Robot Upgrade: neuvector chart upgrade from 2.4.2 to 2.8.11 #3922

Open: weizhoublue wants to merge 1 commit into main from upgrade/neuvector/2.8.11

@weizhoublue

I am robot, upgrade: project neuvector chart upgrade from 2.4.2 to 2.8.11

@gemini-code-assist

Summary of Changes

Hello @weizhoublue, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a significant upgrade of the NeuVector Helm chart, moving from version 2.4.2 to 2.8.11. The update focuses on enhancing security features through least privilege access and automated certificate handling, integrating with cloud billing platforms for AWS and Azure, and modernizing container runtime detection. It also expands the capabilities of custom resource definitions for more granular policy management and introduces new components to streamline operations and improve the overall deployment experience.

Highlights

  • NeuVector Chart Upgrade: The NeuVector Helm chart has been upgraded from version 2.4.2 to 2.8.11, aligning with NeuVector application version 5.4.8.
  • Enhanced Security and Certificate Management: Introduced least privilege service accounts, automatic bootstrap password generation, and automated internal and external certificate management and rotation, improving overall security posture.
  • Cloud Billing Integration: Added support for AWS and Azure billing CSP adapters, enabling cloud marketplace integration and usage reporting.
  • Improved Container Runtime Detection: The enforcer now automatically detects container runtimes at default socket locations, deprecating previous explicit runtime path configurations.
  • Expanded Custom Resource Definitions (CRDs): Updated CRD schemas for network/process, DLP, admission control, WAF, compliance, response rules, and vulnerability profiles, including new fields for enhanced policy control.
  • New Helm Chart Components: Several new Helm templates were added for bootstrap secrets, cert-manager integration, least privilege roles, CSP adapters, registry adapter, and a certificate upgrader cronjob.
  • Refined Deployment Configurations: Updated various deployment configurations across controller, manager, enforcer, and scanner components, including topology spread constraints, manager probes, and conditional image pull policies.

Changelog
  • charts/neuvector/config
    • Updated NeuVector chart version from 2.4.2 to 2.8.11.
  • charts/neuvector/neuvector/Chart.yaml
    • Updated application version from 5.1.1 to 5.4.8.
    • Updated chart version from 2.4.2 to 2.8.11.
    • Removed 'engine: gotpl' field.
    • Added 'sources' field with links to NeuVector GitHub repositories.
    • Updated 'core' dependency version to 2.8.11.
  • charts/neuvector/neuvector/README.md
    • Updated documentation for container runtime detection, indicating deprecation of explicit runtime settings in favor of auto-detection.
    • Added documentation for scan caching configuration.
    • Introduced new configuration parameters for least privilege, bootstrap password, automatic certificate generation/rotation, AWS/Azure billing, controller prime deployment, topology spread constraints, custom search registries, and manager probes.
    • Deprecated several runtime-related parameters.
    • Renamed 'crdwebhook.enabled' to 'crdwebhooksvc.enabled' and added a new 'crdwebhook.enabled' for CRD resources.
    • Added 'lease.enabled' parameter.
  • charts/neuvector/neuvector/charts/core/Chart.yaml
    • Updated application version from 5.1.1 to 5.4.8.
    • Updated chart version from 2.4.2 to 2.8.11.
    • Removed 'engine: gotpl' field.
    • Added 'sources' field with links to NeuVector GitHub repositories.
  • charts/neuvector/neuvector/charts/core/README.md
    • Updated documentation for container runtime detection, indicating deprecation of explicit runtime settings in favor of auto-detection.
    • Added documentation for scan caching configuration.
    • Introduced new configuration parameters for least privilege, bootstrap password, automatic certificate generation/rotation, AWS/Azure billing, controller prime deployment, topology spread constraints, custom search registries, and manager probes.
    • Deprecated several runtime-related parameters.
    • Renamed 'crdwebhook.enabled' to 'crdwebhooksvc.enabled' and added a new 'crdwebhook.enabled' for CRD resources.
    • Added 'lease.enabled' parameter.
  • charts/neuvector/neuvector/charts/core/templates/NOTES.txt
    • Added conditional HTTPS URL display for manager ingress.
    • Updated ClusterIP and LoadBalancer service URL generation to use dynamic target ports.
    • Added instructions for retrieving the bootstrap password.
  • charts/neuvector/neuvector/charts/core/templates/_helpers.tpl
    • Added 'neuvector.secrets.lookup' helper for retrieving secret data.
    • Added 'neuvector.controller.image' helper for conditional controller image selection based on Azure enablement.
  • charts/neuvector/neuvector/charts/core/templates/admission-webhook-service.yaml
    • Removed 'heritage: {{ .Release.Service }}' label.
  • charts/neuvector/neuvector/charts/core/templates/bootstrap-secret.yaml
    • Added new template to create a secret for the bootstrap password.
  • charts/neuvector/neuvector/charts/core/templates/cert-manager-secret.yaml
    • Added new template for cert-manager Issuer and Certificate resources for internal certificates.
  • charts/neuvector/neuvector/charts/core/templates/clusterrole.yaml
    • Removed 'heritage: {{ .Release.Service }}' label from multiple ClusterRole definitions.
    • Added a new ClusterRole 'neuvector-binding-nvgroupdefinitions'.
  • charts/neuvector/neuvector/charts/core/templates/clusterrolebinding-least.yaml
    • Added new template for least privilege cluster role bindings for various NeuVector components.
  • charts/neuvector/neuvector/charts/core/templates/clusterrolebinding.yaml
    • Modified rendering condition to exclude when 'leastPrivilege' is enabled.
    • Removed 'heritage: {{ .Release.Service }}' label from multiple ClusterRoleBinding definitions.
  • charts/neuvector/neuvector/charts/core/templates/controller-deployment.yaml
    • Added version comparison variables for conditional logic.
    • Removed 'heritage: {{ .Release.Service }}' label.
    • Added checksum annotations for configmap and secrets to trigger rolling updates.
    • Added 'topologySpreadConstraints' for controller pods.
    • Implemented conditional 'serviceAccountName' based on 'leastPrivilege'.
    • Added init containers for certificate upgrader and prime configuration.
    • Updated controller image selection using a new helper.
    • Applied conditional 'securityContext' based on NeuVector version.
    • Added new environment variables for controller server port, CSP environment, default admin status, search registries, and internal certificate auto-generation.
    • Updated volume mounts for shared storage and runtime sockets, with version-specific logic.
    • Modified certificate volume mounts to support auto-generated and user-provided certificates, and internal certificate rotation.
  • charts/neuvector/neuvector/charts/core/templates/controller-ingress.yaml
    • Removed 'heritage: {{ .Release.Service }}' label from Ingress resources.
    • Updated service port to use 'controller.apisvc.ctrlServerPort'.
  • charts/neuvector/neuvector/charts/core/templates/controller-lease.yaml
    • Added new template for controller lease object.
  • charts/neuvector/neuvector/charts/core/templates/controller-route.yaml
    • Removed 'heritage: {{ .Release.Service }}' label from Route resources.
  • charts/neuvector/neuvector/charts/core/templates/controller-secret.yaml
    • Added new template to manage controller certificates, including auto-generation logic.
  • charts/neuvector/neuvector/charts/core/templates/controller-service.yaml
    • Removed 'heritage: {{ .Release.Service }}' label from Service resources.
    • Updated controller API service port to use 'controller.apisvc.ctrlServerPort' and added 'nodePort' and 'appProtocol'.
    • Added new service parameters for federation master and managed services, including load balancer IP, cluster IP, node port, and traffic policies.
  • charts/neuvector/neuvector/charts/core/templates/crd-role-least.yaml
    • Added new template for least privilege CRD roles and role bindings for various NeuVector CRDs.
  • charts/neuvector/neuvector/charts/core/templates/crd-role.yaml
    • Added new template for standard CRD roles and role bindings.
  • charts/neuvector/neuvector/charts/core/templates/crd-webhook-service.yaml
    • Added new template for the CRD webhook service.
  • charts/neuvector/neuvector/charts/core/templates/crd.yaml
    • Removed 'heritage: {{ .Release.Service }}' label from CustomResourceDefinition resources.
    • Updated schemas for various CRDs (nvgroupdefinitions, nvsecurityrules, nvadmissioncontrolsecurityrules, nvwafsecurityrules, nvcomplianceprofiles, nvresponserulesecurityrules, nvvulnerabilityprofiles) to include new properties and enums.
    • Removed previously embedded service and clusterrole/clusterrolebinding definitions, which are now in separate files.
  • charts/neuvector/neuvector/charts/core/templates/csp-clusterrole.yaml
    • Added new template for CSP adapter cluster roles.
  • charts/neuvector/neuvector/charts/core/templates/csp-clusterrolebinding.yaml
    • Added new template for CSP adapter cluster role bindings.
  • charts/neuvector/neuvector/charts/core/templates/csp-crd.yaml
    • Added new template for CSP adapter CustomResourceDefinition.
  • charts/neuvector/neuvector/charts/core/templates/csp-deployment.yaml
    • Added new template for CSP adapter deployment.
  • charts/neuvector/neuvector/charts/core/templates/csp-role.yaml
    • Added new template for CSP adapter role.
  • charts/neuvector/neuvector/charts/core/templates/csp-rolebinding.yaml
    • Added new template for CSP adapter role binding.
  • charts/neuvector/neuvector/charts/core/templates/csp-serviceaccount.yaml
    • Added new template for CSP adapter service account.
  • charts/neuvector/neuvector/charts/core/templates/enforcer-daemonset.yaml
    • Added version comparison variables and a unified runtime path variable.
    • Removed 'heritage: {{ .Release.Service }}' label.
    • Implemented conditional 'serviceAccountName' based on 'leastPrivilege'.
    • Added conditional image selection for Azure and 'imagePullPolicy'.
    • Updated 'securityContext' to use configurable values.
    • Added new environment variables for internal certificate auto-generation and enforcer-specific settings.
    • Updated volume mounts for runtime sockets and added a debug volume, with version-specific logic.
    • Modified internal certificate volume mounts to support auto-rotation.
  • charts/neuvector/neuvector/charts/core/templates/init-configmap.yaml
    • Removed 'heritage: {{ .Release.Service }}' label.
    • Adjusted indentation for configmap data.
  • charts/neuvector/neuvector/charts/core/templates/init-secret.yaml
    • Removed 'heritage: {{ .Release.Service }}' label.
  • charts/neuvector/neuvector/charts/core/templates/manager-deployment.yaml
    • Removed 'heritage: {{ .Release.Service }}' label.
    • Added checksum annotation for manager secret.
    • Added 'topologySpreadConstraints' for manager pods.
    • Implemented conditional 'serviceAccountName' based on 'leastPrivilege'.
    • Added conditional image selection for Azure and 'imagePullPolicy'.
    • Added explicit port definition and new environment variables for controller and manager server ports.
    • Added manager probes (startup, liveness, readiness).
  • charts/neuvector/neuvector/charts/core/templates/manager-ingress.yaml
    • Added conditional 'nginx.ingress.kubernetes.io/backend-protocol' annotation based on manager SSL setting.
    • Removed 'heritage: {{ .Release.Service }}' label.
    • Updated service port to use 'manager.svc.mgrServerPort'.
  • charts/neuvector/neuvector/charts/core/templates/manager-route.yaml
    • Removed 'heritage: {{ .Release.Service }}' label.
  • charts/neuvector/neuvector/charts/core/templates/manager-secret.yaml
    • Added new template to manage manager certificates, including auto-generation logic.
  • charts/neuvector/neuvector/charts/core/templates/manager-service.yaml
    • Removed 'heritage: {{ .Release.Service }}' label.
    • Updated manager service port to use 'manager.svc.mgrServerPort' and added 'nodePort' and 'appProtocol'.
  • charts/neuvector/neuvector/charts/core/templates/psp.yaml
    • Modified rendering condition to apply PSP only for Kubernetes versions older than 1.25.
    • Removed 'heritage: {{ .Release.Service }}' label from PSP and RoleBinding resources.
    • Implemented conditional 'subjects' for RoleBinding based on 'leastPrivilege'.
    • Added a least privilege PSP, Role, and RoleBinding specifically for the controller.
  • charts/neuvector/neuvector/charts/core/templates/pvc.yaml
    • Removed 'heritage: {{ .Release.Service }}' label.
  • charts/neuvector/neuvector/charts/core/templates/registry-adapter-ingress.yaml
    • Added new template for registry adapter ingress and OpenShift route configurations.
  • charts/neuvector/neuvector/charts/core/templates/registry-adapter-secret.yaml
    • Added new template to manage registry adapter certificates.
  • charts/neuvector/neuvector/charts/core/templates/registry-adapter.yaml
    • Added new template for registry adapter deployment and service.
  • charts/neuvector/neuvector/charts/core/templates/role-least.yaml
    • Added new template for least privilege role for scanner deployments.
  • charts/neuvector/neuvector/charts/core/templates/role.yaml
    • Added new template for roles related to secret access, lease management, job creation, and certificate upgrader.
  • charts/neuvector/neuvector/charts/core/templates/rolebinding-least.yaml
    • Added new template for least privilege role bindings for scanner, lease, job creation, cert upgrader, secrets, and OpenShift SCC.
  • charts/neuvector/neuvector/charts/core/templates/rolebinding.yaml
    • Modified rendering condition to exclude when 'leastPrivilege' is enabled.
    • Removed 'heritage: {{ .Release.Service }}' label.
    • Added new RoleBinding for 'neuvector-binding-secret'.
    • Added new RoleBindings for lease, job creation, secret controller, and cert upgrader when internal certificates are auto-generated.
  • charts/neuvector/neuvector/charts/core/templates/scanner-deployment.yaml
    • Added version comparison variable for conditional logic.
    • Removed 'heritage: {{ .Release.Service }}' label.
    • Added 'topologySpreadConstraints' for scanner pods.
    • Implemented conditional 'serviceAccountName' based on 'leastPrivilege'.
    • Added conditional image selection for Azure, 'imagePullPolicy', and image registry override.
    • Added new environment variables for internal certificate auto-generation and scanner-specific settings.
    • Modified internal certificate volume mounts to support auto-rotation.
    • Added configurable volumes and volume mounts for scanner.
  • charts/neuvector/neuvector/charts/core/templates/serviceaccount-least.yaml
    • Added new template for least privilege service accounts for basic, controller, enforcer, scanner, updater, registry adapter, and cert upgrader.
  • charts/neuvector/neuvector/charts/core/templates/serviceaccount.yaml
    • Modified rendering condition to exclude when 'leastPrivilege' is enabled.
    • Removed 'heritage: {{ .Release.Service }}' label.
  • charts/neuvector/neuvector/charts/core/templates/updater-cronjob.yaml
    • Removed 'heritage: {{ .Release.Service }}' label.
    • Added 'tolerations' for updater pods.
    • Implemented conditional 'serviceAccountName' based on 'leastPrivilege'.
    • Added configurable resources for updater.
    • Added image registry override and 'imagePullPolicy'.
    • Updated curl command to include 'cacert' option and filter Bearer token from output.
  • charts/neuvector/neuvector/charts/core/templates/upgrader-cronjob.yaml
    • Added new template for the certificate upgrader cronjob.
  • charts/neuvector/neuvector/charts/core/templates/upgrader-lease.yaml
    • Added new template for the certificate upgrader lease object.
  • charts/neuvector/neuvector/charts/core/values.schema.json
    • Added new file for Helm chart values schema validation.
  • charts/neuvector/neuvector/charts/core/values.yaml
    • Updated 'tag' from 5.1.1 to 5.4.8.
    • Added 'leastPrivilege', 'global' configuration for Rancher, Azure, and AWS, 'bootstrapPassword', 'autoGenerateCert', 'defaultValidityPeriod', and 'internal' certificate settings.
    • Updated controller configuration with 'imagePullPolicy', 'topologySpreadConstraints', API service port settings, federation service parameters, and refined certificate defaults.
    • Added 'certupgrader' and 'prime' configurations for controller.
    • Updated enforcer configuration with 'imagePullPolicy', new environment variables, expanded tolerations, refined internal certificate defaults, and 'securityContext'.
    • Updated manager configuration with 'imagePullPolicy', new environment variables, API service port settings, default service type, refined certificate defaults, 'topologySpreadConstraints', and 'probes'.
    • Added 'cve.adapter' configuration.
    • Updated CVE updater configuration with 'cacert', image registry override, 'imagePullPolicy', new tag, resources, and tolerations.
    • Updated CVE scanner configuration with image registry override, 'imagePullPolicy', new tag, 'topologySpreadConstraints', new environment variables, refined internal certificate defaults, and new volumes/volume mounts.
    • Added 'runtimePath' for container runtime socket path.
    • Deprecated previous explicit runtime configurations (docker, containerd, crio, k3s, bottlerocket) with comments.
    • Added 'crdwebhooksvc.enabled' and 'lease.enabled'.
  • charts/neuvector/neuvector/values.yaml
    • Updated 'core.tag' from 5.1.1 to 5.4.8.
    • Added 'core.leastPrivilege', 'core.global' configuration for Rancher, Azure, and AWS, 'core.bootstrapPassword', 'core.autoGenerateCert', 'core.defaultValidityPeriod', and 'core.internal' certificate settings.
    • Updated 'core.controller' configuration with 'imagePullPolicy', 'topologySpreadConstraints', API service port settings, federation service parameters, and refined certificate defaults.
    • Added 'core.controller.certupgrader' and 'core.controller.prime' configurations.
    • Updated 'core.enforcer' configuration with 'imagePullPolicy', new environment variables, expanded tolerations, refined internal certificate defaults, and 'securityContext'.
    • Updated 'core.manager' configuration with 'imagePullPolicy', new environment variables, API service port settings, default service type, refined certificate defaults, 'topologySpreadConstraints', and 'probes'.
    • Added 'core.cve.adapter' configuration.
    • Updated 'core.cve.updater' configuration with 'cacert', image registry override, 'imagePullPolicy', new tag, resources, and tolerations.
    • Updated 'core.cve.scanner' configuration with image registry override, 'imagePullPolicy', new tag, 'topologySpreadConstraints', new environment variables, refined internal certificate defaults, and new volumes/volume mounts.
    • Added 'core.runtimePath' for container runtime socket path.
    • Deprecated previous explicit runtime configurations (core.docker, core.containerd, core.crio, core.k3s, core.bottlerocket) with comments.
    • Added 'core.crdwebhooksvc.enabled' and 'core.lease.enabled'.
Activity
  • The pull request was opened by @weizhoublue.
  • The pull request description indicates an automated chart upgrade from NeuVector 2.4.2 to 2.8.11.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This PR upgrades the neuvector chart from 2.4.2 to 2.8.11, introducing many new features and improvements. Key changes include support for least-privilege service accounts, integration with cert-manager, cloud provider billing support for AWS and Azure, and configurable container runtime paths. The chart has been refactored to improve maintainability, with many resources moved to separate files. The heritage label has been removed, and a values.schema.json has been added for validation, which are great improvements. I've found a critical issue with an invalid YAML definition that needs to be addressed, along with a couple of medium-severity issues in documentation and file formatting. Overall, this is a significant and valuable upgrade.

Comment on lines +226 to +260
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
name: neuvector-scc-controller
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
type: RunAsAny
seLinuxContext:
type: RunAsAny
supplementalGroups:
type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- azureFile
- projected
- secret
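
Review bot: runAsUser, seLinuxContext, fsGroup and supplementalGroups are all type RunAsAny and readOnlyRootFilesystem is false in neuvector-scc-controller, which is loose for an SCC that otherwise drops ALL capabilities and denies privilege escalation. If the controller does not need an arbitrary UID, consider runAsUser type MustRunAsRange or MustRunAsNonRoot, and confirm that azureFile is actually required in the volumes list.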

critical

The SecurityContextConstraints resource definition in this file is malformed. The apiVersion, kind, and metadata fields are incorrectly placed within the resource definition, which will cause parsing errors and prevent successful deployment on OpenShift clusters. These fields must be at the top level of the resource definition.

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: neuvector-scc-controller
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- azureFile
- projected
- secret
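
One way to check the structural point raised in this comment before deploying, as an added example (not code from the chart or from the review): parse the SCC and require apiVersion, kind and metadata.name as top-level keys. The manifest is a constructed copy of the quoted lines with nested indentation assumed, and the function names are hypothetical; YAML mappings are unordered, so the check gives the same result whichever key order the file uses.

```ruby
require 'yaml'

# Constructed sample: the SCC fields quoted in the review, in the alphabetical
# key order shown on the page. Nested indentation is an assumption, taken from
# the indented version in the review suggestion.
SCC_AS_COMMITTED = <<~MANIFEST
  allowHostDirVolumePlugin: false
  allowHostIPC: false
  allowHostNetwork: false
  allowHostPID: false
  allowHostPorts: false
  allowPrivilegeEscalation: false
  allowPrivilegedContainer: false
  allowedCapabilities: null
  apiVersion: security.openshift.io/v1
  defaultAddCapabilities: null
  fsGroup:
    type: RunAsAny
  groups: []
  kind: SecurityContextConstraints
  metadata:
    name: neuvector-scc-controller
  priority: null
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
  - ALL
  runAsUser:
    type: RunAsAny
  seLinuxContext:
    type: RunAsAny
  supplementalGroups:
    type: RunAsAny
  users: []
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - azureFile
  - projected
  - secret
MANIFEST

REQUIRED_TOP_LEVEL = %w[apiVersion kind metadata].freeze
STRATEGY_FIELDS = %w[runAsUser seLinuxContext fsGroup supplementalGroups].freeze

# Parse a manifest and fail if the identifying keys are not at the top level
# of the mapping (for example, if they ended up nested under another key).
def load_scc(text)
  doc = YAML.safe_load(text)
  raise ArgumentError, 'manifest is not a YAML mapping' unless doc.is_a?(Hash)

  missing = REQUIRED_TOP_LEVEL.reject { |key| doc.key?(key) }
  raise ArgumentError, "missing top-level keys: #{missing.join(', ')}" unless missing.empty?

  meta = doc['metadata']
  name = meta.is_a?(Hash) ? meta['name'].to_s : ''
  raise ArgumentError, 'metadata.name is empty' if name.empty?

  doc
end

# Re-serialise the same data with apiVersion, kind and metadata written first,
# the layout used in the review suggestion.
def identity_keys_first(doc)
  YAML.dump(doc.slice(*REQUIRED_TOP_LEVEL).merge(doc))
end

# Strategy fields that place no restriction on the pod (type RunAsAny).
def run_as_any_fields(doc)
  STRATEGY_FIELDS.select { |f| doc[f].is_a?(Hash) && doc[f]['type'] == 'RunAsAny' }
end

if __FILE__ == $PROGRAM_NAME
  scc = load_scc(SCC_AS_COMMITTED)
  reordered = load_scc(identity_keys_first(scc))
  puts "same object after reordering: #{scc == reordered}"
  puts "RunAsAny strategies: #{run_as_any_fields(scc).join(', ')}"
end
```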

Comment on lines +196 to +202
`manager.env.envs` | Other environment variables. The following variables are accepted. | `[]` |
` CUSTOM_LOGIN_LOGO` | SVG file encoded in based64, the logo is displayed as a 300 x 80 pixels icon. |
` CUSTOM_EULA_POLICY` | HTML or TEXT encoded in base64. |
` CUSTOM_PAGE_HEADER_CONTENT` | max. 120 characters, base64 encoded. |
` CUSTOM_PAGE_HEADER_COLOR` | use color name (yellow) or value (#ffff00) |
` CUSTOM_PAGE_FOOTER_CONTENT` | max. 120 characters, base64 encoded. |
` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) |
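
Review bot: "based64" on the CUSTOM_LOGIN_LOGO row should read "base64". The six CUSTOM_* rows also carry two cells where the manager.env.envs row above them carries three, so either give each row the same number of cells or fold the variable descriptions into the description cell of the manager.env.envs row.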

medium

The formatting for the manager.env.envs parameter notes appears to be broken. The current structure with indented lines and extra pipe characters will not render correctly within the markdown table, making the documentation for these environment variables difficult to read. To ensure the table renders correctly and the information is clear, this should be formatted as a single entry in the notes column, for example using an HTML list.

Suggested change
`manager.env.envs` | Other environment variables. The following variables are accepted. | `[]` |
` CUSTOM_LOGIN_LOGO` | SVG file encoded in based64, the logo is displayed as a 300 x 80 pixels icon. |
` CUSTOM_EULA_POLICY` | HTML or TEXT encoded in base64. |
` CUSTOM_PAGE_HEADER_CONTENT` | max. 120 characters, base64 encoded. |
` CUSTOM_PAGE_HEADER_COLOR` | use color name (yellow) or value (#ffff00) |
` CUSTOM_PAGE_FOOTER_CONTENT` | max. 120 characters, base64 encoded. |
` CUSTOM_PAGE_FOOTER_COLOR` | use color name (yellow) or value (#ffff00) |
`manager.env.envs` | Other environment variables. The following variables are accepted. | `[]` | <ul><li>`CUSTOM_LOGIN_LOGO`: SVG file encoded in based64, the logo is displayed as a 300 x 80 pixels icon.</li><li>`CUSTOM_EULA_POLICY`: HTML or TEXT encoded in base64.</li><li>`CUSTOM_PAGE_HEADER_CONTENT`: max. 120 characters, base64 encoded.</li><li>`CUSTOM_PAGE_HEADER_COLOR`: use color name (yellow) or value (#ffff00).</li><li>`CUSTOM_PAGE_FOOTER_CONTENT`: max. 120 characters, base64 encoded.</li><li>`CUSTOM_PAGE_FOOTER_COLOR`: use color name (yellow) or value (#ffff00).</li></ul>

group: cert-manager.io
kind: Issuer
name: {{ .Values.internal.certmanager.secretname }}
{{- end }} No newline at end of file
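
Review bot: `name: {{ .Values.internal.certmanager.secretname }}` takes the Issuer name in this reference from a value called secretname, so an unset value renders an empty issuer name and the key name hides that it must match an existing Issuer. Wrap the lookup in Helm's `required` with a clear message, or read the name from a dedicated issuer value and document the coupling.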

medium

This file is missing a newline character at the end. While this may not cause functional issues, it's a common linting and style convention to end files with a newline. Please add one for consistency.

{{- end }}

@github-actions github-actions bot force-pushed the upgrade/neuvector/2.8.11 branch 6 times, most recently from 05ec33b to 8b4b2be Compare February 19, 2026 20:15
Signed-off-by: robot <robot@example.com>
@github-actions github-actions bot force-pushed the upgrade/neuvector/2.8.11 branch from 8b4b2be to c714ea4 Compare February 20, 2026 20:13