From e022d5608bc3dc8c2b7c03535108680f3cf6a589 Mon Sep 17 00:00:00 2001 From: brandt keller <brandt.keller@defenseunicorns.com> Date: Mon, 6 Feb 2023 18:00:26 +0000 Subject: [PATCH] Adding HA notes for NeuVector --- .../package-architecture/neuvector.md | 35 +++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/docs/understanding-bigbang/package-architecture/neuvector.md b/docs/understanding-bigbang/package-architecture/neuvector.md index 59f52755c7..644f822581 100644 --- a/docs/understanding-bigbang/package-architecture/neuvector.md +++ b/docs/understanding-bigbang/package-architecture/neuvector.md @@ -1,4 +1,4 @@ -# Neuvector +# NeuVector ## Overview @@ -10,7 +10,7 @@ ### UI -The Neuvector UI runs on the manager, a simple pod that providesis the primary way of accessing and managing Neuvector. The UI is accessible via a web application on the cluster at the DNS name "neuvector" (e.g. neuvector.bigbang.dev/). UI access is exposed through the Istio Virtual Service. For more information, see [Using the Neuvector UI](https://open-docs.neuvector.com/navigation/navigation). +The Neuvector UI runs on the manager, a simple pod that provides the primary way of accessing and managing NeuVector. The UI is accessible via a web application on the cluster at the DNS name "neuvector" (e.g. neuvector.bigbang.dev/). UI access is exposed through the Istio Virtual Service. For more information, see [Using the NeuVector UI](https://open-docs.neuvector.com/navigation/navigation). ### Dependency Packages 
@@ -38,4 +38,35 @@ When deploying BigBang, neuvector depends on monitoring, gatekeeper/kyverno, and {{- end }} ``` +## High Availability +NeuVector provides High Availability for the controller and scanner deployments with `3` replicas and a default `podAntiAffinity` in order to attempt installation of replicas to separate nodes if possible. These can be modified by providing new values to `controller.replicas` and `scanner.replicas` accordingly. + +```yaml +neuvector: + values: + controller: + replicas: 3 + + scanner: + replicas: 3 +``` + +The enforcer pods are part of a daemonset that will be based upon the number of cluster nodes - with default tolerations for standard control-plane taints. Addition tolerations can be set for nodes by appending to the existing set: + +**Note:** The controller, manager, and cve.scanner deployments can also have their tolerations updated by mirroring this process. + +```yaml +neuvector: + values: + enforcer: # controller, manager, cve.scanner also have tolerations + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + - effect: NoSchedule + key: custom-example-taint +``` + +The manager deployment houses the Security Center Admin Console and is explicitly set to `1` replica and cannot be scaled. -- GitLab
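Review bot: the capitalisation fix in the UI paragraph is incomplete. The hunk corrects `providesis` and changes `managing Neuvector` and `[Using the Neuvector UI]` to `NeuVector`, but the same line still opens with `The Neuvector UI runs on the manager`, and the first hunk has just renamed the page heading to `# NeuVector`; change the sentence opener to `The NeuVector UI` so the page uses one spelling throughout (the unchanged context line `When deploying BigBang, neuvector depends on` refers to the Helm values key, so it can stay lowercase).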
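Review bot: the tolerations text in the new High Availability section says additional tolerations are set "by appending to the existing set", but a `tolerations` list supplied through `neuvector.values.enforcer` replaces the chart's default list rather than merging with it, because Helm does not merge lists. The example is correct only because it repeats the two default entries (`key: node-role.kubernetes.io/master` and `key: node-role.kubernetes.io/control-plane`) before adding `key: custom-example-taint`; state that explicitly, since a reader who supplies only the custom taint would drop the control-plane tolerations and the enforcer DaemonSet would stop running on control-plane nodes. Smaller points in the same hunk: `Addition tolerations` should read `Additional tolerations`; `daemonset that will be based upon the number of cluster nodes` is clearer as `DaemonSet that runs one pod per cluster node`; the values paths `controller.replicas` and `scanner.replicas` in the prose should be given relative to `neuvector.values`, as the yaml shows; and the `**Note:**` about controller, manager and cve.scanner tolerations sits between the sentence ending in a colon and the yaml block that sentence introduces, so move it after the code block. It would also help to say why the manager is fixed at `1` replica, since that single pod is the admin console and readers planning for HA will want to know it is a deliberate limit rather than an oversight.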