diff --git a/charts/core/README.md b/charts/core/README.md index 2bbc155b..2de79f8b 100644 --- a/charts/core/README.md +++ b/charts/core/README.md @@ -48,6 +48,7 @@ Parameter | Description | Default | Notes `global.azure.images.neuvector_csp_pod.digest` | csp adapter image digest | `nil` | Follow Azure subscription instruction `global.azure.images.neuvector_csp_pod.imagePullPolicy` | csp adapter image pull policy | `IfNotPresent` | Follow Azure subscription instruction `controller.enabled` | If true, create controller | `true` | +`controller.prime.enabled` | NeuVector prime deployment | `false` | `controller.image.repository` | controller image repository | `neuvector/controller` | `controller.image.hash` | controller image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | | `controller.replicas` | controller replicas | `3` | diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml index 816bfa17..30509ddb 100644 --- a/charts/core/templates/controller-deployment.yaml +++ b/charts/core/templates/controller-deployment.yaml @@ -86,9 +86,9 @@ spec: serviceAccountName: {{ .Values.serviceAccount }} serviceAccount: {{ .Values.serviceAccount }} {{- end }} + initContainers: {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }} {{- else if and .Values.internal.autoGenerateCert (not $pre540) }} - initContainers: - name: init image: {{ include "neuvector.controller.image" . | quote }} command: ["/usr/local/bin/upgrader", "create-upgrader-job" ] 
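Review bot: Hoisting `initContainers:` above the certificate conditional makes the key unconditional, so a release that gets its certs from cert-manager or a secret (or has `autoGenerateCert` off) and leaves `controller.prime.enabled` at its default `false` renders `initContainers:` with no items, i.e. a null list. Kubernetes generally accepts that, but strict schema validators and admission policies common on hardened clusters may reject or flag it, and the empty first `if` branch above the `else if` makes the intent hard to read. Consider emitting the key only when at least one item can follow, e.g. `{{- if or .Values.controller.prime.enabled (and .Values.internal.autoGenerateCert (not $pre540) (not .Values.internal.certmanager.enabled) (not .Values.controller.internal.certificate.secret)) }}`, with the matching `{{- end }}` after the last init container. Whether further init containers are appended below this hunk is not visible here.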
@@ -100,6 +100,21 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} {{- end }} + {{- if .Values.controller.prime.enabled }} + - name: prime-config-container + {{- if .Values.controller.prime.image.hash }} + image: "{{ .Values.registry }}/{{ .Values.controller.prime.image.repository }}@{{ .Values.controller.prime.image.hash }}" + {{- else }} + image: "{{ .Values.registry }}/{{ .Values.controller.prime.image.repository }}:{{ .Values.controller.prime.image.tag }}" + {{- end }} + imagePullPolicy: Always + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /usr/share + name: prime-config + {{- end }} containers: - name: neuvector-controller-pod image: {{ include "neuvector.controller.image" . | quote }} @@ -198,6 +213,11 @@ spec: - mountPath: /etc/config name: config-volume readOnly: true + {{- if .Values.controller.prime.enabled }} + - mountPath: /etc/neuvector/prime/compliance/ + name: prime-config + readOnly: true + {{- end }} {{- if .Values.controller.certificate.secret }} - mountPath: /etc/neuvector/certs/ssl-cert.key subPath: {{ .Values.controller.certificate.keyFile }} @@ -283,6 +303,10 @@ spec: - secret: name: neuvector-secret optional: true + {{- if .Values.controller.prime.enabled }} + - emptyDir: {} + name: prime-config + {{- end }} {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }} - name: cert secret: diff --git a/charts/core/values.yaml b/charts/core/values.yaml index a5610885..2551886a 100644 --- a/charts/core/values.yaml +++ b/charts/core/values.yaml @@ -312,7 +312,12 @@ controller: # key1: value1 # key2: value2 runAsUser: # MUST be set for Rancher hardened cluster - + prime: + enabled: false + image: + repository: neuvector/complianceconfig + tag: 1.0.0 + hash: enforcer: # If false, enforcer will not be installed enabled: true
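Review bot: The new `prime-config-container` init container carries no `securityContext` even though it writes into an emptyDir that the controller later consumes as compliance policy; it should at least set `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}` (whether the image runs as non-root is not visible here, so confirm before adding `runAsNonRoot: true`). The image reference is built from a mutable `tag` with `imagePullPolicy: Always`, so unless `controller.prime.image.hash` is set the compliance content can change underneath an already-deployed release — a comment next to the hash branch such as `# pin by digest in production: this image's content is trusted as compliance policy` would make that explicit. `resources: {}` leaves the init container unbounded; if the chart lets users size the other containers, exposing `controller.prime.resources` the same way would be consistent. Mounting the emptyDir over `/usr/share` also shadows whatever the image ships at that path, which is presumably intentional but deserves a one-line comment saying the container populates it.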
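Review bot: The `prime-config` emptyDir has no `sizeLimit`, so a faulty or compromised init image could fill the node's ephemeral storage before the controller ever starts. A bound sized to the compliance bundle, e.g. `emptyDir: {sizeLimit: 64Mi}`, is cheap insurance and keeps the volume's purpose obvious to the next reader.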
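Review bot: `controller.prime.image.repository`, `tag` and `hash` are new user-facing keys, but only `controller.prime.enabled` is added to the README table and `hash:` carries no comment about its format or precedence, unlike `controller.image.hash`, which the README documents as `sha256:xxxx` overriding the tag. Suggest `hash: # sha256:<digest>; when set it overrides tag and pins the compliance-config image` and a short comment above `enabled`, e.g. `# If true, run an init container that supplies compliance configuration to the controller`, plus matching README rows for the three image keys.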