Adding open-appsec-kong helm chart to repo based on kong 2.16.1

roybarda
2023-05-02 14:30:33 +03:00
parent 2c750513a1
commit 240f58217a
132 changed files with 17727 additions and 0 deletions


@@ -0,0 +1,56 @@
# Example values.yaml configurations
The YAML files in this directory provide basic example configurations for
common Kong deployment scenarios on Kubernetes.
* [minimal-kong-controller.yaml](minimal-kong-controller.yaml) installs Kong
open source with the ingress controller in DB-less mode.
* [minimal-kong-standalone.yaml](minimal-kong-standalone.yaml) installs Kong
open source and Postgres with no controller.
* [minimal-kong-enterprise-dbless.yaml](minimal-kong-enterprise-dbless.yaml)
installs Kong for Kubernetes with Kong Enterprise with the ingress controller
in DB-less mode.
* [minimal-k4k8s-with-kong-enterprise.yaml](minimal-k4k8s-with-kong-enterprise.yaml)
installs Kong for Kubernetes with Kong Enterprise with the ingress controller
and PostgreSQL. It does not enable Enterprise features other than Kong
Manager, and does not expose it or the Admin API via a TLS-secured ingress.
* [full-k4k8s-with-kong-enterprise.yaml](full-k4k8s-with-kong-enterprise.yaml)
installs Kong for Kubernetes with Kong Enterprise with the ingress controller
in PostgreSQL. It enables all Enterprise services.
* [minimal-kong-hybrid-control.yaml](minimal-kong-hybrid-control.yaml) and
[minimal-kong-hybrid-data.yaml](minimal-kong-hybrid-data.yaml) install
separate releases for hybrid mode control and data plane nodes, using the
built-in PostgreSQL chart on the control plane release. They require some
pre-work to [create certificates](https://github.com/Kong/charts/blob/main/charts/kong/README.md#certificates)
and configure the control plane location. See comments in the file headers
for additional details.
Note that you should install the control plane release first if possible:
data planes must be able to talk with a control plane node before they can
come online. Starting control planes first is not strictly required (data
plane nodes will retry their connection for a while before Kubernetes
restarts them, so starting control planes second, but around the same time
will usually work), but is the smoothest option.
* [minimal-kong-enterprise-hybrid-control.yaml](minimal-kong-enterprise-hybrid-control.yaml) and
[minimal-kong-enterprise-hybrid-data.yaml](minimal-kong-enterprise-hybrid-data.yaml) install
separate releases of Kong Enterprise for hybrid mode control and data plane nodes, using the
built-in PostgreSQL chart on the control plane release. They require some
pre-work to [create certificates](https://github.com/Kong/charts/blob/main/charts/kong/README.md#certificates)
and configure the control plane location. See comments in the file headers
for additional details.
Note that you should install the control plane release first if possible:
data planes must be able to talk with a control plane node before they can
come online. Starting control planes first is not strictly required (data
plane nodes will retry their connection for a while before Kubernetes
restarts them, so starting control planes second, but around the same time
will usually work), but is the smoothest option.
All Enterprise examples require some level of additional user configuration to
install properly. Read the comments at the top of each file for instructions.


@@ -0,0 +1,5 @@
# Kong Gateway Helm Docs Samples
This directory contains sample values files written in support of official [docs.konghq.com](https://docs.konghq.com/gateway/3.0.x/install-and-run/) workflows.
## Disclaimer
The samples here are published for educational purposes and should not be considered production ready as-is.


@@ -0,0 +1,285 @@
admin:
annotations:
konghq.com/protocol: https
enabled: true
http:
enabled: false
ingress:
annotations:
konghq.com/https-redirect-status-code: "301"
konghq.com/protocols: https
konghq.com/strip-path: "true"
kubernetes.io/ingress.class: default
nginx.ingress.kubernetes.io/app-root: /
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/permanent-redirect-code: "301"
enabled: true
hostname: kong.127-0-0-1.nip.io
path: /api
tls: quickstart-kong-admin-cert
tls:
containerPort: 8444
enabled: true
parameters:
- http2
servicePort: 8444
type: ClusterIP
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/instance
operator: In
values:
- dataplane
topologyKey: kubernetes.io/hostname
weight: 100
certificates:
enabled: true
issuer: quickstart-kong-selfsigned-issuer
cluster:
enabled: true
admin:
enabled: true
commonName: kong.127-0-0-1.nip.io
portal:
enabled: true
commonName: developer.127-0-0-1.nip.io
proxy:
enabled: true
commonName: 127-0-0-1.nip.io
dnsNames:
- '*.127-0-0-1.nip.io'
cluster:
enabled: true
labels:
konghq.com/service: cluster
tls:
containerPort: 8005
enabled: true
servicePort: 8005
type: ClusterIP
clustertelemetry:
enabled: true
tls:
containerPort: 8006
enabled: true
servicePort: 8006
type: ClusterIP
deployment:
kong:
daemonset: false
enabled: true
enterprise:
enabled: true
license_secret: kong-enterprise-license
portal:
enabled: true
rbac:
admin_api_auth: basic-auth
admin_gui_auth_conf_secret: kong-config-secret
enabled: true
session_conf_secret: kong-config-secret
smtp:
enabled: false
vitals:
enabled: true
env:
admin_access_log: /dev/stdout
admin_api_uri: https://kong.127-0-0-1.nip.io/api
admin_error_log: /dev/stdout
admin_gui_access_log: /dev/stdout
admin_gui_error_log: /dev/stdout
admin_gui_host: kong.127-0-0-1.nip.io
admin_gui_protocol: https
admin_gui_url: https://kong.127-0-0-1.nip.io/
cluster_data_plane_purge_delay: 60
cluster_listen: 0.0.0.0:8005
cluster_telemetry_listen: 0.0.0.0:8006
database: postgres
log_level: debug
lua_package_path: /opt/?.lua;;
nginx_worker_processes: "2"
password:
valueFrom:
secretKeyRef:
key: kong_admin_password
name: kong-config-secret
pg_database: kong
pg_host:
valueFrom:
secretKeyRef:
key: pg_host
name: kong-config-secret
pg_ssl: "off"
pg_ssl_verify: "off"
pg_user: kong
plugins: bundled,openid-connect
portal: true
portal_api_access_log: /dev/stdout
portal_api_error_log: /dev/stdout
portal_api_url: https://developer.127-0-0-1.nip.io/api
portal_auth: basic-auth
portal_cors_origins: '*'
portal_gui_access_log: /dev/stdout
portal_gui_error_log: /dev/stdout
portal_gui_host: developer.127-0-0-1.nip.io
portal_gui_protocol: https
portal_gui_url: https://developer.127-0-0-1.nip.io/
portal_session_conf:
valueFrom:
secretKeyRef:
key: portal_session_conf
name: kong-config-secret
prefix: /kong_prefix/
proxy_access_log: /dev/stdout
proxy_error_log: /dev/stdout
proxy_stream_access_log: /dev/stdout
proxy_stream_error_log: /dev/stdout
smtp_mock: "on"
status_listen: 0.0.0.0:8100
trusted_ips: 0.0.0.0/0,::/0
vitals: true
extraLabels:
konghq.com/component: quickstart
image:
repository: kong/kong-gateway
tag: "3.1"
ingressController:
enabled: true
env:
kong_admin_filter_tag: ingress_controller_default
kong_admin_tls_skip_verify: true
kong_admin_token:
valueFrom:
secretKeyRef:
key: password
name: kong-config-secret
kong_admin_url: https://localhost:8444
kong_workspace: default
publish_service: kong/quickstart-kong-proxy
image:
repository: docker.io/kong/kubernetes-ingress-controller
tag: "2.8"
ingressClass: default
installCRDs: false
manager:
annotations:
konghq.com/protocol: https
enabled: true
http:
containerPort: 8002
enabled: false
servicePort: 8002
ingress:
annotations:
konghq.com/https-redirect-status-code: "301"
kubernetes.io/ingress.class: default
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
enabled: true
hostname: kong.127-0-0-1.nip.io
path: /
tls: quickstart-kong-admin-cert
tls:
containerPort: 8445
enabled: true
parameters:
- http2
servicePort: 8445
type: ClusterIP
migrations:
enabled: true
postUpgrade: true
preUpgrade: true
namespace: kong
podAnnotations:
kuma.io/gateway: enabled
portal:
annotations:
konghq.com/protocol: https
enabled: true
http:
containerPort: 8003
enabled: false
servicePort: 8003
ingress:
annotations:
konghq.com/https-redirect-status-code: "301"
konghq.com/protocols: https
konghq.com/strip-path: "false"
kubernetes.io/ingress.class: default
enabled: true
hostname: developer.127-0-0-1.nip.io
path: /
tls: quickstart-kong-portal-cert
tls:
containerPort: 8446
enabled: true
parameters:
- http2
servicePort: 8446
type: ClusterIP
portalapi:
annotations:
konghq.com/protocol: https
enabled: true
http:
enabled: false
ingress:
annotations:
konghq.com/https-redirect-status-code: "301"
konghq.com/protocols: https
konghq.com/strip-path: "true"
kubernetes.io/ingress.class: default
nginx.ingress.kubernetes.io/app-root: /
enabled: true
hostname: developer.127-0-0-1.nip.io
path: /api
tls: quickstart-kong-portal-cert
tls:
containerPort: 8447
enabled: true
parameters:
- http2
servicePort: 8447
type: ClusterIP
postgresql:
enabled: true
auth:
database: kong
username: kong
proxy:
annotations:
prometheus.io/port: "9542"
prometheus.io/scrape: "true"
enabled: true
http:
containerPort: 8080
enabled: true
hostPort: 80
ingress:
enabled: false
labels:
enable-metrics: true
tls:
containerPort: 8443
enabled: true
hostPort: 443
type: LoadBalancer
replicaCount: 1
secretVolumes: []
status:
enabled: true
http:
containerPort: 8100
enabled: true
tls:
containerPort: 8543
enabled: false
updateStrategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 100%
type: RollingUpdate
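Review bot: `trusted_ips: 0.0.0.0/0,::/0` in the `env` block makes Kong accept X-Forwarded-* headers from any client, so the client address seen by IP-based plugins, rate limiting, logs and any WAF inspection layered on this chart can be set by the caller. For a sample that will be copied, I would drop the key or scope it, e.g. `trusted_ips: <LOAD_BALANCER_CIDR>  # only the proxy tier in front of Kong`. The same block also sets `pg_ssl: "off"`, `pg_ssl_verify: "off"` and `log_level: debug`; a comment at the top of the file such as `# Quickstart only: Postgres TLS is disabled and debug logging is on, do not reuse as-is` would make that explicit. Indentation is lost on this page, so the nesting is read from key order.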


@@ -0,0 +1,199 @@
# Kong for Kubernetes with Kong Enterprise with Enterprise features enabled and
# exposed via TLS-enabled Ingresses. Before installing:
# * Several settings (search for the string "CHANGEME") require user-provided
# Secrets. These Secrets must be created before installation.
# * Ingresses reference example "<service>.kong.CHANGEME.example" hostnames. These must
# be changed to an actual hostname that resolve to your proxy.
# * Ensure that your session configurations create cookies that are usable
# across your services. The admin session configuration must create cookies
# that are sent to both the admin API and Kong Manager, and any Dev Portal
# instances with authentication must create cookies that are sent to both
# the Portal and Portal API.
image:
repository: kong/kong-gateway
tag: "3.1"
env:
prefix: /kong_prefix/
database: postgres
password:
valueFrom:
secretKeyRef:
name: kong-enterprise-superuser-password #CHANGEME
key: password #CHANGEME
admin:
enabled: true
annotations:
konghq.com/protocol: "https"
tls:
enabled: true
servicePort: 8444
containerPort: 8444
parameters:
- http2
ingress:
enabled: true
tls: CHANGEME-admin-tls-secret
hostname: admin.kong.CHANGEME.example
annotations:
kubernetes.io/ingress.class: "kong"
path: /
proxy:
enabled: true
type: LoadBalancer
annotations: {}
http:
enabled: true
servicePort: 80
containerPort: 8000
parameters: []
tls:
enabled: true
servicePort: 443
containerPort: 8443
parameters:
- http2
stream: {}
ingress:
enabled: false
annotations: {}
path: /
externalIPs: []
enterprise:
enabled: true
# CHANGEME: https://github.com/Kong/charts/blob/main/charts/kong/README.md#kong-enterprise-license
license_secret: kong-enterprise-license
vitals:
enabled: true
portal:
enabled: true
rbac:
enabled: true
admin_gui_auth: basic-auth
session_conf_secret: kong-session-config
admin_gui_auth_conf_secret: CHANGEME-admin-gui-auth-conf-secret
smtp:
enabled: false
portal_emails_from: none@example.com
portal_emails_reply_to: none@example.com
admin_emails_from: none@example.com
admin_emails_reply_to: none@example.com
smtp_admin_emails: none@example.com
smtp_host: smtp.example.com
smtp_port: 587
smtp_auth_type: ''
smtp_ssl: nil
smtp_starttls: true
auth:
smtp_username: '' # e.g. postmaster@example.com
smtp_password_secret: CHANGEME-smtp-password
manager:
enabled: true
type: NodePort
annotations:
konghq.com/protocol: "https"
http:
enabled: false
tls:
enabled: true
servicePort: 8445
containerPort: 8445
parameters:
- http2
ingress:
enabled: true
tls: CHANGEME-manager-tls-secret
hostname: manager.kong.CHANGEME.example
annotations: {}
path: /
externalIPs: []
portal:
enabled: true
type: NodePort
annotations:
konghq.com/protocol: "https"
http:
enabled: true
servicePort: 8003
containerPort: 8003
parameters: []
tls:
enabled: true
servicePort: 8446
containerPort: 8446
parameters:
- http2
ingress:
enabled: true
tls: CHANGEME-portal-tls-secret
hostname: portal.kong.CHANGEME.example
annotations:
kubernetes.io/ingress.class: "kong"
path: /
externalIPs: []
portalapi:
enabled: true
type: NodePort
annotations:
konghq.com/protocol: "https"
http:
enabled: true
servicePort: 8004
containerPort: 8004
parameters: []
tls:
enabled: true
servicePort: 8447
containerPort: 8447
parameters:
- http2
ingress:
enabled: true
tls: CHANGEME-portalapi-tls-secret
hostname: portalapi.kong.CHANGEME.example
annotations:
kubernetes.io/ingress.class: "kong"
path: /
externalIPs: []
postgresql:
enabled: true
auth:
username: kong
database: kong
ingressController:
enabled: true
env:
kong_admin_token:
valueFrom:
secretKeyRef:
name: kong-enterprise-superuser-password #CHANGEME
key: password #CHANGEME
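Review bot: The `portal` and `portalapi` services keep `http.enabled: true` (ports 8003 and 8004) on `type: NodePort`, so next to the TLS listeners a plaintext listener appears to be published on every node, while `manager` in the same file already sets `http.enabled: false`. The file header stresses that session cookies must be shared between the Portal and Portal API, and those cookies should not have a cleartext path. I would set `enabled: false` under `http:` for both services to match `manager`, or add a comment explaining why the plaintext port is needed. Nesting is inferred from key order because the page lost indentation.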


@@ -0,0 +1,56 @@
# Basic values.yaml for Kong for Kubernetes with Kong Enterprise
# Several settings (search for the string "CHANGEME") require user-provided
# Secrets. These Secrets must be created before installation.
#
# This installation does not create an Ingress or LoadBalancer Service for
# the Admin API or Kong Manager. They require port-forwards to access without
# further configuration to add them:
# kubectl port-forward deploy/your-deployment-kong 8001:8001 8002:8002
image:
repository: kong/kong-gateway
tag: "3.1"
admin:
enabled: true
http:
enabled: true
servicePort: 8001
containerPort: 8001
enterprise:
enabled: true
# CHANGEME: https://github.com/Kong/charts/blob/main/charts/kong/README.md#kong-enterprise-license
license_secret: kong-enterprise-license
vitals:
enabled: false
portal:
enabled: false
rbac:
enabled: false
smtp:
enabled: false
portal:
enabled: false
portalapi:
enabled: false
env:
prefix: /kong_prefix/
database: postgres
password:
valueFrom:
secretKeyRef:
name: kong-enterprise-superuser-password #CHANGEME
key: password #CHANGEME
postgresql:
enabled: true
auth:
username: kong
database: kong
ingressController:
enabled: true
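Review bot: `admin.http` is enabled on port 8001 while `enterprise.rbac.enabled` is `false`, so the Admin API Service created by this example is plaintext and unauthenticated, and anything that can reach that Service can reconfigure the gateway. The header comment assumes access via `kubectl port-forward`, which does not need a routable Service, so I would pin `type: ClusterIP` under `admin:` rather than rely on the chart default and add a comment such as `# Admin API is unauthenticated here; restrict with a NetworkPolicy before use`. The same plaintext `admin.http` pattern recurs in the later sections of this commit that set `role: control_plane` and in the final Postgres standalone example; the point applies there too.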


@@ -0,0 +1,12 @@
# Basic values.yaml configuration for Kong for Kubernetes (with the ingress controller)
image:
repository: kong
tag: "3.1"
env:
prefix: /kong_prefix/
database: "off"
ingressController:
enabled: true


@@ -0,0 +1,38 @@
# Basic values.yaml for Kong for Kubernetes with Kong Enterprise (DB-less)
# Several settings (search for the string "CHANGEME") require user-provided
# Secrets. These Secrets must be created before installation.
image:
repository: kong/kong-gateway
tag: "3.1"
enterprise:
enabled: true
# See instructions regarding enterprise licenses at https://github.com/Kong/charts/blob/master/charts/kong/README.md#kong-enterprise-license
license_secret: kong-enterprise-license # CHANGEME
vitals:
enabled: false
portal:
enabled: false
rbac:
enabled: false
manager:
enabled: false
portal:
enabled: false
portalapi:
enabled: false
env:
database: "off"
ingressController:
enabled: true
proxy:
# Enable creating a Kubernetes service for the proxy
enabled: true
type: NodePort


@@ -0,0 +1,66 @@
# Basic configuration for Kong Enterprise without the ingress controller, using the Postgres subchart
# This installation does not create an Ingress or LoadBalancer Service for
# the Admin API. It requires port-forwards to access without further
# configuration to add them, e.g.:
# kubectl port-forward deploy/your-deployment-kong 8001:8001
# Before installing:
# * Several settings (search for the string "CHANGEME") require user-provided
# Secrets. These Secrets must be created before installation.
# * Ensure that your session configurations create cookies that are usable
# across your services. The admin session configuration must create cookies
# that are sent to both the admin API and Kong Manager, and any Dev Portal
# instances with authentication must create cookies that are sent to both
# the Portal and Portal API.
image:
repository: kong/kong-gateway
tag: "3.1"
env:
database: postgres
role: control_plane
cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
admin:
enabled: true
http:
enabled: true
cluster:
enabled: true
tls:
enabled: true
clustertelemetry:
enabled: true
tls:
containerPort: 8006
enabled: true
servicePort: 8006
type: ClusterIP
proxy:
enabled: false
secretVolumes:
- kong-cluster-cert
postgresql:
enabled: true
ingressController:
enabled: false
enterprise:
enabled: true
# See instructions regarding enterprise licenses at https://github.com/Kong/charts/blob/master/charts/kong/README.md#kong-enterprise-license
license_secret: kong-enterprise-license # CHANGEME
vitals:
enabled: false
portal:
enabled: false
portalapi:
enabled: false


@@ -0,0 +1,46 @@
# Basic configuration for Kong Enterprise as a hybrid mode data plane node.
# It depends on the presence of a control plane release, as shown in
# https://github.com/Kong/charts/blob/main/charts/kong/example-values/minimal-kong-enterprise-hybrid-control.yaml
#
# The "env.cluster_control_plane" value must be changed to your control plane
# instance's cluster Service hostname. Search "CHANGEME" to find it in this
# example.
#
# Hybrid mode requires a certificate. See https://github.com/Kong/charts/blob/main/charts/kong/README.md#certificates
# to create one.
image:
repository: kong/kong-gateway
tag: "3.1"
env:
role: data_plane
cluster_control_plane: CHANGEME-control-service.CHANGEME-namespace.svc.cluster.local:8005
cluster_telemetry_endpoint: CHANGEME-cluster-telemetry-service.CHANGEME-namespace.svc.cluster.local:8006
lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt
cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
secretVolumes:
- kong-cluster-cert
ingressController:
enabled: false
enterprise:
enabled: true
# See instructions regarding enterprise licenses at https://github.com/Kong/charts/blob/master/charts/kong/README.md#kong-enterprise-license
license_secret: kong-enterprise-license # CHANGEME
vitals:
enabled: false
manager:
enabled: false
portal:
enabled: false
portalapi:
enabled: false


@@ -0,0 +1,45 @@
# Basic configuration for Kong without the ingress controller, using the Postgres subchart
# This installation does not create an Ingress or LoadBalancer Service for
# the Admin API. It requires port-forwards to access without further
# configuration to add them, e.g.:
# kubectl port-forward deploy/your-deployment-kong 8001:8001
image:
repository: kong
tag: "3.1"
env:
prefix: /kong_prefix/
database: postgres
role: control_plane
cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
admin:
enabled: true
http:
enabled: true
servicePort: 8001
containerPort: 8001
cluster:
enabled: true
tls:
enabled: true
servicePort: 8005
containerPort: 8005
proxy:
enabled: false
secretVolumes:
- kong-cluster-cert
postgresql:
enabled: true
auth:
username: kong
database: kong
ingressController:
enabled: false


@@ -0,0 +1,32 @@
# Basic configuration for Kong as a hybrid mode data plane node.
# It depends on the presence of a control plane release, as shown in
# https://github.com/Kong/charts/blob/main/charts/kong/example-values/minimal-kong-hybrid-control.yaml
#
# The "env.cluster_control_plane" value must be changed to your control plane
# instance's cluster Service hostname. Search "CHANGEME" to find it in this
# example.
#
# Hybrid mode requires a certificate. See https://github.com/Kong/charts/blob/main/charts/kong/README.md#certificates
# to create one.
image:
repository: kong
tag: "3.1"
env:
prefix: /kong_prefix/
database: "off"
role: data_plane
cluster_control_plane: CHANGEME-control-service.CHANGEME-namespace.svc.cluster.local:8005
lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt
cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt
cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key
admin:
enabled: false
secretVolumes:
- kong-cluster-cert
ingressController:
enabled: false


@@ -0,0 +1,29 @@
# Basic configuration for Kong without the ingress controller, using the Postgres subchart
# This installation does not create an Ingress or LoadBalancer Service for
# the Admin API. It requires port-forwards to access without further
# configuration to add them, e.g.:
# kubectl port-forward deploy/your-deployment-kong 8001:8001
image:
repository: kong
tag: "3.1"
env:
prefix: /kong_prefix/
database: postgres
admin:
enabled: true
http:
enabled: true
servicePort: 8001
containerPort: 8001
postgresql:
enabled: true
auth:
username: kong
database: kong
ingressController:
enabled: false