Adding open-appsec-kong helm chart to repo based on kong 2.16.1

roybarda
2023-05-02 14:30:33 +03:00
parent 2c750513a1
commit 240f58217a
132 changed files with 17727 additions and 0 deletions


@@ -0,0 +1,21 @@
To connect to Kong, please execute the following commands:
{{ if contains "LoadBalancer" .Values.proxy.type }}
HOST=$(kubectl get svc --namespace {{ template "kong.namespace" . }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
PORT=$(kubectl get svc --namespace {{ template "kong.namespace" . }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.spec.ports[0].port}')
{{ else if contains "NodePort" .Values.proxy.type }}HOST=$(kubectl get nodes --namespace {{ template "kong.namespace" . }} -o jsonpath='{.items[0].status.addresses[0].address}')
PORT=$(kubectl get svc --namespace {{ template "kong.namespace" . }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.spec.ports[0].nodePort}')
{{ end -}}
export PROXY_IP=${HOST}:${PORT}
curl $PROXY_IP
Once installed, please follow along the getting started guide to start using
Kong: https://docs.konghq.com/kubernetes-ingress-controller/latest/guides/getting-started/
{{ $warnings := list -}}
{{- if (hasKey .Values.ingressController "serviceAccount") -}}
{{- if (or (hasKey .Values.ingressController.serviceAccount "name") (hasKey .Values.ingressController.serviceAccount "annotations")) -}}
{{- $warnings = append $warnings "you have set either .ingressController.serviceAccount.name or .ingressController.serviceAccount.annotations. These settings have moved to .deployment.serviceAccount.name and .deployment.serviceAccount.annotations. You must move your configuration to the new location in values.yaml" -}}
{{- end -}}
{{- end -}}
{{- include "kong.deprecation-warnings" $warnings -}}



@@ -0,0 +1,127 @@
{{- if .Values.ingressController.admissionWebhook.enabled }}
{{- $certCert := "" -}}
{{- $certKey := "" -}}
{{- $caCert := "" -}}
{{- $caKey := "" -}}
{{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) ( include "kong.namespace" . ) -}}
{{- $ca := genCA "kong-admission-ca" 3650 -}}
{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}}
{{- $certCert = $cert.Cert -}}
{{- $certKey = $cert.Key -}}
{{- $caCert = $ca.Cert -}}
{{- $caKey = $ca.Key -}}
{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-ca-keypair" (include "kong.fullname" .))) -}}
{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-keypair" (include "kong.fullname" .))) -}}
{{- if $certSecret }}
{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}}
{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}}
{{- end }}
{{- if $caSecret }}
{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}}
{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}}
{{- end }}
{{- end }}
kind: ValidatingWebhookConfiguration
{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }}
apiVersion: admissionregistration.k8s.io/v1
{{- else }}
apiVersion: admissionregistration.k8s.io/v1beta1
{{- end }}
metadata:
name: {{ template "kong.fullname" . }}-validations
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
webhooks:
- name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }}
sideEffects: None
admissionReviewVersions: ["v1beta1"]
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
{{- if (semverCompare ">= 2.0.4" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- kongclusterplugins
{{- end }}
{{- if (semverCompare ">= 2.8.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- kongingresses
{{- end }}
- apiGroups:
- ''
apiVersions:
- 'v1'
operations:
- UPDATE
resources:
- secrets
clientConfig:
{{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
caBundle: {{ b64enc $caCert }}
{{- else }}
{{- if .Values.ingressController.admissionWebhook.certificate.caBundle }}
caBundle: {{ b64enc .Values.ingressController.admissionWebhook.certificate.caBundle }}
{{- end }}
{{- end }}
service:
name: {{ template "kong.service.validationWebhook" . }}
namespace: {{ template "kong.namespace" . }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ template "kong.service.validationWebhook" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
{{- include "kong.metaLabels" . | nindent 4 }}
app.kubernetes.io/component: app
{{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kong.fullname" . }}-validation-webhook-ca-keypair
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ b64enc $caCert }}
tls.key: {{ b64enc $caKey }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kong.fullname" . }}-validation-webhook-keypair
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ b64enc $certCert }}
tls.key: {{ b64enc $certKey }}
{{- end }}
{{- end }}


@@ -0,0 +1,20 @@
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ .Values.appsec.name }}-storage
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/resource-policy": keep
spec:
accessModes:
- {{ .Values.appsec.persistence.learning.storageClass.accessModes }}
resources:
requests:
storage: {{ .Values.appsec.persistence.learning.size | quote }}
{{- if .Values.appsec.persistence.learning.storageClass.name }}
storageClassName: "{{ .Values.appsec.persistence.learning.storageClass.name }}"
{{- else }}
storageClassName: {{ required "A storage class for learning data is required" .Values.appsec.persistence.learning.storageClass.name }}
{{- end -}}
{{- end }}
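Review bot: The `{{- else }}` branch of the storageClassName block is only reached when `.Values.appsec.persistence.learning.storageClass.name` is empty, so the `required "A storage class for learning data is required"` call there can never succeed; the two branches collapse to `storageClassName: {{ required "A storage class for learning data is required" .Values.appsec.persistence.learning.storageClass.name | quote }}`. If an unset class is meant to fall back to the cluster default instead, drop the `else` branch rather than failing the render. The `accessModes` entry emits `{{ .Values.appsec.persistence.learning.storageClass.accessModes }}` as a single sequence item; if that value is a list in values.yaml it will be rendered as a Go-formatted `[...]` string inside the item, so either `range` over it or document in values.yaml that it must be one mode string.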


@@ -0,0 +1,51 @@
{{- if (eq .Values.kind "AppSecStateful") -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ .Values.appsec.name }}-conf
namespace: {{ .Release.Namespace }}
labels:
{{- include "appsec.labels" . | nindent 4 }}
app.kubernetes.io/component: open-appsec
{{- with .Values.appsec.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.appsec.persistence.conf.size | quote }}
{{- if .Values.appsec.persistence.storageClass }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
{{- end -}}
{{- end }}
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ .Values.appsec.name }}-data
namespace: {{ .Release.Namespace }}
labels:
{{- include "appsec.labels" . | nindent 4 }}
app.kubernetes.io/component: open-appsec
{{- with .Values.appsec.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.appsec.persistence.data.size | quote }}
{{- if .Values.appsec.persistence.storageClass }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
{{- end -}}
{{- end }}
{{- end }}
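Review bot: The two PersistentVolumeClaims rendered here (`{{ .Values.appsec.name }}-conf` and `{{ .Values.appsec.name }}-data`) do not appear to be consumed by anything in this commit: the AppSecStateful pod mounts `appsec-conf` and `appsec-data`, which the StatefulSet provisions through its own volumeClaimTemplates, so these claims look like orphaned storage unless another template references them. If they are intentional, add a comment above the first claim saying what mounts them; otherwise either drop this file or drop the volumeClaimTemplates and reference these claims from the pod via `persistentVolumeClaim.claimName`. Unlike the learning PVC, these carry no `helm.sh/resource-policy: keep` annotation, so a `helm uninstall` deletes the conf and data volumes; if that asymmetry is deliberate, say so in a comment.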


@@ -0,0 +1,447 @@
{{- if and (not (eq .Values.kind "Vanilla")) (or .Values.deployment.kong.enabled .Values.ingressController.enabled) }}
apiVersion: apps/v1
{{- if (eq .Values.kind "AppSec") }}
{{- if .Values.deployment.daemonset }}
kind: DaemonSet
{{- else }}
kind: Deployment
{{- end }}
{{- else if eq .Values.kind "AppSecStateful" }}
kind: StatefulSet
{{- end }}
metadata:
name: {{ template "kong.fullname" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
app.kubernetes.io/component: app
{{- if .Values.deploymentAnnotations }}
annotations:
{{- range $key, $value := .Values.deploymentAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- if not .Values.autoscaling.enabled }}
{{- if eq .Values.kind "AppSecStateful" }}
serviceName: "cp-appsec-stateful-set"
{{- end }}
{{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{- include "kong.selectorLabels" . | nindent 6 }}
{{- if .Values.updateStrategy }}
{{- if .Values.deployment.daemonset }}
updateStrategy:
{{- else }}
strategy:
{{- end }}
{{ toYaml .Values.updateStrategy | indent 4 }}
{{- end }}
{{- if .Values.deployment.minReadySeconds }}
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
{{- end }}
template:
metadata:
annotations:
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
{{- end }}
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
{{- if .Values.dblessConfig.config }}
checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }}
{{- end }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- range $key, $value := .Values.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "kong.metaLabels" . | nindent 8 }}
app.kubernetes.io/component: app
app: {{ template "kong.fullname" . }}
version: {{ .Chart.AppVersion | quote }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | nindent 8 }}
{{- end }}
spec:
{{- if .Values.deployment.hostNetwork }}
hostNetwork: true
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{- end }}
{{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
automountServiceAccountToken: true
{{- else }}
automountServiceAccountToken: false
{{ end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
initContainers:
- name: clear-stale-pid
image: {{ include "kong.getRepoTag" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
resources:
{{ toYaml .Values.resources | indent 10 }}
command:
- "rm"
- "-vrf"
- "$KONG_PREFIX/pids"
env:
{{- include "kong.env" . | nindent 8 }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}
{{- if .Values.deployment.initContainers }}
{{- toYaml .Values.deployment.initContainers | nindent 6 }}
{{- end }}
{{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-db" . | nindent 6 }}
{{- end }}
{{- if .Values.deployment.hostAliases }}
hostAliases:
{{- toYaml .Values.deployment.hostAliases | nindent 6 }}
{{- end}}
{{- if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- end }}
{{- if .Values.dnsConfig }}
dnsConfig:
{{ toYaml .Values.dnsConfig | indent 8 }}
{{- end }}
containers:
- name: {{ .Values.appsec.name }}
readinessProbe:
exec:
command:
- sh
- -c
- '[ -f /etc/cp/HttpTransactionHandler/cp-nano-http-transaction-handler ] && exit 0 || exit 1'
initialDelaySeconds: 30
periodSeconds: 5
failureThreshold: 120
successThreshold: 1
securityContext:
{{ toYaml .Values.appsec.securityContext | nindent 12 }}
{{- with .Values.appsec.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
{{- end }}
command:
- {{ .Values.appsec.command }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
args:
{{- if (eq "standalone" .Values.appsec.mode) }}
- --hybrid-mode
- --token
- cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0
{{- else }}
- --token
- {{ .Values.appsec.agentToken }}
{{- end }}
{{- if .Values.appsec.customFog.enabled }}
- --fog
- {{ .Values.appsec.customFog.fogAddress }}
{{- end }}
{{- if .Values.appsec.proxy }}
- --proxy
- {{ .Values.appsec.proxy }}
{{- end }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
env:
{{- if eq .Values.appsec.playground false }}
- name: SHARED_STORAGE_HOST
value: {{ .Values.appsec.storage.name }}-svc
- name: LEARNING_HOST
value: {{ .Values.appsec.learning.name }}-svc
{{- else }}
- name: PLAYGROUND
value: "true"
{{- end }}
{{- if .Values.appsec.email }}
{{- if eq .Values.appsec.email "STUB" }}
{{- fail "Please replace STUB with an email address" }}
{{- end }}
- name: user_email
value: {{ .Values.appsec.email }}
{{- end }}
- name: registered_server
value: "Kong Server"
resources:
{{ toYaml .Values.resources | nindent 12 }}
{{- if eq .Values.kind "AppSecStateful" }}
volumeMounts:
- name: advanced-model
mountPath: /advanced-model
- name: appsec-conf
mountPath: /etc/cp/conf
- name: appsec-data
mountPath: /etc/cp/data
{{- end }}
{{- if .Values.ingressController.enabled }}
{{- include "kong.controller-container" . | nindent 6 }}
{{ end }}
{{- if .Values.deployment.sidecarContainers }}
{{- toYaml .Values.deployment.sidecarContainers | nindent 6 }}
{{- end }}
{{- if .Values.deployment.kong.enabled }}
- name: "proxy"
{{- with .Values.appsec.kong.image }}
image: "{{ .repository }}:{{ .tag }}"
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
lifecycle:
{{- toYaml .Values.lifecycle | nindent 10 }}
ports:
{{- if (and .Values.admin.http.enabled .Values.admin.enabled) }}
- name: admin
containerPort: {{ .Values.admin.http.containerPort }}
{{- if .Values.admin.http.hostPort }}
hostPort: {{ .Values.admin.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }}
- name: admin-tls
containerPort: {{ .Values.admin.tls.containerPort }}
{{- if .Values.admin.tls.hostPort }}
hostPort: {{ .Values.admin.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }}
- name: proxy
containerPort: {{ .Values.proxy.http.containerPort }}
{{- if .Values.proxy.http.hostPort }}
hostPort: {{ .Values.proxy.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}}
- name: proxy-tls
containerPort: {{ .Values.proxy.tls.containerPort }}
{{- if .Values.proxy.tls.hostPort }}
hostPort: {{ .Values.proxy.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- range .Values.proxy.stream }}
- name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
containerPort: {{ .containerPort }}
{{- if .hostPort }}
hostPort: {{ .hostPort }}
{{- end}}
protocol: {{ .protocol }}
{{- end }}
{{- range .Values.udpProxy.stream }}
- name: streamudp-{{ .containerPort }}
containerPort: {{ .containerPort }}
{{- if .hostPort }}
hostPort: {{ .hostPort }}
{{- end}}
protocol: {{ .protocol }}
{{- end }}
{{- if (and .Values.status.http.enabled .Values.status.enabled)}}
- name: status
containerPort: {{ .Values.status.http.containerPort }}
{{- if .Values.status.http.hostPort }}
hostPort: {{ .Values.status.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.status.tls.enabled .Values.status.enabled) }}
- name: status-tls
containerPort: {{ .Values.status.tls.containerPort }}
{{- if .Values.status.tls.hostPort }}
hostPort: {{ .Values.status.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }}
- name: cluster-tls
containerPort: {{ .Values.cluster.tls.containerPort }}
{{- if .Values.cluster.tls.hostPort }}
hostPort: {{ .Values.cluster.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if .Values.enterprise.enabled }}
{{- if (and .Values.manager.http.enabled .Values.manager.enabled) }}
- name: manager
containerPort: {{ .Values.manager.http.containerPort }}
{{- if .Values.manager.http.hostPort }}
hostPort: {{ .Values.manager.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }}
- name: manager-tls
containerPort: {{ .Values.manager.tls.containerPort }}
{{- if .Values.manager.tls.hostPort }}
hostPort: {{ .Values.manager.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portal.http.enabled .Values.portal.enabled) }}
- name: portal
containerPort: {{ .Values.portal.http.containerPort }}
{{- if .Values.portal.http.hostPort }}
hostPort: {{ .Values.portal.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }}
- name: portal-tls
containerPort: {{ .Values.portal.tls.containerPort }}
{{- if .Values.portal.tls.hostPort }}
hostPort: {{ .Values.portal.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }}
- name: portalapi
containerPort: {{ .Values.portalapi.http.containerPort }}
{{- if .Values.portalapi.http.hostPort }}
hostPort: {{ .Values.portalapi.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }}
- name: portalapi-tls
containerPort: {{ .Values.portalapi.tls.containerPort }}
{{- if .Values.portalapi.tls.hostPort }}
hostPort: {{ .Values.portalapi.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }}
- name: clustert-tls
containerPort: {{ .Values.clustertelemetry.tls.containerPort }}
{{- if .Values.clustertelemetry.tls.hostPort }}
hostPort: {{ .Values.clustertelemetry.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- end }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 10 }}
{{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
readinessProbe:
{{ toYaml .Values.readinessProbe | indent 10 }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 10 }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- end }} {{/* End of Kong container spec */}}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
{{- end }}
securityContext:
{{- include "kong.podsecuritycontext" . | nindent 8 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
volumes:
- name: advanced-model
configMap:
name: advanced-model-config
optional: true
{{- include "kong.volumes" . | nindent 8 -}}
{{- include "kong.userDefinedVolumes" . | nindent 8 -}}
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
- name: {{ template "kong.serviceAccountTokenName" . }}
{{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
See the related documentation of semver module that Helm depends on for semverCompare:
https://github.com/Masterminds/semver#working-with-prerelease-versions
Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- else }}
secret:
secretName: {{ template "kong.serviceAccountTokenName" . }}
items:
- key: token
path: token
- key: ca.crt
path: ca.crt
- key: namespace
path: namespace
{{- end -}}
{{- end }}
{{- if eq .Values.kind "AppSecStateful" }}
volumeClaimTemplates:
- metadata:
name: appsec-conf
spec:
accessModes: [ "ReadWriteOnce" ]
# Need to create a storage class resource.
{{- if .Values.appsec.persistence.storageClass }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
{{- end -}}
{{- end }}
resources:
requests:
storage: {{ .Values.appsec.persistence.conf.size | quote }}
- metadata:
name: appsec-data
spec:
accessModes: [ "ReadWriteOnce" ]
# Need to create a storage class resource.
{{- if .Values.appsec.persistence.storageClass }}
{{- if (eq "-" .Values.appsec.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.appsec.persistence.storageClass }}"
{{- end -}}
{{- end }}
resources:
requests:
storage: {{ .Values.appsec.persistence.data.size | quote }}
{{- end }}
{{- end }}
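Review bot: In standalone mode the appsec container is started with a token literal embedded in the template itself (the `cp-3fb5c718-…` value under `--token`), and in the other branch `.Values.appsec.agentToken` is passed the same way; in both cases the credential lands in the pod spec, where anyone with `get pods` in the namespace, `kubectl describe` output and API audit logs can read it. Move both into a Secret and inject them through an environment variable or a mounted file if the agent supports that, and at minimum source the standalone value from values.yaml instead of hard-coding it in the chart. The appsec container also sets `imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}` twice (once before `args`, once after), a duplicate mapping key that strict decoders reject and others resolve last-wins; delete one. `serviceName: "cp-appsec-stateful-set"` is a fixed string, so the StatefulSet depends on a headless Service of exactly that name; I do not see one created in this commit, so confirm it exists elsewhere or derive the name from `{{ .Values.appsec.name }}`.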


@@ -0,0 +1,77 @@
{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
{{- $genericCertificateConfig := dict -}}
{{- $_ := set $genericCertificateConfig "fullName" (include "kong.fullname" .) -}}
{{- $_ := set $genericCertificateConfig "namespace" (include "kong.namespace" .) -}}
{{- $_ := set $genericCertificateConfig "metaLabels" (include "kong.metaLabels" .) -}}
{{- $_ := set $genericCertificateConfig "globalIssuer" .Values.certificates.issuer -}}
{{- $_ := set $genericCertificateConfig "globalClusterIssuer" .Values.certificates.clusterIssuer -}}
{{- $_ := set $genericCertificateConfig "defaultIssuer" (printf "%s-%s-%s" .Release.Name .Chart.Name "selfsigned-issuer") -}}
{{- if .Values.certificates.admin.enabled }}
{{- $certificateConfig := mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.admin -}}
{{- $_ := set $certificateConfig "serviceName" "admin" -}}
{{- include "kong.certificate" $certificateConfig -}}
{{- end }}
{{- if (and .Values.certificates.portal.enabled .Values.enterprise.enabled) }}
{{- $certificateConfig := mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.portal -}}
{{- $_ := set $certificateConfig "serviceName" "portal" -}}
{{- include "kong.certificate" $certificateConfig -}}
{{- end }}
{{- if .Values.certificates.proxy.enabled }}
{{- $certificateConfig := mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.proxy -}}
{{- $_ := set $certificateConfig "serviceName" "proxy" -}}
{{- include "kong.certificate" $certificateConfig -}}
{{- end }}
{{- if .Values.certificates.cluster.enabled }}
{{- $certificateConfig := dict -}}
{{- $certificateConfig = mustMerge (mustDeepCopy $genericCertificateConfig) $certificateConfig -}}
{{- $_ := set $certificateConfig "dnsNames" (list) -}}
{{- $_ := set $certificateConfig "commonName" "kong_cluster" -}}
{{- $certificateConfig = (mustMerge $certificateConfig .Values.certificates.cluster) -}}
{{- $_ := set $certificateConfig "serviceName" "cluster" -}}
{{- include "kong.certificate" $certificateConfig -}}
{{- end }}
{{- end }}
{{- define "kong.certificate" }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .fullName }}-{{ .serviceName }}
namespace: {{ .namespace }}
labels:
{{- .metaLabels | nindent 4 }}
spec:
secretName: {{ .fullName }}-{{ .serviceName }}-cert
commonName: {{ .commonName }}
dnsNames:
{{- range (append .dnsNames .commonName) }}
- {{ . | quote }}
{{- end }}
renewBefore: 360h
duration: 2160h
isCA: false
{{ if .clusterIssuer -}}
issuerRef:
name: {{ .clusterIssuer }}
kind: ClusterIssuer
{{ else if .issuer -}}
issuerRef:
name: {{ .issuer }}
kind: Issuer
{{ else if .globalClusterIssuer -}}
issuerRef:
name: {{ .globalClusterIssuer}}
kind: ClusterIssuer
{{ else if .globalIssuer -}}
issuerRef:
name: {{ .globalIssuer }}
kind: Issuer
{{- end -}}
{{- end }}


@@ -0,0 +1,17 @@
{{- if .Values.deployment.kong.enabled }}
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }}
{{- if not (or .Values.dblessConfig.configMap .Values.dblessConfig.secret) }}
{{- if .Values.dblessConfig.config }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "kong.dblessConfig.fullname" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
data:
kong.yml: | {{- .Values.dblessConfig.config | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,169 @@
{{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "kong.fullname" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
# Defaults to "<election-id>-<ingress-class>"
# Here: "<kong-ingress-controller-leader-nginx>-<nginx>"
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
- "kong-ingress-controller-leader-{{ .Values.ingressController.ingressClass }}-{{ .Values.ingressController.ingressClass }}"
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
# Begin KIC 2.x leader permissions
- apiGroups:
- ""
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- services
- endpoints
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "kong.fullname" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "kong.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kong.serviceAccountName" . }}
namespace: {{ template "kong.namespace" . }}
{{- if eq (len .Values.ingressController.watchNamespaces) 0 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
name: {{ template "kong.fullname" . }}
rules:
{{ include "kong.kubernetesRBACRules" . }}
{{ include "kong.kubernetesRBACClusterRules" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "kong.fullname" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kong.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kong.serviceAccountName" . }}
namespace: {{ template "kong.namespace" . }}
{{- else }}
{{- range .Values.ingressController.watchNamespaces }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
{{- include "kong.metaLabels" $ | nindent 4 }}
name: {{ template "kong.fullname" $ }}-{{ . }}
namespace: {{ . }}
rules:
{{ include "kong.kubernetesRBACRules" $ }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "kong.fullname" $ }}-{{ . }}
labels:
{{- include "kong.metaLabels" $ | nindent 4 }}
namespace: {{ . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "kong.fullname" $ }}-{{ . }}
subjects:
- kind: ServiceAccount
name: {{ template "kong.serviceAccountName" $ }}
namespace: {{ template "kong.namespace" $ }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
name: {{ template "kong.fullname" . }}
rules:
{{ include "kong.kubernetesRBACClusterRules" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "kong.fullname" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kong.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kong.serviceAccountName" . }}
namespace: {{ template "kong.namespace" . }}
{{- end -}}
{{- end -}}


@@ -0,0 +1,34 @@
{{- $installCRDs := false -}}
{{- if (hasKey .Values.ingressController "installCRDs") -}}
{{/* Explicitly set, honor whatever's set */}}
{{- $installCRDs = .Values.ingressController.installCRDs -}}
{{- else -}}
{{/* Legacy default handling. CRD installation is _not_ enabled, but CRDs are already present
and are managed by this release. This release previously relied on the <2.0 default
.Values.ingressController.installCRDs=true. The default change would delete CRDs on upgrade,
which would cascade delete all associated CRs. This unexpected loss of configuration is bad,
so this clause pretends the default didn't change if you have an existing release that relied
on it
*/}}
{{- $kongPluginCRD := false -}}
{{- if .Capabilities.APIVersions.Has "apiextensions.k8s.io/v1/CustomResourceDefinition" -}}
{{- $kongPluginCRD = (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "kongplugins.configuration.konghq.com") -}}
{{- else -}}
{{/* TODO: remove the v1beta1 path when we no longer support k8s <1.16 */}}
{{- $kongPluginCRD = (lookup "apiextensions.k8s.io/v1beta1" "CustomResourceDefinition" "" "kongplugins.configuration.konghq.com") -}}
{{- end -}}
{{- if $kongPluginCRD -}}
{{- if (hasKey $kongPluginCRD.metadata "annotations") -}}
{{- if (eq .Release.Name (get $kongPluginCRD.metadata.annotations "meta.helm.sh/release-name")) -}}
{{- $installCRDs = true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if $installCRDs -}}
{{- range $path, $bytes := .Files.Glob "crds/*.yaml" }}
{{ $.Files.Get $path }}
---
{{- end }}
{{- end }}


@@ -0,0 +1,49 @@
apiVersion: openappsec.io/v1beta1
kind: Practice
metadata:
name: appsec-best-practice
spec:
web-attacks:
override-mode: prevent-learn
minimum-confidence: high
anti-bot:
injected-URIs: []
validated-URIs: []
snort-signatures:
configmap: []
openapi-schema-validation:
configmap: []
---
apiVersion: openappsec.io/v1beta1
kind: LogTrigger
metadata:
name: appsec-log-trigger
spec:
appsec-logging:
detect-events: true
prevent-events: true
all-web-requests: false
additional-suspicious-events-logging:
enabled: true
minimum-severity: high # {high|critical}
response-body: false
response-code: true
extended-logging:
url-path: true
url-query: true
http-headers: false
request-body: false
log-destination:
cloud: false
stdout:
format: json-formatted
---
apiVersion: openappsec.io/v1beta1
kind: CustomResponse
metadata:
name: 403-forbidden
spec:
mode: response-code-only ## configurable modes: {block-page|redirect|response-code-only}
message-title: ""
message-body: ""
http-response-code: 403
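Review bot: The three default custom resources use fixed names (`appsec-best-practice`, `appsec-log-trigger`, `403-forbidden`) with no release prefix, so a second release of this chart into the same namespace will collide with the existing objects or, on upgrade, take ownership of them. If this file lives under `templates/`, prefix the names with `{{ .Release.Name }}` or guard the whole file behind a values toggle so operators can opt out of installing defaults. The Practice ships with `override-mode: prevent-learn`, i.e. it blocks from first install; add a comment above `web-attacks:` stating that this default is enforcing, in the same form as the `## configurable modes:` remark on the CustomResponse. Style: that remark uses `##` while `# {high|critical}` uses a single `#`; pick one convention for the file.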


@@ -0,0 +1,334 @@
{{- if and (eq .Values.kind "Vanilla") (or .Values.deployment.kong.enabled .Values.ingressController.enabled) }}
apiVersion: apps/v1
{{- if .Values.deployment.daemonset }}
kind: DaemonSet
{{- else }}
kind: Deployment
{{- end }}
metadata:
name: {{ template "kong.fullname" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
app.kubernetes.io/component: app
{{- if .Values.deploymentAnnotations }}
annotations:
{{- range $key, $value := .Values.deploymentAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- if not .Values.autoscaling.enabled }}
{{- if not .Values.deployment.daemonset }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- end }}
selector:
matchLabels:
{{- include "kong.selectorLabels" . | nindent 6 }}
{{- if .Values.updateStrategy }}
{{- if .Values.deployment.daemonset }}
updateStrategy:
{{- else }}
strategy:
{{- end }}
{{ toYaml .Values.updateStrategy | indent 4 }}
{{- end }}
{{- if .Values.deployment.minReadySeconds }}
minReadySeconds: {{ .Values.deployment.minReadySeconds }}
{{- end }}
template:
metadata:
annotations:
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
{{- end }}
{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }}
{{- if .Values.dblessConfig.config }}
checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }}
{{- end }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- range $key, $value := .Values.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "kong.metaLabels" . | nindent 8 }}
app.kubernetes.io/component: app
app: {{ template "kong.fullname" . }}
version: {{ .Chart.AppVersion | quote }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | nindent 8 }}
{{- end }}
spec:
{{- if .Values.deployment.hostNetwork }}
hostNetwork: true
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{- end }}
{{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
automountServiceAccountToken: true
{{- else }}
automountServiceAccountToken: false
{{ end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
initContainers:
- name: clear-stale-pid
image: {{ include "kong.getRepoTag" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
resources:
{{ toYaml .Values.resources | indent 10 }}
command:
- "rm"
- "-vrf"
- "$KONG_PREFIX/pids"
env:
{{- include "kong.env" . | nindent 8 }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}
{{- if .Values.deployment.initContainers }}
{{- toYaml .Values.deployment.initContainers | nindent 6 }}
{{- end }}
{{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-db" . | nindent 6 }}
{{- end }}
{{- if .Values.deployment.hostAliases }}
hostAliases:
{{- toYaml .Values.deployment.hostAliases | nindent 6 }}
{{- end}}
{{- if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy | quote }}
{{- end }}
{{- if .Values.dnsConfig }}
dnsConfig:
{{ toYaml .Values.dnsConfig | indent 8 }}
{{- end }}
containers:
{{- if .Values.ingressController.enabled }}
{{- include "kong.controller-container" . | nindent 6 }}
{{ end }}
{{- if .Values.deployment.sidecarContainers }}
{{- toYaml .Values.deployment.sidecarContainers | nindent 6 }}
{{- end }}
{{- if .Values.deployment.kong.enabled }}
- name: "proxy"
image: {{ include "kong.getRepoTag" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
lifecycle:
{{- toYaml .Values.lifecycle | nindent 10 }}
ports:
{{- if (and .Values.admin.http.enabled .Values.admin.enabled) }}
- name: admin
containerPort: {{ .Values.admin.http.containerPort }}
{{- if .Values.admin.http.hostPort }}
hostPort: {{ .Values.admin.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }}
- name: admin-tls
containerPort: {{ .Values.admin.tls.containerPort }}
{{- if .Values.admin.tls.hostPort }}
hostPort: {{ .Values.admin.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }}
- name: proxy
containerPort: {{ .Values.proxy.http.containerPort }}
{{- if .Values.proxy.http.hostPort }}
hostPort: {{ .Values.proxy.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}}
- name: proxy-tls
containerPort: {{ .Values.proxy.tls.containerPort }}
{{- if .Values.proxy.tls.hostPort }}
hostPort: {{ .Values.proxy.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- range .Values.proxy.stream }}
- name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }}
containerPort: {{ .containerPort }}
{{- if .hostPort }}
hostPort: {{ .hostPort }}
{{- end}}
protocol: {{ .protocol }}
{{- end }}
{{- range .Values.udpProxy.stream }}
- name: streamudp-{{ .containerPort }}
containerPort: {{ .containerPort }}
{{- if .hostPort }}
hostPort: {{ .hostPort }}
{{- end}}
protocol: {{ .protocol }}
{{- end }}
{{- if (and .Values.status.http.enabled .Values.status.enabled)}}
- name: status
containerPort: {{ .Values.status.http.containerPort }}
{{- if .Values.status.http.hostPort }}
hostPort: {{ .Values.status.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.status.tls.enabled .Values.status.enabled) }}
- name: status-tls
containerPort: {{ .Values.status.tls.containerPort }}
{{- if .Values.status.tls.hostPort }}
hostPort: {{ .Values.status.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }}
- name: cluster-tls
containerPort: {{ .Values.cluster.tls.containerPort }}
{{- if .Values.cluster.tls.hostPort }}
hostPort: {{ .Values.cluster.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if .Values.enterprise.enabled }}
{{- if (and .Values.manager.http.enabled .Values.manager.enabled) }}
- name: manager
containerPort: {{ .Values.manager.http.containerPort }}
{{- if .Values.manager.http.hostPort }}
hostPort: {{ .Values.manager.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }}
- name: manager-tls
containerPort: {{ .Values.manager.tls.containerPort }}
{{- if .Values.manager.tls.hostPort }}
hostPort: {{ .Values.manager.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portal.http.enabled .Values.portal.enabled) }}
- name: portal
containerPort: {{ .Values.portal.http.containerPort }}
{{- if .Values.portal.http.hostPort }}
hostPort: {{ .Values.portal.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }}
- name: portal-tls
containerPort: {{ .Values.portal.tls.containerPort }}
{{- if .Values.portal.tls.hostPort }}
hostPort: {{ .Values.portal.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }}
- name: portalapi
containerPort: {{ .Values.portalapi.http.containerPort }}
{{- if .Values.portalapi.http.hostPort }}
hostPort: {{ .Values.portalapi.http.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }}
- name: portalapi-tls
containerPort: {{ .Values.portalapi.tls.containerPort }}
{{- if .Values.portalapi.tls.hostPort }}
hostPort: {{ .Values.portalapi.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }}
- name: clustert-tls
containerPort: {{ .Values.clustertelemetry.tls.containerPort }}
{{- if .Values.clustertelemetry.tls.hostPort }}
hostPort: {{ .Values.clustertelemetry.tls.hostPort }}
{{- end}}
protocol: TCP
{{- end }}
{{- end }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 10 }}
{{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
readinessProbe:
{{ toYaml .Values.readinessProbe | indent 10 }}
livenessProbe:
{{ toYaml .Values.livenessProbe | indent 10 }}
resources:
{{ toYaml .Values.resources | indent 10 }}
{{- end }} {{/* End of Kong container spec */}}
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml .Values.topologySpreadConstraints | indent 8 }}
{{- end }}
securityContext:
{{- include "kong.podsecuritycontext" . | nindent 8 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
volumes:
{{- include "kong.volumes" . | nindent 8 -}}
{{- include "kong.userDefinedVolumes" . | nindent 8 -}}
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
- name: {{ template "kong.serviceAccountTokenName" . }}
{{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
See the related documentation of semver module that Helm depends on for semverCompare:
https://github.com/Masterminds/semver#working-with-prerelease-versions
Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- else }}
secret:
secretName: {{ template "kong.serviceAccountTokenName" . }}
items:
- key: token
path: token
- key: ca.crt
path: ca.crt
- key: namespace
path: namespace
{{- end }}
{{- end }}
{{- end }}
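Review bot: The `clear-stale-pid` init container at L1146-L1149 passes `"$KONG_PREFIX/pids"` as an exec-form `command` argument, and Kubernetes expands only `$(VAR)` references in command/args while `command` bypasses the image entrypoint, so rm receives the literal path `$KONG_PREFIX/pids` and the stale pid directory is never removed. Change the argument to `- "$(KONG_PREFIX)/pids"`, assuming the `kong.env` include on L1151 sets `KONG_PREFIX` (the helper is outside this hunk). The `{{ end }}` at L1131 lacks the trim dash used everywhere else in this file and emits a stray blank line; `{{- end }}` matches the surrounding style.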


@@ -0,0 +1,4 @@
{{ range .Values.extraObjects }}
---
{{ tpl (toYaml .) $ }}
{{ end }}


@@ -0,0 +1,26 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: {{ include "kong.autoscalingVersion" . }}
kind: HorizontalPodAutoscaler
metadata:
name: "{{ template "kong.fullname" . }}"
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: "{{ template "kong.fullname" . }}"
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
{{- if .Values.autoscaling.behavior }}
behavior:
{{- toYaml .Values.autoscaling.behavior | nindent 4 }}
{{- end }}
{{- if not (.Capabilities.APIVersions.Has "autoscaling/v2beta2") }}
targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage | default 80 }}
{{- else }}
metrics:
{{- toYaml .Values.autoscaling.metrics | nindent 4 }}
{{- end }}
{{- end }}
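Review bot: The field selection at L1418 keys on `autoscaling/v2beta2` alone while `apiVersion` at L1400 comes from `kong.autoscalingVersion`; on a cluster that serves `autoscaling/v2` but no longer `autoscaling/v2beta2` (removed in Kubernetes 1.26) this renders `targetCPUUtilizationPercentage`, a v1-only field, under a v2 apiVersion and the object is rejected. Drive the branch off the same helper: `{{- if eq (include "kong.autoscalingVersion" .) "autoscaling/v1" }}`. The helper's exact return strings are outside this hunk, so confirm they match before relying on that comparison.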


@@ -0,0 +1,33 @@
{{/* Default to not managing if unsupported or created outside this chart */}}
{{- $includeIngressClass := false -}}
{{- if (and .Values.ingressController.enabled (not (eq (include "kong.ingressVersion" .) "extensions/v1beta1"))) -}}
{{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") -}}
{{- with (lookup "networking.k8s.io/v1" "IngressClass" "" .Values.ingressController.ingressClass) -}}
{{- if (hasKey .metadata "annotations") -}}
{{- if (eq $.Release.Name (get .metadata.annotations "meta.helm.sh/release-name")) -}}
{{/* IngressClass exists and is managed by this chart */}}
{{- $includeIngressClass = true -}}
{{- end -}}
{{- end -}}
{{- else -}}
{{/* IngressClass doesn't exist */}}
{{- $includeIngressClass = true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if $includeIngressClass -}}
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: {{ .Values.ingressController.ingressClass }}
{{- if .Values.ingressController.ingressClassAnnotations }}
annotations:
{{- range $key, $value := .Values.ingressController.ingressClassAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
spec:
controller: ingress-controllers.konghq.com/kong
{{- end -}}


@@ -0,0 +1,141 @@
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.appsec.learning.name }}-deployment
labels:
app: {{ .Values.appsec.learning.name }}-lbl
namespace: {{ template "kong.namespace" . }}
spec:
replicas: {{ .Values.appsec.learning.replicas }}
selector:
matchLabels:
app: {{ .Values.appsec.learning.name }}-lbl
template:
metadata:
labels:
app: {{ .Values.appsec.learning.name }}-lbl
group: fog-core
spec:
securityContext:
{{- if eq .Values.appsec.persistence.enabled true }}
fsGroup: 2000
runAsGroup: 2000
runAsUser: 1000
{{- else }}
runAsUser: 0
{{- end }}
containers:
- name: {{ .Values.appsec.learning.name }}
imagePullPolicy: Always
ports:
- containerPort: 8080
livenessProbe:
failureThreshold: 3
httpGet:
path: /health/live
port: 8080
scheme: HTTP
initialDelaySeconds: 20
periodSeconds: 5
timeoutSeconds: 10
{{- with .Values.appsec.learning.image }}
image: {{ .registry }}/{{ .image }}:{{ .tag }}
{{- end }}
readinessProbe:
failureThreshold: 3
httpGet:
path: /health/ready
port: 8080
scheme: HTTP
initialDelaySeconds: 3
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 10
env:
- name: APPSEC_MODE
value: stand-alone
- name: RP_BASEURL
value: http://{{ .Values.appsec.storage.name }}-svc/api
- name: K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if eq .Values.appsec.persistence.enabled true }}
volumeMounts:
- mountPath: /tmp/locks/
name: flock
volumes:
- name: flock
persistentVolumeClaim:
claimName: {{ .Values.appsec.name }}-storage
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.appsec.storage.name }}-deployment
labels:
app: {{ .Values.appsec.storage.name }}-lbl
namespace: {{ template "kong.namespace" . }}
spec:
replicas: {{ .Values.appsec.storage.replicas }}
selector:
matchLabels:
app: {{ .Values.appsec.storage.name }}-lbl
template:
metadata:
labels:
app: {{ .Values.appsec.storage.name }}-lbl
group: fog-core
spec:
securityContext:
{{- if eq .Values.appsec.persistence.enabled true }}
fsGroup: 2000
runAsGroup: 2000
runAsUser: 1000
{{- else }}
runAsUser: 0
{{- end }}
containers:
- name: {{ .Values.appsec.storage.name }}
imagePullPolicy: Always
{{- with .Values.appsec.storage.image }}
image: {{ .registry }}/{{ .image }}:{{ .tag }}
{{- end }}
env:
- name: K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- containerPort: 8080
livenessProbe:
failureThreshold: 3
httpGet:
path: /health/live
port: 8080
scheme: HTTP
initialDelaySeconds: 20
periodSeconds: 5
timeoutSeconds: 10
readinessProbe:
failureThreshold: 3
httpGet:
path: /health/ready
port: 8080
scheme: HTTP
initialDelaySeconds: 3
periodSeconds: 15
successThreshold: 1
timeoutSeconds: 10
{{- if eq .Values.appsec.persistence.enabled true }}
volumeMounts:
- mountPath: /db/
name: files-volume
volumes:
- name: files-volume
persistentVolumeClaim:
claimName: {{ .Values.appsec.name }}-storage
{{- end }}
{{- end }}
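Review bot: Both appsec Deployments run as root when persistence is off (`runAsUser: 0` at L1491 and L1563) and neither container sets `resources`, `allowPrivilegeEscalation: false`, or a capability drop, so the non-persistent path is the weaker of the two postures. If root is needed only so the process can write its working directories, reusing the `runAsUser: 1000`/`fsGroup: 2000` block with an `emptyDir` volume would keep the pods non-root in both modes; otherwise a comment above each `{{- else }}` stating why root is required would help reviewers. As style points, `{{- if eq .Values.appsec.persistence.enabled true }}` (L1486, L1529, L1558, L1597) reads more simply as `{{- if .Values.appsec.persistence.enabled }}`, and the `image:` block at L1507-L1509 sits between the two probes rather than next to `imagePullPolicy`.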


@@ -0,0 +1,33 @@
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.appsec.learning.name }}-svc
namespace: {{ template "kong.namespace" . }}
spec:
ports:
- name: "http"
port: 80
targetPort: 8080
- name: "https"
port: 443
targetPort: 8080
selector:
app: {{ .Values.appsec.learning.name }}-lbl
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.appsec.storage.name }}-svc
namespace: {{ template "kong.namespace" . }}
spec:
ports:
- name: "http"
port: 80
targetPort: 8080
- name: "https"
port: 443
targetPort: 8080
selector:
app: {{ .Values.appsec.storage.name }}-lbl
{{- end }}
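Review bot: Both Services name a port `https` on 443 (L1622-L1624, L1638-L1640) but route it to the same `targetPort: 8080` as `http`, and the matching Deployments expose only 8080 with `scheme: HTTP` probes, so nothing here terminates TLS and traffic sent to 443 reaches the pod in plaintext. If the containers do not serve TLS on 8080, the name misleads operators and any port-name-based protocol detection; either drop the 443 entry or rename it, e.g. `- name: "http-alt"`, until TLS is actually configured.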


@@ -0,0 +1,93 @@
{{- if .Values.deployment.kong.enabled }}
{{- if (and .Values.migrations.postUpgrade (not (eq .Values.env.database "off"))) }}
# Why is this Job duplicated and not using only helm hooks?
# See: https://github.com/helm/charts/pull/7362
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kong.fullname" . }}-post-upgrade-migrations
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
app.kubernetes.io/component: post-upgrade-migrations
annotations:
helm.sh/hook: "post-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
{{- range $key, $value := .Values.migrations.jobAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
backoffLimit: {{ .Values.migrations.backoffLimit }}
template:
metadata:
name: {{ template "kong.name" . }}-post-upgrade-migrations
labels:
{{- include "kong.metaLabels" . | nindent 8 }}
app.kubernetes.io/component: post-upgrade-migrations
{{- if .Values.migrations.annotations }}
annotations:
{{- range $key, $value := .Values.migrations.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{- end }}
{{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
automountServiceAccountToken: true
{{- else }}
automountServiceAccountToken: false
{{ end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.initContainers) }}
initContainers:
{{- if .Values.deployment.initContainers }}
{{- toYaml .Values.deployment.initContainers | nindent 6 }}
{{- end }}
{{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-postgres" . | nindent 6 }}
{{- end }}
{{- end }}
containers:
{{- if .Values.migrations.sidecarContainers }}
{{- toYaml .Values.migrations.sidecarContainers | nindent 6 }}
{{- end }}
- name: {{ template "kong.name" . }}-post-upgrade-migrations
{{- if eq .Values.kind "Vanilla" }}
image: {{ include "kong.getRepoTag" .Values.image }}
{{- else }}
image: {{ include "kong.getRepoTag" .Values.appsec.kong.image }}
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
args: [ "kong", "migrations", "finish" ]
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}
{{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 8 }}
resources:
{{- toYaml .Values.migrations.resources | nindent 10 }}
securityContext:
{{- include "kong.podsecuritycontext" . | nindent 8 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{- toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{- toYaml .Values.tolerations | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
volumes:
{{- include "kong.volumes" . | nindent 6 -}}
{{- include "kong.userDefinedVolumes" . | nindent 6 -}}
{{- end }}
{{- end }}
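Review bot: The container image at L1709-L1713 switches to `.Values.appsec.kong.image` for non-Vanilla kinds, but `imagePullPolicy` at L1714 still reads `.Values.image.pullPolicy`, so the appsec image inherits whatever policy was set for the vanilla image; mirror the `{{- if eq .Values.kind "Vanilla" }}` switch for the pull policy if the appsec image map carries one. The same pattern appears in the pre-upgrade job at L1806-L1811. The pre-upgrade container is named `-upgrade-migrations` (L1805) while this job uses `-post-upgrade-migrations` and the init job `-migrations`, which is worth aligning for log filtering.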


@@ -0,0 +1,93 @@
{{- if .Values.deployment.kong.enabled }}
{{- if (and .Values.migrations.preUpgrade (not (eq .Values.env.database "off"))) }}
# Why is this Job duplicated and not using only helm hooks?
# See: https://github.com/helm/charts/pull/7362
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kong.fullname" . }}-pre-upgrade-migrations
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
app.kubernetes.io/component: pre-upgrade-migrations
annotations:
helm.sh/hook: "pre-upgrade"
helm.sh/hook-delete-policy: "before-hook-creation"
{{- range $key, $value := .Values.migrations.jobAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
backoffLimit: {{ .Values.migrations.backoffLimit }}
template:
metadata:
name: {{ template "kong.name" . }}-pre-upgrade-migrations
labels:
{{- include "kong.metaLabels" . | nindent 8 }}
app.kubernetes.io/component: pre-upgrade-migrations
{{- if .Values.migrations.annotations }}
annotations:
{{- range $key, $value := .Values.migrations.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{- end }}
{{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
automountServiceAccountToken: true
{{- else }}
automountServiceAccountToken: false
{{ end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.initContainers) }}
initContainers:
{{- if .Values.deployment.initContainers }}
{{- toYaml .Values.deployment.initContainers | nindent 6 }}
{{- end }}
{{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-postgres" . | nindent 6 }}
{{- end }}
{{- end }}
containers:
{{- if .Values.migrations.sidecarContainers }}
{{- toYaml .Values.migrations.sidecarContainers | nindent 6 }}
{{- end }}
- name: {{ template "kong.name" . }}-upgrade-migrations
{{- if eq .Values.kind "Vanilla" }}
image: {{ include "kong.getRepoTag" .Values.image }}
{{- else }}
image: {{ include "kong.getRepoTag" .Values.appsec.kong.image }}
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
args: [ "kong", "migrations", "up" ]
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}
{{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 8 }}
resources:
{{- toYaml .Values.migrations.resources| nindent 10 }}
securityContext:
{{- include "kong.podsecuritycontext" . | nindent 8 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{- toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{- toYaml .Values.tolerations | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
volumes:
{{- include "kong.volumes" . | nindent 6 -}}
{{- include "kong.userDefinedVolumes" . | nindent 6 -}}
{{- end }}
{{- end }}


@@ -0,0 +1,98 @@
{{- if .Values.deployment.kong.enabled }}
{{- if .Release.IsInstall -}}
{{/* .migrations.init isn't normally exposed in values.yaml, since it should
generally always run on install--there should never be any reason to
disable it, and at worst it's a no-op. However, https://github.com/helm/helm/issues/3308
means we cannot use the default function to create a hidden value, hence
the workaround with this $runInit variable.
*/}}
{{- $runInit := true -}}
{{- if (hasKey .Values.migrations "init") -}}
{{- $runInit = .Values.migrations.init -}}
{{- end -}}
{{- if (and ($runInit) (not (eq .Values.env.database "off"))) }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kong.fullname" . }}-init-migrations
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
app.kubernetes.io/component: init-migrations
annotations:
{{- range $key, $value := .Values.migrations.jobAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
backoffLimit: {{ .Values.migrations.backoffLimit }}
template:
metadata:
name: {{ template "kong.name" . }}-init-migrations
labels:
{{- include "kong.metaLabels" . | nindent 8 }}
app.kubernetes.io/component: init-migrations
{{- if .Values.migrations.annotations }}
annotations:
{{- range $key, $value := .Values.migrations.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
serviceAccountName: {{ template "kong.serviceAccountName" . }}
{{- end }}
{{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }}
automountServiceAccountToken: true
{{- else }}
automountServiceAccountToken: false
{{ end }}
{{- if .Values.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.initContainers) }}
initContainers:
{{- if .Values.deployment.initContainers }}
{{- toYaml .Values.deployment.initContainers | nindent 6 }}
{{- end }}
{{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-postgres" . | nindent 6 }}
{{- end }}
{{- end }}
containers:
{{- if .Values.migrations.sidecarContainers }}
{{- toYaml .Values.migrations.sidecarContainers | nindent 6 }}
{{- end }}
- name: {{ template "kong.name" . }}-migrations
image: {{ include "kong.getRepoTag" .Values.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
args: [ "kong", "migrations", "bootstrap" ]
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}
{{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 8 }}
resources:
{{- toYaml .Values.migrations.resources | nindent 10 }}
securityContext:
{{- include "kong.podsecuritycontext" . | nindent 8 }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{- toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{- toYaml .Values.tolerations | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
volumes:
{{- include "kong.volumes" . | nindent 6 -}}
{{- include "kong.userDefinedVolumes" . | nindent 6 -}}
{{- end }}
{{- end }}
{{- end }}
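Review bot: The init-migrations container at L1910 always uses `.Values.image`, whereas the pre- and post-upgrade jobs select `.Values.appsec.kong.image` when `.Values.kind` is not `Vanilla`, so on a fresh non-Vanilla install the bootstrap runs with a different image than every later migration. Apply the same `{{- if eq .Values.kind "Vanilla" }}` / `{{- else }}` image switch here. Whether the two images are version-locked is not visible in this commit, so confirm that before treating the mismatch as benign.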


@@ -0,0 +1,20 @@
{{- if .Values.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "kong.fullname" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
spec:
{{- if .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "kong.metaLabels" . | nindent 6 }}
app.kubernetes.io/component: app
{{- end }}
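Review bot: `minAvailable` and `maxUnavailable` (L1952-L1957) are rendered independently, so setting both in values produces an object the API server rejects and the error only surfaces at apply time; a template-time guard such as `{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }}{{ fail "podDisruptionBudget: set only one of minAvailable or maxUnavailable" }}{{- end }}` gives a clearer message. The truthiness checks also drop an explicit `0`, which is a valid value for either field.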


@@ -0,0 +1,53 @@
{{- if and (.Values.podSecurityPolicy.enabled) (.Capabilities.APIVersions.Has "policy/v1beta1") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "kong.serviceAccountName" . }}-psp
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
{{- with .Values.podSecurityPolicy.labels }}
{{- range $key, $value := . }}
{{ $key }}: {{ $value }}
{{- end }}
{{- end }}
{{- with .Values.podSecurityPolicy.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{ .Values.podSecurityPolicy.spec | toYaml | indent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kong.serviceAccountName" . }}-psp
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
rules:
- apiGroups:
- policy
resources:
- podsecuritypolicies
verbs:
- use
resourceNames:
- {{ template "kong.serviceAccountName" . }}-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "kong.serviceAccountName" . }}-psp
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "kong.serviceAccountName" . }}
namespace: {{ template "kong.namespace" . }}
roleRef:
kind: ClusterRole
name: {{ template "kong.serviceAccountName" . }}-psp
apiGroup: rbac.authorization.k8s.io
{{- end }}
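Review bot: PSP labels at L1976 are emitted as `{{ $key }}: {{ $value }}` without `quote`, unlike the annotations at L1982 and every other label/annotation loop in this chart, so a label value such as `true` or `1` renders as a boolean or integer and is rejected because label values must be strings; change it to `{{ $key }}: {{ $value | quote }}`. Separately, the ClusterRoleBinding at L2004-L2008 carries `namespace:` in its metadata although the kind is cluster-scoped; the API server drops the field, so removing it avoids confusion.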


@@ -0,0 +1,14 @@
{{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
See the related documentation of semver module that Helm depends on for semverCompare:
https://github.com/Masterminds/semver#working-with-prerelease-versions
Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
{{- if and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) (semverCompare "<1.20.0-0" .Capabilities.KubeVersion.Version) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kong.serviceAccountTokenName" . }}
namespace: {{ template "kong.namespace" . }}
annotations:
kubernetes.io/service-account.name: {{ template "kong.serviceAccountName" . }}
type: kubernetes.io/service-account-token
{{- end }}


@@ -0,0 +1,15 @@
{{- if and (or .Values.deployment.kong.enabled .Values.ingressController.enabled) .Values.deployment.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "kong.serviceAccountName" . }}
namespace: {{ template "kong.namespace" . }}
{{- if .Values.deployment.serviceAccount.annotations }}
annotations:
{{- range $key, $value := .Values.deployment.serviceAccount.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
{{- end -}}


@@ -0,0 +1,17 @@
{{- if .Values.deployment.kong.enabled }}
{{- if and .Values.admin.enabled (or .Values.admin.http.enabled .Values.admin.tls.enabled) -}}
{{- $serviceConfig := dict -}}
{{- $serviceConfig := merge $serviceConfig .Values.admin -}}
{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
{{- $_ := set $serviceConfig "serviceName" "admin" -}}
{{- include "kong.service" $serviceConfig }}
{{ if .Values.admin.ingress.enabled }}
---
{{ include "kong.ingress" $serviceConfig }}
{{- end -}}
{{- end -}}
{{- end -}}
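Review bot: When `admin.ingress.enabled` is set (L2072-L2074) the Kong Admin API is published through an Ingress, and the Admin API carries no authentication of its own, so any access control has to come from `admin.tls`, an auth plugin on that route, or network policy; a comment above L2072 such as `{{/* The Admin API is unauthenticated; only enable this Ingress behind TLS plus an auth plugin or network policy */}}` would make that explicit to operators. As a style point, `$serviceConfig` is re-declared with `:=` at L2064 right after its declaration at L2063 where `=` is meant; the same appears at L2085, L2106 and L2128.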


@@ -0,0 +1,17 @@
{{- if .Values.deployment.kong.enabled }}
{{- if and .Values.clustertelemetry.enabled .Values.clustertelemetry.tls.enabled -}}
{{- $serviceConfig := dict -}}
{{- $serviceConfig := merge $serviceConfig .Values.clustertelemetry -}}
{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
{{- $_ := set $serviceConfig "serviceName" "clustertelemetry" -}}
{{- include "kong.service" $serviceConfig }}
{{ if .Values.clustertelemetry.ingress.enabled }}
---
{{ include "kong.ingress" $serviceConfig }}
{{- end -}}
{{- end -}}
{{- end -}}


@@ -0,0 +1,17 @@
{{- if .Values.deployment.kong.enabled }}
{{- if and .Values.cluster.enabled .Values.cluster.tls.enabled -}}
{{- $serviceConfig := dict -}}
{{- $serviceConfig := merge $serviceConfig .Values.cluster -}}
{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
{{- $_ := set $serviceConfig "serviceName" "cluster" -}}
{{- include "kong.service" $serviceConfig }}
{{ if .Values.cluster.ingress.enabled }}
---
{{ include "kong.ingress" $serviceConfig }}
{{- end -}}
{{- end -}}
{{- end -}}

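--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,19 @@
+{{- if .Values.deployment.kong.enabled }}
+{{- if .Values.enterprise.enabled }}
+{{- if and .Values.manager.enabled (or .Values.manager.http.enabled .Values.manager.tls.enabled) -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.manager -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "manager" -}}
+{{- include "kong.service" $serviceConfig }}
+{{ if .Values.manager.ingress.enabled }}
+---
+{{ include "kong.ingress" $serviceConfig }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}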

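--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,19 @@
+{{- if .Values.deployment.kong.enabled }}
+{{- if .Values.enterprise.enabled }}
+{{- if and .Values.portalapi.enabled (or .Values.portalapi.http.enabled .Values.portalapi.tls.enabled) -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.portalapi -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "portalapi" -}}
+{{- include "kong.service" $serviceConfig }}
+{{ if .Values.portalapi.ingress.enabled }}
+---
+{{ include "kong.ingress" $serviceConfig }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}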

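--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,19 @@
+{{- if .Values.deployment.kong.enabled }}
+{{- if .Values.enterprise.enabled }}
+{{- if and .Values.portal.enabled (or .Values.portal.http.enabled .Values.portal.tls.enabled) -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.portal -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "portal" -}}
+{{- include "kong.service" $serviceConfig }}
+{{ if .Values.portal.ingress.enabled }}
+---
+{{ include "kong.ingress" $serviceConfig }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}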

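--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,17 @@
+{{- if .Values.deployment.kong.enabled }}
+{{- if and .Values.proxy.enabled (or .Values.proxy.http.enabled .Values.proxy.tls.enabled) -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.proxy -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "proxy" -}}
+{{- include "kong.service" $serviceConfig }}
+{{ if .Values.proxy.ingress.enabled }}
+---
+{{ include "kong.ingress" $serviceConfig }}
+{{- end -}}
+{{- end -}}
+{{- end -}}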

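--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,15 @@
+{{- if .Values.deployment.kong.enabled }}
+{{- if and .Values.udpProxy.enabled -}}
+{{- $serviceConfig := dict -}}
+{{- $serviceConfig := merge $serviceConfig .Values.udpProxy -}}
+{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
+{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
+{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
+{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}
+{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}}
+{{- $_ := set $serviceConfig "serviceName" "udp-proxy" -}}
+{{- $_ := set $serviceConfig "tls" (dict "enabled" false) -}}
+{{- $_ := set $serviceConfig "http" (dict "enabled" false) -}}
+{{- include "kong.service" $serviceConfig }}
+{{- end -}}
+{{- end -}}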
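Review bot: `{{- if and .Values.udpProxy.enabled -}}` on the second line wraps a single operand in `and`, which is a no-op; `{{- if .Values.udpProxy.enabled -}}` says the same thing and matches the form used by the sibling service templates. The two `set $serviceConfig "tls"` / `"http"` lines that force both flags to `false` would also benefit from a comment such as `{{- /* a UDP listener has no http/tls variant; clear the merged flags so kong.service presumably skips those ports */ -}}`, because a reader comparing this file with the proxy service will otherwise wonder why the merged values are overridden here and nowhere else. The `kong.service` helper itself is not in this commit view, so the exact effect of those flags should be confirmed against it.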

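--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,51 @@
+{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "kong.fullname" . }}
+  {{- if .Values.serviceMonitor.namespace }}
+  namespace: {{ .Values.serviceMonitor.namespace }}
+  {{- end }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+    {{- if .Values.serviceMonitor.labels }}
+    {{ toYaml .Values.serviceMonitor.labels | nindent 4 }}
+    {{- end }}
+spec:
+  endpoints:
+  - targetPort: status
+    scheme: http
+    {{- if .Values.serviceMonitor.interval }}
+    interval: {{ .Values.serviceMonitor.interval }}
+    {{- end }}
+    {{- if .Values.serviceMonitor.honorLabels }}
+    honorLabels: true
+    {{- end }}
+    {{- if .Values.serviceMonitor.metricRelabelings }}
+    metricRelabelings: {{ toYaml .Values.serviceMonitor.metricRelabelings | nindent 6 }}
+    {{- end }}
+  {{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) -}}
+  - targetPort: cmetrics
+    scheme: http
+    {{- if .Values.serviceMonitor.interval }}
+    interval: {{ .Values.serviceMonitor.interval }}
+    {{- end }}
+    {{- if .Values.serviceMonitor.honorLabels }}
+    honorLabels: true
+    {{- end }}
+    {{- if .Values.serviceMonitor.metricRelabelings }}
+    metricRelabelings: {{ toYaml .Values.serviceMonitor.metricRelabelings | nindent 6 }}
+    {{- end }}
+  {{- end }}
+  jobLabel: {{ .Release.Name }}
+  namespaceSelector:
+    matchNames:
+    - {{ template "kong.namespace" . }}
+  selector:
+    matchLabels:
+      enable-metrics: "true"
+      {{- include "kong.metaLabels" . | nindent 6 }}
+  {{- if .Values.serviceMonitor.targetLabels }}
+  targetLabels: {{ toYaml .Values.serviceMonitor.targetLabels | nindent 4 }}
+  {{- end }}
+{{- end }}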
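Review bot: `jobLabel: {{ .Release.Name }}` near the bottom of the hunk looks misused: in a ServiceMonitor, `jobLabel` names a label *key* on the selected Service from which the Prometheus job name is read, not a literal job name, so unless a Kong Service carries a label keyed by the release name the operator falls back to the Service name and this value has no effect. If the intent is to group scrapes per release, the key of a label the Services actually carry (one of those emitted by `kong.metaLabels`) should be named here instead, or the field dropped. The two endpoint entries (`status` and `cmetrics`) are otherwise copy-pasted; a comment above `{{ if (semverCompare ">= 2.0.0" ...` such as `{{- /* the cmetrics port exists only on ingress-controller images >= 2.0.0 */ -}}` would explain the version gate, and the missing left-trim on that `{{ if` leaves a stray blank line inside the `endpoints` list in rendered output.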

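--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,32 @@
+{{- if .Values.deployment.test.enabled }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-test-ingress"
+  annotations:
+    "helm.sh/hook": test
+spec:
+  restartPolicy: OnFailure
+  containers:
+    - name: "{{ .Release.Name }}-curl"
+      image: curlimages/curl
+      command:
+        - curl
+        - "http://{{ .Release.Name }}-kong-proxy.{{ .Release.Namespace }}.svc.cluster.local/httpbin"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-test-httproute"
+  annotations:
+    "helm.sh/hook": test
+spec:
+  restartPolicy: OnFailure
+  containers:
+    - name: "{{ .Release.Name }}-curl"
+      image: curlimages/curl
+      command:
+        - curl
+        - "http://{{ .Release.Name }}-kong-proxy.{{ .Release.Namespace }}.svc.cluster.local/httproute"
+{{- end }}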
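Review bot: The target URLs on the two `- "http://...` lines hard-code `{{ .Release.Name }}-kong-proxy` and `{{ .Release.Namespace }}`, while every other template in this commit derives names through `kong.fullname` and `kong.namespace`; with a name override or a namespace override the test pod resolves a Service that does not exist and the hook fails for the wrong reason. Using `- "http://{{ template "kong.fullname" . }}-proxy.{{ template "kong.namespace" . }}.svc.cluster.local/httpbin"` (and likewise `/httproute` in the second pod) keeps the tests consistent with the chart. `image: curlimages/curl` is untagged, so each test run pulls whatever `latest` happens to be; pinning a tag or digest makes the hook reproducible and keeps a surprise image out of the cluster.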

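--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,84 @@
+{{- if .Values.deployment.test.enabled }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-httpbin"
+  labels:
+    app: httpbin
+spec:
+  containers:
+  - name: httpbin
+    image: kennethreitz/httpbin
+    ports:
+    - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: "{{ .Release.Name }}-httpbin"
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: httpbin
+  type: ClusterIP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: "{{ .Release.Name }}-httpbin"
+  annotations:
+    httpbin.ingress.kubernetes.io/rewrite-target: /
+    kubernetes.io/ingress.class: "kong"
+    konghq.com/strip-path: "true"
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /httpbin
+        pathType: Prefix
+        backend:
+          service:
+            name: "{{ .Release.Name }}-httpbin"
+            port:
+              number: 80
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: GatewayClass
+metadata:
+  name: "{{ .Release.Name }}-kong-test"
+spec:
+  controllerName: konghq.com/kic-gateway-controller
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: Gateway
+metadata:
+  name: "{{ .Release.Name }}-kong-test"
+  annotations:
+    konghq.com/gateway-unmanaged: "true"
+spec:
+  gatewayClassName: "{{ .Release.Name }}-kong-test"
+  listeners: # Use GatewayClass defaults for listener definition.
+  - name: http
+    protocol: HTTP
+    port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+  name: "{{ .Release.Name }}-httpbin"
+spec:
+  parentRefs:
+  - name: "{{ .Release.Name }}-kong-test"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: "/httproute"
+    backendRefs:
+    - name: "{{ .Release.Name }}-httpbin"
+      port: 80
+{{- end }}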
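Review bot: The Ingress annotations in the middle of the hunk carry `httpbin.ingress.kubernetes.io/rewrite-target: /`, a prefix that matches neither the `konghq.com/` nor the `kubernetes.io/` annotations used elsewhere in this file, and the path handling is already covered by `konghq.com/strip-path: "true"`; it looks like a leftover and is worth removing so nobody assumes it does something. `kubernetes.io/ingress.class: "kong"` on the next line also assumes the controller in this chart watches the class named `kong`; the configured class is not visible in this hunk, but if it is overridable the test Ingress should render the same value (and `spec.ingressClassName` is the current field for `networking.k8s.io/v1`). `image: kennethreitz/httpbin` is unpinned, so a tag or digest would make the test fixture reproducible. Unlike the sibling test-pod file, none of these resources carry a `helm.sh/hook: test` annotation, so they are installed as ordinary release objects whenever `deployment.test.enabled` is true; a comment stating that this is intended would stop the next reader from "fixing" it.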

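--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,15 @@
+{{ if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "kong.fullname" . }}-bash-wait-for-postgres
+  namespace: {{ template "kong.namespace" . }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+data:
+  wait.sh: |
+    until timeout 2 bash -c "9<>/dev/tcp/${KONG_PG_HOST}/${KONG_PG_PORT}"
+    do echo "waiting for db - trying ${KONG_PG_HOST}:${KONG_PG_PORT}"
+    sleep 2
+    done
+{{ end }}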
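Review bot: The `until timeout 2 bash -c "9<>/dev/tcp/..."` loop in `wait.sh` never fails fast when `KONG_PG_HOST` or `KONG_PG_PORT` is unset: the probe then targets `/dev/tcp//` and the container spins forever printing `waiting for db - trying :`, which is hard to tell apart from a genuinely unreachable database. A first line such as `: "${KONG_PG_HOST:?KONG_PG_HOST is required}" "${KONG_PG_PORT:?KONG_PG_PORT is required}"` makes a misconfigured pod exit with a clear message instead. The `/dev/tcp` redirection is a bash-only feature, so a short comment noting that `waitImage` must provide a real `bash` (not a POSIX `sh`) would save the next person who swaps the image.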