{{- define "bigbang.defaults.neuvector" -}}
# Includes an "A1a"-style suffix (upper-case, lower-case and numeric characters) to ensure the password always meets the default minimum password requirements
{{- $neuvectorMetricsPass := join "" (list (randAlphaNum 12) (randAlpha 2 | upper) (randAlpha 2 | lower) (randNumeric 2))}}

# hostname is deprecated in favor of domain, but if hostname is set it takes precedence.
domain: {{ default .Values.domain .Values.hostname }}

openshift: {{ .Values.openshift }}

{{ $istioInjection := (and .Values.istio.enabled (eq (dig "istio" "injection" "enabled" .Values.neuvector) "enabled")) }}

istio:
  enabled: {{ .Values.istio.enabled }}
  neuvector:
    gateways:
    - istio-system/{{ default "public" .Values.neuvector.ingress.gateway }}
  injection: {{ ternary "enabled" "disabled" $istioInjection }}

{{- if .Values.monitoring.enabled }}
monitoring:
  enabled: true

controller:
  podAnnotations:
    checksum/metrics-pass: {{ sha256sum $neuvectorMetricsPass }}
  secret:
    enabled: true
    data: 
      # This configuration is read at deploy time and the listed users are created.
      userinitcfg.yaml:
        always_reload: true
        users:
        - username: metrics
          password: {{ $neuvectorMetricsPass }}
          role: reader
          fullname: metrics
      oidcinitcfg.yaml:
        always_reload: true
        enable: {{ .Values.neuvector.sso.enabled }}
        issuer: {{ default (include "sso.url" .) (tpl (default "" .Values.neuvector.sso.issuer) .) }}
        client_id: {{ .Values.neuvector.sso.client_id }}
        client_secret: {{ .Values.neuvector.sso.client_secret }}
        default_role: {{ .Values.neuvector.sso.default_role }} 
    
monitor:
  install: true
  exporter:
    enabled: true
    serviceMonitor:
      enabled: true
      # conditional passes only for the default istio: enabled, mTLS: STRICT
      {{- if and $istioInjection (eq (dig "istio" "mtls" "mode" "STRICT" .Values.neuvector.values) "STRICT") }}
      scheme: https
      tlsConfig:
        caFile: /etc/prom-certs/root-cert.pem
        certFile: /etc/prom-certs/cert-chain.pem
        keyFile: /etc/prom-certs/key.pem
        insecureSkipVerify: true  # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
      {{- end }}
    svc:
      enabled: true
      type: ClusterIP
    CTRL_USERNAME: metrics
    CTRL_PASSWORD: {{ $neuvectorMetricsPass }}
{{- end }}

{{- if .Values.istio.enabled }}
manager:
  env:
    ssl: false