feat: NVSHAS-9287 gen cert on fresh installation

Generate internal certificate for fresh installation.
neuvector · Aug 7, 2024 · deb64e3 · deb64e3
1 parent cb69078
commit deb64e3
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 9 deletions.
diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml
@@ -99,6 +99,10 @@ spec:
           env:
             - name: OVERRIDE_CHECKSUM
               value: {{ dict "image" (include "neuvector.controller.image" .) "internal" .Values.internal "certupgrader" .Values.controller.certupgrader | toJson | sha256sum }}
+            {{- if and .Values.internal.autoRotateCert (not $pre540) }}
+            - name: ENABLE_ROTATION
+              value: "1"
+            {{- end }}
           {{- with .Values.controller.certupgrader.env }}
 {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -230,7 +234,7 @@ spec:
               subPath: {{ .Values.controller.internal.certificate.caFile }}
               name: internal-cert
               readOnly: true
-          {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+          {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
             - mountPath: /etc/neuvector/certs/internal/
               name: internal-cert-dir
           {{- end }}
@@ -296,7 +300,7 @@ spec:
         - name: internal-cert
           secret:
             secretName: {{ .Values.controller.internal.certificate.secret }}
-      {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+      {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
         - name: internal-cert-dir
           emptyDir:
             sizeLimit: 50Mi

diff --git a/charts/core/templates/enforcer-daemonset.yaml b/charts/core/templates/enforcer-daemonset.yaml
@@ -162,7 +162,7 @@ spec:
               subPath: {{ .Values.enforcer.internal.certificate.caFile }}
               name: internal-cert
               readOnly: true
-          {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+          {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
             - mountPath: /etc/neuvector/certs/internal/
               name: internal-cert-dir
           {{- end }}
@@ -204,7 +204,7 @@ spec:
         - name: internal-cert
           secret:
             secretName: {{ .Values.enforcer.internal.certificate.secret }}
-      {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+      {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
         - name: internal-cert-dir
           emptyDir:
             sizeLimit: 50Mi

diff --git a/charts/core/templates/registry-adapter.yaml b/charts/core/templates/registry-adapter.yaml
@@ -149,7 +149,7 @@ spec:
               subPath: {{ .Values.cve.adapter.internal.certificate.caFile }}
               name: internal-cert
               readOnly: true
-          {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+          {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
             - mountPath: /etc/neuvector/certs/internal/
               name: internal-cert-dir
           {{- end }}
@@ -168,7 +168,7 @@ spec:
         - name: internal-cert
           secret:
             secretName: {{ .Values.cve.adapter.internal.certificate.secret }}
-      {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+      {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
         - name: internal-cert-dir
           emptyDir:
             sizeLimit: 50Mi

diff --git a/charts/core/templates/scanner-deployment.yaml b/charts/core/templates/scanner-deployment.yaml
@@ -122,7 +122,7 @@ spec:
               subPath: {{ .Values.cve.scanner.internal.certificate.caFile }}
               name: internal-cert
               readOnly: true
-          {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+          {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
             - mountPath: /etc/neuvector/certs/internal/
               name: internal-cert-dir
           {{- end }}
@@ -132,7 +132,7 @@ spec:
         - name: internal-cert
           secret:
             secretName: {{ .Values.cve.scanner.internal.certificate.secret }}
-      {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+      {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
         - name: internal-cert-dir
           emptyDir:
             sizeLimit: 50Mi

diff --git a/charts/core/values.yaml b/charts/core/values.yaml
@@ -65,7 +65,8 @@ internal:
   certmanager: # enable when cert-manager is installed for the internal certificates
     enabled: false
     secretname: neuvector-internal
-  autoGenerateCert: false
+  autoGenerateCert: true
+  autoRotateCert: false
 
 controller:
   # If false, controller will not be installed