chore(deps): update neuvector to 5.4.0 (#778)

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips](https://images.chainguard.dev/directory/image/neuvector-controller-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/neuvector-fips)) | minor | `5.3.4` -> `5.4.0` | | [cgr.dev/du-uds-defenseunicorns/neuvector-enforcer-fips](https://images.chainguard.dev/directory/image/neuvector-enforcer-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/neuvector-fips)) | minor | `5.3.4` -> `5.4.0` | | [cgr.dev/du-uds-defenseunicorns/neuvector-manager](https://images.chainguard.dev/directory/image/neuvector-manager/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/neuvector)) | minor | `5.3.4` -> `5.4.0` | | [cgr.dev/du-uds-defenseunicorns/neuvector-updater-fips](https://images.chainguard.dev/directory/image/neuvector-updater-fips/overview) ([source](https://redirect.github.com/chainguard-images/images-private/tree/HEAD/images/neuvector-fips)) | minor | `8.10.1-dev` -> `8.11.0-dev` | | [core](https://neuvector.com) ([source](https://redirect.github.com/neuvector/neuvector-helm)) | minor | `2.7.9` -> `2.8.3` | | [crd](https://neuvector.com) | minor | `2.7.9` -> `2.8.3` | | [docker.io/neuvector/controller](https://www.suse.com/products/base-container-images/) ([source](https://sources.suse.com/SUSE:SLE-15-SP6:Update:CR/micro-image/19856e79d950c4baf0d9cc9c3e07c2f3/)) | minor | `5.3.4` -> `5.4.0` | | [docker.io/neuvector/enforcer](https://www.suse.com/products/base-container-images/) ([source](https://sources.suse.com/SUSE:SLE-15-SP6:Update:CR/micro-image/19856e79d950c4baf0d9cc9c3e07c2f3/)) | minor | `5.3.4` -> `5.4.0` | | [docker.io/neuvector/manager](https://www.suse.com/products/base-container-images/) ([source](https://sources.suse.com/SUSE:SLE-15-SP6:Update:CR/micro-image/19856e79d950c4baf0d9cc9c3e07c2f3/)) | minor | `5.3.4` -> `5.4.0` | | [monitor](https://neuvector.com) | minor | `2.7.9` -> `2.8.3` | | [registry1.dso.mil/ironbank/neuvector/neuvector/controller](https://open-docs.neuvector.com/) ([source](https://repo1.dso.mil/dsop/neuvector/neuvector/controller)) | minor | `5.3.4` -> `5.4.0` | | [registry1.dso.mil/ironbank/neuvector/neuvector/enforcer](https://open-docs.neuvector.com/) ([source](https://repo1.dso.mil/dsop/neuvector/neuvector/enforcer)) | minor | `5.3.4` -> `5.4.0` | | [registry1.dso.mil/ironbank/neuvector/neuvector/manager](https://open-docs.neuvector.com/) ([source](https://repo1.dso.mil/dsop/neuvector/neuvector/manager)) | minor | `5.3.4` -> `5.4.0` | | [registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal](https://catalog.redhat.com/software/container-stacks/detail/5ec53f50ef29fd35586d9a56) ([source](https://repo1.dso.mil/dsop/redhat/ubi/9.x/ubi9-minimal)) | minor | `9.4` -> `9.5` | --- ### Release Notes <details> <summary>neuvector/neuvector-helm (core)</summary> ### [`v2.8.3`](https://redirect.github.com/neuvector/neuvector-helm/releases/tag/v2.8.3): Release 2.8.3 [Compare Source](https://redirect.github.com/neuvector/neuvector-helm/compare/2.8.2...v2.8.3) ##### What's Changed - fix: NVSHAS-9624 rewrite gh-page publish flow by [@holyspectral](https://redirect.github.com/holyspectral) in [https://github.com/neuvector/neuvector-helm/pull/455](https://redirect.github.com/neuvector/neuvector-helm/pull/455) - fix: NVSHAS-8682 remove misplaced resc from crds by [@holyspectral](https://redirect.github.com/holyspectral) in [https://github.com/neuvector/neuvector-helm/pull/453](https://redirect.github.com/neuvector/neuvector-helm/pull/453) - Bump version for 2.8.3 by [@holyspectral](https://redirect.github.com/holyspectral) in [https://github.com/neuvector/neuvector-helm/pull/459](https://redirect.github.com/neuvector/neuvector-helm/pull/459) ##### Known issues In 2.8.3 chart release, we move a previously mislocated resource from crds to core. If you use both crds and core charts, you might see issues during upgrade if you deploy core first. To resolve this, upgrade crds first and then core charts. **Full Changelog**: neuvector/neuvector-helm@2.8.2...v2.8.3 ### [`v2.8.2`](https://redirect.github.com/neuvector/neuvector-helm/releases/tag/2.8.2) [Compare Source](https://redirect.github.com/neuvector/neuvector-helm/compare/2.8.1...2.8.2) #### What's Changed - NVSHAS-9451: support separate network mode and Process and File mode in CRD (helm) by [@williamlin-suse](https://redirect.github.com/williamlin-suse) in [https://github.com/neuvector/neuvector-helm/pull/443](https://redirect.github.com/neuvector/neuvector-helm/pull/443) - feat: add CODEOWNERS by [@holyspectral](https://redirect.github.com/holyspectral) in [https://github.com/neuvector/neuvector-helm/pull/449](https://redirect.github.com/neuvector/neuvector-helm/pull/449) - fix: NVSHAS-9546 make scanner not load cert by [@holyspectral](https://redirect.github.com/holyspectral) in [https://github.com/neuvector/neuvector-helm/pull/450](https://redirect.github.com/neuvector/neuvector-helm/pull/450) - fix: NVSHAS-9546 make scanner not load cert by [@holyspectral](https://redirect.github.com/holyspectral) in [https://github.com/neuvector/neuvector-helm/pull/451](https://redirect.github.com/neuvector/neuvector-helm/pull/451) - feat: increment version to 2.8.2 by [@holyspectral](https://redirect.github.com/holyspectral) in [https://github.com/neuvector/neuvector-helm/pull/452](https://redirect.github.com/neuvector/neuvector-helm/pull/452) #### New Contributors - [@williamlin-suse](https://redirect.github.com/williamlin-suse) made their first contribution in [https://github.com/neuvector/neuvector-helm/pull/443](https://redirect.github.com/neuvector/neuvector-helm/pull/443) **Full Changelog**: neuvector/neuvector-helm@2.8.0...2.8.2 ### [`v2.8.1`](https://redirect.github.com/neuvector/neuvector-helm/compare/2.8.0...2.8.1) [Compare Source](https://redirect.github.com/neuvector/neuvector-helm/compare/2.8.0...2.8.1) ### [`v2.8.0`](https://redirect.github.com/neuvector/neuvector-helm/releases/tag/2.8.0) [Compare Source](https://redirect.github.com/neuvector/neuvector-helm/compare/2.7.9...2.8.0) ##### What's Changed - Fix an issue where cert-upgrader pod created by cronjob has no effect by [@holyspectral](https://redirect.github.com/holyspectral) in [https://github.com/neuvector/neuvector-helm/pull/424](https://redirect.github.com/neuvector/neuvector-helm/pull/424) - Adding support for CTRL_SEARCH_REGISTRIES env variable NVSHAS-9255 by [@venkateshjayagopal](https://redirect.github.com/venkateshjayagopal) in [https://github.com/neuvector/neuvector-helm/pull/426](https://redirect.github.com/neuvector/neuvector-helm/pull/426) - Removed Heritage by [@holyspectral](https://redirect.github.com/holyspectral) in [https://github.com/neuvector/neuvector-helm/pull/429](https://redirect.github.com/neuvector/neuvector-helm/pull/429) - feat: NVSHAS-9382 allow providing TLS certificates by [@holyspectral](https://redirect.github.com/holyspectral) in [https://github.com/neuvector/neuvector-helm/pull/427](https://redirect.github.com/neuvector/neuvector-helm/pull/427) - prime compliance support by [@selvamt94](https://redirect.github.com/selvamt94) in [https://github.com/neuvector/neuvector-helm/pull/431](https://redirect.github.com/neuvector/neuvector-helm/pull/431) - update bootstrap support by [@selvamt94](https://redirect.github.com/selvamt94) in [https://github.com/neuvector/neuvector-helm/pull/438](https://redirect.github.com/neuvector/neuvector-helm/pull/438) - Merge 5.4 changes to master by [@holyspectral](https://redirect.github.com/holyspectral) in [https://github.com/neuvector/neuvector-helm/pull/437](https://redirect.github.com/neuvector/neuvector-helm/pull/437) - Bump version up for helm charts 2.8.0 release by [@holyspectral](https://redirect.github.com/holyspectral) in [https://github.com/neuvector/neuvector-helm/pull/439](https://redirect.github.com/neuvector/neuvector-helm/pull/439) **Full Changelog**: neuvector/neuvector-helm@2.7.9...2.8.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/defenseunicorns/uds-core).  --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Micah Nagel <[email protected]> Co-authored-by: Noah Birrer <[email protected]>
defenseunicorns · Nov 21, 2024 · ccd0a32 · ccd0a32
1 parent cca5e2c
commit ccd0a32
Show file tree

Hide file tree

Showing 11 changed files with 164 additions and 20 deletions.
diff --git a/packages/runtime-security/tasks.yaml b/packages/runtime-security/tasks.yaml
@@ -8,3 +8,4 @@ tasks:
   - name: validate
     actions:
       - task: neuvector:validate
+      - task: neuvector:e2e-test
diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml
@@ -81,6 +81,16 @@ spec:
         selector:
           app: neuvector-updater-pod
 
+      - direction: Egress
+        remoteGenerated: KubeAPI
+        selector:
+          app: neuvector-cert-upgrader-pod
+
+      - direction: Egress
+        remoteGenerated: KubeAPI
+        selector:
+          app: neuvector-scanner-pod
+
       - direction: Egress
         remoteGenerated: KubeAPI
         selector:

diff --git a/src/neuvector/common/zarf.yaml b/src/neuvector/common/zarf.yaml
@@ -14,7 +14,7 @@ components:
     charts:
       - name: crd
         url: https://neuvector.github.io/neuvector-helm/
-        version: 2.7.9
+        version: 2.8.2
         namespace: neuvector
         gitPath: charts/crd
       - name: uds-neuvector-config
@@ -23,14 +23,14 @@ components:
         localPath: ../chart
       - name: core
         url: https://neuvector.github.io/neuvector-helm/
-        version: 2.7.9
+        version: 2.8.2
         namespace: neuvector
         gitPath: charts/core
         valuesFiles:
           - ../values/values.yaml
       # - name: monitor
       #   url: https://neuvector.github.io/neuvector-helm/
-      #   version: 2.7.9
+      #   version: 2.8.2
       #   namespace: neuvector
       #   gitPath: charts/monitor
       #   valuesFiles:

diff --git a/src/neuvector/tasks.yaml b/src/neuvector/tasks.yaml
@@ -1,6 +1,9 @@
 # Copyright 2024 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
+includes:
+  - utils: ../../tasks/utils.yaml
+
 tasks:
   - name: validate
     actions:
@@ -41,4 +44,17 @@ tasks:
 
   - name: e2e-test
     actions:
-      - description: "Run Neuvector E2E tests"
+      - description: "Setup the Keycloak admin user if needed"
+        task: utils:keycloak-admin-user
+      - description: "Setup the Doug User for testing"
+        # Self-reference this task file to avoid https://github.com/defenseunicorns/maru-runner/issues/144
+        cmd: uds run -f tasks/test.yaml common-setup:create-doug-user --set KEYCLOAK_GROUP="/UDS Core/Admin" --no-progress # Adds the test doug user
+      - description: E2E Test for NeuVector
+        cmd: |
+          # renovate: datasource=docker depName=mcr.microsoft.com/playwright versioning=docker
+          docker run --rm --ipc=host -e FULL_CORE="${FULL_CORE}" --net=host --mount type=bind,source="$(pwd)",target=/app mcr.microsoft.com/playwright:v1.49.0-noble sh -c " \
+            cd app && \
+            npm ci && \
+            npx playwright test neuvector.test.ts \
+            "
+        dir: test/playwright
diff --git a/src/neuvector/values/registry1-values.yaml b/src/neuvector/values/registry1-values.yaml
@@ -3,7 +3,7 @@
 
 registry: registry1.dso.mil
 # renovate: datasource=docker depName=registry1.dso.mil/ironbank/neuvector/neuvector/controller versioning=docker
-tag: "5.3.4"
+tag: "5.4.0"
 manager:
   image:
     repository: ironbank/neuvector/neuvector/manager
@@ -47,7 +47,7 @@ cve:
     image:
       repository: ironbank/redhat/ubi/ubi9-minimal
       # renovate: datasource=docker depName=registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal versioning=docker
-      tag: "9.4"
+      tag: "9.5"
     containerSecurityContext:
       capabilities:
         drop:

diff --git a/src/neuvector/values/unicorn-values.yaml b/src/neuvector/values/unicorn-values.yaml
@@ -6,7 +6,7 @@ autoGenerateCert: true
 
 registry: cgr.dev
 # renovate: datasource=docker depName=cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips versioning=docker
-tag: "5.3.4"
+tag: "5.4.0"
 manager:
   image:
     repository: du-uds-defenseunicorns/neuvector-manager
@@ -41,4 +41,4 @@ cve:
     image:
       repository: du-uds-defenseunicorns/neuvector-updater-fips
       # renovate: datasource=docker depName=cgr.dev/du-uds-defenseunicorns/neuvector-updater-fips versioning=docker
-      tag: 8.10.1-dev
+      tag: 8.11.0-dev
diff --git a/src/neuvector/values/upstream-values.yaml b/src/neuvector/values/upstream-values.yaml
@@ -3,7 +3,7 @@
 
 registry: docker.io
 # renovate: datasource=docker depName=docker.io/neuvector/controller versioning=docker
-tag: "5.3.4"
+tag: "5.4.0"
 manager:
   image:
     repository: neuvector/manager

diff --git a/src/neuvector/values/values.yaml b/src/neuvector/values/values.yaml
@@ -10,6 +10,9 @@ manager:
   svc:
     type: ClusterIP
 
+internal:
+  autoRotateCert: true
+
 controller:
   apisvc:
     type: ClusterIP

diff --git a/src/neuvector/zarf.yaml b/src/neuvector/zarf.yaml
@@ -25,11 +25,11 @@ components:
         valuesFiles:
           - values/upstream-values.yaml
     images:
-      - docker.io/neuvector/controller:5.3.4
-      - docker.io/neuvector/manager:5.3.4
+      - docker.io/neuvector/controller:5.4.0
+      - docker.io/neuvector/manager:5.4.0
       - docker.io/neuvector/updater:latest
       - docker.io/neuvector/scanner:latest
-      - docker.io/neuvector/enforcer:5.3.4
+      - docker.io/neuvector/enforcer:5.4.0
 
   - name: neuvector
     description: "Deploy Neuvector"
@@ -43,11 +43,11 @@ components:
         valuesFiles:
           - values/registry1-values.yaml
     images:
-      - registry1.dso.mil/ironbank/neuvector/neuvector/controller:5.3.4
-      - registry1.dso.mil/ironbank/neuvector/neuvector/manager:5.3.4
-      - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4
+      - registry1.dso.mil/ironbank/neuvector/neuvector/controller:5.4.0
+      - registry1.dso.mil/ironbank/neuvector/neuvector/manager:5.4.0
+      - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.5
       - registry1.dso.mil/ironbank/neuvector/neuvector/scanner:5
-      - registry1.dso.mil/ironbank/neuvector/neuvector/enforcer:5.3.4
+      - registry1.dso.mil/ironbank/neuvector/neuvector/enforcer:5.4.0
 
   - name: neuvector
     description: "Deploy Neuvector"
@@ -64,8 +64,8 @@ components:
         valuesFiles:
           - values/unicorn-values.yaml
     images:
-      - cgr.dev/du-uds-defenseunicorns/neuvector-manager:5.3.4
-      - cgr.dev/du-uds-defenseunicorns/neuvector-enforcer-fips:5.3.4
-      - cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips:5.3.4
+      - cgr.dev/du-uds-defenseunicorns/neuvector-manager:5.4.0
+      - cgr.dev/du-uds-defenseunicorns/neuvector-enforcer-fips:5.4.0
+      - cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips:5.4.0
       - docker.io/neuvector/scanner:latest
-      - cgr.dev/du-uds-defenseunicorns/neuvector-updater-fips:8.10.1-dev
+      - cgr.dev/du-uds-defenseunicorns/neuvector-updater-fips:8.11.0-dev
diff --git a/src/pepr/patches/index.ts b/src/pepr/patches/index.ts
@@ -40,3 +40,28 @@ When(a.Service)
       grpcPort.appProtocol = "tcp";
     }
   });
+
+/**
+ * Mutate the Neuvector Enforcer DaemonSet to add a livenessProbe
+ * Temporary until fixed upstream
+ */
+
+When(a.DaemonSet)
+  .IsCreatedOrUpdated()
+  .InNamespace("neuvector")
+  .WithName("neuvector-enforcer-pod")
+  .Mutate(async ds => {
+    const enforcerContainer = ds.Raw.spec?.template.spec?.containers.find(
+      container => container.name === "neuvector-enforcer-pod",
+    );
+
+    if (enforcerContainer && enforcerContainer.livenessProbe === undefined) {
+      log.debug("Patching NeuVector Enforcer Daemonset to add livenessProbe");
+      const livenessProbe = {
+        exec: { command: ["curl", "--no-progress-meter", "127.0.0.1:8500"] },
+        periodSeconds: 10,
+        failureThreshold: 2,
+      };
+      enforcerContainer.livenessProbe = livenessProbe;
+    }
+  });
diff --git a/test/playwright/neuvector.test.ts b/test/playwright/neuvector.test.ts
@@ -0,0 +1,89 @@
+/**
+ * Copyright 2024 Defense Unicorns
+ * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+ */
+
+import { expect, test } from "@playwright/test";
+import { domain } from "./uds.config";
+
+const url = `https://neuvector.admin.${domain}`
+test.use({ baseURL: url });
+
+test("validate system health", async ({ page }) => {
+  await test.step("check sso", async () => {
+    await page.goto('/#/login');
+    await page.waitForLoadState("domcontentloaded");
+
+    await expect(page.getByRole('button', { name: 'Login with OpenID' })).toBeVisible();
+    const termsCheckbox = await page.locator('.mat-checkbox-inner-container');
+    if (await termsCheckbox.isVisible()) {
+      await termsCheckbox.click();
+    }
+    await page.getByRole('button', { name: 'Login with OpenID' }).click();
+    await expect(page).toHaveURL('/#/dashboard');
+    await expect(page.locator('.navbar-header')).toBeVisible();
+  });
+
+  // Expect counts for scanner, controller, enforcer are based on chart defaults
+  await test.step("check system components", async () => {
+    await page.goto('/#/controllers');
+    await page.waitForLoadState("domcontentloaded");
+
+    // Ensure at least three scanners are connected and at least one scan complete
+    await page.getByRole('tab', { name: 'Scanners' }).click();
+    await page.waitForLoadState("domcontentloaded");
+    const scannerPromise = page.waitForResponse(`${url}/scanner`);
+    await page.getByLabel('Scanners').getByRole('button', { name: 'refresh Refresh' }).click();
+    const scannerResponse = await scannerPromise;
+    const scannerData = await scannerResponse.json();
+
+    expect(scannerData).toHaveProperty('scanners');
+    expect(Array.isArray(scannerData.scanners)).toBe(true);
+    expect(scannerData.scanners.length).toBeGreaterThanOrEqual(3);
+    const hasScannedContainers = scannerData.scanners.some(
+      (scanner: { scanned_containers: number }) => scanner.scanned_containers > 0
+    );
+    expect(hasScannedContainers).toBe(true);
+
+    // Ensure at least three controller exists and all are connected
+    await page.getByRole('tab', { name: 'Controllers' }).click();
+    await page.waitForLoadState("domcontentloaded");
+    const controllerPromise = page.waitForResponse(`${url}/controller`);
+    await page.getByLabel('Controllers').getByRole('button', { name: 'refresh Refresh' }).click();
+    const controllerResponse = await controllerPromise;
+    const controllerData = await controllerResponse.json();
+
+    expect(controllerData).toHaveProperty('controllers');
+    expect(Array.isArray(controllerData.controllers)).toBe(true);
+    expect(controllerData.controllers.length).toBeGreaterThanOrEqual(3);
+    controllerData.controllers.forEach((controller: { connection_state: string }) => {
+      expect(controller.connection_state).toBe('connected');
+    });
+
+    // Ensure at least one enforcer exists and all are connected
+    await page.getByRole('tab', { name: 'Enforcers' }).click();
+    await page.waitForLoadState("domcontentloaded");
+    const enforcerPromise = page.waitForResponse(`${url}/enforcer`);
+    await page.getByLabel('Enforcers').getByRole('button', { name: 'refresh Refresh' }).click();
+    const enforcerResponse = await enforcerPromise;
+    const enforcerData = await enforcerResponse.json();
+
+    expect(enforcerData).toHaveProperty('enforcers');
+    expect(Array.isArray(enforcerData.enforcers)).toBe(true);
+    expect(enforcerData.enforcers.length).toBeGreaterThanOrEqual(1);
+    enforcerData.enforcers.forEach((enforcer: { connection_state: string }) => {
+      expect(enforcer.connection_state).toBe('connected');
+    });
+  });
+});
+
+test("validate local login is blocked", async ({ page }) => {
+  await test.step("check local login", async () => {
+    await page.goto('/#/login');
+    await page.locator('.mat-checkbox-inner-container').click();
+    await page.locator('#Email1').fill('admin');
+    await page.locator('#password1').fill('admin');
+    await page.getByRole('button', { name: 'Login', exact: true }).click();
+    await expect(page.getByText('RBAC: access denied')).toBeVisible();
+  });
+});