Commit

Merge branch 'master' into add-imagepullpolicy-value
AbrohamLincoln authored Jul 3, 2023
2 parents 5d6802f + f10d072 commit 89ed828
Showing 3,736 changed files with 1,766,131 additions and 2,007 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,16 @@ jobs:
uses: actions/checkout@v3
with:
fetch-depth: 0

- uses: actions/setup-go@v3
with:
go-version: '1.20'
- name: Run chart-testing (lint)
id: lint
uses: helm/chart-testing-action@main
with:
command: lint
config: ct.yaml
- name: Run unitest
run: |
cd test
go test
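Review bot: the new "Run unitest" step has a typo in its name (`unitest` should be `unit test`) and runs a bare `go test` from `test/`, which exercises only that one package; `go test ./...` would cover any subpackages as well. While this workflow is being edited, note that the unchanged `helm/chart-testing-action@main` line tracks a mutable branch, so any push to that branch changes what this pipeline executes; pinning it and the new `actions/setup-go@v3` to a full commit SHA (e.g. `uses: actions/setup-go@<sha> # v3`) makes the build reproducible and removes that supply-chain exposure.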
38 changes: 14 additions & 24 deletions README.md
Expand Up @@ -18,8 +18,8 @@ monitor | Deploy monitoring services, such as Prometheus exporter. [chart](chart
### Adding chart repo

```console
$ helm repo add neuvector https://neuvector.github.io/neuvector-helm/
$ helm search repo neuvector/core
helm repo add neuvector https://neuvector.github.io/neuvector-helm/
helm search repo neuvector/core
```

### Versioning
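Review bot: dropping the `$ ` prompt so the commands can be copied verbatim is a good change, but the fences still carry the `console` tag, which highlighters treat as a prompt-plus-output session; now that the lines are bare commands, `shell` (or `bash`) is the accurate tag and gives consistent highlighting across the README.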
Expand Down Expand Up @@ -54,17 +54,17 @@ To install the chart with the release name `neuvector`:

- Create the NeuVector namespace. You can use namespace name other than "neuvector".
```console
$ kubectl create namespace neuvector
kubectl create namespace neuvector
```

- Label the NeuVector namespace with privileged profile for deploying on PSA enabled cluster.
```console
$ kubectl label namespace neuvector "pod-security.kubernetes.io/enforce=privileged"
kubectl label namespace neuvector "pod-security.kubernetes.io/enforce=privileged"
```

- Configure Kubernetes to pull from the NeuVector container registry.
```console
$ helm install neuvector --namespace neuvector --create-namespace neuvector/core
helm install neuvector --namespace neuvector --create-namespace neuvector/core
```

You can find a list of all config options in the [README of the core chart](charts/core).
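Review bot: the third bullet's text, "Configure Kubernetes to pull from the NeuVector container registry", does not describe the command beneath it, which is the `helm install` itself; rename the bullet to "Install the chart" (registry configuration is covered in the private-registry section further down). Two smaller points: `--create-namespace` is redundant once the first two bullets have already created and labelled the namespace, and the PSA bullet would read more clearly as "Label the namespace with the `privileged` Pod Security Admission profile", with a clause noting that the label relaxes admission only for the `neuvector` namespace, so the rest of the cluster keeps its profile.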
Expand All @@ -73,43 +73,33 @@ You can find a list of all config options in the [README of the core chart](char

- Create a new project.
```console
$ oc new-project neuvector
```

- Create a new service account **if** you don't want to use the 'default'. Specify the service account name in charts' values.yaml file. Note: This step is only for OpenShift 3.x.
```console
$ oc create serviceaccount neuvector -n neuvector
```

- Grant Service Account Access to the Privileged SCC. Please replace the service account name that you plan to use. Note: This step is only for OpenShift 3.x.
```console
$ oc -n neuvector adm policy add-scc-to-user privileged -z default
oc new-project neuvector
```

- Privileged SCC is added to Service Account specified in the values.yaml by Helm chart version 2.0.0 and above in new Helm install on OpenShift 4.x. In case of upgrading NeuVector chart from previous version to 2.0.0, please delete Privileged SCC before upgrading.

```console
$ oc delete rolebinding -n neuvector system:openshift:scc:privileged
oc delete rolebinding -n neuvector system:openshift:scc:privileged
```

To install the chart with the release name `neuvector`:

```console
$ helm install neuvector --namespace neuvector neuvector/core --set openshift=true,crio.enabled=true
helm install neuvector --namespace neuvector neuvector/core --set openshift=true,crio.enabled=true
```

## Rolling upgrade

```console
$ helm upgrade neuvector --set tag=5.0.2 neuvector/core
helm upgrade neuvector --set tag=5.0.2 neuvector/core
```

## Uninstalling the Chart

To uninstall/delete the `neuvector` deployment:

```console
$ helm delete neuvector
helm delete neuvector
```

The command removes all the Kubernetes components associated with the chart and deletes the release.
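Review bot: this hunk removes the OpenShift 3.x service-account and `add-scc-to-user privileged` steps without saying anywhere that 3.x is no longer covered, so a reader on 3.x is left with no guidance; one sentence ("OpenShift 3.x instructions have been removed; on 4.x the chart binds the privileged SCC itself, see the note below") would close that gap. The rolling-upgrade example `helm upgrade neuvector --set tag=5.0.2 neuvector/core` is also worth fixing here: `5.0.2` lags the `appVersion: 5.1.3` set in this same commit, and `helm upgrade` given only `--set tag=...` without `--reuse-values` (or the original `-f values.yaml`) discards the previous release's values, so settings such as `registry`, `imagePullSecrets` and `leastPrivilege` fall back to chart defaults on upgrade.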
Expand All @@ -119,25 +109,25 @@ The command removes all the Kubernetes components associated with the chart and
If you are using a private registry, you need pull NeuVector images of the specified version to your own registry and add registry name when installing the chart.

```console
$ helm install neuvector --namespace neuvector neuvector/core --set registry=your-private-registry
helm install neuvector --namespace neuvector neuvector/core --set registry=your-private-registry
```

If your registry needs authentication, create a secret with the authentication information:

```console
$ kubectl create secret docker-registry regsecret -n neuvector --docker-server=https://your-private-registry/ --docker-username=your-name --docker-password=your-password --docker-email=your-email
kubectl create secret docker-registry regsecret -n neuvector --docker-server=https://your-private-registry/ --docker-username=your-name --docker-password=your-password --docker-email=your-email
```

or for OpenShift:

```console
$ oc create secret docker-registry regsecret -n neuvector --docker-server=https://your-private-registry/ --docker-username=your-name --docker-password=your-password --docker-email=your-email
oc create secret docker-registry regsecret -n neuvector --docker-server=https://your-private-registry/ --docker-username=your-name --docker-password=your-password --docker-email=your-email
```

And install the helm chart with at least these values:

```console
$ helm install neuvector --namespace neuvector neuvector/core --set imagePullSecrets=regsecret,registry=your-private-registry
helm install neuvector --namespace neuvector neuvector/core --set imagePullSecrets=regsecret,registry=your-private-registry
```

To keep the vulnerability database up-to-date, you want to create a script, run it as a cronjob to pull the updater and scanner images periodically to your own registry.
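Review bot: the `kubectl create secret docker-registry ... --docker-password=your-password` example (and its `oc` twin) puts the registry credential on the command line, where it lands in shell history and is visible in process listings; suggest showing `--docker-password="$REGISTRY_PASSWORD"` read from the environment, or `kubectl create secret generic regsecret -n neuvector --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson=$HOME/.docker/config.json`, which takes the credential from a file instead. Grammar in the opening sentence: "you need pull" should be "you need to pull" and "add registry name" should be "add the registry name".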
4 changes: 2 additions & 2 deletions charts/core/Chart.yaml
@@ -1,7 +1,7 @@
name: core
apiVersion: v1
version: 2.4.3
appVersion: 5.1.2
version: 2.4.5
appVersion: 5.1.3
description: Helm chart for NeuVector's core services
home: https://neuvector.com
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
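Review bot: `version` jumps from 2.4.3 to 2.4.5 while `appVersion` moves a single patch level (5.1.2 to 5.1.3); if 2.4.4 was never published, bump to 2.4.4 so the chart history has no gap, otherwise a changelog line explaining the skip would help. The file also still declares `apiVersion: v1` (the Helm 2 chart format); `apiVersion: v2` is the Helm 3 format and allows `dependencies` and `type` to be declared in Chart.yaml.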
59 changes: 57 additions & 2 deletions charts/core/README.md
Expand Up @@ -20,9 +20,11 @@ Parameter | Description | Default | Notes
`oem` | OEM release name | `nil` |
`imagePullSecrets` | image pull secret | `nil` |
`imagePullPolicy` | global image pull policy | `Always` |
`rbac` | NeuVector RBAC manifests are installed when rbac is enabled | `true` |
`rbac` | NeuVector RBAC Manifests are installed when RBAC is enabled | `true` | Required for Rancher Authentication. |
`psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` |
`serviceAccount` | Service account name for NeuVector components | `default` |
`leastPrivilege` | Use least privileged service account | `false` |
`global.cattle.url` | Set the Rancher Server URL | | Required for Rancher Authentication. `https://<Rancher_URL>/` |
`controller.enabled` | If true, create controller | `true` |
`controller.image.repository` | controller image repository | `neuvector/controller` |
`controller.image.hash` | controller image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
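Review bot: the new `leastPrivilege` row says only "Use least privileged service account"; since the template added in this commit is gated on `and .Values.rbac .Values.leastPrivilege` and binds fixed service accounts named `controller` and `enforcer`, the row should state that it requires `rbac=true`, that it moves components off the single `serviceAccount` value onto per-component accounts, and which ClusterRoles each account receives, otherwise an operator cannot tell what the flag actually reduces. The `rbac` description was also changed to capitalise "Manifests" mid-sentence; keep it lowercase.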
Expand All @@ -38,7 +40,7 @@ Parameter | Description | Default | Notes
`controller.podLabels` | Specify the pod labels. | `{}` |
`controller.podAnnotations` | Specify the pod annotations. | `{}` |
`controller.env` | User-defined environment variables for controller. | `[]` |
`controller.ranchersso.enabled` | If true, enable Rancher single sign on | `false` | Rancher server address auto configured.|
`controller.ranchersso.enabled` | If true, enable single sign on for Rancher | `false` | Required for Rancher Authentication. |
`controller.pvc.enabled` | If true, enable persistence for controller using PVC | `false` | Require persistent volume type RWX, and storage 1Gi
`controller.pvc.accessModes` | Access modes for the created PVC. | `["ReadWriteMany"]` |
`controller.pvc.existingClaim` | If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used. | `false` |
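Review bot: the reworded `controller.ranchersso.enabled` note drops the previous "Rancher server address auto configured" and replaces it with "Required for Rancher Authentication", which now appears verbatim on the `rbac` and `global.cattle.url` rows as well; if the address is still detected automatically say so, and if `global.cattle.url` is now mandatory say that the two settings go together, so the three rows read as one procedure rather than three identical notes.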
Expand Down Expand Up @@ -121,6 +123,13 @@ Parameter | Description | Default | Notes
`manager.podLabels` | Specify the pod labels. | `{}` |
`manager.podAnnotations` | Specify the pod annotations. | `{}` |
`manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` |
`manager.env.envs` | Other environment variables. The following variables are accepted. | `[]` |
` CUSTOM_LOGIN_LOGO` | SVG file encoded in based64, the logo is displayed as a 300 x 80 pixels icon. |
` CUSTOM_EULA_POLICY` | HTML or TEXT encoded in base64. |
` CUSTOM_PAGE_HEADER_CONTENT` | max. 120 characters, base64 encoded. |
` CUSTOM_PAGE_HEADER_COLOR` | use color name (yellow) or value (#ffff00) |
` CUSTOM_PAGE_FOOTER_CONTENT` | max. 120 characters, base64 encoded. |
` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) |
`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;<br>if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](values.yaml)
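Review bot: the six `CUSTOM_*` rows use a leading space inside the backticks (` CUSTOM_LOGIN_LOGO`) to fake indentation in the Parameter column, which renders as an odd code span and breaks anyone searching the table for parameter names; list them in the Notes column of the `manager.env.envs` row instead, or drop the space and say "accepted keys" in the description. "based64" should be "base64" in the `CUSTOM_LOGIN_LOGO` row, and each base64 row should say what is encoded (the full file contents, or the text only), since that is the first question a reader will have.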
Expand All @@ -146,8 +155,44 @@ Parameter | Description | Default | Notes
`manager.tolerations` | List of node taints to tolerate | `nil` |
`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`manager.runAsUser` | Specify the run as User ID | `nil` |
`cve.adapter.enabled` | If true, create registry adapter | `true` |
`cve.adapter.image.repository` | registry adapter image repository | `neuvector/registry-adapter` |
`cve.adapter.image.tag` | registry adapter image tag | |
`cve.adapter.image.hash` | registry adapter image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
`cve.adapter.priorityClassName` | registry adapter priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`cve.adapter.podLabels` | Specify the pod labels. | `{}` |
`cve.adapter.podAnnotations` | Specify the pod annotations. | `{}` |
`cve.adapter.env` | User-defined environment variables for adapter. | `[]` |
`cve.adapter.svc.type` | set registry adapter service type for native Kubernetes | `NodePort`;<br>if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
`cve.adapter.svc.loadBalancerIP` | if registry adapter service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
`cve.adapter.svc.annotations` | Add annotations to registry adapter service | `{}` | see examples in [values.yaml](values.yaml)
`cve.adapter.harbor.protocol` | Harbor registry request protocol [http|https] | `https` |
`cve.adapter.harbor.secretName` | Harbor registry adapter's basic authentication secret | |
`cve.adapter.route.enabled` | If true, create a OpenShift route to expose the management console service | `true` |
`cve.adapter.route.host` | Set OpenShift route host for management console service | `nil` |
`cve.adapter.route.termination` | Specify TLS termination for OpenShift route for management console service. Possible passthrough, edge, reencrypt | `passthrough` |
`cve.adapter.route.tls.key` | Set PEM format key file for OpenShift route for management console service | `nil` |
`cve.adapter.route.tls.certificate` | Set PEM format certificate file for OpenShift route for management console service | `nil` |
`cve.adapter.route.tls.caCertificate` | Set CA certificate may be required to establish a certificate chain for validation for OpenShift route for management console service | `nil` |
`cve.adapter.route.tls.destinationCACertificate` | Set controller REST API service CA certificate to validate the endpoint certificate for OpenShift route for management console service | `nil` |
`cve.adapter.certificate.secret` | Replace registry adapter certificate using secret if secret name is specified | `nil` |
`cve.adapter.certificate.keyFile` | Replace registry adapter certificate key file | `tls.key` |
`cve.adapter.certificate.pemFile` | Replace registry adapter certificate pem file | `tls.pem` |
`cve.adapter.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed
`cve.adapter.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`cve.adapter.ingress.ingressClassName` | To be used instead of the ingress.class annotation if an IngressClass is provisioned | `""` |
`cve.adapter.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`
`cve.adapter.ingress.annotations` | Add annotations to ingress to influence behavior | `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` | see examples in [values.yaml](values.yaml)
`cve.adapter.ingress.tls` | If true, TLS is enabled for registry adapter ingress service |`false` | If set, the tls-host used is the one set with `cve.adapter.ingress.host`.
`cve.adapter.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`cve.adapter.resources` | Add resources requests and limits to registry adapter deployment | `{}` | see examples in [values.yaml](values.yaml)
`cve.adapter.affinity` | registry adapter affinity rules | `{}` |
`cve.adapter.tolerations` | List of node taints to tolerate | `nil` |
`cve.adapter.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`cve.adapter.runAsUser` | Specify the run as User ID | `nil` |
`cve.updater.enabled` | If true, create cve updater | `true` |
`cve.updater.secure` | If ture, API server's certificate is validated | `false` |
`cve.updater.image.registry` | cve updater image registry to overwrite global registry | |
`cve.updater.image.repository` | cve updater image repository | `neuvector/updater` |
`cve.updater.image.tag` | image tag for cve updater | `latest` |
`cve.updater.image.hash` | cve updater image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
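Review bot: `cve.updater.secure` defaults to `false`, which by its own description means the updater does not validate the API server's certificate; an insecure-by-default TLS setting deserves at least a Notes entry ("set to `true` in production") and ideally a default of `true`, and the description's "ture" typo should be fixed. Separately, the `cve.adapter.route.*` descriptions were copied from the manager rows and still say "management console service" for what is the registry adapter route; "create a OpenShift route" should be "an OpenShift route"; and `cve.adapter.certificate.pemFile` defaults to `tls.pem`, whereas the Kubernetes `kubernetes.io/tls` secret convention paired with `tls.key` is `tls.crt`, so confirm the name is intentional and document it.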
Expand All @@ -159,6 +204,7 @@ Parameter | Description | Default | Notes
`cve.updater.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`cve.updater.runAsUser` | Specify the run as User ID | `nil` |
`cve.scanner.enabled` | If true, cve scanners will be deployed | `true` |
`cve.scanner.image.registry` | cve scanner image registry to overwrite global registry | |
`cve.scanner.image.repository` | cve scanner image repository | `neuvector/scanner` |
`cve.scanner.image.tag` | cve scanner image tag | `latest` |
`cve.scanner.image.hash` | cve scanner image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
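Review bot: "cve scanner image registry to overwrite global registry" should read "override the global `registry` value" (same wording fix applies to `cve.updater.image.registry` above), and the row should say whether the value is a bare host or host plus path, since readers will combine it with `cve.scanner.image.repository` to form the image reference.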
Expand Down Expand Up @@ -186,6 +232,15 @@ Parameter | Description | Default | Notes
`admissionwebhook.type` | admission webhook type | `ClusterIP` |
`crdwebhook.enabled` | Enable crd service and create crd related resources | `true` |
`crdwebhook.type` | crd webhook type | `ClusterIP` |
`awsbilling.enabled` | If true, install AWS billing csp adapter | `false` |
`awsbilling.accountNumber` | AWS Account Number | `nil` | Follow AWS subscription instruction
`awsbilling.roleName` | AWS Role name for billing | `nil` | Follow AWS subscription instruction
`awsbilling.serviceAccount` | Service account name for csp adapter | `csp` | Follow AWS subscription instruction
`awsbilling.annotations` | Annotaion for csp adapter | `nil` | Follow AWS subscription instruction
`awsbilling.imagePullSecrets` | Pull secret for csp adapter image | `nil` | Follow AWS subscription instruction
`awsbilling.image.repository` | csp adapter image repository | `neuvector/neuvector-csp-adapter` | Follow AWS subscription instruction
`awsbilling.image.tag` | csp adapter image tag | `1.0.0` | Follow AWS subscription instruction
`awsbilling.image.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow AWS subscription instruction
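Review bot: "Annotaion" should be "Annotations" in the `awsbilling.annotations` row, and `awsbilling.image.imagePullPolicy` breaks the naming pattern of the global `imagePullPolicy` key this branch adds (`add-imagepullpolicy-value`); either name it `awsbilling.imagePullPolicy` or document that the global value does not apply to the csp adapter. Eight rows all carrying "Follow AWS subscription instruction" would read better as one sentence above the table with a link to those instructions.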

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

150 changes: 150 additions & 0 deletions charts/core/templates/clusterrolebinding-least.yaml
@@ -0,0 +1,150 @@
{{- if and .Values.rbac .Values.leastPrivilege -}}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}

{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-app
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-app
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}

---

{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-rbac
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-rbac
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}

---

{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-admission
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-admission
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}

---

{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-view
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: view
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:controller
{{- end }}

---

{{- if $oc4 }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-co
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: neuvector-binding-co
subjects:
- kind: ServiceAccount
name: controller
namespace: {{ .Release.Namespace }}
- kind: ServiceAccount
name: enforcer
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
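Review bot: the template hard-codes its subjects as service accounts named `controller` and `enforcer` in the release namespace, while the README in this same commit still documents a single `serviceAccount` value (default `default`); nothing in this diff shows those two accounts being created, so either add the `ServiceAccount` manifests under the same `leastPrivilege` guard or state in the README that they must pre-exist and be set on the pods, otherwise the bindings reference accounts that may not exist and the running pods keep whatever their current account has. On the privilege side, binding the built-in `view` ClusterRole is a reasonable choice for cluster-wide read access because `view` excludes Secrets, but the rules of `neuvector-binding-app`, `neuvector-binding-rbac`, `neuvector-binding-admission` and `neuvector-binding-co` are not in this diff, so the actual reduction cannot be reviewed here. Style: the four near-identical bindings could be one `range` over a list of names, and the `authorization.openshift.io/v1` and bare `v1` fallbacks target Kubernetes before 1.8 and OpenShift 3, for which the README changes in this commit drop the install instructions.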