From deb64e3185e5a08d1452a29c1cf8c754cef79fb6 Mon Sep 17 00:00:00 2001
From: "Sam Wang (holyspectral)"
Date: Wed, 7 Aug 2024 12:24:01 -0400
Subject: [PATCH] feat: NVSHAS-9287 gen cert on fresh installation

Generate internal certificate for fresh installation.

---
 charts/core/templates/controller-deployment.yaml | 8 ++++++--
 charts/core/templates/enforcer-daemonset.yaml | 4 ++--
 charts/core/templates/registry-adapter.yaml | 4 ++--
 charts/core/templates/scanner-deployment.yaml | 4 ++--
 charts/core/values.yaml | 3 ++-
 5 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml
index c5284c27..4d4904c7 100644
--- a/charts/core/templates/controller-deployment.yaml
+++ b/charts/core/templates/controller-deployment.yaml
@@ -99,6 +99,10 @@ spec:
 env:
 - name: OVERRIDE_CHECKSUM
 value: {{ dict "image" (include "neuvector.controller.image" .) "internal" .Values.internal "certupgrader" .Values.controller.certupgrader | toJson | sha256sum }}
+ {{- if and .Values.internal.autoRotateCert (not $pre540) }}
+ - name: ENABLE_ROTATION
+ value: "1"
+ {{- end }}
 {{- with .Values.controller.certupgrader.env }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
@@ -230,7 +234,7 @@ spec:
 subPath: {{ .Values.controller.internal.certificate.caFile }}
 name: internal-cert
 readOnly: true
- {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+ {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
 - mountPath: /etc/neuvector/certs/internal/
 name: internal-cert-dir
 {{- end }}
@@ -296,7 +300,7 @@ spec:
 - name: internal-cert
 secret:
 secretName: {{ .Values.controller.internal.certificate.secret }}
- {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+ {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
 - name: internal-cert-dir
 emptyDir:
 sizeLimit: 50Mi
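Review bot: The added `ENABLE_ROTATION` block is gated on `internal.autoRotateCert` alone, with no check that `internal.autoGenerateCert` is also set, so a values file with `autoRotateCert: true` and `autoGenerateCert: false` still renders a container told to rotate a certificate the chart never generates. If rotation presupposes the chart-generated certificate, as the key names suggest, failing the render is clearer than a runtime surprise: `{{- if and .Values.internal.autoRotateCert (not .Values.internal.autoGenerateCert) }}{{ fail "internal.autoRotateCert requires internal.autoGenerateCert" }}{{- end }}` next to where `$pre540` is defined. Both the enclosing `env:` list and the `$pre540` definition lie outside this hunk.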
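Review bot: After the rename on the `else if` line, the `internal-cert-dir` emptyDir is mounted only when `internal.autoRotateCert` is true, and no template in this patch reads `internal.autoGenerateCert` any more, even though values.yaml flips its default to `true` in the same commit; on a default install neither the user-supplied `internal-cert` secret nor the emptyDir is mounted, so the generated certificate must reach the containers by a path not visible here. If that is intended, a comment on the `else if` line such as `{{- /* generated cert is delivered by the controller; the emptyDir is only needed for rotation */ -}}` would spare the next reader the question; if not, the condition probably wants `or .Values.internal.autoGenerateCert .Values.internal.autoRotateCert`. The same rename appears in the volumes hunk below (`@@ -296,7 +300,7 @@`) and in enforcer-daemonset.yaml, registry-adapter.yaml and scanner-deployment.yaml. In that volumes hunk the `emptyDir` that will hold key material keeps the default node-disk-backed medium; `medium: Memory` beside `sizeLimit: 50Mi` would keep the private key off disk. The `if` branch that opens this conditional is outside the hunk.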
diff --git a/charts/core/templates/enforcer-daemonset.yaml b/charts/core/templates/enforcer-daemonset.yaml
index 23ce6dec..af34458d 100644
--- a/charts/core/templates/enforcer-daemonset.yaml
+++ b/charts/core/templates/enforcer-daemonset.yaml
@@ -162,7 +162,7 @@ spec:
 subPath: {{ .Values.enforcer.internal.certificate.caFile }}
 name: internal-cert
 readOnly: true
- {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+ {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
 - mountPath: /etc/neuvector/certs/internal/
 name: internal-cert-dir
 {{- end }}
@@ -204,7 +204,7 @@ spec:
 - name: internal-cert
 secret:
 secretName: {{ .Values.enforcer.internal.certificate.secret }}
- {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+ {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
 - name: internal-cert-dir
 emptyDir:
 sizeLimit: 50Mi
diff --git a/charts/core/templates/registry-adapter.yaml b/charts/core/templates/registry-adapter.yaml
index 7dad57f5..df13ad05 100644
--- a/charts/core/templates/registry-adapter.yaml
+++ b/charts/core/templates/registry-adapter.yaml
@@ -149,7 +149,7 @@ spec:
 subPath: {{ .Values.cve.adapter.internal.certificate.caFile }}
 name: internal-cert
 readOnly: true
- {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+ {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
 - mountPath: /etc/neuvector/certs/internal/
 name: internal-cert-dir
 {{- end }}
@@ -168,7 +168,7 @@ spec:
 - name: internal-cert
 secret:
 secretName: {{ .Values.cve.adapter.internal.certificate.secret }}
- {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+ {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
 - name: internal-cert-dir
 emptyDir:
 sizeLimit: 50Mi
diff --git a/charts/core/templates/scanner-deployment.yaml b/charts/core/templates/scanner-deployment.yaml
index ea5093de..83c92be8 100644
--- a/charts/core/templates/scanner-deployment.yaml
+++ b/charts/core/templates/scanner-deployment.yaml
@@ -122,7 +122,7 @@ spec:
 subPath: {{ .Values.cve.scanner.internal.certificate.caFile }}
 name: internal-cert
 readOnly: true
- {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+ {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
 - mountPath: /etc/neuvector/certs/internal/
 name: internal-cert-dir
 {{- end }}
@@ -132,7 +132,7 @@ spec:
 - name: internal-cert
 secret:
 secretName: {{ .Values.cve.scanner.internal.certificate.secret }}
- {{- else if and .Values.internal.autoGenerateCert (not $pre540) }}
+ {{- else if and .Values.internal.autoRotateCert (not $pre540) }}
 - name: internal-cert-dir
 emptyDir:
 sizeLimit: 50Mi
diff --git a/charts/core/values.yaml b/charts/core/values.yaml
index 84b374ea..a0c25432 100644
--- a/charts/core/values.yaml
+++ b/charts/core/values.yaml
@@ -65,7 +65,8 @@ internal:
 certmanager: # enable when cert-manager is installed for the internal certificates
 enabled: false
 secretname: neuvector-internal
- autoGenerateCert: false
+ autoGenerateCert: true
+ autoRotateCert: false
 controller: # If false, controller will not be installed
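Review bot: The new `autoRotateCert` key lands in values.yaml with no comment, while its sibling `certmanager` carries one, so a reader cannot tell what rotation does, which component performs it (the controller, judging by the `ENABLE_ROTATION` env added in controller-deployment.yaml), or how it relates to `autoGenerateCert`; add a comment above each key, e.g. `# Generate the internal certificate on a fresh installation` and `# Let the controller rotate the generated certificate; only meaningful together with autoGenerateCert`, adjusted to what the controller actually does. Flipping the `autoGenerateCert` default to `true` and adding a key also change `.Values.internal`, which is part of the `OVERRIDE_CHECKSUM` hash in controller-deployment.yaml, so an upgrade of an existing release presumably rolls the affected pods even where `$pre540` suppresses the new behaviour — worth a line in the chart's upgrade notes. The scanner hunks above carry the rename already noted on controller-deployment.yaml.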