mirror of
https://github.com/openappsec/openappsec.git
synced 2025-09-30 03:34:26 +03:00
Updating the NGINX Ingress helm chart
This commit is contained in:
Ned Wright
@@ -85,6 +85,16 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
|
||||
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Construct a unique electionID.
|
||||
Users can provide an override for an explicit electionID if they want via `.Values.controller.electionID`
|
||||
*/}}
|
||||
{{- define "ingress-nginx.controller.electionID" -}}
|
||||
{{- $defElectionID := printf "%s-leader" (include "ingress-nginx.fullname" .) -}}
|
||||
{{- $electionID := default $defElectionID .Values.controller.electionID -}}
|
||||
{{- print $electionID -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Construct the path for the publish-service.
|
||||
|
||||
@@ -183,3 +193,20 @@ IngressClass parameters.
|
||||
{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}}
|
||||
{{ end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Extra modules.
|
||||
*/}}
|
||||
{{- define "extraModules" -}}
|
||||
|
||||
- name: {{ .name }}
|
||||
image: {{ .image }}
|
||||
command: ['sh', '-c', '/usr/local/bin/init_module.sh']
|
||||
{{- if (.containerSecurityContext) }}
|
||||
securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: {{ toYaml "modules"}}
|
||||
mountPath: {{ toYaml "/modules_mount"}}
|
||||
|
||||
{{- end -}}
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
- --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}-internal
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
- --election-id={{ .Values.controller.electionID }}
|
||||
- --election-id={{ include "ingress-nginx.controller.electionID" . }}
|
||||
- --controller-class={{ .Values.controller.ingressClassResource.controllerValue }}
|
||||
{{- if .Values.controller.ingressClass }}
|
||||
- --ingress-class={{ .Values.controller.ingressClass }}
|
||||
@@ -51,6 +51,9 @@
|
||||
{{- if .Values.controller.watchIngressWithoutClass }}
|
||||
- --watch-ingress-without-class=true
|
||||
{{- end }}
|
||||
{{- if .Values.controller.enableTopologyAwareRouting }}
|
||||
- --enable-topology-aware-routing=true
|
||||
{{- end }}
|
||||
{{- range $key, $value := .Values.controller.extraArgs }}
|
||||
{{- /* Accept keys without values or with false as value */}}
|
||||
{{- if eq ($value | quote | len) 2 }}
|
||||
|
||||
@@ -0,0 +1,63 @@
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.certManager.enabled -}}
|
||||
{{- if not .Values.controller.admissionWebhooks.certManager.issuerRef -}}
|
||||
# Create a selfsigned Issuer, in order to create a root CA certificate for
|
||||
# signing webhook serving certificates
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
selfSigned: {}
|
||||
---
|
||||
# Generate a CA Certificate used to sign certificates for the webhook
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: {{ include "ingress-nginx.fullname" . }}-root-cert
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
|
||||
duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
|
||||
issuerRef:
|
||||
name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
|
||||
commonName: "ca.webhook.ingress-nginx"
|
||||
isCA: true
|
||||
subject:
|
||||
organizations:
|
||||
- ingress-nginx
|
||||
---
|
||||
# Create an Issuer that uses the above generated CA certificate to issue certs
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: {{ include "ingress-nginx.fullname" . }}-root-issuer
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
ca:
|
||||
secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
|
||||
{{- end }}
|
||||
---
|
||||
# generate a server certificate for the apiservices to use
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: {{ include "ingress-nginx.fullname" . }}-admission
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
secretName: {{ include "ingress-nginx.fullname" . }}-admission
|
||||
duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
|
||||
issuerRef:
|
||||
{{- if .Values.controller.admissionWebhooks.certManager.issuerRef }}
|
||||
{{- toYaml .Values.controller.admissionWebhooks.certManager.issuerRef | nindent 4 }}
|
||||
{{- else }}
|
||||
name: {{ include "ingress-nginx.fullname" . }}-root-issuer
|
||||
{{- end }}
|
||||
dnsNames:
|
||||
- {{ include "ingress-nginx.controller.fullname" . }}-admission
|
||||
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}
|
||||
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc
|
||||
subject:
|
||||
organizations:
|
||||
- ingress-nginx-admission
|
||||
{{- end -}}
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ include "ingress-nginx.fullname" . }}-admission
|
||||
name: {{ include "ingress-nginx.fullname" . }}-admission
|
||||
annotations:
|
||||
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
@@ -56,8 +56,12 @@ spec:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
{{- if .Values.controller.admissionWebhooks.extraEnvs }}
|
||||
{{- toYaml .Values.controller.admissionWebhooks.extraEnvs | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.admissionWebhooks.createSecretJob.securityContext }}
|
||||
securityContext: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.securityContext | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.admissionWebhooks.createSecretJob.resources }}
|
||||
resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
@@ -69,8 +73,8 @@ spec:
|
||||
{{- if .Values.controller.admissionWebhooks.patch.tolerations }}
|
||||
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.admissionWebhooks.patch.securityContext }}
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
|
||||
fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
|
||||
{{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
@@ -58,8 +58,12 @@ spec:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
{{- if .Values.controller.admissionWebhooks.extraEnvs }}
|
||||
{{- toYaml .Values.controller.admissionWebhooks.extraEnvs | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.admissionWebhooks.patchWebhookJob.securityContext }}
|
||||
securityContext: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.securityContext | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }}
|
||||
resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
@@ -71,8 +75,8 @@ spec:
|
||||
{{- if .Values.controller.admissionWebhooks.patch.tolerations }}
|
||||
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.admissionWebhooks.patch.securityContext }}
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
|
||||
fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
|
||||
{{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -0,0 +1,26 @@
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.networkPolicyEnabled }}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ include "ingress-nginx.fullname" . }}-admission
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
labels:
|
||||
{{- include "ingress-nginx.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: admission-webhook
|
||||
{{- with .Values.controller.admissionWebhooks.patch.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
{{- include "ingress-nginx.labels" . | nindent 6 }}
|
||||
app.kubernetes.io/component: admission-webhook
|
||||
policyTypes:
|
||||
- Ingress
|
||||
- Egress
|
||||
egress:
|
||||
- {}
|
||||
{{- end }}
|
||||
@@ -1,3 +1,4 @@
|
||||
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
@@ -37,3 +38,4 @@ spec:
|
||||
- secret
|
||||
- downwardAPI
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "ingress-nginx.fullname" . }}-admission
|
||||
name: {{ include "ingress-nginx.fullname" . }}-admission
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
|
||||
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
|
||||
@@ -4,8 +4,13 @@
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
annotations:
|
||||
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
|
||||
certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
|
||||
cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.admissionWebhooks.annotations }}
|
||||
annotations: {{ toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
|
||||
{{- toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "ingress-nginx.labels" . | nindent 4 }}
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- if and (eq "stand-alone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}}
|
||||
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}}
|
||||
kind: PersistentVolumeClaim
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
@@ -17,4 +17,4 @@ spec:
|
||||
{{- else }}
|
||||
storageClassName: {{ required "A storage class for learning data is required" .Values.appsec.persistence.learning.storageClass.name }}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -29,6 +29,13 @@ rules:
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- coordination.k8s.io
|
||||
resources:
|
||||
- leases
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
{{- if and .Values.controller.scope.enabled .Values.controller.scope.namespace }}
|
||||
- apiGroups:
|
||||
- ""
|
||||
@@ -82,6 +89,14 @@ rules:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- discovery.k8s.io
|
||||
resources:
|
||||
- endpointslices
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- get
|
||||
- apiGroups:
|
||||
- openappsec.io
|
||||
resources:
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- if or .Values.controller.proxySetHeaders .Values.controller.headers -}}
|
||||
{{- if .Values.controller.proxySetHeaders -}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
@@ -10,10 +10,5 @@ metadata:
|
||||
{{- end }}
|
||||
name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
|
||||
namespace: {{ .Release.Namespace }}
|
||||
data:
|
||||
{{- if .Values.controller.proxySetHeaders }}
|
||||
{{ toYaml .Values.controller.proxySetHeaders | indent 2 }}
|
||||
{{ else if and .Values.controller.headers (not .Values.controller.proxySetHeaders) }}
|
||||
{{ toYaml .Values.controller.headers | indent 2 }}
|
||||
{{- end }}
|
||||
data: {{ toYaml .Values.controller.proxySetHeaders | nindent 2 }}
|
||||
{{- end }}
|
||||
|
||||
@@ -17,13 +17,12 @@ data:
|
||||
{{- if .Values.controller.addHeaders }}
|
||||
add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
|
||||
{{- end }}
|
||||
{{- if or .Values.controller.proxySetHeaders .Values.controller.headers }}
|
||||
{{- if .Values.controller.proxySetHeaders }}
|
||||
proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
|
||||
{{- end }}
|
||||
{{- if .Values.dhParam }}
|
||||
ssl-dh-param: {{ printf "%s/%s" .Release.Namespace (include "ingress-nginx.controller.fullname" .) }}
|
||||
ssl-dh-param: {{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }}
|
||||
{{- end }}
|
||||
{{- range $key, $value := .Values.controller.config }}
|
||||
{{- $key | nindent 2 }}: {{ $value | quote }}
|
||||
{{- $key | nindent 2 }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
|
||||
|
||||
@@ -33,7 +33,7 @@ spec:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
|
||||
{{- include "ingress-nginx.labels" . | nindent 8 }}
|
||||
app.kubernetes.io/component: controller
|
||||
{{- with .Values.controller.labels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
@@ -102,8 +102,12 @@ spec:
|
||||
{{- if .Values.controller.startupProbe }}
|
||||
startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.livenessProbe }}
|
||||
livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.readinessProbe }}
|
||||
readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
{{- range $key, $value := .Values.controller.containerPort }}
|
||||
- name: {{ $key }}
|
||||
@@ -114,7 +118,7 @@ spec:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.metrics.enabled }}
|
||||
- name: metrics
|
||||
- name: {{ .Values.controller.metrics.portName }}
|
||||
containerPort: {{ .Values.controller.metrics.port }}
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
@@ -174,11 +178,14 @@ spec:
|
||||
{{- end }}
|
||||
{{- if .Values.controller.extraModules }}
|
||||
{{- range .Values.controller.extraModules }}
|
||||
- name: {{ .Name }}
|
||||
image: {{ .Image }}
|
||||
command: ['sh', '-c', '/usr/local/bin/init_module.sh']
|
||||
{{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
|
||||
{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.opentelemetry.enabled}}
|
||||
{{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
|
||||
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
|
||||
{{- end}}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.hostNetwork }}
|
||||
hostNetwork: {{ .Values.controller.hostNetwork }}
|
||||
@@ -197,9 +204,9 @@ spec:
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
|
||||
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
|
||||
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
|
||||
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
|
||||
volumes:
|
||||
{{- if .Values.controller.extraModules }}
|
||||
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
|
||||
- name: modules
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
@@ -215,6 +222,13 @@ spec:
|
||||
- name: webhook-cert
|
||||
secret:
|
||||
secretName: {{ include "ingress-nginx.fullname" . }}-admission
|
||||
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
|
||||
items:
|
||||
- key: tls.crt
|
||||
path: cert
|
||||
- key: tls.key
|
||||
path: key
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.extraVolumes }}
|
||||
{{ toYaml .Values.controller.extraVolumes | nindent 8 }}
|
||||
|
||||
@@ -37,7 +37,7 @@ spec:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
|
||||
{{- include "ingress-nginx.labels" . | nindent 8 }}
|
||||
app.kubernetes.io/component: controller
|
||||
{{- with .Values.controller.labels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
@@ -76,9 +76,59 @@ spec:
|
||||
shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: {{ .Values.appsec.name }}
|
||||
securityContext:
|
||||
{{ toYaml .Values.appsec.securityContext | nindent 12 }}
|
||||
{{- with .Values.appsec.image }}
|
||||
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
|
||||
{{- end }}
|
||||
command:
|
||||
- {{ .Values.appsec.command }}
|
||||
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
|
||||
args:
|
||||
{{- if (eq "standalone" .Values.appsec.mode) }}
|
||||
- --hybrid-mode
|
||||
- --token
|
||||
- cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0
|
||||
{{- else }}
|
||||
- --token
|
||||
- {{ .Values.appsec.agentToken }}
|
||||
{{- end -}}
|
||||
{{- if .Values.appsec.customFog.enabled }}
|
||||
- --fog
|
||||
- {{ .Values.appsec.customFog.fogAddress }}
|
||||
{{- end }}
|
||||
{{- if .Values.appsec.proxy }}
|
||||
- --proxy
|
||||
- {{ .Values.appsec.proxy }}
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
|
||||
env:
|
||||
- name: user_email
|
||||
value: {{ .Values.appsec.userEmail }}
|
||||
{{- if eq .Values.appsec.playground false }}
|
||||
- name: SHARED_STORAGE_HOST
|
||||
value: {{ .Values.appsec.storage.name }}-svc
|
||||
- name: LEARNING_HOST
|
||||
value: {{ .Values.appsec.learning.name }}-svc
|
||||
{{- else }}
|
||||
- name: PLAYGROUND
|
||||
value: "true"
|
||||
{{- end }}
|
||||
resources:
|
||||
{{ toYaml .Values.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
- name: advanced-model
|
||||
mountPath: /advanced-model
|
||||
{{- if .Values.appsec.persistence.enabled }}
|
||||
- name: appsec-conf
|
||||
mountPath: /etc/cp/conf
|
||||
- name: appsec-data
|
||||
mountPath: /etc/cp/data
|
||||
{{- end }}
|
||||
- name: {{ .Values.controller.containerName }}
|
||||
{{- with .Values.controller.image }}
|
||||
image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}{{- if .tag }}:{{ .tag }}{{- end -}}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
|
||||
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
|
||||
{{- if .Values.controller.lifecycle }}
|
||||
@@ -106,8 +156,12 @@ spec:
|
||||
{{- if .Values.controller.startupProbe }}
|
||||
startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.livenessProbe }}
|
||||
livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.readinessProbe }}
|
||||
readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
{{- range $key, $value := .Values.controller.containerPort }}
|
||||
- name: {{ $key }}
|
||||
@@ -118,7 +172,7 @@ spec:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.metrics.enabled }}
|
||||
- name: metrics
|
||||
- name: {{ .Values.controller.metrics.portName }}
|
||||
containerPort: {{ .Values.controller.metrics.port }}
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
@@ -143,11 +197,15 @@ spec:
|
||||
hostPort: {{ $key }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
|
||||
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
|
||||
volumeMounts:
|
||||
{{- if .Values.controller.extraModules }}
|
||||
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
|
||||
- name: modules
|
||||
{{ if .Values.controller.image.chroot }}
|
||||
mountPath: /chroot/modules_mount
|
||||
{{ else }}
|
||||
mountPath: /modules_mount
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.customTemplate.configMapName }}
|
||||
- mountPath: /etc/nginx/template
|
||||
@@ -166,51 +224,24 @@ spec:
|
||||
{{- if .Values.controller.resources }}
|
||||
resources: {{ toYaml .Values.controller.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
- name: {{ .Values.appsec.name }}
|
||||
securityContext:
|
||||
{{ toYaml .Values.appsec.securityContext | nindent 12 }}
|
||||
{{- with .Values.appsec.image }}
|
||||
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
|
||||
{{- end }}
|
||||
args:
|
||||
- --token
|
||||
- {{ .Values.appsec.agentToken }}
|
||||
{{- if .Values.appsec.customFog.enabled }}
|
||||
- --fog
|
||||
- {{ .Values.appsec.customFog.fogAddress }}
|
||||
{{- end }}
|
||||
{{- if .Values.appsec.proxy }}
|
||||
- --proxy
|
||||
- {{ .Values.appsec.proxy }}
|
||||
{{- end }}
|
||||
command:
|
||||
- {{ .Values.appsec.command }}
|
||||
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
|
||||
resources:
|
||||
{{ toYaml .Values.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
- name: appsec-conf
|
||||
mountPath: /etc/cp/conf
|
||||
- name: appsec-data
|
||||
mountPath: /etc/cp/data
|
||||
{{- if .Values.controller.extraContainers }}
|
||||
{{ toYaml .Values.controller.extraContainers | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
|
||||
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
|
||||
initContainers:
|
||||
{{- if .Values.controller.extraInitContainers }}
|
||||
{{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.extraModules }}
|
||||
{{- range .Values.controller.extraModules }}
|
||||
- name: {{ .name }}
|
||||
image: {{ .image }}
|
||||
command: ['sh', '-c', '/usr/local/bin/init_module.sh']
|
||||
volumeMounts:
|
||||
- name: modules
|
||||
mountPath: /modules_mount
|
||||
{{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
|
||||
{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.opentelemetry.enabled}}
|
||||
{{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
|
||||
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
|
||||
{{- end}}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.hostNetwork }}
|
||||
hostNetwork: {{ .Values.controller.hostNetwork }}
|
||||
@@ -234,10 +265,10 @@ spec:
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ .Values.appsec.name }}-conf
|
||||
- name: appsec-data
|
||||
persistentVolumeClaim:
|
||||
persistentVolumeClaim:
|
||||
claimName: {{ .Values.appsec.name }}-data
|
||||
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
|
||||
{{- if .Values.controller.extraModules }}
|
||||
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
|
||||
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
|
||||
- name: modules
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
@@ -253,6 +284,13 @@ spec:
|
||||
- name: webhook-cert
|
||||
secret:
|
||||
secretName: {{ include "ingress-nginx.fullname" . }}-admission
|
||||
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
|
||||
items:
|
||||
- key: tls.crt
|
||||
path: cert
|
||||
- key: tls.key
|
||||
path: key
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.extraVolumes }}
|
||||
{{ toYaml .Values.controller.extraVolumes | nindent 8 }}
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
|
||||
{{- if not .Values.controller.keda.enabled }}
|
||||
|
||||
apiVersion: autoscaling/v2beta2
|
||||
apiVersion: {{ .Values.controller.autoscaling.apiVersion }}
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
annotations:
|
||||
|
||||
@@ -15,5 +15,9 @@ spec:
|
||||
matchLabels:
|
||||
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
|
||||
app.kubernetes.io/component: controller
|
||||
{{- if .Values.controller.minAvailable }}
|
||||
minAvailable: {{ .Values.controller.minAvailable }}
|
||||
{{- else if .Values.controller.maxUnavailable }}
|
||||
maxUnavailable: {{ .Values.controller.maxUnavailable }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}}
|
||||
{{- if and ( .Values.controller.metrics.enabled ) ( .Values.controller.metrics.prometheusRule.enabled ) ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) -}}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PrometheusRule
|
||||
metadata:
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
|
||||
{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
@@ -27,9 +28,9 @@ spec:
|
||||
volumes:
|
||||
- 'configMap'
|
||||
- 'emptyDir'
|
||||
#- 'projected'
|
||||
- 'projected'
|
||||
- 'secret'
|
||||
#- 'downwardAPI'
|
||||
- 'downwardAPI'
|
||||
{{- if .Values.controller.hostNetwork }}
|
||||
hostNetwork: {{ .Values.controller.hostNetwork }}
|
||||
{{- end }}
|
||||
@@ -90,3 +91,4 @@ spec:
|
||||
seLinux:
|
||||
rule: 'RunAsAny'
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -59,18 +59,18 @@ rules:
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- ""
|
||||
- coordination.k8s.io
|
||||
resources:
|
||||
- configmaps
|
||||
- leases
|
||||
resourceNames:
|
||||
- {{ .Values.controller.electionID }}
|
||||
- {{ include "ingress-nginx.controller.electionID" . }}
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
- apiGroups:
|
||||
- ""
|
||||
- coordination.k8s.io
|
||||
resources:
|
||||
- configmaps
|
||||
- leases
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
@@ -80,6 +80,14 @@ rules:
|
||||
verbs:
|
||||
- create
|
||||
- patch
|
||||
- apiGroups:
|
||||
- discovery.k8s.io
|
||||
resources:
|
||||
- endpointslices
|
||||
verbs:
|
||||
- list
|
||||
- watch
|
||||
- get
|
||||
- apiGroups:
|
||||
- openappsec.io
|
||||
resources:
|
||||
|
||||
@@ -0,0 +1,15 @@
|
||||
{{- if .Values.dhParam -}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "ingress-nginx.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: controller
|
||||
{{- with .Values.controller.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
name: {{ include "ingress-nginx.controller.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
data:
|
||||
dhparam.pem: {{ .Values.dhParam }}
|
||||
{{- end }}
|
||||
@@ -29,9 +29,9 @@ spec:
|
||||
{{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
|
||||
{{- if .Values.controller.service.enableHttp }}
|
||||
- name: http
|
||||
port: {{ .Values.controller.service.ports.http }}
|
||||
port: {{ .Values.controller.service.internal.ports.http | default .Values.controller.service.ports.http }}
|
||||
protocol: TCP
|
||||
targetPort: {{ .Values.controller.service.targetPorts.http }}
|
||||
targetPort: {{ .Values.controller.service.internal.targetPorts.http | default .Values.controller.service.targetPorts.http }}
|
||||
{{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
|
||||
appProtocol: http
|
||||
{{- end }}
|
||||
@@ -41,9 +41,9 @@ spec:
|
||||
{{- end }}
|
||||
{{- if .Values.controller.service.enableHttps }}
|
||||
- name: https
|
||||
port: {{ .Values.controller.service.ports.https }}
|
||||
port: {{ .Values.controller.service.internal.ports.https | default .Values.controller.service.ports.https }}
|
||||
protocol: TCP
|
||||
targetPort: {{ .Values.controller.service.targetPorts.https }}
|
||||
targetPort: {{ .Values.controller.service.internal.targetPorts.https | default .Values.controller.service.targetPorts.https }}
|
||||
{{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
|
||||
appProtocol: https
|
||||
{{- end }}
|
||||
|
||||
@@ -31,10 +31,10 @@ spec:
|
||||
externalTrafficPolicy: {{ .Values.controller.metrics.service.externalTrafficPolicy }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: metrics
|
||||
- name: {{ .Values.controller.metrics.portName }}
|
||||
port: {{ .Values.controller.metrics.service.servicePort }}
|
||||
protocol: TCP
|
||||
targetPort: metrics
|
||||
targetPort: {{ .Values.controller.metrics.portName }}
|
||||
{{- $setNodePorts := (or (eq .Values.controller.metrics.service.type "NodePort") (eq .Values.controller.metrics.service.type "LoadBalancer")) }}
|
||||
{{- if (and $setNodePorts (not (empty .Values.controller.metrics.service.nodePort))) }}
|
||||
nodePort: {{ .Values.controller.metrics.service.nodePort }}
|
||||
|
||||
@@ -12,7 +12,7 @@ metadata:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- if .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
|
||||
{{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
|
||||
@@ -14,7 +14,7 @@ metadata:
|
||||
{{- end }}
|
||||
spec:
|
||||
endpoints:
|
||||
- port: metrics
|
||||
- port: {{ .Values.controller.metrics.portName }}
|
||||
interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.honorLabels }}
|
||||
honorLabels: true
|
||||
|
||||
@@ -37,7 +37,7 @@ spec:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
|
||||
{{- include "ingress-nginx.labels" . | nindent 8 }}
|
||||
app.kubernetes.io/component: controller
|
||||
{{- with .Values.controller.labels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
@@ -85,8 +85,8 @@ spec:
|
||||
command:
|
||||
- {{ .Values.appsec.command }}
|
||||
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
|
||||
args:
|
||||
{{- if (eq "stand-alone" .Values.appsec.mode) }}
|
||||
args:
|
||||
{{- if (eq "standalone" .Values.appsec.mode) }}
|
||||
- --hybrid-mode
|
||||
- --token
|
||||
- cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0
|
||||
@@ -101,9 +101,11 @@ spec:
|
||||
{{- if .Values.appsec.proxy }}
|
||||
- --proxy
|
||||
- {{ .Values.appsec.proxy }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
|
||||
env:
|
||||
- name: user_email
|
||||
value: {{ .Values.appsec.userEmail }}
|
||||
{{- if eq .Values.appsec.playground false }}
|
||||
- name: SHARED_STORAGE_HOST
|
||||
value: {{ .Values.appsec.storage.name }}-svc
|
||||
@@ -122,8 +124,8 @@ spec:
|
||||
- name: appsec-conf
|
||||
mountPath: /etc/cp/conf
|
||||
- name: appsec-data
|
||||
mountPath: /etc/cp/data
|
||||
{{- end }}
|
||||
mountPath: /etc/cp/data
|
||||
{{- end }}
|
||||
- name: {{ .Values.controller.containerName }}
|
||||
{{- with .Values.controller.image }}
|
||||
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
|
||||
@@ -132,7 +134,7 @@ spec:
|
||||
{{- if .Values.controller.lifecycle }}
|
||||
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
|
||||
{{- end }}
|
||||
args:
|
||||
args:
|
||||
{{- include "ingress-nginx.params" . | nindent 12 }}
|
||||
securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
|
||||
env:
|
||||
@@ -150,12 +152,16 @@ spec:
|
||||
{{- end }}
|
||||
{{- if .Values.controller.extraEnvs }}
|
||||
{{- toYaml .Values.controller.extraEnvs | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.startupProbe }}
|
||||
startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.livenessProbe }}
|
||||
livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.readinessProbe }}
|
||||
readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
{{- range $key, $value := .Values.controller.containerPort }}
|
||||
- name: {{ $key }}
|
||||
@@ -166,7 +172,7 @@ spec:
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.metrics.enabled }}
|
||||
- name: metrics
|
||||
- name: {{ .Values.controller.metrics.portName }}
|
||||
containerPort: {{ .Values.controller.metrics.port }}
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
@@ -191,11 +197,15 @@ spec:
|
||||
hostPort: {{ $key }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
|
||||
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
|
||||
volumeMounts:
|
||||
{{- if .Values.controller.extraModules }}
|
||||
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
|
||||
- name: modules
|
||||
{{ if .Values.controller.image.chroot }}
|
||||
mountPath: /chroot/modules_mount
|
||||
{{ else }}
|
||||
mountPath: /modules_mount
|
||||
{{ end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.customTemplate.configMapName }}
|
||||
- mountPath: /etc/nginx/template
|
||||
@@ -217,21 +227,21 @@ spec:
|
||||
{{- if .Values.controller.extraContainers }}
|
||||
{{ toYaml .Values.controller.extraContainers | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
|
||||
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
|
||||
initContainers:
|
||||
{{- if .Values.controller.extraInitContainers }}
|
||||
{{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.extraModules }}
|
||||
{{- range .Values.controller.extraModules }}
|
||||
- name: {{ .name }}
|
||||
image: {{ .image }}
|
||||
command: ['sh', '-c', '/usr/local/bin/init_module.sh']
|
||||
volumeMounts:
|
||||
- name: modules
|
||||
mountPath: /modules_mount
|
||||
{{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
|
||||
{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.opentelemetry.enabled}}
|
||||
{{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
|
||||
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
|
||||
{{- end}}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.hostNetwork }}
|
||||
hostNetwork: {{ .Values.controller.hostNetwork }}
|
||||
@@ -250,13 +260,13 @@ spec:
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
|
||||
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
|
||||
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
|
||||
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
|
||||
volumes:
|
||||
- name: advanced-model
|
||||
configMap:
|
||||
name: advanced-model-config
|
||||
optional: true
|
||||
{{- if .Values.controller.extraModules }}
|
||||
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
|
||||
- name: modules
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
@@ -272,6 +282,13 @@ spec:
|
||||
- name: webhook-cert
|
||||
secret:
|
||||
secretName: {{ include "ingress-nginx.fullname" . }}-admission
|
||||
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
|
||||
items:
|
||||
- key: tls.crt
|
||||
path: cert
|
||||
- key: tls.key
|
||||
path: key
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.extraVolumes }}
|
||||
{{ toYaml .Values.controller.extraVolumes | nindent 8 }}
|
||||
|
||||
@@ -0,0 +1,19 @@
|
||||
{{- if .Values.controller.admissionWebhooks.enabled }}
|
||||
{{- if .Values.controller.admissionWebhooks.networkPolicyEnabled }}
|
||||
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: {{ include "ingress-nginx.fullname" . }}-webhooks-allow
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
ingress:
|
||||
- {}
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "ingress-nginx.name" . }}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -19,6 +19,11 @@ spec:
|
||||
replicas: {{ .Values.defaultBackend.replicaCount }}
|
||||
{{- end }}
|
||||
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
|
||||
{{- if .Values.defaultBackend.updateStrategy }}
|
||||
strategy:
|
||||
{{ toYaml .Values.defaultBackend.updateStrategy | nindent 4 }}
|
||||
{{- end }}
|
||||
minReadySeconds: {{ .Values.defaultBackend.minReadySeconds }}
|
||||
template:
|
||||
metadata:
|
||||
{{- if .Values.defaultBackend.podAnnotations }}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }}
|
||||
apiVersion: autoscaling/v2beta1
|
||||
apiVersion: {{ .Values.defaultBackend.autoscaling.apiVersion }}
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
labels:
|
||||
@@ -22,12 +22,16 @@ spec:
|
||||
- type: Resource
|
||||
resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: {{ . }}
|
||||
target:
|
||||
type: Utilization
|
||||
averageUtilization: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
|
||||
- type: Resource
|
||||
resource:
|
||||
name: memory
|
||||
targetAverageUtilization: {{ . }}
|
||||
target:
|
||||
type: Utilization
|
||||
averageUtilization: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
|
||||
{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
|
||||
apiVersion: policy/v1beta1
|
||||
kind: PodSecurityPolicy
|
||||
@@ -34,3 +35,4 @@ spec:
|
||||
- secret
|
||||
- downwardAPI
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
{{- with .Values.dhParam -}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "ingress-nginx.controller.fullname" $ }}
|
||||
labels:
|
||||
{{- include "ingress-nginx.labels" $ | nindent 4 }}
|
||||
data:
|
||||
dhparam.pem: {{ . }}
|
||||
{{- end }}
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- if and (eq "stand-alone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
|
||||
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
@@ -53,7 +53,7 @@ spec:
|
||||
timeoutSeconds: 10
|
||||
env:
|
||||
- name: APPSEC_MODE
|
||||
value: {{ .Values.appsec.mode }}
|
||||
value: stand-alone
|
||||
- name: RP_BASEURL
|
||||
value: http://{{ .Values.appsec.storage.name }}-svc/api
|
||||
- name: K8S_NAMESPACE
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- if and (eq "stand-alone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
|
||||
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
|
||||
Reference in New Issue
Block a user