvc.ingress.tls }} + tls: + - hosts: + - {{ .Values.controller.federation.managedsvc.ingress.host }} +{{- if .Values.controller.federation.managedsvc.ingress.secretName }} + secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.controller.federation.managedsvc.ingress.host }} + http: + paths: + - path: {{ .Values.controller.federation.managedsvc.ingress.path }} + backend: + serviceName: neuvector-svc-controller-fed-managed + servicePort: 10443 +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/controller-route.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/controller-route.yaml new file mode 100644 index 0000000000..377917afaf --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/controller-route.yaml @@ -0,0 +1,98 @@ +{{- if .Values.openshift -}} +{{- if .Values.controller.apisvc.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-api + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.controller.apisvc.route.host }} + host: {{ .Values.controller.apisvc.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-svc-controller-api + port: + targetPort: controller-api + tls: + termination: {{ .Values.controller.apisvc.route.termination }} +{{- if or (eq .Values.controller.apisvc.route.termination "reencrypt") (eq .Values.controller.apisvc.route.termination "edge") }} +{{- with .Values.controller.apisvc.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} + +--- +{{ end -}} +{{- if .Values.controller.federation.mastersvc.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-fed-master + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.controller.federation.mastersvc.route.host }} + host: {{ .Values.controller.federation.mastersvc.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-svc-controller-fed-master + port: + targetPort: fed + tls: + termination: {{ .Values.controller.federation.mastersvc.route.termination }} +{{- if or (eq .Values.controller.federation.mastersvc.route.termination "reencrypt") (eq .Values.controller.federation.mastersvc.route.termination "edge") }} +{{- with .Values.controller.federation.mastersvc.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +--- +{{ end -}} +{{- if .Values.controller.federation.managedsvc.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-fed-managed + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.controller.federation.managedsvc.route.host }} + host: {{ .Values.controller.federation.managedsvc.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-svc-controller-fed-managed + port: + targetPort: fed + tls: + termination: {{ .Values.controller.federation.managedsvc.route.termination }} +{{- if or (eq .Values.controller.federation.managedsvc.route.termination "reencrypt") (eq .Values.controller.federation.managedsvc.route.termination "edge") }} +{{- with .Values.controller.federation.managedsvc.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{ end -}} +{{- end -}} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/controller-secret.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/controller-secret.yaml new file mode 100644 index 0000000000..e07504dc45 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/controller-secret.yaml @@ -0,0 +1,20 @@ +{{- if .Values.controller.enabled -}} +{{- if eq "true" (toString .Values.autoGenerateCert) }} +{{- $cn := "neuvector" }} +{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-controller-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +type: Opaque +data: + ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} + ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }} +--- +{{- end}} +{{- end}} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/controller-service.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/controller-service.yaml new file mode 100644 index 0000000000..1eeae5acbf --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/controller-service.yaml @@ -0,0 +1,127 @@ +{{- if .Values.controller.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + clusterIP: None + ports: + - port: 18300 + protocol: "TCP" + name: "cluster-tcp-18300" + - port: 18301 + protocol: "TCP" + name: "cluster-tcp-18301" + - port: 18301 + protocol: "UDP" + name: "cluster-udp-18301" + selector: + app: neuvector-controller-pod +{{- if .Values.controller.apisvc.type }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller-api + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.apisvc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + type: {{ .Values.controller.apisvc.type }} + ports: + - port: 10443 + protocol: "TCP" + name: "controller-api" + selector: + app: neuvector-controller-pod +{{ end -}} +{{- if .Values.controller.federation.mastersvc.type }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller-fed-master + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.mastersvc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + type: {{ .Values.controller.federation.mastersvc.type }} +{{- if and .Values.controller.federation.mastersvc.loadBalancerIP (eq .Values.controller.federation.mastersvc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.controller.federation.mastersvc.loadBalancerIP }} +{{- end }} +{{- if .Values.controller.federation.mastersvc.clusterIP }} + clusterIP: {{ .Values.controller.federation.mastersvc.clusterIP }} +{{- end }} +{{- if .Values.controller.federation.mastersvc.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.federation.mastersvc.externalTrafficPolicy }} +{{- end }} +{{- if .Values.controller.federation.mastersvc.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.controller.federation.mastersvc.internalTrafficPolicy }} +{{- end }} + ports: + - port: 11443 + name: fed + protocol: TCP +{{- if .Values.controller.federation.mastersvc.nodePort }} + nodePort: {{ .Values.controller.federation.mastersvc.nodePort }} +{{- end }} + selector: + app: neuvector-controller-pod +{{ end -}} +{{- if .Values.controller.federation.managedsvc.type }} +--- +apiVersion: v1 +kind: Service +metadata: + name: neuvector-svc-controller-fed-managed + namespace: {{ .Release.Namespace }} +{{- with .Values.controller.federation.managedsvc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + type: {{ .Values.controller.federation.managedsvc.type }} +{{- if and .Values.controller.federation.managedsvc.loadBalancerIP (eq .Values.controller.federation.managedsvc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.controller.federation.managedsvc.loadBalancerIP }} +{{- end }} +{{- if .Values.controller.federation.managedsvc.clusterIP }} + clusterIP: {{ .Values.controller.federation.managedsvc.clusterIP }} +{{- end }} +{{- if .Values.controller.federation.managedsvc.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.controller.federation.managedsvc.externalTrafficPolicy }} +{{- end }} +{{- if .Values.controller.federation.managedsvc.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.controller.federation.managedsvc.internalTrafficPolicy }} +{{- end }} + ports: + - port: 10443 + name: fed + protocol: TCP +{{- if .Values.controller.federation.managedsvc.nodePort }} + nodePort: {{ .Values.controller.federation.managedsvc.nodePort }} +{{- end }} + selector: + app: neuvector-controller-pod +{{ end -}} +{{- end -}} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/crd-role-least.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/crd-role-least.yaml new file mode 100644 index 0000000000..64517f123a --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/crd-role-least.yaml @@ -0,0 +1,417 @@ +{{- if .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +# ClusterRole for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - update + - watch + - create + - get + +--- + +# ClusterRoleBinding for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-customresourcedefinition +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - neuvector.com + resources: + - nvsecurityrules + - nvclustersecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage dlp CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - neuvector.com + resources: + - nvdlpsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRole for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - neuvector.com + resources: + - nvadmissioncontrolsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvdlpsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvadmissioncontrolsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - neuvector.com + resources: + - nvwafsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvwafsecurityrules +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage compliance CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvcomplianceprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - neuvector.com + resources: + - nvcomplianceprofiles + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage compliance CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvcomplianceprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvcomplianceprofiles +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +# ClusterRole for NeuVector to manage vulnerability CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvvulnerabilityprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - neuvector.com + resources: + - nvvulnerabilityprofiles + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage vulnerability CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvvulnerabilityprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvvulnerabilityprofiles +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/crd-role.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/crd-role.yaml new file mode 100644 index 0000000000..46d99761ed --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/crd-role.yaml @@ -0,0 +1,417 @@ +{{- if not .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +# ClusterRole for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - update + - watch + - create + - get + +--- + +# ClusterRoleBinding for NeuVector to operate CRD +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-customresourcedefinition + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-customresourcedefinition +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - neuvector.com + resources: + - nvsecurityrules + - nvclustersecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage network/process CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage dlp CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - neuvector.com + resources: + - nvdlpsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRole for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - neuvector.com + resources: + - nvadmissioncontrolsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvdlpsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvdlpsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRoleBinding for NeuVector to manage admission control CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvadmissioncontrolsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvadmissioncontrolsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - neuvector.com + resources: + - nvwafsecurityrules + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage waf CRD rules +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvwafsecurityrules + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvwafsecurityrules +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage compliance CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvcomplianceprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - neuvector.com + resources: + - nvcomplianceprofiles + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage compliance CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvcomplianceprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvcomplianceprofiles +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +# ClusterRole for NeuVector to manage vulnerability CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRole +metadata: + name: neuvector-binding-nvvulnerabilityprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - neuvector.com + resources: + - nvvulnerabilityprofiles + verbs: + - get + - list + - delete + +--- + +# ClusterRoleBinding for NeuVector to manage vulnerability CRD profiles +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: ClusterRoleBinding +metadata: + name: neuvector-binding-nvvulnerabilityprofiles + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: neuvector-binding-nvvulnerabilityprofiles +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/enforcer-daemonset.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/enforcer-daemonset.yaml new file mode 100644 index 0000000000..4f407a8183 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/enforcer-daemonset.yaml @@ -0,0 +1,180 @@ +{{- $pre530 := false -}} +{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }} +{{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}} +{{- end }} +{{- $runtimePath := "" -}} +{{- if .Values.runtimePath }} +{{- $runtimePath = .Values.runtimePath -}} +{{- else if and .Values.k3s.enabled (ne .Values.k3s.runtimePath "/run/k3s/containerd/containerd.sock") }} +{{- $runtimePath = .Values.k3s.runtimePath -}} +{{- else if and .Values.bottlerocket.enabled (ne .Values.bottlerocket.runtimePath "/run/dockershim.sock") }} +{{- $runtimePath = .Values.bottlerocket.runtimePath -}} +{{- else if and .Values.containerd.enabled (ne .Values.containerd.path "/var/run/containerd/containerd.sock") }} +{{- $runtimePath = .Values.containerd.path -}} +{{- else if and .Values.crio.enabled (ne .Values.crio.path "/var/run/crio/crio.sock") }} +{{- $runtimePath = .Values.crio.path -}} +{{- else if ne .Values.docker.path "/var/run/docker.sock" }} +{{- $runtimePath = .Values.docker.path -}} +{{- end }} +{{- if .Values.enforcer.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: DaemonSet +metadata: + name: neuvector-enforcer-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: Helm + release: {{ .Release.Name }} +spec: + updateStrategy: {{- toYaml .Values.enforcer.updateStrategy | nindent 4 }} + selector: + matchLabels: + app: neuvector-enforcer-pod + template: + metadata: + labels: + app: neuvector-enforcer-pod + release: {{ .Release.Name }} + {{- with .Values.enforcer.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.enforcer.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.enforcer.tolerations }} + tolerations: +{{ toYaml .Values.enforcer.tolerations | indent 8 }} + {{- end }} + hostPID: true + {{- if .Values.enforcer.priorityClassName }} + priorityClassName: {{ .Values.enforcer.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: enforcer + serviceAccount: enforcer + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + containers: + - name: neuvector-enforcer-pod + image: {{ template "system_default_registry" . }}{{ .Values.enforcer.image.repository }}:{{ .Values.enforcer.image.tag }} + securityContext: + privileged: true + resources: + {{- if .Values.enforcer.resources }} +{{ toYaml .Values.enforcer.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: CLUSTER_ADVERTISED_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CLUSTER_BIND_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- with .Values.enforcer.env }} +{{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- if $pre530 }} + {{- if .Values.containerd.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.k3s.enabled }} + - mountPath: /run/containerd/containerd.sock + {{- else if .Values.bottlerocket.enabled }} + - mountPath: /var/run/containerd/containerd.sock + {{- else if .Values.crio.enabled }} + - mountPath: /var/run/crio/crio.sock + {{- else }} + - mountPath: /var/run/docker.sock + {{- end }} + name: runtime-sock + readOnly: true + - mountPath: /host/proc + name: proc-vol + readOnly: true + - mountPath: /host/cgroup + name: cgroup-vol + readOnly: true + {{- else if $runtimePath }} + - mountPath: /run/runtime.sock + name: runtime-sock + readOnly: true + {{- end }} + - mountPath: /lib/modules + name: modules-vol + readOnly: true + - mountPath: /var/nv_debug + name: nv-debug + readOnly: false + {{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }} + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.enforcer.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.enforcer.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.enforcer.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + terminationGracePeriodSeconds: 1200 + restartPolicy: Always + volumes: + {{- if $pre530 }} + - name: runtime-sock + hostPath: + {{- if .Values.containerd.enabled }} + path: {{ .Values.containerd.path }} + {{- else if .Values.crio.enabled }} + path: {{ .Values.crio.path }} + {{- else if .Values.k3s.enabled }} + path: {{ .Values.k3s.runtimePath }} + {{- else if .Values.bottlerocket.enabled }} + path: {{ .Values.bottlerocket.runtimePath }} + {{- else }} + path: {{ .Values.docker.path }} + {{- end }} + - name: proc-vol + hostPath: + path: /proc + - name: cgroup-vol + hostPath: + path: /sys/fs/cgroup + {{- else if $runtimePath }} + - name: runtime-sock + hostPath: + path: {{ $runtimePath }} + {{- end }} + - name: modules-vol + hostPath: + path: /lib/modules + - name: nv-debug + hostPath: + path: /var/nv_debug + {{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }} + - name: internal-cert + secret: + secretName: {{ .Values.enforcer.internal.certificate.secret }} + {{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/init-configmap.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/init-configmap.yaml new file mode 100644 index 0000000000..1300794afa --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/init-configmap.yaml @@ -0,0 +1,13 @@ +{{- if .Values.controller.configmap.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: neuvector-init + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +data: +{{ toYaml .Values.controller.configmap.data | indent 2 }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/init-secret.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/init-secret.yaml new file mode 100644 index 0000000000..d4bfca591d --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/init-secret.yaml @@ -0,0 +1,15 @@ +{{- if .Values.controller.secret.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-init + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +data: +{{- range $key, $val := .Values.controller.secret.data }} + {{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/manager-deployment.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/manager-deployment.yaml new file mode 100644 index 0000000000..2c0f46b668 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/manager-deployment.yaml @@ -0,0 +1,122 @@ +{{- if .Values.manager.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-manager-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + replicas: 1 + selector: + matchLabels: + app: neuvector-manager-pod + template: + metadata: + labels: + app: neuvector-manager-pod + release: {{ .Release.Name }} + {{- with .Values.manager.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.manager.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }} + annotations: + {{- if eq "true" (toString .Values.autoGenerateCert) }} + checksum/manager-secret: {{ include (print $.Template.BasePath "/manager-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.manager.podAnnotations }} + {{- toYaml .Values.manager.podAnnotations | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.manager.affinity }} + affinity: +{{ toYaml .Values.manager.affinity | indent 8 }} + {{- end }} + {{- if .Values.manager.tolerations }} + tolerations: +{{ toYaml .Values.manager.tolerations | indent 8 }} + {{- end }} + {{- if .Values.manager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.manager.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.manager.priorityClassName }} + priorityClassName: {{ .Values.manager.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: basic + serviceAccount: basic + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.manager.runAsUser }} + securityContext: + runAsUser: {{ .Values.manager.runAsUser }} + {{- end }} + containers: + - name: neuvector-manager-pod + image: {{ template "system_default_registry" . }}{{ .Values.manager.image.repository }}:{{ .Values.manager.image.tag }} + ports: + - name: http + containerPort: 8443 + protocol: TCP + env: + - name: CTRL_SERVER_IP + value: neuvector-svc-controller.{{ .Release.Namespace }} + {{- if not .Values.manager.env.ssl }} + - name: MANAGER_SSL + value: "off" + {{- end }} + {{- with .Values.manager.env.envs }} +{{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.manager.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.manager.certificate.keyFile }} + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.manager.certificate.pemFile }} + name: cert + readOnly: true + {{- else if eq "true" (toString .Values.autoGenerateCert) }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem + name: cert + readOnly: true + {{- end }} + resources: + {{- if .Values.manager.resources }} +{{ toYaml .Values.manager.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + restartPolicy: Always + volumes: + {{- if .Values.manager.certificate.secret }} + - name: cert + secret: + secretName: {{ .Values.manager.certificate.secret }} + {{- else if eq "true" (toString .Values.autoGenerateCert) }} + - name: cert + secret: + secretName: neuvector-manager-secret + {{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/manager-ingress.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/manager-ingress.yaml new file mode 100644 index 0000000000..52826fc5ec --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/manager-ingress.yaml @@ -0,0 +1,71 @@ +{{- if and .Values.manager.enabled .Values.manager.ingress.enabled -}} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-webui-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.manager.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.manager.ingress.ingressClassName }} + ingressClassName: {{ .Values.manager.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.manager.ingress.tls }} + tls: + - hosts: + - {{ .Values.manager.ingress.host }} +{{- if .Values.manager.ingress.secretName }} + secretName: {{ .Values.manager.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.manager.ingress.host }} + http: + paths: + - path: {{ .Values.manager.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-service-webui + port: + number: 8443 +{{- else }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-webui-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.manager.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.manager.ingress.tls }} + tls: + - hosts: + - {{ .Values.manager.ingress.host }} +{{- if .Values.manager.ingress.secretName }} + secretName: {{ .Values.manager.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.manager.ingress.host }} + http: + paths: + - path: {{ .Values.manager.ingress.path }} + backend: + serviceName: neuvector-service-webui + servicePort: 8443 +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/manager-route.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/manager-route.yaml new file mode 100644 index 0000000000..77262d5bd5 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/manager-route.yaml @@ -0,0 +1,33 @@ +{{- if .Values.openshift -}} +{{- if .Values.manager.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-webui + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.manager.route.host }} + host: {{ .Values.manager.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-service-webui + port: + targetPort: manager + tls: + termination: {{ .Values.manager.route.termination }} +{{- if or (eq .Values.manager.route.termination "reencrypt") (eq .Values.manager.route.termination "edge") }} +{{- with .Values.manager.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/manager-secret.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/manager-secret.yaml new file mode 100644 index 0000000000..601dae3720 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/manager-secret.yaml @@ -0,0 +1,20 @@ +{{- if .Values.manager.enabled -}} +{{- if eq "true" (toString .Values.autoGenerateCert) }} +{{- $cn := "neuvector" }} +{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-manager-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +type: Opaque +data: + ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} + ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-manager-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }} +--- +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/manager-service.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/manager-service.yaml new file mode 100644 index 0000000000..ab6e659756 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/manager-service.yaml @@ -0,0 +1,26 @@ +{{- if .Values.manager.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: neuvector-service-webui + namespace: {{ .Release.Namespace }} +{{- with .Values.manager.svc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + type: {{ .Values.manager.svc.type }} +{{- if and .Values.manager.svc.loadBalancerIP (eq .Values.manager.svc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.manager.svc.loadBalancerIP }} +{{- end }} + ports: + - port: 8443 + name: manager + protocol: TCP + selector: + app: neuvector-manager-pod +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/psp.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/psp.yaml new file mode 100644 index 0000000000..736acc4732 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/psp.yaml @@ -0,0 +1,160 @@ +{{- if and .Values.global.cattle.psp.enabled (semverCompare "<1.25-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: neuvector-binding-psp + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + labels: + chart: {{ template "neuvector.chart" . }} + heritage: Helm + release: {{ .Release.Name }} +spec: + privileged: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: true + allowedCapabilities: + - SYS_ADMIN + - NET_ADMIN + - SYS_PTRACE + - IPC_LOCK + requiredDropCapabilities: + - ALL + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: neuvector-binding-psp + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: Helm + release: {{ .Release.Name }} +rules: +- apiGroups: + - policy + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - neuvector-binding-psp +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: neuvector-binding-psp + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: Helm + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: neuvector-binding-psp +subjects: +{{- if .Values.leastPrivilege }} +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} +{{- else }} +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} + +{{- if .Values.leastPrivilege }} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: neuvector-binding-psp-controller + labels: + chart: {{ template "neuvector.chart" . }} + heritage: Helm + release: {{ .Release.Name }} +spec: + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + allowedCapabilities: null + requiredDropCapabilities: + - ALL + volumes: + - configMap + - downwardAPI + - emptyDir + - persistentVolumeClaim + - azureFile + - projected + - secret + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: neuvector-binding-psp-controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: Helm + release: {{ .Release.Name }} +rules: +- apiGroups: + - policy + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - neuvector-binding-psp-controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: neuvector-binding-psp-controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: Helm + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: neuvector-binding-psp-controller +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- end }} + +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/pvc.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/pvc.yaml new file mode 100644 index 0000000000..b7e97e7df0 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/pvc.yaml @@ -0,0 +1,27 @@ +{{- if not .Values.controller.pvc.existingClaim -}} +{{- if and .Values.controller.enabled .Values.controller.pvc.enabled -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: neuvector-data + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + accessModes: +{{ toYaml .Values.controller.pvc.accessModes | indent 4 }} + volumeMode: Filesystem +{{- if .Values.controller.pvc.storageClass }} + storageClassName: {{ .Values.controller.pvc.storageClass }} +{{- end }} + resources: + requests: +{{- if .Values.controller.pvc.capacity }} + storage: {{ .Values.controller.pvc.capacity }} +{{- else }} + storage: 1Gi +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/registry-adapter-ingress.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/registry-adapter-ingress.yaml new file mode 100644 index 0000000000..aec7161c65 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/registry-adapter-ingress.yaml @@ -0,0 +1,109 @@ +{{- if .Values.cve.adapter.enabled -}} + +{{- if .Values.cve.adapter.ingress.enabled }} +{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: neuvector-registry-adapter-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.cve.adapter.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.cve.adapter.ingress.ingressClassName }} + ingressClassName: {{ .Values.cve.adapter.ingress.ingressClassName | quote }} +{{ end }} +{{- if .Values.cve.adapter.ingress.tls }} + tls: + - hosts: + - {{ .Values.cve.adapter.ingress.host }} +{{- if .Values.cve.adapter.ingress.secretName }} + secretName: {{ .Values.cve.adapter.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.cve.adapter.ingress.host }} + http: + paths: + - path: {{ .Values.cve.adapter.ingress.path }} + pathType: Prefix + backend: + service: + name: neuvector-service-registry-adapter + port: + number: 9443 +{{- else }} +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: neuvector-registry-adapter-ingress + namespace: {{ .Release.Namespace }} +{{- with .Values.cve.adapter.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.cve.adapter.ingress.tls }} + tls: + - hosts: + - {{ .Values.cve.adapter.ingress.host }} +{{- if .Values.cve.adapter.ingress.secretName }} + secretName: {{ .Values.cve.adapter.ingress.secretName }} +{{- end }} +{{- end }} + rules: + - host: {{ .Values.cve.adapter.ingress.host }} + http: + paths: + - path: {{ .Values.cve.adapter.ingress.path }} + backend: + serviceName: neuvector-service-webui + servicePort: 9443 +{{- end }} +{{- end }} + +--- + +{{- if and .Values.openshift .Values.cve.adapter.route.enabled }} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: route.openshift.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Route +metadata: + name: neuvector-route-registry-adapter + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: +{{- if .Values.cve.adapter.route.host }} + host: {{ .Values.cve.adapter.route.host }} +{{- end }} + to: + kind: Service + name: neuvector-service-registry-adapter + port: + targetPort: registry-adapter + tls: + termination: {{ .Values.cve.adapter.route.termination }} +{{- if or (eq .Values.cve.adapter.route.termination "reencrypt") (eq .Values.cve.adapter.route.termination "edge") }} +{{- with .Values.cve.adapter.route.tls }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{- end }} + +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/registry-adapter-secret.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/registry-adapter-secret.yaml new file mode 100644 index 0000000000..64ee05f18d --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/registry-adapter-secret.yaml @@ -0,0 +1,15 @@ +{{- if .Values.cve.adapter.enabled -}} +{{- if eq "true" (toString .Values.autoGenerateCert) }} +{{- $cn := "neuvector" }} +{{- $cert := genSelfSignedCert $cn nil (list $cn "neuvector-service-registry-adapter.cattle-neuvector-system.svc.cluster.local" "neuvector-service-registry-adapter") (.Values.defaultValidityPeriod | int) -}} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-registry-adapter-secret +type: Opaque +data: + ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-registry-adapter-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }} + ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-registry-adapter-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }} +--- +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/registry-adapter.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/registry-adapter.yaml new file mode 100644 index 0000000000..3002aa18c3 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/registry-adapter.yaml @@ -0,0 +1,192 @@ +{{- if .Values.cve.adapter.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-registry-adapter-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + replicas: 1 + selector: + matchLabels: + app: neuvector-registry-adapter-pod + template: + metadata: + labels: + app: neuvector-registry-adapter-pod + release: {{ .Release.Name }} + {{- with .Values.cve.adapter.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.cve.adapter.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }} + annotations: + {{- if eq "true" (toString .Values.autoGenerateCert) }} + checksum/registry-adapter-secret: {{ include (print $.Template.BasePath "/registry-adapter-secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.cve.adapter.podAnnotations }} + {{- toYaml .Values.cve.adapter.podAnnotations | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- if .Values.cve.adapter.affinity }} + affinity: +{{ toYaml .Values.cve.adapter.affinity | indent 8 }} + {{- end }} + {{- if .Values.cve.adapter.tolerations }} + tolerations: +{{ toYaml .Values.cve.adapter.tolerations | indent 8 }} + {{- end }} + {{- if .Values.cve.adapter.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.adapter.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.adapter.priorityClassName }} + priorityClassName: {{ .Values.cve.adapter.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: registry-adapter + serviceAccount: registry-adapter + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.cve.adapter.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.adapter.runAsUser }} + {{- end }} + containers: + - name: neuvector-registry-adapter-pod + {{- if eq .Values.registry "registry.neuvector.com" }} + {{- if .Values.oem }} + image: "{{ .Values.registry }}/{{ .Values.oem }}/registry-adapter:{{ .Values.cve.adapter.image.tag }}" + {{- else }} + image: "{{ .Values.registry }}/registry-adapter:{{ .Values.cve.adapter.image.tag }}" + {{- end }} + {{- else }} + {{- if .Values.cve.adapter.image.hash }} + image: "{{ .Values.registry }}/{{ .Values.cve.adapter.image.repository }}@{{ .Values.cve.adapter.image.hash }}" + {{- else }} + image: {{ template "system_default_registry" . }}{{ .Values.cve.adapter.image.repository }}:{{ .Values.cve.adapter.image.tag }} + {{- end }} + {{- end }} + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + - name: HARBOR_SERVER_PROTO + value: {{ .Values.cve.adapter.harbor.protocol }} + {{- if .Values.cve.adapter.harbor.secretName }} + - name: HARBOR_BASIC_AUTH_USERNAME + valueFrom: + secretKeyRef: + name: {{ .Values.cve.adapter.harbor.secretName }} + key: username + - name: HARBOR_BASIC_AUTH_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.cve.adapter.harbor.secretName }} + key: password + {{- end }} + {{- with .Values.cve.adapter.env }} +{{- toYaml . | nindent 14 }} + {{- end }} + volumeMounts: + {{- if .Values.cve.adapter.certificate.secret }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: {{ .Values.cve.adapter.certificate.keyFile }} + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: {{ .Values.cve.adapter.certificate.pemFile }} + name: cert + readOnly: true + {{- else if eq "true" (toString .Values.autoGenerateCert) }} + - mountPath: /etc/neuvector/certs/ssl-cert.key + subPath: ssl-cert.key + name: cert + readOnly: true + - mountPath: /etc/neuvector/certs/ssl-cert.pem + subPath: ssl-cert.pem + name: cert + readOnly: true + {{- end }} + resources: + {{- if .Values.cve.adapter.resources }} +{{ toYaml .Values.cve.adapter.resources | indent 12 }} + {{- else }} +{{ toYaml .Values.resources | indent 12 }} + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }} + volumeMounts: + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.cve.adapter.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.cve.adapter.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.cve.adapter.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + restartPolicy: Always + volumes: + {{- if .Values.cve.adapter.certificate.secret }} + - name: cert + secret: + secretName: {{ .Values.cve.adapter.certificate.secret }} + {{- else if eq "true" (toString .Values.autoGenerateCert) }} + - name: cert + secret: + secretName: neuvector-registry-adapter-secret + {{- end }} + {{- if or .Values.internal.certmanager.enabled .Values.cve.adapter.internal.certificate.secret }} + - name: internal-cert + secret: + secretName: {{ .Values.cve.adapter.internal.certificate.secret }} + {{- end }} + +--- + +apiVersion: v1 +kind: Service +metadata: + name: neuvector-service-registry-adapter + namespace: {{ .Release.Namespace }} +{{- with .Values.cve.adapter.svc.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + type: {{ .Values.cve.adapter.svc.type }} +{{- if and .Values.cve.adapter.svc.loadBalancerIP (eq .Values.cve.adapter.svc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.cve.adapter.svc.loadBalancerIP }} +{{- end }} + ports: + - name: registry-adapter +{{- if (eq .Values.cve.adapter.harbor.protocol "https") }} + port: 9443 +{{- else }} + port: 8090 +{{- end }} + protocol: TCP + selector: + app: neuvector-registry-adapter-pod + +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/role-least.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/role-least.yaml new file mode 100644 index 0000000000..85202c9b7b --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/role-least.yaml @@ -0,0 +1,29 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-scanner + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - watch + - patch + - update +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/role.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/role.yaml new file mode 100644 index 0000000000..01dc47c4b5 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/role.yaml @@ -0,0 +1,24 @@ +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: Role +metadata: + name: neuvector-binding-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/rolebinding-least.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/rolebinding-least.yaml new file mode 100644 index 0000000000..19cdec0867 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/rolebinding-least.yaml @@ -0,0 +1,169 @@ +{{- if and .Values.rbac .Values.leastPrivilege -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-scanner + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-scanner +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: updater + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-secret +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:controller +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:privileged + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:privileged +subjects: +- kind: ServiceAccount + name: enforcer + namespace: {{ .Release.Namespace }} + +--- + +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: null +apiVersion: security.openshift.io/v1 +defaultAddCapabilities: null +fsGroup: + type: RunAsAny +groups: [] +kind: SecurityContextConstraints +metadata: + name: neuvector-scc-controller +priority: null +readOnlyRootFilesystem: false +requiredDropCapabilities: +- ALL +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +supplementalGroups: + type: RunAsAny +users: [] +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- azureFile +- projected +- secret + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system:openshift:scc:neuvector-scc-controller + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - neuvector-scc-controller + resources: + - securitycontextconstraints + verbs: + - use + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:neuvector-scc-controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:neuvector-scc-controller +subjects: +- kind: ServiceAccount + name: controller + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/rolebinding.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/rolebinding.yaml new file mode 100644 index 0000000000..23c07f4fb3 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/rolebinding.yaml @@ -0,0 +1,88 @@ +{{- if and .Values.rbac (not .Values.leastPrivilege) -}} +{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} +{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-admin + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- end }} + name: admin +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc3 }} +apiVersion: authorization.openshift.io/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- else }} +apiVersion: v1 +{{- end }} +kind: RoleBinding +metadata: + name: neuvector-binding-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: +{{- if not $oc3 }} + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- end }} + name: neuvector-binding-secret +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- if $oc3 }} +userNames: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }} +{{- end }} + +--- + +{{- if $oc4 }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system:openshift:scc:privileged + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:openshift:scc:privileged +subjects: +- kind: ServiceAccount + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/scanner-deployment.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/scanner-deployment.yaml new file mode 100644 index 0000000000..9a92fac7d5 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/scanner-deployment.yaml @@ -0,0 +1,102 @@ +{{- if .Values.cve.scanner.enabled -}} +{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: apps/v1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Deployment +metadata: + name: neuvector-scanner-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + heritage: Helm + release: {{ .Release.Name }} +spec: + strategy: +{{ toYaml .Values.cve.scanner.strategy | indent 4 }} + replicas: {{ .Values.cve.scanner.replicas }} + selector: + matchLabels: + app: neuvector-scanner-pod + template: + metadata: + labels: + app: neuvector-scanner-pod + {{- with .Values.cve.scanner.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cve.scanner.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.cve.scanner.affinity }} + affinity: +{{ toYaml .Values.cve.scanner.affinity | indent 8 }} + {{- end }} + {{- if .Values.cve.scanner.tolerations }} + tolerations: +{{ toYaml .Values.cve.scanner.tolerations | indent 8 }} + {{- end }} + {{- if .Values.cve.scanner.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.scanner.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.scanner.priorityClassName }} + priorityClassName: {{ .Values.cve.scanner.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: scanner + serviceAccount: scanner + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.cve.scanner.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.scanner.runAsUser }} + {{- end }} + containers: + - name: neuvector-scanner-pod + image: {{ template "system_default_registry" . }}{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }} + imagePullPolicy: Always + env: + - name: CLUSTER_JOIN_ADDR + value: neuvector-svc-controller.{{ .Release.Namespace }} + {{- if .Values.cve.scanner.dockerPath }} + - name: SCANNER_DOCKER_URL + value: {{ .Values.cve.scanner.dockerPath }} + {{- end }} + {{- with .Values.cve.scanner.env }} +{{- toYaml . | nindent 12 }} + {{- end }} + resources: +{{ toYaml .Values.cve.scanner.resources | indent 12 }} + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} + volumeMounts: + - mountPath: /etc/neuvector/certs/internal/cert.key + subPath: {{ .Values.cve.scanner.internal.certificate.keyFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/cert.pem + subPath: {{ .Values.cve.scanner.internal.certificate.pemFile }} + name: internal-cert + readOnly: true + - mountPath: /etc/neuvector/certs/internal/ca.cert + subPath: {{ .Values.cve.scanner.internal.certificate.caFile }} + name: internal-cert + readOnly: true + {{- end }} + restartPolicy: Always + {{- if or .Values.internal.certmanager.enabled .Values.cve.scanner.internal.certificate.secret }} + volumes: + - name: internal-cert + secret: + secretName: {{ .Values.cve.scanner.internal.certificate.secret }} + {{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/serviceaccount-least.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/serviceaccount-least.yaml new file mode 100644 index 0000000000..8b925644fa --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/serviceaccount-least.yaml @@ -0,0 +1,72 @@ +{{- if .Values.leastPrivilege }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: basic + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: controller + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: enforcer + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: scanner + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: updater + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: registry-adapter + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm + +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/serviceaccount.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/serviceaccount.yaml new file mode 100644 index 0000000000..46a3027c4c --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if not .Values.leastPrivilege }} +{{- if ne .Values.serviceAccount "default"}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.serviceAccount }} + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/updater-cronjob.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/updater-cronjob.yaml new file mode 100644 index 0000000000..96237b5ee6 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/updater-cronjob.yaml @@ -0,0 +1,79 @@ +{{- if .Values.cve.updater.enabled -}} +{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1 +{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} +apiVersion: batch/v1beta1 +{{- else }} +apiVersion: batch/v2alpha1 +{{- end }} +kind: CronJob +metadata: + name: neuvector-updater-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: Helm +spec: + schedule: {{ .Values.cve.updater.schedule | quote }} + jobTemplate: + spec: + template: + metadata: + labels: + app: neuvector-updater-pod + release: {{ .Release.Name }} + {{- with .Values.cve.updater.podLabels }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cve.updater.podAnnotations }} + annotations: + {{- toYaml . | nindent 12 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.cve.updater.nodeSelector }} + nodeSelector: +{{ toYaml .Values.cve.updater.nodeSelector | indent 12 }} + {{- end }} + {{- if .Values.cve.updater.priorityClassName }} + priorityClassName: {{ .Values.cve.updater.priorityClassName }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: updater + serviceAccount: updater + {{- else }} + serviceAccountName: {{ .Values.serviceAccount }} + serviceAccount: {{ .Values.serviceAccount }} + {{- end }} + {{- if .Values.cve.updater.runAsUser }} + securityContext: + runAsUser: {{ .Values.cve.updater.runAsUser }} + {{- end }} + containers: + - name: neuvector-updater-pod + image: {{ template "system_default_registry" . }}{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }} + imagePullPolicy: Always + {{- if .Values.cve.scanner.enabled }} + command: + - /bin/sh + - -c + {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} + {{- if .Values.cve.updater.secure }} + {{- if .Values.cve.updater.cacert }} + - /usr/bin/curl -v --cacert {{ .Values.cve.updater.cacert }} -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- else }} + - /usr/bin/curl -v -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- end }} + {{- else }} + - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- end }} + {{- else }} + - /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/extensions/v1beta1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod' + {{- end }} + {{- end }} + restartPolicy: Never +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/templates/validate-psp-install.yaml b/charts/neuvector/102.0.9+up2.7.6/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..da62c4d183 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +{{- if .Values.global.cattle.psp.enabled }} +{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/neuvector/102.0.9+up2.7.6/values.yaml b/charts/neuvector/102.0.9+up2.7.6/values.yaml new file mode 100644 index 0000000000..4f4f972555 --- /dev/null +++ b/charts/neuvector/102.0.9+up2.7.6/values.yaml @@ -0,0 +1,536 @@ +# Default values for neuvector. +# This is a YAML-formatted file. +# Declare variables to be passed into the templates. + +openshift: false + +registry: docker.io +tag: 5.3.2 +oem: +rbac: true # required for rancher authentication +serviceAccount: neuvector +leastPrivilege: false + +global: # required for rancher authentication (https:///) + cattle: + url: + systemDefaultRegistry: "" + psp: + enabled: false # PSP enablement should default to false +autoGenerateCert: true + +defaultValidityPeriod: 365 + +internal: # enable when cert-manager is installed for the internal certificates + certmanager: + enabled: false + secretname: neuvector-internal + +controller: + # If false, controller will not be installed + enabled: true + annotations: {} + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + image: + repository: rancher/mirrored-neuvector-controller + tag: 5.3.2 + hash: + replicas: 3 + disruptionbudget: 0 + schedulerName: + priorityClassName: + podLabels: {} + podAnnotations: {} + env: [] + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - neuvector-controller-pod + topologyKey: "kubernetes.io/hostname" + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + apisvc: + type: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ranchersso: # required for rancher authentication + enabled: true + pvc: + enabled: false + existingClaim: false + accessModes: + - ReadWriteMany + storageClass: + capacity: + azureFileShare: + enabled: false + secretName: + shareName: + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.pem + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + federation: + mastersvc: + type: + loadBalancerIP: + clusterIP: + nodePort: # Must be a valid NodePort: 30000-32767 + externalTrafficPolicy: + internalTrafficPolicy: + # Federation Master Ingress + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + managedsvc: + type: + loadBalancerIP: + clusterIP: + nodePort: # Must be a valid NodePort: 30000-32767 + externalTrafficPolicy: + internalTrafficPolicy: + # Federation Managed Ingress + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + annotations: {} + # OpenShift Route configuration + # Controller supports HTTPS only, so edge termination not supported + route: + enabled: false + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" # or this could be "/api", but might need "rewrite-target" annotation + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # ingress.kubernetes.io/rewrite-target: / + tls: false + secretName: + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + configmap: + enabled: false + data: + # passwordprofileinitcfg.yaml: | + # ... + # roleinitcfg.yaml: | + # ... + # ldapinitcfg.yaml: | + # ... + # oidcinitcfg.yaml: | + # ... + # samlinitcfg.yaml: | + # ... + # sysinitcfg.yaml: | + # ... + # userinitcfg.yaml: | + # ... + secret: + # NOTE: files defined here have preferrence over the ones defined in the configmap section + enabled: false + data: + # passwordprofileinitcfg.yaml: + # ... + # roleinitcfg.yaml: + # ... + # ldapinitcfg.yaml: + # directory: OpenLDAP + # ... + # oidcinitcfg.yaml: + # Issuer: https://... + # ... + # samlinitcfg.yaml: + # ... + # sysinitcfg.yaml: + # ... + userinitcfg.yaml: + users: + - Fullname: admin + Password: + Role: admin + +enforcer: + # If false, enforcer will not be installed + enabled: true + image: + repository: rancher/mirrored-neuvector-enforcer + tag: 5.3.2 + hash: + updateStrategy: + type: RollingUpdate + priorityClassName: + podLabels: {} + podAnnotations: {} + env: [] + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + +manager: + # If false, manager will not be installed + enabled: true + image: + repository: rancher/mirrored-neuvector-manager + tag: 5.3.2 + hash: + priorityClassName: + env: + ssl: true + envs: [] + # - name: CUSTOM_PAGE_HEADER_COLOR + # value: "#FFFFFF" + # - name: CUSTOM_PAGE_FOOTER_COLOR + # value: "#FFFFFF" + svc: + type: NodePort # should be set to - ClusterIP + loadBalancerIP: + annotations: + {} + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # OpenShift Route configuration + # Make sure manager env ssl is false for edge termination + route: + enabled: true + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.pem + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # kubernetes.io/ingress.class: my-nginx + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1" + # nginx.ingress.kubernetes.io/rewrite-target: / + # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" + # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert + tls: false + secretName: # my-tls-secret + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + affinity: {} + podLabels: {} + podAnnotations: {} + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + +cve: + adapter: + enabled: false + image: + repository: rancher/mirrored-neuvector-registry-adapter + tag: 0.1.1-s1 + hash: + priorityClassName: + resources: + {} + # limits: + # cpu: 400m + # memory: 512Mi + # requests: + # cpu: 100m + # memory: 1024Mi + affinity: {} + podLabels: {} + podAnnotations: {} + env: [] + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + ## TLS cert/key. If absent, TLS cert/key automatically generated will be used. + ## + ## default: (none) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + harbor: + protocol: https + secretName: + svc: + type: NodePort # should be set to - ClusterIP + loadBalancerIP: + annotations: + {} + # azure + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + # OpenShift Route configuration + route: + enabled: true + termination: passthrough + host: + tls: + #certificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #caCertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #destinationCACertificate: | + # -----BEGIN CERTIFICATE----- + # -----END CERTIFICATE----- + #key: | + # -----BEGIN PRIVATE KEY----- + # -----END PRIVATE KEY----- + ingress: + enabled: false + host: # MUST be set, if ingress is enabled + ingressClassName: "" + path: "/" + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + # kubernetes.io/ingress.class: my-nginx + # nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1" + # nginx.ingress.kubernetes.io/rewrite-target: / + # nginx.ingress.kubernetes.io/enable-rewrite-log: "true" + # only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert + tls: false + secretName: # my-tls-secret + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + updater: + # If false, cve updater will not be installed + enabled: true + secure: false + cacert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + image: + registry: "" + repository: rancher/mirrored-neuvector-updater + tag: latest + hash: + schedule: "0 0 * * *" + priorityClassName: + podLabels: {} + podAnnotations: {} + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + scanner: + enabled: true + replicas: 3 + dockerPath: "" + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + image: + registry: "" + repository: rancher/mirrored-neuvector-scanner + tag: latest + hash: + priorityClassName: + resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + affinity: {} + podLabels: {} + podAnnotations: {} + env: [] + tolerations: [] + nodeSelector: + {} + # key1: value1 + # key2: value2 + runAsUser: # MUST be set for Rancher hardened cluster + internal: # this is used for internal communication. Please use the SAME CA for all the components (controller, scanner, adapter and enforcer) + certificate: + secret: "" + keyFile: tls.key + pemFile: tls.crt + caFile: ca.crt # must be the same CA for all internal. + +resources: + {} + # limits: + # cpu: 400m + # memory: 2792Mi + # requests: + # cpu: 100m + # memory: 2280Mi + +runtimePath: + +# The following runtime type and socket location are deprecated after 5.3.0. +# If the socket path is not at the default location, use above 'runtimePath' to specify the location. +docker: + path: /var/run/docker.sock + +k3s: + enabled: false + runtimePath: /run/k3s/containerd/containerd.sock + +bottlerocket: + enabled: false + runtimePath: /run/dockershim.sock + +containerd: + enabled: false + path: /var/run/containerd/containerd.sock + +crio: + enabled: false + path: /var/run/crio/crio.sock + +admissionwebhook: + type: ClusterIP + +crdwebhook: + enabled: true + type: ClusterIP diff --git a/index.yaml b/index.yaml index c2423e3d6f..79f87f5802 100755 --- a/index.yaml +++ b/index.yaml @@ -5510,6 +5510,37 @@ entries: urls: - assets/neuvector/neuvector-103.0.0+up2.6.4.tgz version: 103.0.0+up2.6.4 + - annotations: + catalog.cattle.io/auto-install: neuvector-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.30.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 2.7.6 + apiVersion: v1 + appVersion: 5.3.2 + created: "2024-04-17T18:08:12.490434-03:00" + description: Helm feature chart for NeuVector container security platform. + digest: 62c81240577fe1300f5a85e9d8748fe1ca3e008d34f2ab91e67b7076b3f2d695 + home: https://neuvector.com + icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 + keywords: + - security + maintainers: + - email: support@neuvector.com + name: becitsthere + name: neuvector + sources: + - https://github.com/neuvector/neuvector + urls: + - assets/neuvector/neuvector-102.0.9+up2.7.6.tgz + version: 102.0.9+up2.7.6 - annotations: catalog.cattle.io/auto-install: neuvector-crd=match catalog.cattle.io/certified: rancher @@ -6093,6 +6124,26 @@ entries: urls: - assets/neuvector-crd/neuvector-crd-103.0.0+up2.6.4.tgz version: 103.0.0+up2.6.4 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/release-name: neuvector-crd + apiVersion: v1 + appVersion: 5.3.2 + created: "2024-04-17T18:08:45.50861-03:00" + description: Helm chart for NeuVector's CRD services + digest: 68588f94dd25824a2a93bf3457b08143005727895e7bfb0454b436edd64157dc + home: https://neuvector.com + icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 + maintainers: + - email: support@neuvector.com + name: becitsthere + name: neuvector-crd + type: application + urls: + - assets/neuvector-crd/neuvector-crd-102.0.9+up2.7.6.tgz + version: 102.0.9+up2.7.6 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index c2c7c38fbb..2d26868420 100644 --- a/release.yaml +++ b/release.yaml @@ -1,6 +1,6 @@ neuvector: - - 103.0.3+up2.7.6 + - 102.0.9+up2.7.6 neuvector-crd: - - 103.0.3+up2.7.6 + - 102.0.9+up2.7.6 longhorn: - 102.4.0+up1.6.1 From 5df431be2b4e1e4997531b86ca8efe213b460ced Mon Sep 17 00:00:00 2001 From: Lucas Machado Date: Wed, 17 Apr 2024 18:37:44 -0300 Subject: [PATCH 4/4] [dev-v2.8] Forward ports neuvector-monitor 102.0.9+up2.7.6 (#3798) --- .../neuvector-monitor-102.0.9+up2.7.6.tgz | Bin 0 -> 8351 bytes .../102.0.9+up2.7.6/Chart.yaml | 27 + .../102.0.9+up2.7.6/README.md | 22 + .../102.0.9+up2.7.6/app-readme.md | 5 + .../dashboards/nv_dashboard.json | 2036 +++++++++++++++++ .../102.0.9+up2.7.6/questions.yaml | 27 + .../102.0.9+up2.7.6/templates/_helpers.tpl | 40 + .../102.0.9+up2.7.6/templates/dashboard.yaml | 19 + .../templates/exporter-deployment.yaml | 75 + .../templates/exporter-service.yaml | 28 + .../templates/exporter-servicemonitor.yaml | 39 + .../102.0.9+up2.7.6/templates/secret.yaml | 15 + .../102.0.9+up2.7.6/values.yaml | 59 + index.yaml | 31 + release.yaml | 4 + 15 files changed, 2427 insertions(+) create mode 100644 assets/neuvector-monitor/neuvector-monitor-102.0.9+up2.7.6.tgz create mode 100644 charts/neuvector-monitor/102.0.9+up2.7.6/Chart.yaml create mode 100644 charts/neuvector-monitor/102.0.9+up2.7.6/README.md create mode 100644 charts/neuvector-monitor/102.0.9+up2.7.6/app-readme.md create mode 100644 charts/neuvector-monitor/102.0.9+up2.7.6/dashboards/nv_dashboard.json create mode 100644 charts/neuvector-monitor/102.0.9+up2.7.6/questions.yaml create mode 100644 charts/neuvector-monitor/102.0.9+up2.7.6/templates/_helpers.tpl create mode 100644 charts/neuvector-monitor/102.0.9+up2.7.6/templates/dashboard.yaml create mode 100644 charts/neuvector-monitor/102.0.9+up2.7.6/templates/exporter-deployment.yaml create mode 100644 charts/neuvector-monitor/102.0.9+up2.7.6/templates/exporter-service.yaml create mode 100644 charts/neuvector-monitor/102.0.9+up2.7.6/templates/exporter-servicemonitor.yaml create mode 100644 charts/neuvector-monitor/102.0.9+up2.7.6/templates/secret.yaml create mode 100644 charts/neuvector-monitor/102.0.9+up2.7.6/values.yaml diff --git a/assets/neuvector-monitor/neuvector-monitor-102.0.9+up2.7.6.tgz b/assets/neuvector-monitor/neuvector-monitor-102.0.9+up2.7.6.tgz new file mode 100644 index 0000000000000000000000000000000000000000..8f952fa90796d006871d2412e2cbc6692d5d4a44 GIT binary patch literal 8351 zcmV;QAYk7giwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKBhbKAI*Xg>2-^wQ^?Np>w+l3$7H%(>UGotfN?6PN8|ZgwW+ zKqMsLm?Ss=C|eWzzi$EHn;<3m?L@3f#UdWvXf*nT1{mOIf*nCw%clVml&$TK5fkkx z^1Wxb^mIC%&eq0;`oGiZl>hH;ZLL4+Zfte7y1ia^qx-DW-Pqb*e+He~LZIo1xIpY# z=f<$ggL@(m3IZySAT;283&24Fd34lvkPsej6T0SLCdiOrw+{>j&KNUeHJ9+vL(^7( zeB6ikIQpcx3Jx?^8QYvi1KgTm#t9Aj@YBD3?zX!x+nrVi{t4Z7@0I-XCu2(qg@?$& zeb6sk86Wd07uYv8qr49u38D*QX^5Fm1aHl##pr~%n72j~)`t{q+oAs2q-$&v)2%R6 z=(V@wq4wG@>qpA4hY`myT`Q~A*hWl4NfCesfdb?-2m^+MwLcRJGdp-;?5)s4TNZA3;sVYO>3qY>hq5%k+V~HVU5Tj3m z5u6h-wg3(p^|2V^h_C&^&=3WvZH=iM^jL_H_t(}6w6=&Np(kZ%f&^l`*B%iujs_9O z%%Oq6flw0@t#x0mZ*BLsH~$a+x!39ZWAgKcb%v+sl)1cbwSZ$MVnj?WACW*H5@4p@ zV;>Q(4?GG(%EbRIq5z<0Wq=(bxEN!Gt-5*QG-3``eI__-R26<{{p>F*ot18<*Y31m z{Z|y~`MK5gUzPt8L5!e*hq+wt0}LVJ9J@dQK|zc$2<(R* z5}3CwYvj=Z@?wo6JS_hL(4sp==m?Jp7i`)G+qNv0{&J~vhFP0Xi(p6=tmjnrbf4C=sF(CufX;k))R-v7mr}VdT=l zn}U>J@E;by?#a=+(~rmdNAGtI_WOWbp9IP4!=2;f-##4eWv?BOMOZ$TbSaKwxYv`|t;g;;LHHbTGkw9P;Ag>R$#KOL5KP?^& z0xbGqqcG(0FIx_Kq;=jN;^P5D%&nOvt#V@1$F^Ywj-bbaLrAy<2gO0W?E4rw)JXJUx|@XGDb>-<3hXk zOne&~n#Q#P#|}fGT;2k+3G&)f4#*|Xu~=1IWp)R+u_WZhHd6RS9J?A!@>Yo@4dVa{ zMw}z8P~WA&kc{+l4nuD$|KP|ErCdZqDRxx%Bp9v2Ad<3YNSOpS!dxQXjyq*|*f*I9 zInhEx%#c*srgsC64%VbKv$jW_$j5=E%^C_x+jm!(#@12TDv*AD6eJk&KK%YAMrMw& z#p6f@_fVr?CHx;+zdrV-YX7BbdhK+Ky%00r7U7Ld!5Q{nZ+&yKWdCjVwlc6SQp^7AOR_j)+=u^MySlPuEo=WGM1iY>rc^dShw5+T^R=zGUQ0?* z5@4`1BU0A3p_P>@Dcjb8CTVRz`;&G$WX%r~%ouSoTuRL!IIy*@{v`f!G#ru(uv=MY zIB?b98pBm-VTA~baY|>@z_~b?}*UG z=m0BC14x?N68RY02I9(EMFNvyO3$P)rD;;9w!&OQ_juOR-_!v5KhHm}IXqKZ=w8~f zF{2x&xE9_nj9|z}AckQ7owxqZ?NV)p5oyL=Vnz&;|uG7w45@|9zb%w#L z+1KizFxPhTd_A)x(Xw)+_B(%4ULoM!q+H(@O|Q;Nn2QMouJEC1-s{c`sNY zQrfs#5U+f9waBHDILS!Y{x_G?erd@WdqX_T+rMA|c0M#vt}fM10s)F39-94s_@_z! zC+yR5ap=*h^uDj931-Ou&F*^1|Lb+PHaC{?|302N0hEaQR!QEYFyw2g(BDfL!zA^a z!r`ru8dSg>!dw}{s&>Mt22;762jsJFSrBR?U2ab_1Hn|@|auU3oaM2xE}p6*v|$9 zZbnl8S66Gf*ShJN0pq^OI#wOG1scKCm0iFm_K6ok<5qy?XJ;lR1^HbYT#$0S9*=A@ z7Ot*l;yVl7bfFzmk2upl?0DyB%1h169ACGoS%gr_{tZi@+nWP*988LxB@03A67L+o zJw4t(`t){pzfcMEmcQBg(mTIJFj>F*|NrpA(aHYNsr=8}X-U^WRYv7(jokKh-qAFI ze*fmf(eD1y>G8?V$#D(rZ{Owwk~xyL+NZROd|glPH;npanrn@Bgoo9cH4VGC<6a&w z092L1oNd2-Gc3G(moo)qOOK_Q6bwt-S(Mhx(z|;~&s_drlI?KKFyO5C-^TVv+5hXV zZ!P`5`*>pEgaWtT2Q*lC6Q|ZgOr68niCWY%oZBmGFhD2HTmdta!rjO^Pleq>`kyeD zSCqP`I!DT+G9*!CX*RyPd6zYdc~$T{XCPO5wBO}w+b?3Gl`^yHa4JEnQeW1MiQfY4 z$V%J7$}6;@_p8&F4$Dr|bEhskcSse_Uf>H83mxW24h6$^YKw zQvTo1Q)iqOQ~GL!eU``Hb|}M?C+8pvDj+!o@&KBkIE?Q_Da<)*^KV?48`ka&CEDf| z!l3y{KCX7BW;*Gu)x-oia6?LhvZ^R*hB*nBrhaBIyEN_7sK;hCulP|@NWcThW_ttZwbPn6E@ zn6yWs3S7cqYXb)kT*99b6*2hId7s*Dk}Ae-3{tPU{*U%|_73*jzI$stHp~9s>X!4r zH+swSfA{mO|jF9Q!X@d?i^(xTF(49ad*_$$bM6p>>(do8?3%vs5YY<~3V2mcXDDM^9 z7Ugn$hCop8=!gUmACAq=RJI}G4yl^cwV{Ek)f2#1v-bE3|0owFkiVu=&Cf^}V%Mte z;}Sk{%oKf_@H~!2Bg};?O7hHQm1KdcGpYI@YkIb|l^t%qgs-Ybk<=xWFX0ezeomR& zh>5u`iBcuU^yC2gH^erk^##qDO0%=b9n#Z z1j5MkVE6FjnvZ?TP4zE6`RX+XUM37IbRzR565TzRct;6txn8DUVs@I5KndFpdgUa)}j7@ z1lZL*%Jrt?iCoO^4oxwG?HrsTVfY+*UOO2Wa2#+V$OMBl&vh@kA!JR{F-W&TuKD)D zCJ`KJeea_)3_M~Oj`ojFVCV2{s-B0jNukA<)UY|lOn7pJx_yU&p}PK?GP$n@qjCLr z*Ec(x<@kSRqq98!c`wg53&1`-B|#VoZujAL9V(6^X0|$6*aurK7k!0|y_%FMS6dcl zR$W$@yCX-2YcAZff~`btN0zm ze@291!zdG+;$spSK;jx-Csg^RTo51hlV#mbyVqWiFcJ7fGAt-ON3gV>r`i3y@g<%vYg||0^ zKzz(GBiJxCCtB4O3#;JLHIdutl8eI9OPFwxE{6;&0DBM-PrQ{qbyu^uIWFqwYB%$l zDvydwDJ{Cn^{&;Ot#5qEy&n_T@Rm3<*rgt2vR^hDpy!=c=ykiR(A(Txh3<ae#YMW<63l-i-%38r>@%SoY7ppg+ zZc9_|Jw4A4QnRZ;lGZRtGker9M@kQS#E5%Hd9ll}nvh&C62tY}?~7!3@ozazol4&d z^!m&6x4yfs1k0grh2uRGj3PABtJgy$D98gIb$-xd~LV0zV&A7|Ly(H%Uwg?zYy_jG|0L$UAFh)kKm8spKC6e{439m zzMgE`N9@d{=RuVpwH@-QqU~^2k5NO+T2co6oh_-q zeao6(RR^MiQ95i}>^u%>@G{dovB1s0%#lot8Rlc^xjdgmeN_^gVMu}z&*>fg6#J}M zin(rtBSnBM#a3b2#T6LlkyjSw8TBN+2f+VoYq`;_=R#127Tv5S23lJw8$ zQ%gfMP<}HmjmhQ$hgG6g$(EZXd*DUoepCe&+>J$kd8~!sUuvf@3Y1E;0~%nn4x{mf zA6k{nFVxp($n^F3WO{Ei^Hd57O;a0P>>+^;RmMnBwb!WtkFtY!jx_ypcqpx!lq!pHp6b@;19+XVLQlks;puA7zK7MFX}*a z!8wDJH+Z8iiWkqf^1Hebo)Z_pLsJ?FJ9nMmViHvuX2n4kXi#gK&JvX{OI$*Q_wj|= zPi7UPRF#El=>?Nh9{E0E)6+D}TO_o;Ni(tYPfNDEs-m`f0%3xaaFe!P1q~a-B z@NzNW5f0opDe!OKG;Oc0irp|g)Sh@wKqkWBOI6b)@pCxR2W4TGMuDg*I_3NQ5Q@&l z4)Kw)lGm3SFlqMvX+S=vOx&*u+?r1XzWmWOpoh44PsMw=K$eQ|!4;u1!R{a#+jp!B zcR%feTw4RgF_g#qV{5{40BxxWmzwY)Ux-g{fckK`E5$?!E zk6k#V?)U8thRDN0;FjYd&WTgcBTmEx^{XAB3&LMh=3;g{F7C9HD($KeKX(5IGul)w zFP$^N~m@X$k!+Cn!hT~%p-*p5d=L0qR(Ds~w_B*tdh7;un>_Xrn^45AoBg&@hYi9t7x zijV1estfG^PjCfS9-^RW*jymzj07VSDkDatPz#a@;r;x4HzJvtPYIh<041H#;jrE) ztKXb>SaWT}Fb)>A*UHtK05I$}b^o$+Lt`++%)x@*N9wX*{HjRAK@cMBW&2L&hnC;yzRE!vMx9OvGrc}hHCHO z_rup~v|Vq(5XgN+Ky=#DG6wSF#6Xbi6D|jI>f(Tu*5hM|gWN3op~eL}$v_PmU*AXQ zLt08Ch-k!HNA73u7k1}bv|FbiQwi^p(O9&owu!2uUa^9UFAT!oph^Jj-b{#7?0NLO z8CGvDSnD%k)hWmvsP!9|2U?U{4VCZJ=t+juF%J00Fo|YZEKf3tubjb9W3)V0n`N29 z_k)-!Y3f4i7=PEhHaY)4&g1)TEth5D!V^({%ZR{DlOk%AYxmXNY1aXA&PI$zfx8R~ z%+$3NQ{)F%wl3ig4Fc>4?C$>v$@6=;0Yi1fb7)?NdXXPAOn0Iyb|c1cAPhXL7F}H0 zfb{pK<7;y=JTeN5f=D;Ro@bUa1!^cWx~N!79Sw;mFpJOdn)cF3AQiNzDLs!f2G%>B z+95viUF`++Efq91SK8d)eWjrS)w5O5+%dDFSfNtp(Sg%ktRC~H^W9V{SqXT#mCpzBlQ*5~;X ziIc<3bNyg5@D6bSTuSUamh}{#~*E zyi9qlj5Ii;718%_bP@ESsj`Q;Ac0=2i;>1Ezs;GwG)?ZbUv>U&&yE1REJXlbl_CJ; zoPezgOdVcti~yLueC&C@VyQcot(8w$vxk(5$_(4;3fd!jZodCSU;1;1Mln@Q?pmGe zt$lq~b?ABI*E{k&mtt)+5@m&7F>-O$UsaiNucyt{qspqQ4g-o@RwrMZ7-go{&mBfR zuLQh)KuIECF^W^Z^eG!o1tE0{O@r5oJc4*?$`of$8F7YajJnIIx3Rejn;ZIHr~T?h z+56D7*0)!o+k3SN8y#8gWlg=!&MI`bd#fOO?X+KQzo=&qsdh34|MTb1pIZk9t-U?? z_1C^%%FoQjhkM010SV5G>>j&fC)zwN1{Xpk1ZHYp57hTJO4*_ebIc|ga)!%SI-&(bf5{hvK|6cz=qMNV zV<_Nq_;w-b_7sgq43Cf~B^D*M(_8*(m_yI5{!+#XeWR6YVGKFVe>HQ(>+XEaN`CZp zdZBED0x7`iIw~?MzEB^cf1PO5ie;&UkVzFQ%R_%Ks;*oa;k>StxV0sU8J$|V|E7bw zqVyXlbrnKd3pTz~xUM+8+0a}{(~&kB*D4)nCb=ugI`*d|Dz(ux4PEmbXkgp*6V%-_ zPfxFDZq{oiri!6QN7Z9j*`<v}z%bLFNceT9cU)rRowg50Y*cc2Zdi)yIui@~LnUShhJnDjh5 z(3WS(IZ&JlS&?lpoefuW;k|-UOmZ+tg;Onf;;BL3`+05;4=X(^&vP%&b1%Rewv>DJwfxcCJ)@jNPDv&;bHv!gkYRby`5fnBv)L8xGr z7KLO;@JXV@2!8a(2%4?Kicg&yhb1lX#Erw)z~hmh7-kJ+FX93-*!{F$xyW*{P1ojK(&9|T*-a(! zb$>DHvZavQOKmg|7K~*t8e>ksk7&Vm;K1|(p@Hp(IIgH&!@<=+RV97=)R#Lu2qPtP)Tz^_(YvEAI@*0Ww z8i{LM^6;F4 z_6UcROH*LF_SQ!u+=mlXov(V%UdBmhK$*EjswqiNA)+@wf=Z-byZJJ$NUsDE*%&a^UE(#R+FpIUfUjLUf)l?stSogbOwWdVEzfu@ z&v-4*csusq%M zsKW(|pWb>Z7Xn`Ml-7c`{#kKv5}veY)Rb@P(c0V@V;^PAu&%DJw*|`CL$**;Ao8}I zX8epp@-eyi3o0ef<=9i7!8OL+l8@LPnz<&6w&&Q&xNM{ZEnSpF0_7O*sLv;rKlWUQ@I|>Q zKO^Bs<{eK1$AEUiBssLLJmX1`eWmA|d1eb5zq1R?LgJj|bh?}q z7Y9Xbk|CWYizzQ|?9E(+rrXK?$d{}aN-`;HZ~FNbe!fM%B;FnVl8i=5g51o_?5&&S zFxy+Xzq`HMkKRW9M`nK8+io7O__Dbo{r{34Q6KD&C%bn1GL{AJar6l*>7(AqA~l$t zx`>Yl6fw8c>2!7BBwgH!dF*qH&yEGs%EGp;o-Lp6@Ck4JxlBTw*${j|O49)rk)h87Cl!~YiI?c=iP-?gj`$-EGwueI`#uk7I9>o_Qt7PUl zs&6-qK%h|p^$Ky6~yAS#!$4pu#wWBcC%?~3k-OX^WA+tjBaOe2=w+}~qi=lal pI6tS%od?Za-C1Zp^paaX%V+s4pGWchZvX%Q|NmBLz1;v30RR)pS}6bk literal 0 HcmV?d00001 diff --git a/charts/neuvector-monitor/102.0.9+up2.7.6/Chart.yaml b/charts/neuvector-monitor/102.0.9+up2.7.6/Chart.yaml new file mode 100644 index 0000000000..0c271af5b5 --- /dev/null +++ b/charts/neuvector-monitor/102.0.9+up2.7.6/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector Monitor + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector-monitor + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 2.7.6 +apiVersion: v1 +appVersion: 5.3.2 +description: Helm feature chart (optional) add-on to NeuVector for monitoring with + Prometheus/Grafana. +home: https://neuvector.com +icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 +keywords: +- security +maintainers: +- email: support@neuvector.com + name: becitsthere +name: neuvector-monitor +sources: +- https://github.com/neuvector/neuvector +version: 102.0.9+up2.7.6 diff --git a/charts/neuvector-monitor/102.0.9+up2.7.6/README.md b/charts/neuvector-monitor/102.0.9+up2.7.6/README.md new file mode 100644 index 0000000000..897f52ed5a --- /dev/null +++ b/charts/neuvector-monitor/102.0.9+up2.7.6/README.md @@ -0,0 +1,22 @@ +# NeuVector Helm Chart + +Helm chart for NeuVector's monitoring services. + +## Configuration + +The following table lists the configurable parameters of the NeuVector chart and their default values. + +Parameter | Description | Default | Notes +--------- | ----------- | ------- | ----- +`registry` | NeuVector container registry | `registry.neuvector.com` | +`oem` | OEM release name | `nil` | +`leastPrivilege` | Assume monitor chart is always installed after the core chart, so service accounts created by the core chart will be used. Keep this value as same as in the core chart. | `false` | +`exporter.enabled` | If true, create Prometheus exporter | `false` | +`exporter.image.repository` | exporter image name | `neuvector/prometheus-exporter` | +`exporter.image.tag` | exporter image tag | `latest` | +`exporter.ctrlSecretName` | existing secret that have CTRL_USERNAME and CTRL_PASSWORD fields to login to the controller. | `nil` | if parameter exists then `exporter.CTRL_USERNAME` & `exporter.CTRL_PASSWORD` will be skipped +`exporter.CTRL_USERNAME` | Username to login to the controller. Suggest to replace the default admin user to a read-only user | `admin` | +`exporter.CTRL_PASSWORD` | Password to login to the controller. | `admin` | +`exporter.enforcerStats.enabled` | If true, enable the Enforcers stats | `false` | For the performance reason, by default the exporter does NOT pull CPU/memory usage from enforcers. +--- + diff --git a/charts/neuvector-monitor/102.0.9+up2.7.6/app-readme.md b/charts/neuvector-monitor/102.0.9+up2.7.6/app-readme.md new file mode 100644 index 0000000000..e0faed5b50 --- /dev/null +++ b/charts/neuvector-monitor/102.0.9+up2.7.6/app-readme.md @@ -0,0 +1,5 @@ +### Run-Time Protection Without Compromise + +NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform. + +Helm chart for NeuVector's monitoring services. Please make sure REST API service for controller in core chart is enabled. diff --git a/charts/neuvector-monitor/102.0.9+up2.7.6/dashboards/nv_dashboard.json b/charts/neuvector-monitor/102.0.9+up2.7.6/dashboards/nv_dashboard.json new file mode 100644 index 0000000000..1da8b12e94 --- /dev/null +++ b/charts/neuvector-monitor/102.0.9+up2.7.6/dashboards/nv_dashboard.json @@ -0,0 +1,2036 @@ +{ + "__inputs": [ + { + "name": "datasource", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "10.2.3" + }, + { + "type": "panel", + "id": "piechart", + "name": "Pie chart", + "version": "" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": null, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "gridPos": { + "h": 10, + "w": 3, + "x": 0, + "y": 0 + }, + "id": 38, + "options": { + "code": { + "language": "plaintext", + "showLineNumbers": false, + "showMiniMap": false + }, + "content": "

\n \n ![NeuVector Logo](https://avatars.githubusercontent.com/u/19367275?s=200&v=4)
\n
\n [Documentation](https://open-docs.neuvector.com)
\n
\n [Users Slack Channel](https://rancher-users.slack.com/archives/C036F6JDZ8C)
\n
\n [GitHub](https://github.com/neuvector)\n\n
", + "mode": "markdown" + }, + "pluginVersion": "10.2.3", + "title": "NeuVector Product Links", + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 3, + "y": 0 + }, + "id": 25, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "10.2.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "exemplar": true, + "expr": "nv_summary_enforcers", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "Enforcer Replica Count", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 3, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 6, + "y": 0 + }, + "id": 8, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "10.2.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "exemplar": true, + "expr": "nv_summary_cvedbVersion", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "CVE Database Version", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 0, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 9, + "y": 0 + }, + "id": 20, + "links": [], + "maxDataPoints": 1000, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "10.2.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "exemplar": true, + "expr": "nv_summary_pods", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "Discovered Pod Count", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 34, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "exemplar": true, + "expr": "max(nv_controller_cpu) by (display)\n", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{display}}", + "range": true, + "refId": "A" + } + ], + "title": "Controller CPU Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 3, + "y": 3 + }, + "id": 32, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "center", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "10.2.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "exemplar": true, + "expr": "nv_admission_denied", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "title": "Denied Admissions", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "continuous-RdYlGr" + }, + "mappings": [ + { + "options": { + "1": { + "color": "light-orange", + "index": 1 + }, + "2": { + "color": "yellow", + "index": 2 + }, + "3": { + "color": "green", + "index": 3 + } + }, + "type": "value" + }, + { + "options": { + "match": "null", + "result": { + "index": 0, + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 6, + "y": 3 + }, + "id": 2, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "mean" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "10.2.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "exemplar": true, + "expr": "nv_summary_controllers", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "Controller Replicas", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "decimals": 0, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 9, + "y": 3 + }, + "id": 19, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "value", + "wideLayout": true + }, + "pluginVersion": "10.2.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "exemplar": true, + "expr": "nv_summary_disconnectedEnforcers", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{target}}", + "refId": "A" + } + ], + "title": "Disconnected Enforcers", + "type": "stat" + }, + { + "columns": [ + { + "text": "Current", + "value": "current" + } + ], + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "center", + "cellOptions": { + "type": "auto" + }, + "filterable": false, + "inspect": false, + "width": 300 + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "string" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "log" + }, + "properties": [ + { + "id": "custom.width", + "value": 101 + }, + { + "id": "custom.cellOptions", + "value": { + "type": "color-text" + } + }, + { + "id": "color", + "value": { + "fixedColor": "light-orange", + "mode": "fixed" + } + }, + { + "id": "displayName", + "value": "Event Type" + }, + { + "id": "custom.filterable", + "value": true + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "name" + }, + "properties": [ + { + "id": "custom.filterable", + "value": true + }, + { + "id": "displayName", + "value": "Violation Type" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Last seen" + }, + "properties": [ + { + "id": "unit", + "value": "dateTimeAsIso" + }, + { + "id": "custom.width", + "value": 200 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "fromname" + }, + "properties": [ + { + "id": "displayName", + "value": "Source Pod" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "toname" + }, + "properties": [ + { + "id": "displayName", + "value": "Destination Pod" + } + ] + } + ] + }, + "fontSize": "90%", + "gridPos": { + "h": 8, + "w": 9, + "x": 3, + "y": 6 + }, + "id": 29, + "links": [], + "options": { + "cellHeight": "sm", + "footer": { + "countRows": false, + "enablePagination": true, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true, + "sortBy": [ + { + "desc": true, + "displayName": "Last seen" + } + ] + }, + "pluginVersion": "10.2.3", + "scroll": true, + "showHeader": true, + "sort": { + "col": 1, + "desc": true + }, + "styles": [ + { + "alias": "Event", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm", + "decimals": 2, + "link": false, + "mappingType": 1, + "pattern": "Metric", + "preserveFormat": false, + "sanitize": true, + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "Time", + "colorMode": "value", + "colors": [ + "#E0B400", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "decimals": 0, + "pattern": "Current", + "thresholds": [], + "type": "number", + "unit": "dateTimeAsIso" + } + ], + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "nv_log_events", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "range": false, + "refId": "A" + } + ], + "title": "Security Event Log", + "transform": "timeseries_aggregations", + "transformations": [ + { + "id": "labelsToFields", + "options": {} + }, + { + "id": "merge", + "options": {} + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true, + "endpoint": true, + "fromns": true, + "id": true, + "instance": true, + "job": true, + "namespace": true, + "pod": true, + "service": true, + "target": true, + "tons": true + }, + "indexByName": { + "Time": 0, + "Value": 14, + "endpoint": 1, + "fromname": 7, + "fromns": 15, + "id": 2, + "instance": 3, + "job": 4, + "log": 5, + "name": 6, + "namespace": 8, + "pod": 9, + "service": 10, + "target": 11, + "toname": 12, + "tons": 13 + }, + "renameByName": {} + } + }, + { + "id": "groupBy", + "options": { + "fields": { + "Value": { + "aggregations": [ + "max" + ], + "operation": "aggregate" + }, + "fromname": { + "aggregations": [], + "operation": "groupby" + }, + "log": { + "aggregations": [], + "operation": "groupby" + }, + "name": { + "aggregations": [], + "operation": "groupby" + }, + "toname": { + "aggregations": [], + "operation": "groupby" + } + } + } + }, + { + "id": "organize", + "options": { + "excludeByName": {}, + "indexByName": {}, + "renameByName": { + "Value (lastNotNull)": "Last seen", + "Value (max)": "Last seen" + } + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "left", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 6 + }, + "id": 12, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "exemplar": true, + "expr": "max(nv_controller_memory) by (display)", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{display}}", + "range": true, + "refId": "A" + } + ], + "title": "Controller Memory Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [], + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Value #A" + }, + "properties": [ + { + "id": "displayName", + "value": "High" + }, + { + "id": "color", + "value": { + "fixedColor": "red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #B" + }, + "properties": [ + { + "id": "displayName", + "value": "Medium" + }, + { + "id": "color", + "value": { + "fixedColor": "light-orange", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 14, + "w": 3, + "x": 0, + "y": 10 + }, + "id": 24, + "links": [], + "options": { + "displayLabels": [ + "value" + ], + "legend": { + "displayMode": "list", + "placement": "bottom", + "showLegend": true, + "values": [] + }, + "pieType": "pie", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "none", + "sort": "none" + } + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "expr": "sum(nv_container_vulnerabilityHigh) by (service)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "expr": "sum(nv_container_vulnerabilityMedium) by (service)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "B" + } + ], + "title": "Cluster CVE Count", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true + }, + "indexByName": {}, + "renameByName": {} + } + } + ], + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [ + { + "matcher": { + "id": "byValue", + "options": { + "op": "gte", + "reducer": "allIsZero", + "value": 0 + } + }, + "properties": [ + { + "id": "custom.hideFrom", + "value": { + "legend": true, + "tooltip": true, + "viz": false + } + } + ] + }, + { + "matcher": { + "id": "byValue", + "options": { + "op": "gte", + "reducer": "allIsNull", + "value": 0 + } + }, + "properties": [ + { + "id": "custom.hideFrom", + "value": { + "legend": true, + "tooltip": true, + "viz": false + } + } + ] + } + ] + }, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 12 + }, + "id": 10, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "10.2.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "exemplar": true, + "expr": "max(nv_enforcer_cpu) by (display)\n", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{display}}", + "range": true, + "refId": "A" + } + ], + "title": "Enforcer CPU Usage", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "center", + "cellOptions": { + "type": "auto" + }, + "inspect": false, + "width": 101 + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "exported_service" + }, + "properties": [ + { + "id": "custom.filterable", + "value": true + }, + { + "id": "displayName", + "value": "Cluster Service Name" + }, + { + "id": "custom.inspect", + "value": true + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #A" + }, + "properties": [ + { + "id": "displayName", + "value": "High" + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + { + "id": "custom.cellOptions", + "value": { + "type": "color-text" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #B" + }, + "properties": [ + { + "id": "custom.cellOptions", + "value": { + "type": "color-text" + } + }, + { + "id": "displayName", + "value": "Medium" + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "light-orange", + "value": 1 + } + ] + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "exported_service" + }, + "properties": [ + { + "id": "custom.width", + "value": 300 + }, + { + "id": "custom.align", + "value": "right" + }, + { + "id": "displayName", + "value": "Cluster Service Name" + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 4, + "x": 3, + "y": 14 + }, + "id": 36, + "links": [], + "options": { + "cellHeight": "sm", + "footer": { + "countRows": false, + "enablePagination": true, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true, + "sortBy": [] + }, + "pluginVersion": "10.2.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "sum(nv_container_vulnerabilityHigh) by (exported_service)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "editorMode": "code", + "expr": "sum(nv_container_vulnerabilityMedium) by (exported_service)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "B" + } + ], + "title": "Vulnerabilities by Service", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true + }, + "indexByName": {}, + "renameByName": {} + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "center", + "cellOptions": { + "type": "auto" + }, + "filterable": false, + "inspect": false, + "minWidth": 50 + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "name" + }, + "properties": [ + { + "id": "unit", + "value": "string" + }, + { + "id": "custom.align", + "value": "right" + }, + { + "id": "custom.inspect", + "value": true + }, + { + "id": "custom.filterable", + "value": true + }, + { + "id": "displayName", + "value": "Repository/Image: Tag" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #A" + }, + "properties": [ + { + "id": "displayName", + "value": "High" + }, + { + "id": "unit", + "value": "none" + }, + { + "id": "custom.cellOptions", + "value": { + "type": "color-text" + } + }, + { + "id": "color" + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #B" + }, + "properties": [ + { + "id": "displayName", + "value": "Medium" + }, + { + "id": "unit", + "value": "none" + }, + { + "id": "custom.cellOptions", + "value": { + "type": "color-text" + } + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "light-orange", + "value": 1 + } + ] + } + }, + { + "id": "color" + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 5, + "x": 7, + "y": 14 + }, + "id": 33, + "links": [], + "options": { + "cellHeight": "sm", + "footer": { + "countRows": false, + "enablePagination": true, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "10.2.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "expr": "sum(nv_image_vulnerabilityHigh) by (name)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "expr": "sum(nv_image_vulnerabilityMedium) by (name)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 2, + "legendFormat": "", + "refId": "B" + } + ], + "title": "Registry Images Vulnerabilities", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true + }, + "indexByName": {}, + "renameByName": {} + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "never", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [ + { + "matcher": { + "id": "byValue", + "options": { + "op": "gte", + "reducer": "allIsZero", + "value": 0 + } + }, + "properties": [ + { + "id": "custom.hideFrom", + "value": { + "legend": true, + "tooltip": true, + "viz": false + } + } + ] + }, + { + "matcher": { + "id": "byValue", + "options": { + "op": "gte", + "reducer": "allIsNull", + "value": 0 + } + }, + "properties": [ + { + "id": "custom.hideFrom", + "value": { + "legend": true, + "tooltip": true, + "viz": false + } + } + ] + } + ] + }, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 18 + }, + "id": 35, + "links": [], + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "10.2.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "exemplar": true, + "expr": "max(nv_enforcer_memory) by (display)", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{display}}", + "refId": "A" + } + ], + "title": "Enforcer Memory Usage", + "type": "timeseries" + } + ], + "refresh": "15s", + "schemaVersion": 39, + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "prometheus" + }, + "hide": 0, + "includeAll": false, + "label": "Data Source", + "multi": false, + "name": "datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "hidden": false, + "refresh_intervals": [ + "5s", + "10s", + "15s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "UTC", + "title": "NeuVector", + "uid": "nv_dashboard0001", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/neuvector-monitor/102.0.9+up2.7.6/questions.yaml b/charts/neuvector-monitor/102.0.9+up2.7.6/questions.yaml new file mode 100644 index 0000000000..b8d51b3791 --- /dev/null +++ b/charts/neuvector-monitor/102.0.9+up2.7.6/questions.yaml @@ -0,0 +1,27 @@ +questions: +#monitor configurations +- variable: exporter.image.repository + default: "neuvector/prometheus-exporter" + description: exporter image repository + type: string + label: Exporter Image Path + group: "Container Images" +- variable: exporter.image.tag + default: "" + description: image tag for exporter + type: string + label: exporter Image Tag + group: "Container Images" +#controller crendential configuration +- variable: exporter.CTRL_USERNAME + default: "admin" + description: Controller Username + type: string + label: Controller Username + group: "Controller Crendential" +- variable: exporter.CTRL_PASSWORD + default: "admin" + description: Controller Password + type: string + label: Controller Password + group: "Controller Crendential" diff --git a/charts/neuvector-monitor/102.0.9+up2.7.6/templates/_helpers.tpl b/charts/neuvector-monitor/102.0.9+up2.7.6/templates/_helpers.tpl new file mode 100644 index 0000000000..5d21a18241 --- /dev/null +++ b/charts/neuvector-monitor/102.0.9+up2.7.6/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "neuvector.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "neuvector.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "neuvector.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} diff --git a/charts/neuvector-monitor/102.0.9+up2.7.6/templates/dashboard.yaml b/charts/neuvector-monitor/102.0.9+up2.7.6/templates/dashboard.yaml new file mode 100644 index 0000000000..9a6840a4d8 --- /dev/null +++ b/charts/neuvector-monitor/102.0.9+up2.7.6/templates/dashboard.yaml @@ -0,0 +1,19 @@ +{{- if .Values.exporter.grafanaDashboard.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: nv-grafana-dashboard + namespace: {{ .Values.exporter.grafanaDashboard.namespace | default .Release.Namespace }} + labels: + grafana_dashboard: "1" +{{- if .Values.exporter.grafanaDashboard.labels }} + {{- toYaml .Values.exporter.grafanaDashboard.labels | nindent 4}} +{{- end }} +{{- if .Values.exporter.grafanaDashboard.annotations }} + annotations: + {{- toYaml .Values.exporter.grafanaDashboard.annotations | nindent 4}} +{{- end }} +data: + nv_dashboard.json: | +{{ .Files.Get "dashboards/nv_dashboard.json" | indent 4 }} +{{- end }} diff --git a/charts/neuvector-monitor/102.0.9+up2.7.6/templates/exporter-deployment.yaml b/charts/neuvector-monitor/102.0.9+up2.7.6/templates/exporter-deployment.yaml new file mode 100644 index 0000000000..8309f8a412 --- /dev/null +++ b/charts/neuvector-monitor/102.0.9+up2.7.6/templates/exporter-deployment.yaml @@ -0,0 +1,75 @@ +{{- if .Values.exporter.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: neuvector-prometheus-exporter-pod + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + selector: + matchLabels: + app: neuvector-prometheus-exporter-pod + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "8068" + prometheus.io/scrape: "true" + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + labels: + app: neuvector-prometheus-exporter-pod + release: {{ .Release.Name }} + {{- with .Values.exporter.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.leastPrivilege }} + serviceAccountName: basic + serviceAccount: basic + {{- end }} + {{- with .Values.exporter.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: neuvector-prometheus-exporter-pod + {{ if eq .Values.registry "registry.neuvector.com" }} + {{ if .Values.oem }} + image: "{{ .Values.registry }}/{{ .Values.oem }}/prometheus-exporter:{{ .Values.exporter.image.tag }}" + {{- else }} + image: "{{ .Values.registry }}/prometheus-exporter:{{ .Values.exporter.image.tag }}" + {{- end }} + {{- else }} + image: {{ template "system_default_registry" . }}{{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }} + {{- end }} + imagePullPolicy: Always + {{- with .Values.exporter.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: CTRL_API_SERVICE + value: {{ .Values.exporter.apiSvc }} + - name: EXPORTER_PORT + value: "8068" + {{- if .Values.exporter.enforcerStats.enabled }} + - name: ENFORCER_STATS + value: "{{.Values.exporter.enforcerStats.enabled | default "false"}}" + {{- end }} + envFrom: + - secretRef: + {{- if .Values.exporter.ctrlSecretName }} + name: {{ .Values.exporter.ctrlSecretName }} + {{ else }} + name: neuvector-prometheus-exporter-pod-secret + {{- end }} + restartPolicy: Always +{{- end }} diff --git a/charts/neuvector-monitor/102.0.9+up2.7.6/templates/exporter-service.yaml b/charts/neuvector-monitor/102.0.9+up2.7.6/templates/exporter-service.yaml new file mode 100644 index 0000000000..b304562709 --- /dev/null +++ b/charts/neuvector-monitor/102.0.9+up2.7.6/templates/exporter-service.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.exporter.enabled .Values.exporter.svc.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: neuvector-prometheus-exporter + namespace: {{ .Release.Namespace }} + {{- with .Values.exporter.svc.annotations }} + annotations: + {{ toYaml . | nindent 4 }} + {{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + app: neuvector-prometheus-exporter +spec: + type: {{ .Values.exporter.svc.type }} + {{- if and .Values.exporter.svc.loadBalancerIP (eq .Values.exporter.svc.type "LoadBalancer") }} + loadBalancerIP: {{ .Values.exporter.svc.loadBalancerIP }} + {{- end }} + ports: + - port: 8068 + name: metrics + targetPort: 8068 + protocol: TCP + selector: + app: neuvector-prometheus-exporter-pod +{{- end }} diff --git a/charts/neuvector-monitor/102.0.9+up2.7.6/templates/exporter-servicemonitor.yaml b/charts/neuvector-monitor/102.0.9+up2.7.6/templates/exporter-servicemonitor.yaml new file mode 100644 index 0000000000..25ca23d121 --- /dev/null +++ b/charts/neuvector-monitor/102.0.9+up2.7.6/templates/exporter-servicemonitor.yaml @@ -0,0 +1,39 @@ +{{- if .Values.exporter.serviceMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: neuvector-prometheus-exporter + namespace: {{ .Release.Namespace }} + {{- with .Values.exporter.serviceMonitor.annotations }} + annotations: + {{ toYaml . | nindent 4 }} + {{- end }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.exporter.serviceMonitor.labels }} + {{- toYaml .Values.exporter.serviceMonitor.labels | nindent 4}} +{{- end }} +spec: + selector: + matchLabels: + app: neuvector-prometheus-exporter + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + endpoints: + - port: metrics + {{- if .Values.exporter.serviceMonitor.interval }} + interval: {{ .Values.exporter.serviceMonitor.interval }} + {{- end }} + path: "/metrics" + {{- if .Values.exporter.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml .Values.exporter.serviceMonitor.metricRelabelings | nindent 6 }} + {{- end }} + {{- if .Values.exporter.serviceMonitor.relabelings }} + relabelings: + {{- toYaml .Values.exporter.serviceMonitor.relabelings | nindent 6 }} + {{- end }} +{{- end }} diff --git a/charts/neuvector-monitor/102.0.9+up2.7.6/templates/secret.yaml b/charts/neuvector-monitor/102.0.9+up2.7.6/templates/secret.yaml new file mode 100644 index 0000000000..a751795995 --- /dev/null +++ b/charts/neuvector-monitor/102.0.9+up2.7.6/templates/secret.yaml @@ -0,0 +1,15 @@ +{{- if and (.Values.exporter.enabled) (not .Values.exporter.ctrlSecretName) -}} +apiVersion: v1 +kind: Secret +metadata: + name: neuvector-prometheus-exporter-pod-secret + namespace: {{ .Release.Namespace }} + labels: + chart: {{ template "neuvector.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +type: Opaque +data: + CTRL_USERNAME: {{ .Values.exporter.CTRL_USERNAME | b64enc | quote }} + CTRL_PASSWORD: {{ .Values.exporter.CTRL_PASSWORD | b64enc | quote }} +{{- end }} diff --git a/charts/neuvector-monitor/102.0.9+up2.7.6/values.yaml b/charts/neuvector-monitor/102.0.9+up2.7.6/values.yaml new file mode 100644 index 0000000000..dc89881ed3 --- /dev/null +++ b/charts/neuvector-monitor/102.0.9+up2.7.6/values.yaml @@ -0,0 +1,59 @@ +# Default values for neuvector. +# This is a YAML-formatted file. +# Declare variables to be passed into the templates. + +global: + cattle: + systemDefaultRegistry: "" + +registry: docker.io +oem: '' +leastPrivilege: false + +exporter: + # If false, exporter will not be installed + enabled: true + image: + repository: rancher/mirrored-neuvector-prometheus-exporter + tag: 5.3.2 + # changes this to a readonly user ! + CTRL_USERNAME: admin + CTRL_PASSWORD: admin + ctrlSercretName: '' + enforcerStats: + enabled: false + ctrlSecretName: '' + apiSvc: neuvector-svc-controller-api:10443 + podLabels: {} + securityContext: {} + containerSecurityContext: {} + + svc: + enabled: true + type: ClusterIP + loadBalancerIP: '' + annotations: {} + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet" + + grafanaDashboard: + enabled: false + namespace: "" # Release namespace, if empty + labels: {} + # annotations: {} + # k8s-sidecar-target-directory: /tmp/dashboards/neuvector + + serviceMonitor: + enabled: false + # labels for the ServiceMonitor. + labels: {} + # annotations for the ServiceMonitor. + annotations: {} + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: "" + # MetricRelabelConfigs to apply to samples after scraping, but before ingestion. + # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + metricRelabelings: [] + # RelabelConfigs to apply to samples before scraping + # ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + relabelings: [] diff --git a/index.yaml b/index.yaml index 79f87f5802..e4d5026cea 100755 --- a/index.yaml +++ b/index.yaml @@ -6588,6 +6588,37 @@ entries: urls: - assets/neuvector-monitor/neuvector-monitor-103.0.0+up2.6.4.tgz version: 103.0.0+up2.6.4 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: NeuVector Monitor + catalog.cattle.io/kube-version: '>=1.18.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-neuvector-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/provides-gvr: neuvector.com/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: neuvector-monitor + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 2.7.6 + apiVersion: v1 + appVersion: 5.3.2 + created: "2024-04-17T18:10:00.863906-03:00" + description: Helm feature chart (optional) add-on to NeuVector for monitoring + with Prometheus/Grafana. + digest: 30b7370721fa32ecf683411bc151580784b33ea152871721d89f284308c3643e + home: https://neuvector.com + icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4 + keywords: + - security + maintainers: + - email: support@neuvector.com + name: becitsthere + name: neuvector-monitor + sources: + - https://github.com/neuvector/neuvector + urls: + - assets/neuvector-monitor/neuvector-monitor-102.0.9+up2.7.6.tgz + version: 102.0.9+up2.7.6 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: NeuVector Monitor diff --git a/release.yaml b/release.yaml index 2d26868420..f7592ca80e 100644 --- a/release.yaml +++ b/release.yaml @@ -1,3 +1,7 @@ +longhorn-crd: + - 102.4.0+up1.6.1 +neuvector-monitor: + - 102.0.9+up2.7.6 neuvector: - 102.0.9+up2.7.6 neuvector-crd: