Automate NeuVector installation and management with Fleet – The GitOps way

NeuVector is a Zero Trust container security platform. It is 100% open source and secures both the container image lifecycle and the running containers, with no vendor lock-in.

As detailed in the documentation, there are multiple ways to install NeuVector. We’ll focus on installing NeuVector from Rancher, to take advantage of the integration between the two tools, in particular URL redirection and Rancher RBAC.

NeuVector can be installed from the Rancher UI, which is great for discovering and experimenting with it.

But it is a manual process, and that is why I wanted to show you how to automate it.

Rancher Apps are Helm applications served from a Helm chart repository, so we already have everything needed to automate the installation the way a Cloud Native world does it: GitOps! Several tools implement GitOps, ArgoCD and Flux among them, but also Fleet, which ships with Rancher by default and is the one I’ll be using.

We need a git repository to store and manage the Kubernetes object definitions. I have one on GitHub containing two folders, each with its own fleet.yaml: one for the NeuVector CRDs and one for NeuVector itself. I named them rancher-neuvector-crd and rancher-neuvector, as I use the Rancher Helm charts to get the integration with Rancher.

rancher-neuvector-crd/fleet.yaml:

defaultNamespace: cattle-neuvector-system
helm:
  repo: https://charts.rancher.io
  chart: neuvector-crd              # https://github.com/rancher/charts/tree/release-v2.7/charts/neuvector-crd
  version: 102.0.1+up2.4.3          # 5.1.2
  releaseName: neuvector-crd
labels:
  app: neuvector-crd

rancher-neuvector/fleet.yaml:

defaultNamespace: cattle-neuvector-system
helm:
  repo: https://charts.rancher.io
  chart: neuvector                  # https://github.com/rancher/charts/tree/release-v2.7/charts/neuvector
  version: 102.0.1+up2.4.3          # 5.1.2
  releaseName: neuvector
  values:
    controller:
      replicas: 1
    cve:
      scanner:
        replicas: 1
targetCustomizations:
  - name: aks-business-blueprod
    helm:
      values:
        containerd:
          enabled: true
        global:
          cattle:
            url: https://rancher.xxxxx.sslip.io
    clusterName: c-xxxx
dependsOn:
  - selector:
      matchLabels:
        app: neuvector-crd

In “Rancher” > “Continuous Delivery”, I have defined two “GitRepo” objects. This is required to manage the dependency between the two charts: in some cases the CRDs must be installed before the actual application (a limitation of Helm by design).

You’ll notice the names “definitions” and “security”: the first GitRepo points at the “rancher-neuvector-crd” folder and the second one at “rancher-neuvector”.
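The two GitRepo objects are created through the Rancher UI above; for a fully declarative setup they can also be committed as manifests. The following is an added example, not taken from the original post or from the Fleet project: the repository URL, branch and secret name are placeholders to replace, the cluster name reuses the c-xxxx value from fleet.yaml, and fleet-default is assumed to be the Fleet workspace of the downstream cluster.

```yaml
# Added example (not from the original post): the two Fleet GitRepo objects,
# "definitions" (CRD chart) and "security" (NeuVector chart), as manifests.
# Placeholders: repository URL, branch, and the optional credentials secret.
apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepo
metadata:
  name: definitions
  namespace: fleet-default                       # assumed Fleet workspace
spec:
  repo: https://github.com/EXAMPLE-ORG/EXAMPLE-REPO   # placeholder URL
  branch: main                                   # placeholder branch
  # clientSecretName: gitrepo-auth               # optional, only for a private repository
  paths:
    - rancher-neuvector-crd                      # folder holding the CRD fleet.yaml
  targets:
    - clusterName: c-xxxx                        # same cluster as in fleet.yaml
---
apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepo
metadata:
  name: security
  namespace: fleet-default
spec:
  repo: https://github.com/EXAMPLE-ORG/EXAMPLE-REPO   # placeholder URL
  branch: main
  # clientSecretName: gitrepo-auth
  paths:
    - rancher-neuvector                          # folder holding the NeuVector fleet.yaml
  targets:
    - clusterName: c-xxxx
```

Apply both with kubectl against the Rancher management cluster (the one running Fleet). The bundle built from rancher-neuvector carries the dependsOn selector on the app: neuvector-crd label, so Fleet waits for the CRD bundle to be ready before deploying NeuVector, whichever GitRepo is synced first.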

And voila, this is installed and NeuVector is now available!

Let me know if you run into an issue or want to know more.

bertrand