Merge pull request #428 from holyspectral/aws-addon-lookup-fix

feat: NVSHAS-9382 remove lookup for aws-addon

charts/core/README.md

@@ -27,6 +27,8 @@ Parameter | Description | Default | Notes
 `autoGenerateCert` | Automatically generate certificate or not | `true` |
 `internal.certmanager.enabled` | cert-manager is installed for the internal certificates | `false` |
 `internal.certmanager.secretname` | Name of the secret to be used for the internal certificates | `neuvector-internal` |
+`internal.autoGenerateCert` | Automatically generate internal certificate or not | `true` |
+`internal.autoRotateCert` | Automatically rotate internal certificate or not | `false` |
 `defaultValidityPeriod` | The default validity period used for certs automatically generated (days) | `365` |
 `global.cattle.url` | Set the Rancher Server URL | | Required for Rancher Authentication. `https://<Rancher_URL>/` |
 `global.aws.enabled` | If true, install AWS billing csp adapter | `false` | **Note**: default admin user is disabled when aws market place billing enabled, use secret to create admin-role user to manage NeuVector deployment.
@@ -66,6 +68,7 @@ Parameter | Description | Default | Notes
 `controller.pvc.existingClaim` | If `false`, a new PVC will be created. If a string is provided, an existing PVC with this name will be used. | `false` |
 `controller.pvc.storageClass` | Storage Class to be used | `default` |
 `controller.pvc.capacity` | Storage capacity | `1Gi` |
+`controller.searchRegistries` | Custom search registries for Admission control | `nil` |
 `controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` |
 `controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` |
 `controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` |
@@ -138,6 +141,13 @@ Parameter | Description | Default | Notes
 `controller.internal.certificate.keyFile` | Set PEM format key file for custom controller internal certificate | `tls.key` |
 `controller.internal.certificate.pemFile` | Set PEM format certificate file for custom controller internal certificate | `tls.crt` |
 `controller.internal.certificate.caFile` | Set CA certificate file for controller custom internal certificate | `ca.crt` |
+`controller.certupgrader.env` | User-defined environment variables. | `[]` |
+`controller.certupgrader.schedule` | cert upgrader schedule.  Leave empty to disable | `` |
+`controller.certupgrader.priorityClassName` | cert upgrader priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
+`controller.certupgrader.podLabels` | Specify the pod labels. | `{}` |
+`controller.certupgrader.podAnnotations` | Specify the pod annotations. | `{}` |
+`controller.certupgrader.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
+`controller.certupgrader.runAsUser` | Specify the run as User ID | `nil` |
 `enforcer.enabled` | If true, create enforcer | `true` |
 `enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` |
 `enforcer.image.hash` | enforcer image hash in the format of sha256:xxxx. If present it overwrites the image tag value. | |
@@ -192,6 +202,10 @@ Parameter | Description | Default | Notes
 `manager.tolerations` | List of node taints to tolerate | `nil` |
 `manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
 `manager.runAsUser` | Specify the run as User ID | `nil` |
+`manager.probes.enabled` | enabled startup, liveness and readiness probes | 1 |
+`manager.probes.timeout` | timeout for startup, liveness and readiness probes | 1 |
+`manager.probes.periodSeconds` | periodSeconds for startup, liveness and readiness probes | 10 |
+`manager.probes.startupFailureThreshold` | failure threshold for startup probe | 30 |
 `cve.adapter.enabled` | If true, create registry adapter | `true` |
 `cve.adapter.image.repository` | registry adapter image repository | `neuvector/registry-adapter` |
 `cve.adapter.image.tag` | registry adapter image tag | |

charts/core/templates/_helpers.tpl

@@ -35,14 +35,26 @@ Create chart name and version as used by the chart label.
 Lookup secret.
 */}}
 {{- define "neuvector.secrets.lookup" -}}
-{{- $value := "" -}}
-{{- $secretData := (lookup "v1" "Secret" .namespace .secret).data  -}}
-{{- if and $secretData (hasKey $secretData .key) -}}
-  {{- $value = index $secretData .key -}}
-{{- else if .defaultValue -}}
-  {{- $value = .defaultValue | toString | b64enc -}}
-{{- end -}}
-{{- if $value -}}
+{{- $value := .defaultValue | toString | b64enc -}}
 {{- printf "%s" $value -}}
 {{- end -}}
-{{- end -}}
+
+{{- define "neuvector.controller.image" -}}
+{{- if .Values.global.azure.enabled }}
+  {{- printf "%s/%s:%s" .Values.global.azure.images.controller.registry .Values.global.azure.images.controller.image .Values.global.azure.images.controller.tag }}
+{{- else }}
+  {{- if eq .Values.registry "registry.neuvector.com" }}
+    {{- if .Values.oem }}
+      {{- printf "%s/%s/controller:%s" .Values.registry .Values.oem .Values.tag }}
+    {{- else }}
+      {{- printf "%s/controller:%s" .Values.registry .Values.tag }}
+    {{- end }}
+  {{- else }}
+    {{- if .Values.controller.image.hash }}
+      {{- printf "%s/%s@%s" .Values.registry .Values.controller.image.repository .Values.controller.image.hash }}
+    {{- else }}
+      {{- printf "%s/%s:%s" .Values.registry .Values.controller.image.repository .Values.tag }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end -}}

charts/core/templates/controller-deployment.yaml

@@ -2,6 +2,10 @@
 {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }}
 {{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}}
 {{- end }}
+{{- $pre540 := false -}}                                                
+{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }}               
+{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}}                  
+{{- end }}    
 {{- if .Values.controller.enabled -}}
 {{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
 apiVersion: apps/v1
@@ -35,21 +39,19 @@ spec:
         {{- with .Values.controller.podLabels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-      {{- if or .Values.controller.secret.enabled .Values.controller.configmap.enabled .Values.controller.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }}
       annotations:
         {{- if .Values.controller.secret.enabled }}
         checksum/init-secret: {{ include (print $.Template.BasePath "/init-secret.yaml") . | sha256sum }}
         {{- end }}
         {{- if .Values.controller.configmap.enabled }}
         checksum/init-configmap: {{ include (print $.Template.BasePath "/init-configmap.yaml") . | sha256sum }}
         {{- end }}
-        {{- if eq "true" (toString .Values.autoGenerateCert) }}
+        {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }}
         checksum/controller-secret: {{ include (print $.Template.BasePath "/controller-secret.yaml") . | sha256sum }}
         {{- end }}
         {{- if .Values.controller.podAnnotations }}
         {{- toYaml .Values.controller.podAnnotations | nindent 8 }}
         {{- end }}
-      {{- end }}
     spec:
       {{- if .Values.controller.affinity }}
       affinity:
@@ -84,25 +86,23 @@ spec:
       serviceAccountName: {{ .Values.serviceAccount }}
       serviceAccount: {{ .Values.serviceAccount }}
       {{- end }}
+      {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }}
+      {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+      initContainers:
+        - name: init
+          image: {{ include "neuvector.controller.image" . | quote }}
+          command: ["/usr/local/bin/upgrader", "create-upgrader-job" ]
+          imagePullPolicy: {{ .Values.controller.certupgrader.imagePullPolicy }}
+          env:
+            - name: OVERRIDE_CHECKSUM
+              value: {{ dict "image" (include "neuvector.controller.image" .) "internal" .Values.internal "certupgrader" .Values.controller.certupgrader | toJson | sha256sum }}
+          {{- with .Values.controller.certupgrader.env }}
+{{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- end }}
       containers:
         - name: neuvector-controller-pod
-          {{- if .Values.global.azure.enabled }}
-          image: "{{ .Values.global.azure.images.controller.registry }}/{{ .Values.global.azure.images.controller.image }}:{{ .Values.global.azure.images.controller.tag }}"
-          {{- else }}
-          {{- if eq .Values.registry "registry.neuvector.com" }}
-          {{- if .Values.oem }}
-          image: "{{ .Values.registry }}/{{ .Values.oem }}/controller:{{ .Values.tag }}"
-          {{- else }}
-          image: "{{ .Values.registry }}/controller:{{ .Values.tag }}"
-          {{- end }}
-          {{- else }}
-          {{- if .Values.controller.image.hash }}
-          image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}@{{ .Values.controller.image.hash }}"
-          {{- else }}
-          image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}:{{ .Values.tag }}"
-          {{- end }}
-          {{- end }}
-          {{- end }}
+          image: {{ include "neuvector.controller.image" . | quote }}
           {{- if $pre530 }}
           securityContext:
             privileged: true
@@ -156,6 +156,15 @@ spec:
             - name: NO_DEFAULT_ADMIN
               value: "1"
           {{- end }}
+          {{- if .Values.controller.searchRegistries }}
+            - name: CTRL_SEARCH_REGISTRIES
+              value: "{{ .Values.controller.searchRegistries }}"
+          {{- end }}
+          {{- if or .Values.internal.certmanager.enabled .Values.controller.internal.certificate.secret }}
+          {{- else if .Values.internal.autoGenerateCert }}
+            - name: AUTO_INTERNAL_CERT
+              value: "1"
+          {{- end }}
           {{- with .Values.controller.env }}
 {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -198,7 +207,7 @@ spec:
               subPath: {{ .Values.controller.certificate.pemFile }}
               name: usercert
               readOnly: true
-          {{- else if eq "true" (toString .Values.autoGenerateCert) }}
+          {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }}
             - mountPath: /etc/neuvector/certs/ssl-cert.key
               subPath: ssl-cert.key
               name: cert
@@ -222,6 +231,9 @@ spec:
               subPath: {{ .Values.controller.internal.certificate.caFile }}
               name: internal-cert
               readOnly: true
+          {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
+            - mountPath: /etc/neuvector/certs/internal/
+              name: internal-cert-dir
           {{- end }}
       terminationGracePeriodSeconds: 300
       restartPolicy: Always
@@ -271,7 +283,7 @@ spec:
               - secret:
                   name: neuvector-secret
                   optional: true
-      {{- if eq "true" (toString .Values.autoGenerateCert) }}
+      {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }}
         - name: cert
           secret:
             secretName: neuvector-controller-secret
@@ -285,6 +297,10 @@ spec:
         - name: internal-cert
           secret:
             secretName: {{ .Values.controller.internal.certificate.secret }}
+      {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
+        - name: internal-cert-dir
+          emptyDir:
+            sizeLimit: 50Mi
       {{- end }}
 {{- if gt (int .Values.controller.disruptionbudget) 0 }}
 ---

charts/core/templates/controller-lease.yaml

@@ -0,0 +1,8 @@
+{{- if .Values.internal.autoGenerateCert }}
+apiVersion: coordination.k8s.io/v1
+kind: Lease
+metadata:
+  name: neuvector-controller
+spec:
+  leaseTransitions: 0
+{{- end }}

charts/core/templates/controller-secret.yaml

@@ -1,7 +1,13 @@
 {{- if .Values.controller.enabled -}}
-{{- if eq "true" (toString .Values.autoGenerateCert) }}
+{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.controller.certificate.key .Values.controller.certificate.certificate) }}
+{{- $cert := (dict) }}
+{{- if and .Values.controller.certificate.key .Values.controller.certificate.certificate }}
+{{- $cert = (dict "Key" .Values.controller.certificate.key "Cert" .Values.controller.certificate.certificate ) }}
+{{- else }}
 {{- $cn := "neuvector" }}
-{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}}
+{{- $cert = genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}}
+{{- end }}
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -14,6 +20,14 @@ type: Opaque
 data:
   ssl-cert.key: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.key" "defaultValue" $cert.Key) }}
   ssl-cert.pem: {{ include "neuvector.secrets.lookup" (dict "namespace" .Release.Namespace "secret" "neuvector-controller-secret" "key" "ssl-cert.pem" "defaultValue" $cert.Cert) }}
+{{- end}}
 ---
+{{- if .Values.internal.certmanager.enabled }}
+{{- else if .Values.internal.autoGenerateCert }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: neuvector-internal-certs
+type: Opaque
 {{- end}}
 {{- end}}

charts/core/templates/enforcer-daemonset.yaml

@@ -2,6 +2,10 @@
 {{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }}
 {{- $pre530 = (semverCompare "<5.2.10-0" .Values.tag) -}}
 {{- end }}
+{{- $pre540 := false -}}                                                
+{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" .Values.tag }}               
+{{- $pre540 = (semverCompare "<5.3.10-0" .Values.tag) -}}                  
+{{- end }}    
 {{- $runtimePath := "" -}}
 {{- if .Values.runtimePath }}
 {{- $runtimePath = .Values.runtimePath -}}
@@ -104,6 +108,11 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: status.podIP
+          {{- if or .Values.internal.certmanager.enabled .Values.enforcer.internal.certificate.secret }}
+          {{- else if .Values.internal.autoGenerateCert }}
+            - name: AUTO_INTERNAL_CERT
+              value: "1"
+          {{- end }}
           {{- with .Values.enforcer.env }}
 {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -152,6 +161,9 @@ spec:
               subPath: {{ .Values.enforcer.internal.certificate.caFile }}
               name: internal-cert
               readOnly: true
+          {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
+            - mountPath: /etc/neuvector/certs/internal/
+              name: internal-cert-dir
           {{- end }}
       terminationGracePeriodSeconds: 1200
       restartPolicy: Always
@@ -191,5 +203,9 @@ spec:
         - name: internal-cert
           secret:
             secretName: {{ .Values.enforcer.internal.certificate.secret }}
+      {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
+        - name: internal-cert-dir
+          emptyDir:
+            sizeLimit: 50Mi
       {{- end }}
 {{- end }}

charts/core/templates/manager-deployment.yaml

@@ -24,15 +24,13 @@ spec:
         {{- with .Values.manager.podLabels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-      {{- if or .Values.manager.podAnnotations (eq "true" (toString .Values.autoGenerateCert)) }}
       annotations:
-        {{- if eq "true" (toString .Values.autoGenerateCert) }}
+        {{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }}
         checksum/manager-secret: {{ include (print $.Template.BasePath "/manager-secret.yaml") . | sha256sum }}
         {{- end }}
         {{- if .Values.manager.podAnnotations }}
         {{- toYaml .Values.manager.podAnnotations | nindent 8 }}
         {{- end }}
-      {{- end }}
     spec:
       {{- if .Values.manager.affinity }}
       affinity:
@@ -111,7 +109,7 @@ spec:
               subPath: {{ .Values.manager.certificate.pemFile }}
               name: cert
               readOnly: true
-          {{- else if eq "true" (toString .Values.autoGenerateCert) }}
+          {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }}
             - mountPath: /etc/neuvector/certs/ssl-cert.key
               subPath: ssl-cert.key
               name: cert
@@ -121,6 +119,47 @@ spec:
               name: cert
               readOnly: true
           {{- end }}
+          {{- if .Values.manager.probes.enabled }}
+          startupProbe:
+            httpGet:
+              path: /
+              port: 8443
+              {{- if .Values.manager.env.ssl }}
+              scheme: HTTPS
+              {{- else }}
+              scheme: HTTP
+              {{- end }}
+            timeoutSeconds: {{ .Values.manager.probes.timeout | default 1 }}
+            periodSeconds: {{ .Values.manager.probes.periodSeconds | default 10 }}
+            successThreshold: 1
+            failureThreshold: {{ .Values.manager.probes.startupFailureThreshold | default 30 }}
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 8443
+              {{- if .Values.manager.env.ssl }}
+              scheme: HTTPS
+              {{- else }}
+              scheme: HTTP
+              {{- end }}
+            timeoutSeconds: {{ .Values.manager.probes.timeout | default 1 }}
+            periodSeconds: {{ .Values.manager.probes.periodSeconds | default 10 }}
+            successThreshold: 1
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 8443
+              {{- if .Values.manager.env.ssl }}
+              scheme: HTTPS
+              {{- else }}
+              scheme: HTTP
+              {{- end }}
+            timeoutSeconds: {{ .Values.manager.probes.timeout | default 1 }}
+            periodSeconds: {{ .Values.manager.probes.periodSeconds | default 10 }}
+            successThreshold: 1
+            failureThreshold: 3
+          {{- end }}
           resources:
           {{- if .Values.manager.resources }}
 {{ toYaml .Values.manager.resources | indent 12 }}
@@ -133,7 +172,7 @@ spec:
         - name: cert
           secret:
             secretName: {{ .Values.manager.certificate.secret }}
-      {{- else if eq "true" (toString .Values.autoGenerateCert) }}
+      {{- else if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }}
         - name: cert
           secret:
             secretName: neuvector-manager-secret

charts/core/templates/manager-secret.yaml

@@ -1,7 +1,12 @@
 {{- if .Values.manager.enabled -}}
-{{- if eq "true" (toString .Values.autoGenerateCert) }}
+{{- if or (eq "true" (toString .Values.autoGenerateCert)) (and .Values.manager.certificate.key .Values.manager.certificate.certificate) }}
+{{- $cert := (dict) }}
+{{- if and .Values.manager.certificate.key .Values.manager.certificate.certificate }}
+{{- $cert = (dict "Key" .Values.manager.certificate.key "Cert" .Values.manager.certificate.certificate ) }}
+{{- else }}
 {{- $cn := "neuvector" }}
-{{- $cert := genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}}
+{{- $cert = genSelfSignedCert $cn nil (list $cn) (.Values.defaultValidityPeriod | int) -}}
+{{- end }}
 apiVersion: v1
 kind: Secret
 metadata: