defenseunicorns · chance-coleman · Apr 18, 2025 · Apr 3, 2025 · Apr 3, 2025 · Apr 3, 2025
@@ -1,4 +1,4 @@
-# Copyright 2024 Defense Unicorns
+# Copyright 2025 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 name: AKS Test
@@ -99,7 +99,6 @@ jobs:
 
       - name: Test UDS Core
         run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server"
-        continue-on-error: true
 
       - name: Debug Output
         if: ${{ always() }}

@@ -1,4 +1,4 @@
-# Copyright 2024 Defense Unicorns
+# Copyright 2025 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 name: EKS Test
@@ -103,7 +103,6 @@ jobs:
 
       - name: Test UDS Core
         run: uds run -f tasks/test.yaml uds-core-non-k3d --set EXCLUDED_PACKAGES="metrics-server"
-        continue-on-error: true
 
       - name: Debug Output
         if: ${{ always() }}

@@ -1,4 +1,4 @@
-# Copyright 2024 Defense Unicorns
+# Copyright 2025 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
 
 name: RKE2 Test
@@ -103,7 +103,6 @@ jobs:
 
       - name: Test UDS Core
         run: uds run -f tasks/test.yaml uds-core-non-k3d
-        continue-on-error: true
 
       - name: Debug Output
         if: ${{ always() }}

@@ -14,7 +14,7 @@ components:
     charts:
       - name: crd
         url: https://neuvector.github.io/neuvector-helm/
-        version: 2.8.4
+        version: 2.8.5
         namespace: neuvector
         gitPath: charts/crd
       - name: uds-neuvector-config
@@ -25,14 +25,14 @@ components:
           - ../chart/values.yaml
       - name: core
         url: https://neuvector.github.io/neuvector-helm/
-        version: 2.8.4
+        version: 2.8.5
         namespace: neuvector
         gitPath: charts/core
         valuesFiles:
           - ../values/values.yaml
       # - name: monitor
       #   url: https://neuvector.github.io/neuvector-helm/
-      #   version: 2.8.4
+      #   version: 2.8.5
       #   namespace: neuvector
       #   gitPath: charts/monitor
       #   valuesFiles:

@@ -3,7 +3,7 @@
 
 registry: registry1.dso.mil
 # renovate: datasource=docker depName=registry1.dso.mil/ironbank/neuvector/neuvector/controller versioning=docker
-tag: "5.4.2"
+tag: "5.4.3"
 manager:
   image:
     repository: ironbank/neuvector/neuvector/manager

@@ -6,7 +6,7 @@ autoGenerateCert: true
 
 registry: cgr.dev
 # renovate: datasource=docker depName=cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips versioning=docker
-tag: "5.4.2"
+tag: "5.4.3"
 manager:
   image:
     repository: du-uds-defenseunicorns/neuvector-manager

@@ -3,7 +3,7 @@
 
 registry: docker.io
 # renovate: datasource=docker depName=docker.io/neuvector/controller versioning=docker
-tag: "5.4.2"
+tag: "5.4.3"
 manager:
   image:
     repository: neuvector/manager

@@ -31,6 +31,11 @@ controller:
   env:
     - name: NO_DEFAULT_ADMIN
       value: "1"
+  podAnnotations:
+    # Prevent istio from rewriting TCP Port readiness checks
+    # We modify the default readinessProbe for neuvector controller in pepr
+    # See https://github.com/defenseunicorns/uds-core/issues/1446
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
 
 cve:
   updater:
@@ -39,3 +44,10 @@ cve:
 crdwebhook:
   enabled: false
   type: ClusterIP
+
+enforcer:
+  podAnnotations:
+    # Prevent istio from rewriting TCP Port readiness checks
+    # We add default a readinessProbe and livenessProbe for neuvector enforcer in pepr
+    # See https://github.com/defenseunicorns/uds-core/issues/1446
+    sidecar.istio.io/rewriteAppHTTPProbers: "false"
@@ -28,11 +28,11 @@ components:
         valuesFiles:
           - values/upstream-values.yaml
     images:
-      - docker.io/neuvector/controller:5.4.2
-      - docker.io/neuvector/manager:5.4.2
+      - docker.io/neuvector/controller:5.4.3
+      - docker.io/neuvector/manager:5.4.3
       - docker.io/neuvector/updater:latest
       - docker.io/neuvector/scanner:latest
-      - docker.io/neuvector/enforcer:5.4.2
+      - docker.io/neuvector/enforcer:5.4.3
 
   - name: neuvector
     description: "Deploy Neuvector"
@@ -46,11 +46,11 @@ components:
         valuesFiles:
           - values/registry1-values.yaml
     images:
-      - registry1.dso.mil/ironbank/neuvector/neuvector/controller:5.4.2
-      - registry1.dso.mil/ironbank/neuvector/neuvector/manager:5.4.2
+      - registry1.dso.mil/ironbank/neuvector/neuvector/controller:5.4.3
+      - registry1.dso.mil/ironbank/neuvector/neuvector/manager:5.4.3
       - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.5
       - registry1.dso.mil/ironbank/neuvector/neuvector/scanner:6
-      - registry1.dso.mil/ironbank/neuvector/neuvector/enforcer:5.4.2
+      - registry1.dso.mil/ironbank/neuvector/neuvector/enforcer:5.4.3
 
   - name: neuvector
     description: "Deploy Neuvector"
@@ -67,8 +67,8 @@ components:
         valuesFiles:
           - values/unicorn-values.yaml
     images:
-      - cgr.dev/du-uds-defenseunicorns/neuvector-manager:5.4.2
-      - cgr.dev/du-uds-defenseunicorns/neuvector-enforcer-fips:5.4.2
-      - cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips:5.4.2
+      - cgr.dev/du-uds-defenseunicorns/neuvector-manager:5.4.3
+      - cgr.dev/du-uds-defenseunicorns/neuvector-enforcer-fips:5.4.3
+      - cgr.dev/du-uds-defenseunicorns/neuvector-controller-fips:5.4.3
       - docker.io/neuvector/scanner:latest
       - cgr.dev/du-uds-defenseunicorns/neuvector-updater-fips:8.12.1-dev
@@ -43,7 +43,6 @@ When(a.Service)
 
 /**
  * Mutate the Neuvector Enforcer DaemonSet to add a livenessProbe
- * Temporary until fixed upstream
  */
 
 When(a.DaemonSet)
@@ -58,20 +57,45 @@ When(a.DaemonSet)
     if (enforcerContainer && enforcerContainer.livenessProbe === undefined) {
       log.debug("Patching NeuVector Enforcer Daemonset to add livenessProbe");
       const livenessProbe = {
-        exec: { command: ["curl", "--no-progress-meter", "127.0.0.1:8500"] },
-        periodSeconds: 10,
-        failureThreshold: 2,
+        tcpSocket: { port: 8500 },
+        periodSeconds: 30,
+        failureThreshold: 3,
       };
       enforcerContainer.livenessProbe = livenessProbe;
     }
 
     if (enforcerContainer && enforcerContainer.readinessProbe === undefined) {
       log.debug("Patching NeuVector Enforcer Daemonset to add readinessProbe");
       const readinessProbe = {
-        exec: { command: ["curl", "--no-progress-meter", "127.0.0.1:8500"] },
-        initialDelaySeconds: 10,
-        periodSeconds: 5,
+        tcpSocket: { port: 8500 },
+        initialDelaySeconds: 30,
+        periodSeconds: 30,
+        failureThreshold: 3,
       };
       enforcerContainer.readinessProbe = readinessProbe;
     }
   });
+
+/**
+ * Mutate the Neuvector Controller Deployment to patch in new readinessProbe
+ * See issue for reference: https://github.com/defenseunicorns/uds-core/issues/1446
+ */
+
+When(a.Deployment)
+  .IsCreatedOrUpdated()
+  .InNamespace("neuvector")
+  .WithName("neuvector-controller-pod")
+  .Mutate(async deploy => {
+    const controllerContainer = deploy.Raw.spec?.template.spec?.containers.find(
+      container => container.name === "neuvector-controller-pod",
+    );
+
+    if (controllerContainer && controllerContainer.readinessProbe) {
+      log.debug("Patching NeuVector Controller deployment to modify readinessProbe");
+      const readinessProbe = {
+        // Probe default port for controller REST API server
+        tcpSocket: { port: 10443 },
+      };
+      controllerContainer.readinessProbe = readinessProbe;
+    }
+  });