From 3d11ead1703bdd58917cf58a69d93f74b214b021 Mon Sep 17 00:00:00 2001 
From: Ned Wright Date: Sun, 8 Oct 2023 07:15:09 +0000 Subject: [PATCH] Updating charts --- .../open-appsec-k8s-nginx-ingress/Chart.yaml | 9 +- .../open-appsec-k8s-nginx-ingress/README.md | 24 +- .../changelog/Changelog-4.7.2.md | 9 + .../changelog/Changelog-4.8.0-beta.0.md | 13 + .../changelog/Changelog-4.8.0.md | 13 + .../changelog/Changelog-4.8.1.md | 9 + .../templates/_helpers.tpl | 5 +- .../templates/_params.tpl | 3 + .../job-patch/networkpolicy.yaml | 10 +- .../templates/appsec.yaml | 1548 ++++++++++++++--- .../templates/controller-daemonset.yaml | 14 +- .../templates/controller-deployment.yaml | 19 +- .../templates/controller-networkpolicy.yaml | 45 + .../controller-service-internal.yaml | 2 +- .../templates/controller-service.yaml | 2 +- .../templates/controller-serviceaccount.yaml | 3 +- .../templates/controller-servicemonitor.yaml | 2 + .../controller-webhooks-networkpolicy.yaml | 19 - .../default-backend-networkpolicy.yaml | 25 + .../open-appsec-k8s-nginx-ingress/values.yaml | 60 +- .../charts/open-appsec-kong/CHANGELOG.md | 93 + .../charts/open-appsec-kong/Chart.yaml | 4 +- .../charts/open-appsec-kong/README.md | 32 +- .../charts/open-appsec-kong/UPGRADE.md | 32 +- .../admin-api-service-clusterip-values.yaml | 18 + .../ci/admin-api-service-clusterip.yaml | 6 - ...-labels.yaml => custom-labels-values.yaml} | 3 - .../open-appsec-kong/ci/default-values.yaml | 3 - .../ci/kong-ingress-1-values.yaml | 1 - .../ci/kong-ingress-2-values.yaml | 1 - .../ci/kong-ingress-3-values.yaml | 1 - .../ci/kong-ingress-4-values.yaml | 1 - ....yaml => single-image-default-values.yaml} | 6 +- ...est-enterprise-version-3.4.0.0-values.yaml | 14 + .../open-appsec-kong/ci/test1-values.yaml | 2 - .../open-appsec-kong/ci/test2-values.yaml | 6 +- .../open-appsec-kong/ci/test3-values.yaml | 2 - .../open-appsec-kong/ci/test4-values.yaml | 1 - .../open-appsec-kong/ci/test5-values.yaml | 2 - .../open-appsec-kong/ci/test6-values.yaml | 34 - .../crds/custom-resource-definitions.yaml | 457 
++++- .../quickstart-enterprise-licensed-aio.yaml | 4 +- .../full-k4k8s-with-kong-enterprise.yaml | 2 +- .../minimal-k4k8s-with-kong-enterprise.yaml | 2 +- .../minimal-kong-controller.yaml | 2 +- .../minimal-kong-enterprise-dbless.yaml | 2 +- ...inimal-kong-enterprise-hybrid-control.yaml | 2 +- .../minimal-kong-enterprise-hybrid-data.yaml | 2 +- .../minimal-kong-hybrid-control.yaml | 2 +- .../minimal-kong-hybrid-data.yaml | 2 +- .../minimal-kong-standalone.yaml | 2 +- .../open-appsec-kong/templates/_helpers.tpl | 88 +- .../templates/admission-webhook.yaml | 25 + .../open-appsec-kong/templates/appsec.yaml | 37 +- .../templates/deployment.yaml | 37 +- .../templates/migrations-post-upgrade.yaml | 3 + .../templates/migrations-pre-upgrade.yaml | 5 + .../templates/migrations.yaml | 5 + .../templates/service-kong-manager.yaml | 2 - .../charts/open-appsec-kong/values.yaml | 22 +- 60 files changed, 2259 insertions(+), 540 deletions(-) create mode 100644 build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.2.md create mode 100644 build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.0-beta.0.md create mode 100644 build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.0.md create mode 100644 build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.1.md create mode 100644 build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-networkpolicy.yaml delete mode 100644 build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-webhooks-networkpolicy.yaml create mode 100644 build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-networkpolicy.yaml create mode 100644 build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip-values.yaml delete mode 100644 build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip.yaml rename build_system/charts/open-appsec-kong/ci/{custom-labels.yaml => custom-labels-values.yaml} (96%) rename 
build_system/charts/open-appsec-kong/ci/{single-image-default.yaml => single-image-default-values.yaml} (63%) create mode 100644 build_system/charts/open-appsec-kong/ci/test-enterprise-version-3.4.0.0-values.yaml delete mode 100644 build_system/charts/open-appsec-kong/ci/test6-values.yaml
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
index d9067d7..f5e946c 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml
@@ -1,12 +1,9 @@
 annotations:
 artifacthub.io/changes: |
- - "Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)"
- - "feat(helm): Add loadBalancerClass (#9562)"
- - "added helmshowvalues example (#10019)"
- - "Update Ingress-Nginx version controller-v1.8.1"
+ - "Update Ingress-Nginx version controller-v1.9.1"
 artifacthub.io/prerelease: "false"
 apiVersion: v2
-appVersion: 1.8.1
+appVersion: latest
 keywords:
 - ingress
 - nginx
@@ -14,4 +11,4 @@ kubeVersion: '>=1.20.0-0'
 name: open-appsec-k8s-nginx-ingress
 sources:
 - https://github.com/kubernetes/ingress-nginx
-version: 4.7.1
+version: 4.8.1
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/README.md b/build_system/charts/open-appsec-k8s-nginx-ingress/README.md
index 9550918..9016e92 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/README.md
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/README.md
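Review bot: `+appVersion: latest` replaces a pinned controller version with a floating label, while the README hunk in this same patch advertises AppVersion 1.9.1 and pins `controller.image.tag` to `v1.9.1`, so the chart metadata no longer states which controller it ships. Chart consumers and vulnerability scanners key off `appVersion` to match advisories against the ingress-nginx release line, and `latest` defeats that even though it does not itself select an image. I would keep it pinned and bump it together with the image tag: `appVersion: 1.9.1`.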
@@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.7.1](https://img.shields.io/badge/Version-4.7.1-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square) +![Version: 4.8.1](https://img.shields.io/badge/Version-4.8.1-informational?style=flat-square) ![AppVersion: 1.9.1](https://img.shields.io/badge/AppVersion-1.9.1-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -249,7 +249,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | | | controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks | | controller.admissionWebhooks.namespaceSelector | object | `{}` | | -| controller.admissionWebhooks.networkPolicyEnabled | bool | `false` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | | controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` | | 
@@ -274,7 +273,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.service.servicePort | int | `443` | | | controller.admissionWebhooks.service.type | string | `"ClusterIP"` | | | controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # | -| controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | +| controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | | controller.autoscaling.annotations | object | `{}` | | | controller.autoscaling.behavior | object | `{}` | | 
@@ -294,8 +293,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. | | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | +| controller.enableAnnotationValidations | bool | `false` | | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | -| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false | +| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false | | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | 
@@ -306,6 +306,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. | | controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. | +| controller.hostAliases | list | `[]` | Optionally customize the pod hostAliases. | | controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged | | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not | | controller.hostPort.ports.http | int | `80` | 'hostPort' http port | 
@@ -313,13 +314,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd"` | | -| controller.image.digestChroot | string | `"sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627"` | | +| controller.image.digest | string | `"sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25"` | | +| controller.image.digestChroot | string | `"sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.8.1"` | | +| controller.image.tag | string | `"v1.9.1"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | 
@@ -372,10 +373,12 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.name | string | `"controller"` | | +| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0"` | | +| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | | +| controller.opentelemetry.resources | object | `{}` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata | | controller.podSecurityContext | object | `{}` | Security Context policies for controller pods | 
@@ -399,14 +402,14 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.scope.enabled | bool | `false` | Enable 'scope' or not | | controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) | | controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. | -| controller.service.annotations | object | `{}` | | +| controller.service.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. | | controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 # | | controller.service.enableHttp | bool | `true` | | | controller.service.enableHttps | bool | `true` | | | controller.service.enabled | bool | `true` | | | controller.service.external.enabled | bool | `true` | | | controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | -| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. 
| +| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. | | controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). | | controller.service.internal.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. | | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. | @@ -469,6 +472,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.minAvailable | int | `1` | | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | +| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.2.md b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.2.md new file mode 100644 index 0000000..57b17b9 --- /dev/null +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.2.md 
@@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.7.2 + +* Update Ingress-Nginx version controller-v1.8.2 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.1...helm-chart-4.7.2 diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.0-beta.0.md b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.0-beta.0.md new file mode 100644 index 0000000..9072a75 --- /dev/null +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.0-beta.0.md @@ -0,0 +1,13 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.8.0-beta.0 + +* ci(helm): fix Helm Chart release action 422 error (#10237) +* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249) +* [helm] configure allow to configure hostAliases (#10180) +* [helm] pass service annotations through helm tpl engine (#10084) +* Update Ingress-Nginx version controller-v1.9.0-beta.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0-beta.0 diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.0.md b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.0.md new file mode 100644 index 0000000..af8f124 --- /dev/null +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.0.md 
@@ -0,0 +1,13 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.8.0 + +* ci(helm): fix Helm Chart release action 422 error (#10237) +* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249) +* [helm] configure allow to configure hostAliases (#10180) +* [helm] pass service annotations through helm tpl engine (#10084) +* Update Ingress-Nginx version controller-v1.9.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0 diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.1.md b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.1.md new file mode 100644 index 0000000..53a4493 --- /dev/null +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.1.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.8.1 + +* Update Ingress-Nginx version controller-v1.9.1 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.0...helm-chart-4.8.1 diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl index 548e8cf..bd268cf 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl @@ -198,7 +198,6 @@ IngressClass parameters. Extra modules. */}} {{- define "extraModules" -}} - - name: {{ .name }} image: {{ .image }} {{- if .distroless | default false }} 
@@ -209,8 +208,10 @@ Extra modules. {{- if .containerSecurityContext }} securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }} {{- end }} + {{- if .resources }} + resources: {{ .resources | toYaml | nindent 4 }} + {{- end }} volumeMounts: - name: {{ toYaml "modules"}} mountPath: {{ toYaml "/modules_mount"}} - {{- end -}} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_params.tpl b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_params.tpl index a1aef01..47d024e 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_params.tpl +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/_params.tpl @@ -1,5 +1,8 @@ {{- define "ingress-nginx.params" -}} - /nginx-ingress-controller +{{- if .Values.controller.enableAnnotationValidations }} +- --enable-annotation-validation=true +{{- end }} {{- if .Values.defaultBackend.enabled }} - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }} {{- end }} diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/networkpolicy.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/networkpolicy.yaml index 08b3225..d59da7c 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/networkpolicy.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/networkpolicy.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.networkPolicyEnabled }} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: 
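Review bot: In `_params.tpl`, `--enable-annotation-validation=true` is emitted only when `controller.enableAnnotationValidations` is set, and the README row added in this patch documents that value as defaulting to `false`, so a default install does not get the controller-side annotation validation this flag turns on (presumably the upstream check that rejects annotation values unsafe for the rendered nginx config — confirm against the controller's flag help). Since the same patch flips `controller.allowSnippetAnnotations` to `false`, defaulting this flag to `true` in `values.yaml` (not in this chunk) would be consistent with that hardening, or at least the README row should say what it guards, e.g. `Enable validation of Ingress annotation values before they are rendered into the nginx config`. The `ingress-nginx.params` define continues past the end of this hunk.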
@@ -16,11 +16,11 @@ metadata:
 spec:
 podSelector:
 matchLabels:
- {{- include "ingress-nginx.labels" . | nindent 6 }}
+ {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
 app.kubernetes.io/component: admission-webhook
 policyTypes:
- - Ingress
- - Egress
+ - Ingress
+ - Egress
 egress:
- - {}
+ - {}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml
index 147692b..42f6109 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/appsec.yaml
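Review bot: The re-indented `egress: - {}` still grants the admission-webhook patch pods unrestricted egress, so the only restriction this NetworkPolicy actually imposes is deny-all ingress (Ingress is in `policyTypes` with no ingress rules), and with the first hunk it is now created by default whenever the patch job is enabled and cert-manager is not. Judging from the `admission-webhooks/job-patch` path, these pods only need to reach the Kubernetes API server (plus cluster DNS), so a least-privilege policy would scope egress to that endpoint; the API server address is cluster-specific, so it would have to come from a chart value rather than be hard-coded here. The switch of `podSelector` to `ingress-nginx.selectorLabels` looks correct, since the full label set includes chart/version labels that are not stable selectors. A comment above the egress rule stating the intent, `# allow-all egress: the patch job must reach the API server; narrow per cluster if required`, would at least make the choice explicit.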
@@ -1,304 +1,1207 @@ -{{- if (not (eq .Values.kind "Vanilla")) }} -{{- include "isControllerTagValid" . -}} -apiVersion: apps/v1 -{{- if (eq .Values.kind "AppSec") }} -{{- if (eq .Values.controller.kind "DaemonSet") }} -kind: DaemonSet -{{- else }} -kind: Deployment -{{- end }} -{{- else if eq .Values.kind "AppSecStateful" }} -kind: StatefulSet -{{- end }} -metadata: - labels: - {{- include "ingress-nginx.labels" . | nindent 4 }} - app.kubernetes.io/component: controller - {{- with .Values.controller.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} - {{- if .Values.controller.annotations }} - annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} - app.kubernetes.io/component: controller - {{- if not .Values.controller.autoscaling.enabled }} - {{- if eq .Values.kind "AppSecStateful" }} - serviceName: "open-appsec-stateful-set" - {{- end }} - {{- if or (not (eq .Values.controller.kind "DaemonSet")) (and (eq .Values.kind "AppSecStateful") (eq .Values.controller.kind "DaemonSet")) }} - replicas: {{ .Values.controller.replicaCount }} - {{- end }} - {{- end }} - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - {{- if .Values.controller.updateStrategy }} - {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} - updateStrategy: - {{- else }} - strategy: - {{- end }} - {{ toYaml .Values.controller.updateStrategy | nindent 4 }} - {{- end }} - {{- if (eq .Values.kind "AppSec") }} - minReadySeconds: {{ .Values.controller.minReadySeconds }} - {{- end }} - template: - metadata: - {{- if .Values.controller.podAnnotations }} - annotations: - {{- range $key, $value := .Values.controller.podAnnotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} - labels: - {{- include 
"ingress-nginx.labels" . | nindent 8 }} - app.kubernetes.io/component: controller - {{- with .Values.controller.labels }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.controller.podLabels }} - {{- toYaml .Values.controller.podLabels | nindent 8 }} - {{- end }} - spec: - {{- if .Values.controller.dnsConfig }} - dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} - {{- end }} - {{- if .Values.controller.hostname }} - hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} - {{- end }} - dnsPolicy: {{ .Values.controller.dnsPolicy }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} - {{- end }} - {{- if .Values.controller.priorityClassName }} - priorityClassName: {{ .Values.controller.priorityClassName | quote }} - {{- end }} - {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} - securityContext: - {{- end }} - {{- if .Values.controller.podSecurityContext }} - {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} - {{- end }} - {{- if .Values.controller.sysctls }} - sysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - name: {{ $sysctl | quote }} - value: {{ $value | quote }} - {{- end }} - {{- end }} - {{- if .Values.controller.shareProcessNamespace }} - shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} - {{- end }} - containers: - - name: {{ .Values.appsec.name }} - securityContext: - {{ toYaml .Values.appsec.securityContext | nindent 12 }} - {{- $tag := .Values.appsec.image.tag }} - {{- if .Values.appsec.configMapContent.crowdsec.enabled }} - {{- $tag = "crowdsec-1.2314-rc1" }} - {{- end }} - {{- with .Values.appsec.image }} - image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" - {{- end }} - command: - - {{ .Values.appsec.command }} - imagePullPolicy: {{ 
.Values.appsec.image.pullPolicy }} - args: - {{- if (eq "standalone" .Values.appsec.mode) }} - - --hybrid-mode - - --token - - cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0 - {{- else }} - - --token - - {{ .Values.appsec.agentToken }} - {{- end -}} - {{- if .Values.appsec.customFog.enabled }} - - --fog - - {{ .Values.appsec.customFog.fogAddress }} - {{- end }} - {{- if .Values.appsec.proxy }} - - --proxy - - {{ .Values.appsec.proxy }} - {{- end }} - imagePullPolicy: {{ .Values.appsec.image.pullPolicy }} - env: - - name: user_email - value: {{ .Values.appsec.userEmail }} - - name: registered_server - value: "NGINX Server" - {{- if eq .Values.appsec.playground false }} - - name: SHARED_STORAGE_HOST - value: {{ .Values.appsec.storage.name }}-svc - - name: LEARNING_HOST - value: {{ .Values.appsec.learning.name }}-svc - {{- else }} - - name: PLAYGROUND - value: "true" - {{- end }} - envFrom: - - configMapRef: - name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" }} - - secretRef: - name: {{ .Values.appsec.secretName | default "appsec-settings-secret" }} - resources: - {{ toYaml .Values.resources | nindent 12 }} - volumeMounts: - - name: advanced-model - mountPath: /advanced-model - {{- if (eq .Values.appsec.persistence.enabled true) }} - - name: appsec-conf - mountPath: /etc/cp/conf - - name: appsec-data - mountPath: /etc/cp/data - {{- end }} - - name: {{ .Values.controller.containerName }} - {{- $tag := .Values.appsec.nginx.image.tag }} - {{- if .Values.appsec.configMapContent.crowdsec.enabled }} - {{- $tag = "1.2303.1-rc1-v1.3.0" }} - {{- end }} - {{- with .Values.appsec.nginx.image }} - image: "{{ .repository }}:{{ .tag }}" - {{- end }} - imagePullPolicy: {{ .Values.controller.image.pullPolicy }} - {{- if .Values.controller.lifecycle }} - lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} - {{- end }} - args: - {{- include "ingress-nginx.params" . 
| nindent 12 }} - securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- if .Values.controller.enableMimalloc }} - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - {{- end }} - {{- if .Values.controller.extraEnvs }} - {{- toYaml .Values.controller.extraEnvs | nindent 12 }} - {{- end }} - {{- if .Values.controller.startupProbe }} - startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }} - {{- end }} - {{- if .Values.controller.livenessProbe }} - livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }} - {{- end }} - {{- if .Values.controller.readinessProbe }} - readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }} - {{- end }} - ports: - {{- range $key, $value := .Values.controller.containerPort }} - - name: {{ $key }} - containerPort: {{ $value }} - protocol: TCP - {{- if $.Values.controller.hostPort.enabled }} - hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }} - {{- end }} - {{- end }} - {{- if .Values.controller.metrics.enabled }} - - name: {{ .Values.controller.metrics.portName }} - containerPort: {{ .Values.controller.metrics.port }} - protocol: TCP - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook - containerPort: {{ .Values.controller.admissionWebhooks.port }} - protocol: TCP - {{- end }} - {{- range $key, $value := .Values.tcp }} - - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp - containerPort: {{ $key }} - protocol: TCP - {{- if $.Values.controller.hostPort.enabled }} - hostPort: {{ $key }} - {{- end }} - {{- end }} - {{- range $key, $value := .Values.udp }} - - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp - containerPort: {{ $key }} - 
protocol: UDP - {{- if $.Values.controller.hostPort.enabled }} - hostPort: {{ $key }} - {{- end }} - {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - volumeMounts: - {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - - name: modules - {{ if .Values.controller.image.chroot }} - mountPath: /chroot/modules_mount - {{ else }} - mountPath: /modules_mount - {{ end }} - {{- end }} - {{- if .Values.controller.customTemplate.configMapName }} - - mountPath: /etc/nginx/template - name: nginx-template-volume - readOnly: true - {{- end }} - {{- if .Values.controller.admissionWebhooks.enabled }} - - name: webhook-cert - mountPath: /usr/local/certificates/ - readOnly: true - {{- end }} - {{- if .Values.controller.extraVolumeMounts }} - {{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.controller.resources }} - resources: {{ toYaml .Values.controller.resources | nindent 12 }} - {{- end }} - {{- if .Values.controller.extraContainers }} - {{ toYaml .Values.controller.extraContainers | nindent 8 }} - {{- end }} - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - initContainers: - {{- if .Values.controller.extraInitContainers }} - {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} - {{- end }} - {{- if .Values.controller.extraModules }} - {{- range .Values.controller.extraModules }} - {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} -{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }} - {{- end }} - {{- end }} - {{- if .Values.controller.opentelemetry.enabled}} - {{ 
$otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} - {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext ) | nindent 8}} +{{- if (not (eq .Values.kind "Vanilla")) }} {{ else }} - {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" false) | nindent 8}} {{- end }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} +{{- include "isControllerTagValid" . -}} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} +apiVersion: apps/v1 + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} +{{- if (eq .Values.kind "AppSec") }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} +{{- if (eq .Values.controller.kind "DaemonSet") }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} +kind: DaemonSet + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} +{{- else }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind 
"Vanilla")) }} + {{ else }} +kind: Deployment + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} +{{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} +{{- else if eq .Values.kind "AppSecStateful" }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} +kind: StatefulSet + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} +{{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} +metadata: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + labels: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- include "ingress-nginx.labels" . | nindent 4 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + app.kubernetes.io/component: controller + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- with .Values.controller.labels }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- toYaml . 
| nindent 4 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + name: {{ include "ingress-nginx.controller.fullname" . }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + namespace: {{ .Release.Namespace }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.annotations }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} +spec: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + selector: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + matchLabels: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- include "ingress-nginx.selectorLabels" . 
| nindent 6 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + app.kubernetes.io/component: controller + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if not (or .Values.controller.autoscaling.enabled .Values.controller.keda.enabled) }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if eq .Values.kind "AppSecStateful" }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + serviceName: "open-appsec-stateful-set" + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if or (not (eq .Values.controller.kind "DaemonSet")) (and (eq .Values.kind "AppSecStateful") (eq .Values.controller.kind "DaemonSet")) }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + replicas: {{ .Values.controller.replicaCount }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if 
(not (eq .Values.kind "Vanilla")) }} + {{ else }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.updateStrategy }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + updateStrategy: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- else }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if (eq .Values.kind "AppSec") }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + minReadySeconds: {{ .Values.controller.minReadySeconds }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind 
"DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + template: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + metadata: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.podAnnotations }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + annotations: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- range $key, $value := .Values.controller.podAnnotations }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{ $key }}: {{ $value | quote }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + labels: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- include "ingress-nginx.labels" . 
| nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + app.kubernetes.io/component: controller + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- with .Values.controller.labels }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- toYaml . | nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.podLabels }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- toYaml .Values.controller.podLabels | nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + spec: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.dnsConfig }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} + {{- if (and (not (eq .Values.kind 
"AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.hostAliases }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.hostname }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + dnsPolicy: {{ .Values.controller.dnsPolicy }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.imagePullSecrets }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- if (and (not (eq 
.Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.priorityClassName }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + priorityClassName: {{ .Values.controller.priorityClassName | quote }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + securityContext: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.podSecurityContext }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) 
(eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.sysctls }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + sysctls: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- range $sysctl, $value := .Values.controller.sysctls }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: {{ $sysctl | quote }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + value: {{ $value | quote }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.shareProcessNamespace }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind 
"Vanilla")) }} + {{ else }} + containers: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: {{ .Values.appsec.name }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + securityContext: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{ toYaml .Values.appsec.securityContext | nindent 12 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- $tag := .Values.appsec.image.tag }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.appsec.configMapContent.crowdsec.enabled }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- $tag = "crowdsec-1.2314-rc1" }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- with .Values.appsec.image }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" + {{- if (and (not (eq .Values.kind 
"AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + command: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - {{ .Values.appsec.command }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + imagePullPolicy: {{ .Values.appsec.image.pullPolicy }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + args: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if (eq "standalone" .Values.appsec.mode) }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - --hybrid-mode + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - --token + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0 + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- else }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + 
- --token + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - {{ .Values.appsec.agentToken }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end -}} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.appsec.customFog.enabled }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - --fog + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - {{ .Values.appsec.customFog.fogAddress }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.appsec.proxy }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - --proxy + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - {{ .Values.appsec.proxy }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else 
}} + imagePullPolicy: {{ .Values.appsec.image.pullPolicy }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + env: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: user_email + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + value: {{ .Values.appsec.userEmail }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: registered_server + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + value: "NGINX Server" + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if eq .Values.appsec.playground false }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: SHARED_STORAGE_HOST + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + value: {{ .Values.appsec.storage.name }}-svc + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: LEARNING_HOST + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + value: {{ .Values.appsec.learning.name }}-svc + {{- if (and (not (eq .Values.kind 
"AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- else }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: PLAYGROUND + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + value: "true" + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + envFrom: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - configMapRef: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - secretRef: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + name: {{ .Values.appsec.secretName | default "appsec-settings-secret" }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + resources: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{ toYaml 
.Values.resources | nindent 12 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + volumeMounts: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: advanced-model + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + mountPath: /advanced-model + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if (eq .Values.appsec.persistence.enabled true) }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: appsec-conf + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + mountPath: /etc/cp/conf + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: appsec-data + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + mountPath: /etc/cp/data + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: {{ .Values.controller.containerName }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} 
+{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- $tag := .Values.appsec.nginx.image.tag }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.appsec.configMapContent.crowdsec.enabled }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- $tag = "1.2303.1-rc1-v1.3.0" }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- with .Values.appsec.nginx.image }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + image: "{{ .repository }}:{{ .tag }}" + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.lifecycle }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind 
"DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + args: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- include "ingress-nginx.params" . | nindent 12 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + env: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: POD_NAME + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + valueFrom: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + fieldRef: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + fieldPath: metadata.name + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: POD_NAMESPACE + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + valueFrom: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq 
.Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + fieldRef: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + fieldPath: metadata.namespace + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.enableMimalloc }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: LD_PRELOAD + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + value: /usr/local/lib/libmimalloc.so + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.extraEnvs }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- toYaml .Values.controller.extraEnvs | nindent 12 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.startupProbe }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + 
startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.livenessProbe }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.readinessProbe }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + ports: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- range $key, $value := .Values.controller.containerPort }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + 
{{ else }} + - name: {{ $key }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + containerPort: {{ $value }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + protocol: TCP + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if $.Values.controller.hostPort.enabled }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.metrics.enabled }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: {{ .Values.controller.metrics.portName }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + containerPort: {{ .Values.controller.metrics.port }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + protocol: TCP + {{- if (and 
(not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.admissionWebhooks.enabled }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: webhook + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + containerPort: {{ .Values.controller.admissionWebhooks.port }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + protocol: TCP + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- range $key, $value := .Values.tcp }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + containerPort: {{ $key }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + protocol: TCP + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq 
.Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if $.Values.controller.hostPort.enabled }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + hostPort: {{ $key }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- range $key, $value := .Values.udp }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + containerPort: {{ $key }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + protocol: UDP + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if $.Values.controller.hostPort.enabled }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + hostPort: {{ $key }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq 
.Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + volumeMounts: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: modules + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{ if .Values.controller.image.chroot }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + mountPath: /chroot/modules_mount + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{ else }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + mountPath: /modules_mount + {{- if (and (not (eq .Values.kind 
"AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{ end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.customTemplate.configMapName }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - mountPath: /etc/nginx/template + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + name: nginx-template-volume + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + readOnly: true + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.admissionWebhooks.enabled }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + - name: webhook-cert + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + mountPath: /usr/local/certificates/ + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} 
+ readOnly: true + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.extraVolumeMounts }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.resources }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + resources: {{ toYaml .Values.controller.resources | nindent 12 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.extraContainers }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{ toYaml .Values.controller.extraContainers | nindent 8 }} + {{- if (and 
(not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + initContainers: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.extraInitContainers }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.extraModules }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- range .Values.controller.extraModules }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind 
"DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- if .Values.controller.opentelemetry.enabled}} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- end}} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind 
"Vanilla")) }} + {{ else }} {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- if .Values.controller.hostNetwork }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} hostNetwork: {{ .Values.controller.hostNetwork }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- if .Values.controller.nodeSelector }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- if .Values.controller.tolerations }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- if 
.Values.controller.affinity }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- if .Values.controller.topologySpreadConstraints }} - topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} + topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . 
}} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} volumes: - name: advanced-model configMap: 
@@ -312,34 +1215,121 @@ spec: persistentVolumeClaim: claimName: {{ .Values.appsec.name }}-data {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} - name: modules + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} emptyDir: {} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- if .Values.controller.customTemplate.configMapName }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} - name: nginx-template-volume + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} configMap: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} name: {{ .Values.controller.customTemplate.configMapName }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} items: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} - key: {{ 
.Values.controller.customTemplate.configMapKey }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} path: nginx.tmpl + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- if .Values.controller.admissionWebhooks.enabled }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} - name: webhook-cert + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} secret: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} secretName: {{ include "ingress-nginx.fullname" . 
}}-admission + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- if .Values.controller.admissionWebhooks.certManager.enabled }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} items: + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} - key: tls.crt + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} path: cert + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} - key: tls.key + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} path: key + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- if .Values.controller.extraVolumes }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{ toYaml .Values.controller.extraVolumes | nindent 8 }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} 
{{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- end }} + {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }} +{{- if (not (eq .Values.kind "Vanilla")) }} + {{ else }} {{- if (and (eq .Values.kind "AppSecStateful") .Values.appsec.persistence.enabled) }} volumeClaimTemplates: - metadata: diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml index 9435f9e..aa7156a 100644 --- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml +++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml @@ -45,6 +45,9 @@ spec: {{- if .Values.controller.dnsConfig }} dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} {{- end }} + {{- if .Values.controller.hostAliases }} + hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }} + {{- end }} {{- if .Values.controller.hostname }} hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} {{- end }} 
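Review bot: Every added `{{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }}` / `{{- if (not (eq .Values.kind "Vanilla")) }}` / `{{ else }}` triplet in this hunk opens two conditionals that nothing in the hunk closes — no matching `{{- end }}` is added for any of them, and the wrapped original line lands in the `else` branch, i.e. it would render only when `.Values.kind` is "Vanilla". Unless the closing `{{- end }}`s are emitted in bulk somewhere outside this hunk, `helm template` should fail with an unexpected-EOF parse error; and if they are, the `webhook-cert` Secret volume, the custom nginx template volume and `extraVolumes` would be dropped for every non-Vanilla deployment, which looks like the opposite of what an AppSec manifest needs. This reads like the output of a runaway line-insertion script rather than an intended change; I would revert these wrapper lines and, if a kind/DaemonSet gate is really wanted, put one `{{- if ... }}`/`{{- end }}` pair around the whole `volumes:` stanza. The enclosing `spec:` template starts well before this hunk.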
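Review bot: `hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }}` turns a values field into template code: whoever can set `controller.hostAliases` can now run Go-template functions at render time — in a real install that presumably includes `lookup`, which queries the API server with the installer's credentials — and any literal `{{` in a hostname list becomes a parse error instead of data. If values files can come from a less-trusted source (per-tenant overrides, a GitOps pipeline merging user input), that is a new trust boundary worth stating rather than leaving implicit. I would add a comment beside the key in values.yaml, e.g. `# Rendered through tpl: entries here are evaluated as Go templates.`, so operators know what they are handing the chart. The same applies to the `tpl` now wrapped around `topologySpreadConstraints` in this file.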
@@ -180,13 +183,14 @@ spec:
 {{- end }}
 {{- if .Values.controller.extraModules }}
 {{- range .Values.controller.extraModules }}
- {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }}
+ {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+ {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }}
 {{- end }}
 {{- end }}
 {{- if .Values.controller.opentelemetry.enabled}}
- {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
- {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
+ {{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+ {{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }}
+ {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}}
 {{- end}}
 {{- end }}
 {{- if .Values.controller.hostNetwork }}
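Review bot: The added `{{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }}` opens with `{{` while every neighbouring assignment in this hunk uses the left-trimming `{{-`, so the rendered manifest gains a whitespace-only line inside the containers list at that point; write it as `{{- $otelResources := $.Values.controller.opentelemetry.resources | default dict }}`. The identical line is added in the controller-deployment.yaml hunk `@@ -184,13 +186,14 @@` on this page and should get the same treatment. The output stays valid YAML, so this is a style point, not a rendering defect. The `"distroless" true` argument is consumed by the `extraModules` helper in `_helpers.tpl`, which is changed in this commit but not visible here, so I cannot confirm what flipping it to `true` changes for the daemonset.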
@@ -202,7 +206,7 @@ spec:
 affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
 {{- end }}
 {{- if .Values.controller.topologySpreadConstraints }}
- topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }}
+ topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
 terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml
index 4ade7d1..b60fd12 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml
@@ -19,13 +19,12 @@ spec:
 matchLabels:
 {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
 app.kubernetes.io/component: controller
- {{- if not .Values.controller.autoscaling.enabled }}
+ {{- if not (or .Values.controller.autoscaling.enabled .Values.controller.keda.enabled) }}
 replicas: {{ .Values.controller.replicaCount }}
 {{- end }}
 revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
 {{- if .Values.controller.updateStrategy }}
- strategy:
- {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
+ strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
 {{- end }}
 minReadySeconds: {{ .Values.controller.minReadySeconds }}
 template:
@@ -49,6 +48,9 @@ spec:
 {{- if .Values.controller.dnsConfig }}
 dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
 {{- end }}
+ {{- if .Values.controller.hostAliases }}
+ hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }}
+ {{- end }}
 {{- if .Values.controller.hostname }}
 hostname: {{ toYaml .Values.controller.hostname | nindent 8 }}
 {{- end }}
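Review bot: The new replicas guard in the controller-deployment.yaml hunk `@@ -19,13 +19,12 @@` dereferences `.Values.controller.keda.enabled`, and Go templates abort with a nil-pointer error when an intermediate map is absent, so the Deployment stops rendering for any values file that does not define `controller.keda`. None of the values.yaml hunks on this page add that key, so whether the chart's defaults already carry it is not verifiable here. A nil-tolerant form is `{{- if not (or .Values.controller.autoscaling.enabled (and .Values.controller.keda .Values.controller.keda.enabled)) }}`.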
@@ -184,13 +186,14 @@ spec:
 {{- end }}
 {{- if .Values.controller.extraModules }}
 {{- range .Values.controller.extraModules }}
- {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }}
+ {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+ {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }}
 {{- end }}
 {{- end }}
 {{- if .Values.controller.opentelemetry.enabled}}
- {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
- {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" false) | nindent 8}}
+ {{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+ {{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }}
+ {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}}
 {{- end}}
 {{- end }}
 {{- if .Values.controller.hostNetwork }}
@@ -206,7 +209,7 @@ spec:
 affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
 {{- end }}
 {{- if .Values.controller.topologySpreadConstraints }}
- topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }}
+ topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
 terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-networkpolicy.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-networkpolicy.yaml
new file mode 100644
index 0000000..15d6012
--- /dev/null
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-networkpolicy.yaml
@@ -0,0 +1,45 @@
+{{- if .Values.controller.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: controller
+ {{- with .Values.controller.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "ingress-nginx.controller.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: controller
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ {{- range $key, $value := .Values.controller.containerPort }}
+ - protocol: TCP
+ port: {{ $value }}
+ {{- end }}
+ {{- if .Values.controller.metrics.enabled }}
+ - protocol: TCP
+ port: {{ .Values.controller.metrics.port }}
+ {{- end }}
+ {{- if .Values.controller.admissionWebhooks.enabled }}
+ - protocol: TCP
+ port: {{ .Values.controller.admissionWebhooks.port }}
+ {{- end }}
+ {{- range $key, $value := .Values.tcp }}
+ - protocol: TCP
+ port: {{ $key }}
+ {{- end }}
+ {{- range $key, $value := .Values.udp }}
+ - protocol: UDP
+ port: {{ $key }}
+ {{- end }}
+ egress:
+ - {}
+{{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-internal.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-internal.yaml
index 87146b7..3966b32 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-internal.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-internal.yaml
@@ -4,7 +4,7 @@ kind: Service
 metadata:
 annotations:
 {{- range $key, $value := .Values.controller.service.internal.annotations }}
- {{ $key }}: {{ $value | quote }}
+ {{ $key }}: {{ tpl ($value | toString) $ | quote }}
 {{- end }}
 labels:
 {{- include "ingress-nginx.labels" . | nindent 4 }}
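Review bot: The `egress:` rule `- {}` in the new controller NetworkPolicy matches every destination, so listing `Egress` under `policyTypes` restricts nothing for the controller, whereas the new default-backend policy later on this page lists `Egress` with no `egress:` block at all and therefore denies all egress; if that asymmetry is deliberate, a comment above `egress:` such as `# egress is intentionally unrestricted: the controller proxies to arbitrary backend pods and watches the API server` would spare the next reader the question. The single ingress rule carries no `from:` selector, so every listed port, including the metrics and admission-webhook ports, is reachable from any peer the CNI admits; since the webhook is called only by the API server and metrics only by the scraper, a `from:` restriction on those two entries is worth considering when this policy is enabled. The webhook-only policy this replaces is deleted further down the page, so for users of that file this policy is now the only one the chart ships.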
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml
index b2735d2..f079fd4 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml
@@ -4,7 +4,7 @@ kind: Service
 metadata:
 annotations:
 {{- range $key, $value := .Values.controller.service.annotations }}
- {{ $key }}: {{ $value | quote }}
+ {{ $key }}: {{ tpl ($value | toString) $ | quote }}
 {{- end }}
 labels:
 {{- include "ingress-nginx.labels" . | nindent 4 }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-serviceaccount.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-serviceaccount.yaml
index e6e776d..e9e9f32 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-serviceaccount.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-serviceaccount.yaml
@@ -11,8 +11,7 @@ metadata:
 name: {{ template "ingress-nginx.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 {{- if .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+ annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
 {{- end }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-servicemonitor.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-servicemonitor.yaml
index 8ab16f0..482fe7f 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-servicemonitor.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-servicemonitor.yaml
@@ -5,6 +5,8 @@ metadata:
 name: {{ include "ingress-nginx.controller.fullname" . }}
 {{- if .Values.controller.metrics.serviceMonitor.namespace }}
 namespace: {{ .Values.controller.metrics.serviceMonitor.namespace | quote }}
+{{- else }}
+ namespace: {{ .Release.Namespace }}
 {{- end }}
 labels:
 {{- include "ingress-nginx.labels" . | nindent 4 }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-webhooks-networkpolicy.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-webhooks-networkpolicy.yaml
deleted file mode 100644
index f74c2fb..0000000
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-webhooks-networkpolicy.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{- if .Values.controller.admissionWebhooks.enabled }}
-{{- if .Values.controller.admissionWebhooks.networkPolicyEnabled }}
-
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: {{ include "ingress-nginx.fullname" . }}-webhooks-allow
- namespace: {{ .Release.Namespace }}
-spec:
- ingress:
- - {}
- podSelector:
- matchLabels:
- app.kubernetes.io/name: {{ include "ingress-nginx.name" . }}
- policyTypes:
- - Ingress
-
-{{- end }}
-{{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-networkpolicy.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-networkpolicy.yaml
new file mode 100644
index 0000000..f3a0126
--- /dev/null
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-networkpolicy.yaml
@@ -0,0 +1,25 @@
+{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ {{- with .Values.defaultBackend.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: default-backend
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - ports:
+ - protocol: TCP
+ port: {{ .Values.defaultBackend.port }}
+{{- end }}
diff --git a/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml b/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml
index f2dac65..d99a2ff 100644
--- a/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml
+++ b/build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml
@@ -15,6 +15,7 @@ commonLabels: {}
 controller:
 name: controller
+ enableAnnotationValidations: false
 image:
 ## Keep false as default for now!
 chroot: false
@@ -23,9 +24,9 @@ controller:
 ## for backwards compatibility consider setting the full image url via the repository value below
 ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
 ## repository:
- tag: "v1.8.1"
- digest: sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd
- digestChroot: sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627
+ tag: "v1.9.1"
+ digest: sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25
+ digestChroot: sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836
 pullPolicy: IfNotPresent
 # www-data -> uid 101
 runAsUser: 101
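Review bot: In the values.yaml hunk `@@ -15,6 +15,7 @@`, `enableAnnotationValidations: false` is added without the `# --` description that every neighbouring key carries, and as a toggle that decides whether the controller validates user-supplied Ingress annotations it is exactly the kind of key an operator needs explained before flipping it. A line such as `# -- Enable validation of Ingress annotations by the controller (presumably wired to its --enable-annotation-validation flag); kept off to preserve existing behaviour.` above the key would do. The template that consumes the value is not on this page, so the flag mapping is my inference and should be confirmed before the comment is committed.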
@@ -48,6 +49,16 @@ controller:
 addHeaders: {}
 # -- Optionally customize the pod dnsConfig.
 dnsConfig: {}
+ # -- Optionally customize the pod hostAliases.
+ hostAliases: []
+ # - ip: 127.0.0.1
+ # hostnames:
+ # - foo.local
+ # - bar.local
+ # - ip: 10.1.2.3
+ # hostnames:
+ # - foo.remote
+ # - bar.remote
 # -- Optionally customize the pod hostname.
 hostname: {}
 # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
@@ -63,14 +74,14 @@ controller:
 watchIngressWithoutClass: false
 # -- Process IngressClass per name (additionally as per spec.controller).
 ingressClassByName: false
- # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto"
+ # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto"
 # Defaults to false
 enableTopologyAwareRouting: false
 # -- This configuration defines if Ingress Controller should allow users to set
 # their own *-snippet annotations, otherwise this is forbidden / dropped
 # when users add those annotations.
 # Global snippets in ConfigMap are still respected
- allowSnippetAnnotations: true
+ allowSnippetAnnotations: false
 # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
 # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
 # is merged
@@ -85,6 +96,10 @@ controller:
 http: 80
 # -- 'hostPort' https port
 https: 443
+ # NetworkPolicy for controller component.
+ networkPolicy:
+ # -- Enable 'networkPolicy' or not
+ enabled: false
 # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader'
 electionID: ""
 ## This section refers to the creation of the IngressClass resource
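Review bot: In hunk `@@ -63,14 +74,14 @@` the default of `allowSnippetAnnotations` flips from `true` to `false`, which means `*-snippet` annotations on existing Ingress objects are silently dropped after an upgrade, yet the four-line comment above the key is left untouched and gives no hint that the default moved. The tighter default is the right call, since snippets let any Ingress author inject raw nginx configuration into the controller; it just needs to be visible where operators look, e.g. `# NOTE: default changed to false; set true explicitly if your Ingress objects rely on *-snippet annotations.` directly above the key. The chart's changelog files are part of this commit but not in view, so I cannot tell whether the change is recorded there.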
@@ -245,12 +260,22 @@ controller:
 ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
 ##
 topologySpreadConstraints: []
- # - maxSkew: 1
- # topologyKey: topology.kubernetes.io/zone
- # whenUnsatisfiable: DoNotSchedule
- # labelSelector:
+ # - labelSelector:
 # matchLabels:
- # app.kubernetes.io/instance: ingress-nginx-internal
+ # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ # app.kubernetes.io/instance: '{{ .Release.Name }}'
+ # app.kubernetes.io/component: controller
+ # topologyKey: topology.kubernetes.io/zone
+ # maxSkew: 1
+ # whenUnsatisfiable: ScheduleAnyway
+ # - labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ # app.kubernetes.io/instance: '{{ .Release.Name }}'
+ # app.kubernetes.io/component: controller
+ # topologyKey: kubernetes.io/hostname
+ # maxSkew: 1
+ # whenUnsatisfiable: ScheduleAnyway
 # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready
 ## wait up to five minutes for the drain of connections
@@ -415,6 +440,7 @@ controller:
 # Will be ignored for Kubernetes versions older than 1.20
 ## appProtocol: true
+ # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
 annotations: {}
 labels: {}
 # clusterIP: ""
@@ -476,7 +502,7 @@ controller:
 internal:
 # -- Enables an additional internal load balancer (besides the external one).
 enabled: false
- # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
+ # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
 annotations: {}
 # -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS.
 loadBalancerIP: ""
@@ -552,9 +578,10 @@ controller:
 opentelemetry:
 enabled: false
- image: registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0
+ image: registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
 containerSecurityContext:
 allowPrivilegeEscalation: false
+ resources: {}
 admissionWebhooks:
 annotations: {}
 # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".
@@ -583,7 +610,6 @@ controller:
 labels: {}
 # -- Use an existing PSP instead of creating one
 existingPsp: ""
- networkPolicyEnabled: false
 service:
 annotations: {}
 # clusterIP: ""
@@ -849,6 +875,10 @@ defaultBackend:
 maxReplicas: 2
 targetCPUUtilizationPercentage: 50
 targetMemoryUtilizationPercentage: 50
+ # NetworkPolicy for default backend component.
+ networkPolicy:
+ # -- Enable 'networkPolicy' or not
+ enabled: false
 service:
 annotations: {}
 # clusterIP: ""
@@ -909,8 +939,8 @@ appsec:
 image:
 #registry:
 repository: ghcr.io/openappsec
- image: agent
- tag: latest
+ image: "agent"
+ tag: "latest"
 pullPolicy: Always
 securityContext: {}
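Review bot: Hunk `@@ -583,7 +610,6 @@` drops `controller.admissionWebhooks.networkPolicyEnabled`, and the template that read it (controller-webhooks-networkpolicy.yaml) is deleted on this page, so an operator who had set the old key to `true` silently loses their webhook NetworkPolicy on upgrade: Helm does not warn about values keys nothing consumes, and the replacement `controller.networkPolicy.enabled` defaults to `false`. Leaving a commented stub at the old location, `# networkPolicyEnabled: removed, use controller.networkPolicy.enabled instead`, gives the next reader of values.yaml the pointer; a `{{- if .Values.controller.admissionWebhooks.networkPolicyEnabled }}{{ fail "..." }}{{- end }}` guard in a template would make the upgrade refuse to proceed instead of degrading quietly. Which of the two fits the chart's deprecation practice I cannot tell from this page.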
diff --git a/build_system/charts/open-appsec-kong/CHANGELOG.md b/build_system/charts/open-appsec-kong/CHANGELOG.md
index d1396d2..00435b5 100644
--- a/build_system/charts/open-appsec-kong/CHANGELOG.md
+++ b/build_system/charts/open-appsec-kong/CHANGELOG.md
@@ -1,5 +1,98 @@ # Changelog +## Unreleased + +Nothing yet. + +## 2.29.0 + +### Improvements +* Make it possible to set the admission webhook's `timeoutSeconds`. + +## 2.28.1 + +### Fixed + +* The admission webhook now includes Gateway API resources and Ingress + resources for controller versions 2.12+. This version introduces new + validations for Kong's regex path implementation. + +## 2.28.0 + +### Improvements + +* Bump default `kong` image tag to 3.4. + [#883](https://github.com/Kong/charts/pull/883) +* Bump default ingress controller image tag to 2.12. +* Added validation rule for `latency` upstream load balancing algorithm to + CRDs. [Upgrade your CRDs](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds) + when installing this release. + +## 2.27.0 + +### Improvements + +* Listens now all support `.address` configuration. This was an existing + setting that was not applied properly for some listens. + [#881](https://github.com/Kong/charts/pull/881) + +## 2.26.5 + +### Fixed + +* Kuma ServiceAccount Token hints and volumes are also available in migrations + Pods. + [#877](https://github.com/Kong/charts/pull/877) + +## 2.26.4 + +### Fixed + +* updated `admin_api_uri` to `admin_gui_api_url` as per [kong documentation](https://docs.konghq.com/gateway/3.4.x/reference/configuration/#admin_api_uri). + +## 2.26.3 + +### Fixed + +* Enabled Service and Ingress in Kong Manager for non enterprise users. + +## 2.26.2 + +### Fixed + +* Add missing CRD KongConsumerGroup and extend status subresource for CRDs + +## 2.26.1 + +### Fixed + +* Fix parsing enterprise tags (like e.g. `3.4.0.0`) + [#857](https://github.com/Kong/charts/pull/857) + +## 2.26.0 + +### Breaking changes + +2.26 changes the default proxy readiness endpoint for newer Kong versions. This +causes an issue in a narrow edge case. If all of the following are true: + +* You use Kong 3.3 or newer. +* You use controller 2.10 or older. 
+* You run the controller and proxy in separate Deployments. + +you are affected and should review [the 2.26 upgrade instructions](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2260). + +### Improvements + +* Use the Kong 3.3 `/status/ready` endpoint for readiness probes by default if + available. If not available, use the old `/status` default. + [#844](https://github.com/Kong/charts/pull/844) +* Add ArgoCD `Sync` and `BeforeHookCreation` [hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/) + to the the init and pre-upgrade migrations Jobs. +* Add controller's RBAC rules for `KongConsumerGroups` CRD. + [#850](https://github.com/Kong/charts/pull/850) +* Updated controller version to 2.11. + ## 2.25.0 - Generate the `adminApiService.name` value from `.Release.Name` rather than diff --git a/build_system/charts/open-appsec-kong/Chart.yaml b/build_system/charts/open-appsec-kong/Chart.yaml index 38c21be..f94eea2 100644 --- a/build_system/charts/open-appsec-kong/Chart.yaml +++ b/build_system/charts/open-appsec-kong/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: "3.3" +appVersion: 1.1.0 dependencies: - condition: postgresql.enabled name: postgresql @@ -16,4 +16,4 @@ maintainers: name: open-appsec-kong sources: - https://github.com/Kong/charts/tree/main/charts/kong -version: 2.25.0 +version: 2.29.0 diff --git a/build_system/charts/open-appsec-kong/README.md b/build_system/charts/open-appsec-kong/README.md index 009046b..559b8ee 100644 --- a/build_system/charts/open-appsec-kong/README.md +++ b/build_system/charts/open-appsec-kong/README.md 
@@ -71,6 +71,7 @@ $ helm install kong/kong --generate-name - [Sessions](#sessions) - [Email/SMTP](#emailsmtp) - [Prometheus Operator integration](#prometheus-operator-integration) +- [Argo CD considerations](#argo-cd-considerations) - [Changelog](https://github.com/Kong/charts/blob/main/charts/kong/CHANGELOG.md) - [Upgrading](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md) - [Seeking help](#seeking-help) @@ -599,7 +600,8 @@ directory. | Parameter | Description | Default | | ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- | | image.repository | Kong image | `kong` | -| image.tag | Kong image version | `2.5` | +| image.tag | Kong image version | `3.4` | +| image.effectiveSemver | Semantic version to use for version-dependent features (if `tag` is not a semver) | | | image.pullPolicy | Image pull policy | `IfNotPresent` | | image.pullSecrets | Image pull secrets | `null` | | replicaCount | Kong instance count. It has no effect when `autoscaling.enabled` is set to true | `1` | @@ -723,7 +725,7 @@ section of `values.yaml` file: |--------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| | enabled | Deploy the ingress controller, rbac and crd | true | | image.repository | Docker image with the ingress controller | kong/kubernetes-ingress-controller | -| image.tag | Version of the ingress controller | 2.0 | +| image.tag | Version of the ingress controller | `2.12` | | image.effectiveSemver | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version | | | readinessProbe | Kong ingress controllers readiness probe | | | livenessProbe | Kong ingress controllers liveness probe | | 
@@ -737,11 +739,13 @@ section of `values.yaml` file: | admissionWebhook.enabled | Whether to enable the validating admission webhook | true | | admissionWebhook.failurePolicy | How unrecognized errors from the admission endpoint are handled (Ignore or Fail) | Ignore | | admissionWebhook.port | The port the ingress controller will listen on for admission webhooks | 8080 | +| admissionWebhook.address | The address the ingress controller will listen on for admission webhooks, if not 0.0.0.0 | | | admissionWebhook.annotations | Annotations for the Validation Webhook Configuration | | | admissionWebhook.certificate.provided | Use a provided certificate. When set to false, the chart will automatically generate a certificate. | false | | admissionWebhook.certificate.secretName | Name of the TLS secret for the provided webhook certificate | | | admissionWebhook.certificate.caBundle | PEM encoded CA bundle which will be used to validate the provided webhook certificate | | | admissionWebhook.namespaceSelector | Add namespaceSelector to the webhook. Please go to [Kubernetes doc for the specs](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) | | +| admissionWebhook.timeoutSeconds | Kubernetes `apiserver`'s timeout when running this webhook. Default: 10 seconds. | | | userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | | | userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | | | terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 | 
@@ -1045,7 +1049,7 @@ must know where other Kong services (namely the admin and files APIs) can be accessed in order to function properly. Kong's default behavior for attempting to locate these absent configuration is unlikely to work in common Kubernetes environments. Because of this, you should set each of `admin_gui_url`, -`admin_api_uri`, `proxy_url`, `portal_api_url`, `portal_gui_host`, and +`admin_gui_api_url`, `proxy_url`, `portal_api_url`, `portal_gui_host`, and `portal_gui_protocol` under the `.env` key in values.yaml to locations where each of their respective services can be accessed to ensure that Kong services can locate one another and properly set CORS headers. See the @@ -1161,6 +1165,28 @@ admin: enable-metrics: "true" ``` +## Argo CD Considerations + +The built-in database subchart (`postgresql.enabled` in values) is not +supported when installing the chart via Argo CD. + +Argo CD does not support the full Helm lifecycle. There is no distinction +between the initial install and upgrades. Both operations are a "sync" in Argo +terms. This affects when migration Jobs execute in database-backed Kong +installs. + +The chart sets the `Sync` and `BeforeHookCreation` deletion +[hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/) +on the `init-migrations` and `pre-upgrade-migrations` Jobs. + +The `pre-upgrade-migrations` Job normally uses Helm's `pre-upgrade` policy. Argo +translates this to its `PreSync` policy, which would create the Job before all +sync phase resources. Doing this before various sync phase resources (such as +the ServiceAccount) are in place would prevent the Job from running +successfully. Overriding this with Argo's `Sync` policy starts the Job at the +same time as the upgraded Deployment Pods. The new Pods may fail to start +temporarily, but will eventually start normally once migrations complete. + ## Seeking help If you run into an issue, bug or have a question, please reach out to the Kong 
diff --git a/build_system/charts/open-appsec-kong/UPGRADE.md b/build_system/charts/open-appsec-kong/UPGRADE.md index adca053..906d961 100644 --- a/build_system/charts/open-appsec-kong/UPGRADE.md +++ b/build_system/charts/open-appsec-kong/UPGRADE.md @@ -17,7 +17,8 @@ upgrading from a previous version. ## Table of contents - [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions) -- [2.17.0](#2170) +- [2.26.0](#2260) +- [2.19.0](#2190) - [2.13.0](#2130) - [2.8.0](#280) - [2.7.0](#270) 
@@ -83,6 +84,35 @@ https://raw.githubusercontent.com/Kong/charts/kong-/charts/kong/crds/cu For example, if your release is 2.6.4, you would apply `https://raw.githubusercontent.com/Kong/charts/kong-2.6.4/charts/kong/crds/custom-resource-definitions.yaml`. +## 2.26.0 + +If you are using controller version 2.10 or lower and proxy version 3.3 or +higher in separate Deployments (such as when using the `ingress` chart), proxy +Pods will not become ready unless you override the default readiness endpoint: + +``` +readinessProbe: + httpGet: + path: /status +``` + +This section goes under the `gateway` section when using the `ingress` chart. + +2.26 changes the default proxy readiness endpoint to the `/status/ready` +endpoint introduced in Kong 3.3. This endpoint reports true when Kong has +configuration available, whereas the previous `/status` endpoint returned true +immediately after start, and could result in proxy instances attempting to +serve requests before they had configuration. + +The chart has logic to fall back to the older endpoint if the proxy and +controller versions do not work well with the new endpoint. However, the chart +detection cannot determine the controller version when the controller is in a +separate Deployment, and will always use the new endpoint if the Kong image +version is 3.3 or higher. + +Kong recommends Kong 3.3 and higher users update to controller 2.11 at their +earliest convenience to take advantage of the improved readiness behavior. + ## 2.19.0 2.19 sets a default [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) diff --git a/build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip-values.yaml b/build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip-values.yaml new file mode 100644 index 0000000..8204ad4 --- /dev/null +++ b/build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip-values.yaml 
@@ -0,0 +1,18 @@
+admin:
+ enabled: true
+ type: ClusterIP
+
+# Stub config to make the instance become ready
+dblessConfig:
+ config: |
+ _format_version: "1.1"
+ services:
+ - name: example.com
+ url: http://example.com
+ routes:
+ - name: example
+ paths:
+ - "/example"
+
+ingressController:
+ enabled: false
diff --git a/build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip.yaml b/build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip.yaml
deleted file mode 100644
index 18e5fa3..0000000
--- a/build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-admin:
- enabled: true
- type: ClusterIP
-
-ingressController:
- enabled: false
diff --git a/build_system/charts/open-appsec-kong/ci/custom-labels.yaml b/build_system/charts/open-appsec-kong/ci/custom-labels-values.yaml
similarity index 96%
rename from build_system/charts/open-appsec-kong/ci/custom-labels.yaml
rename to build_system/charts/open-appsec-kong/ci/custom-labels-values.yaml
index 284aca9..a2adc84 100644
--- a/build_system/charts/open-appsec-kong/ci/custom-labels.yaml
+++ b/build_system/charts/open-appsec-kong/ci/custom-labels-values.yaml
@@ -1,6 +1,3 @@ - # install chart with some extra labels - extraLabels: acme.com/some-key: some-value -
diff --git a/build_system/charts/open-appsec-kong/ci/default-values.yaml b/build_system/charts/open-appsec-kong/ci/default-values.yaml
index 94bd4b2..fd2b9b9 100644
--- a/build_system/charts/open-appsec-kong/ci/default-values.yaml
+++ b/build_system/charts/open-appsec-kong/ci/default-values.yaml
@@ -1,7 +1,4 @@ # install chart with default values -proxy: - type: NodePort - env: anonymous_reports: "off" ingressController:
diff --git a/build_system/charts/open-appsec-kong/ci/kong-ingress-1-values.yaml b/build_system/charts/open-appsec-kong/ci/kong-ingress-1-values.yaml
index ac31482..0cab2d4 100644
--- a/build_system/charts/open-appsec-kong/ci/kong-ingress-1-values.yaml
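Review bot: The new admin-api-service-clusterip-values.yaml has no header comment saying what the scenario exercises, unlike the sibling CI files that open with `# CI test for ...` (kong-ingress-1 through 4, and the removed test6-values.yaml); a reader has to infer it from `admin.enabled: true` with `type: ClusterIP` and `ingressController.enabled: false`. I would add `# CI test for exposing the Admin API as a ClusterIP Service with the ingress controller disabled (CI fixture only)` at the top, so the unauthenticated Admin API Service here is not mistaken for a deployable example. The `dblessConfig` stub is what makes the pod ready without a controller, while the same controller-less situation in test-enterprise-version-3.4.0.0-values.yaml is handled by overriding the readiness probe instead; the header comment should state which approach is intended so the two fixtures do not drift.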
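Review bot: Dropping `proxy.type: NodePort` from default-values.yaml (and `admin.type` in later hunks) means those Services now take the chart's default type from values.yaml, which is not part of this patch; if that default is LoadBalancer, a CI cluster without a load-balancer provisioner will leave the Service in Pending, which matters only if the CI job waits on Service readiness rather than on the pod. The same removal is made in kong-ingress-1 through 4, single-image-default-values.yaml, and test1 through test5 in the following hunks. A one-line comment in default-values.yaml such as `# proxy/admin Service type is deliberately left at the chart default` would make the intent explicit for the next chart update.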
+++ b/build_system/charts/open-appsec-kong/ci/kong-ingress-1-values.yaml @@ -1,6 +1,5 @@ # CI test for empty hostname including tls secret using string proxy: - type: NodePort ingress: enabled: true tls: "kong.proxy.example.secret" diff --git a/build_system/charts/open-appsec-kong/ci/kong-ingress-2-values.yaml b/build_system/charts/open-appsec-kong/ci/kong-ingress-2-values.yaml index 4f7239d..73285b3 100644 --- a/build_system/charts/open-appsec-kong/ci/kong-ingress-2-values.yaml +++ b/build_system/charts/open-appsec-kong/ci/kong-ingress-2-values.yaml @@ -1,6 +1,5 @@ # CI test for hostname including tls secret using string proxy: - type: NodePort ingress: enabled: true hostname: "proxy.kong.example" diff --git a/build_system/charts/open-appsec-kong/ci/kong-ingress-3-values.yaml b/build_system/charts/open-appsec-kong/ci/kong-ingress-3-values.yaml index 1afcd3e..e712efb 100644 --- a/build_system/charts/open-appsec-kong/ci/kong-ingress-3-values.yaml +++ b/build_system/charts/open-appsec-kong/ci/kong-ingress-3-values.yaml @@ -1,6 +1,5 @@ # CI test for using ingress hosts configuration proxy: - type: NodePort ingress: enabled: true hosts: diff --git a/build_system/charts/open-appsec-kong/ci/kong-ingress-4-values.yaml b/build_system/charts/open-appsec-kong/ci/kong-ingress-4-values.yaml index 5c84b24..ba79f10 100644 --- a/build_system/charts/open-appsec-kong/ci/kong-ingress-4-values.yaml +++ b/build_system/charts/open-appsec-kong/ci/kong-ingress-4-values.yaml @@ -1,6 +1,5 @@ # CI test for testing combined ingress hostname and hosts configuration including tls configuraion using slice proxy: - type: NodePort ingress: enabled: true hostname: "proxy.kong.example" 
diff --git a/build_system/charts/open-appsec-kong/ci/single-image-default.yaml b/build_system/charts/open-appsec-kong/ci/single-image-default-values.yaml
similarity index 63%
rename from build_system/charts/open-appsec-kong/ci/single-image-default.yaml
rename to build_system/charts/open-appsec-kong/ci/single-image-default-values.yaml
index a9e6e94..f9183be 100644
--- a/build_system/charts/open-appsec-kong/ci/single-image-default.yaml
+++ b/build_system/charts/open-appsec-kong/ci/single-image-default-values.yaml
@@ -2,9 +2,7 @@ # use single image strings instead of repository/tag image: - unifiedRepoTag: kong:2.6 -proxy: - type: NodePort + unifiedRepoTag: kong:3.4 env: anonymous_reports: "off"
@@ -12,4 +10,4 @@ ingressController: env: anonymous_reports: "false" image: - unifiedRepoTag: kong/kubernetes-ingress-controller:2.0.2 + unifiedRepoTag: kong/kubernetes-ingress-controller:2.12
diff --git a/build_system/charts/open-appsec-kong/ci/test-enterprise-version-3.4.0.0-values.yaml b/build_system/charts/open-appsec-kong/ci/test-enterprise-version-3.4.0.0-values.yaml
new file mode 100644
index 0000000..ec09b8d
--- /dev/null
+++ b/build_system/charts/open-appsec-kong/ci/test-enterprise-version-3.4.0.0-values.yaml
@@ -0,0 +1,14 @@
+ingressController:
+ enabled: false
+
+image:
+ repository: kong/kong-gateway
+ tag: "3.4.0.0"
+
+readinessProbe:
+ httpGet:
+ path: "/status"
+ port: status
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 1
diff --git a/build_system/charts/open-appsec-kong/ci/test1-values.yaml b/build_system/charts/open-appsec-kong/ci/test1-values.yaml
index b0a9c85..5619eb8 100644
--- a/build_system/charts/open-appsec-kong/ci/test1-values.yaml
+++ b/build_system/charts/open-appsec-kong/ci/test1-values.yaml
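Review bot: The readinessProbe override to `path: "/status"` in test-enterprise-version-3.4.0.0-values.yaml is unexplained, while the UPGRADE.md hunk earlier in this patch describes the 2.26 default `/status/ready` as the safer endpoint because it reports ready only once configuration is loaded. With `ingressController.enabled: false` and no `dblessConfig` in this file the instance presumably never receives configuration, so the legacy endpoint looks necessary for the pod to become ready, but that reasoning belongs in the file: `# Controller disabled and no static config: /status/ready would never succeed, so probe the legacy /status endpoint`. Like the other new CI file in this patch, it also lacks the `# CI test for ...` header the sibling files use. `initialDelaySeconds: 1` and `periodSeconds: 1` are tighter than a production probe; if that is deliberate for CI speed, the same comment can say so.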
@@ -30,14 +30,12 @@ podLabels: environment: test # - ingress resources are created with hosts admin: - type: NodePort ingress: enabled: true hostname: admin.kong.example annotations: {} path: / proxy: - type: NodePort ingress: enabled: true hostname: proxy.kong.example diff --git a/build_system/charts/open-appsec-kong/ci/test2-values.yaml b/build_system/charts/open-appsec-kong/ci/test2-values.yaml index a2a27ff..07ed193 100644 --- a/build_system/charts/open-appsec-kong/ci/test2-values.yaml +++ b/build_system/charts/open-appsec-kong/ci/test2-values.yaml @@ -3,8 +3,12 @@ # - stream listens work # - a mixture of controller, Kong, and shared volumes successfully mount # - watchNamespaces is set +# - the admission webhook is enabled; has the timeout explicitly set ingressController: enabled: true + admissionWebhook: + enabled: true + timeoutSeconds: 5 env: anonymous_reports: "false" customEnv: @@ -21,13 +25,11 @@ env: database: "postgres" # - ingress resources are created without hosts admin: - type: NodePort ingress: enabled: true hosts: [] path: / proxy: - type: NodePort ingress: enabled: true hostname: proxy.kong.example diff --git a/build_system/charts/open-appsec-kong/ci/test3-values.yaml b/build_system/charts/open-appsec-kong/ci/test3-values.yaml index 46f9b29..76c5f35 100644 --- a/build_system/charts/open-appsec-kong/ci/test3-values.yaml +++ b/build_system/charts/open-appsec-kong/ci/test3-values.yaml @@ -8,8 +8,6 @@ env: database: "off" postgresql: enabled: false -proxy: - type: NodePort deployment: initContainers: - name: "bash" diff --git a/build_system/charts/open-appsec-kong/ci/test4-values.yaml b/build_system/charts/open-appsec-kong/ci/test4-values.yaml index 1b63334..2f648ad 100644 --- a/build_system/charts/open-appsec-kong/ci/test4-values.yaml +++ b/build_system/charts/open-appsec-kong/ci/test4-values.yaml @@ -12,7 +12,6 @@ env: postgresql: enabled: false proxy: - type: NodePort # - add stream listens stream: - containerPort: 9000 
diff --git a/build_system/charts/open-appsec-kong/ci/test5-values.yaml b/build_system/charts/open-appsec-kong/ci/test5-values.yaml
index 6366433..76318b4 100644
--- a/build_system/charts/open-appsec-kong/ci/test5-values.yaml
+++ b/build_system/charts/open-appsec-kong/ci/test5-values.yaml
@@ -26,13 +26,11 @@ customEnv: client_id: "exampleId" # - ingress resources are created without hosts admin: - type: NodePort ingress: enabled: true hosts: [] path: / proxy: - type: NodePort ingress: enabled: true hostname: proxy.kong.example
diff --git a/build_system/charts/open-appsec-kong/ci/test6-values.yaml b/build_system/charts/open-appsec-kong/ci/test6-values.yaml
deleted file mode 100644
index d137728..0000000
--- a/build_system/charts/open-appsec-kong/ci/test6-values.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-# CI test for testing dbless deployment without ingress controllers
-# - disable ingress controller
-# - no static config
-ingressController:
- enabled: false
-# - disable DB for kong
-env:
- anonymous_reports: "off"
- database: "off"
-postgresql:
- enabled: false
-proxy:
- type: NodePort
-deployment:
- initContainers:
- - name: "bash"
- image: "bash:latest"
- command: ["/bin/sh", "-c", "true"]
- resources:
- limits:
- cpu: "100m"
- memory: "64Mi"
- requests:
- cpu: "100m"
- memory: "64Mi"
- volumeMounts:
- - name: "tmpdir"
- mountPath: "/opt/tmp"
- userDefinedVolumes:
- - name: "tmpdir"
- emptyDir: {}
- userDefinedVolumeMounts:
- - name: "tmpdir"
- mountPath: "/opt/tmp"
diff --git a/build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml b/build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml
index 890ee0b..03353de 100644
--- a/build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml
+++ b/build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml
@@ -1,10 +1,9 @@ -# generated using: kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/crd?ref=v2.8.1 +# generated using: kubectl kustomize 'github.com/kong/kubernetes-ingress-controller/config/crd?ref=v2.12.0' apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: ingressclassparameterses.configuration.konghq.com spec: group: configuration.konghq.com @@ -56,8 +55,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: kongclusterplugins.configuration.konghq.com spec: group: configuration.konghq.com @@ -91,6 +89,9 @@ spec: name: Config priority: 1 type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string name: v1 schema: openAPIV3Schema: @@ -142,6 +143,11 @@ spec: disabled: description: Disabled set if the plugin is disabled or not. type: boolean + instance_name: + description: InstanceName is an optional custom name to identify an instance + of the plugin. This is useful when running the same plugin in multiple + contexts, for example, on multiple services. + type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client @@ -183,6 +189,8 @@ spec: description: Protocols configures plugin to run on requests received on specific protocols. items: + description: KongProtocol is a valid Kong protocol. This alias is necessary + to deal with https://github.com/kubernetes-sigs/controller-tools/issues/342 enum: - http - https 
@@ -201,6 +209,91 @@ spec: - second - all type: string + status: + description: Status represents the current status of the KongClusterPlugin + resource. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the KongClusterPluginStatus. + \n Known condition types are: \n * \"Programmed\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object required: - plugin type: object 
@@ -213,8 +306,142 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 + name: kongconsumergroups.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: KongConsumerGroup + listKind: KongConsumerGroupList + plural: kongconsumergroups + shortNames: + - kcg + singular: kongconsumergroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Age + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: KongConsumerGroup is the Schema for the kongconsumergroups API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: Status represents the current status of the KongConsumer + resource. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the KongConsumerGroup. 
+ \n Known condition types are: \n * \"Programmed\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 name: kongconsumers.configuration.konghq.com spec: group: configuration.konghq.com @@ -238,6 +465,9 @@ spec: jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string name: v1 schema: openAPIV3Schema: 
@@ -248,6 +478,12 @@ spec: of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string + consumerGroups: + description: ConsumerGroups are references to consumer groups (that consumer + wants to be part of) provisioned in Kong. + items: + type: string + type: array credentials: description: Credentials are references to secrets containing a credential to be provisioned in Kong. 
@@ -265,6 +501,91 @@ spec: type: string metadata: type: object + status: + description: Status represents the current status of the KongConsumer + resource. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the KongConsumer. + \n Known condition types are: \n * \"Programmed\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object username: description: Username is a Kong cluster-unique username of the consumer. type: string @@ -278,8 +599,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: kongingresses.configuration.konghq.com spec: group: configuration.konghq.com 
@@ -381,8 +701,7 @@ spec: type: integer methods: description: 'Methods is a list of HTTP methods that match this Route. - Deprecated: use Ingress'' "konghq.com/override-protocols" annotation - instead.' + Deprecated: use Ingress'' "konghq.com/methods" annotation instead.' items: type: string type: array @@ -407,6 +726,8 @@ spec: allow. Deprecated: use Ingress'' "konghq.com/protocols" annotation instead.' items: + description: KongProtocol is a valid Kong protocol. This alias is + necessary to deal with https://github.com/kubernetes-sigs/controller-tools/issues/342 enum: - http - https @@ -448,8 +769,8 @@ spec: type: object upstream: description: Upstream represents a virtual hostname and can be used to - load balance incoming requests over multiple targets (e.g. Kubernetes - Services can be a target, or URLs can be targets). + loadbalance incoming requests over multiple targets (e.g. Kubernetes + `Services` can be a target, OR `Endpoints` can be targets). properties: algorithm: description: Algorithm is the load balancing algorithm to use. @@ -457,6 +778,7 @@ spec: - round-robin - consistent-hashing - least-connections + - latency type: string hash_fallback: description: 'HashFallback defines What to use as hashing input if @@ -512,6 +834,12 @@ spec: concurrency: minimum: 1 type: integer + headers: + additionalProperties: + items: + type: string + type: array + type: object healthy: description: Healthy configures thresholds and HTTP status codes to mark targets healthy for an upstream. @@ -626,8 +954,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: kongplugins.configuration.konghq.com spec: group: configuration.konghq.com 
@@ -661,6 +988,9 @@ spec: name: Config priority: 1 type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string name: v1 schema: openAPIV3Schema: @@ -708,6 +1038,11 @@ spec: disabled: description: Disabled set if the plugin is disabled or not. type: boolean + instance_name: + description: InstanceName is an optional custom name to identify an instance + of the plugin. This is useful when running the same plugin in multiple + contexts, for example, on multiple services. + type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client @@ -749,6 +1084,8 @@ spec: description: Protocols configures plugin to run on requests received on specific protocols. items: + description: KongProtocol is a valid Kong protocol. This alias is necessary + to deal with https://github.com/kubernetes-sigs/controller-tools/issues/342 enum: - http - https 
@@ -767,6 +1104,90 @@ spec: - second - all type: string + status: + description: Status represents the current status of the KongPlugin resource. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: "Conditions describe the current conditions of the KongPluginStatus. + \n Known condition types are: \n * \"Programmed\"" + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object required: - plugin type: object @@ -779,8 +1200,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: tcpingresses.configuration.konghq.com spec: group: configuration.konghq.com 
@@ -966,8 +1386,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: udpingresses.configuration.konghq.com spec: group: configuration.konghq.com diff --git a/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml b/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml index e4c4bf2..521bef6 100644 --- a/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml +++ b/build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml @@ -88,7 +88,7 @@ enterprise: enabled: true env: admin_access_log: /dev/stdout - admin_api_uri: https://kong.127-0-0-1.nip.io/api + admin_gui_api_url: https://kong.127-0-0-1.nip.io/api admin_error_log: /dev/stdout admin_gui_access_log: /dev/stdout admin_gui_error_log: /dev/stdout @@ -146,7 +146,7 @@ extraLabels: konghq.com/component: quickstart image: repository: kong/kong-gateway - tag: "3.3" + tag: "3.4" ingressController: enabled: true env: diff --git a/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml b/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml index 56a6d08..b794e1f 100644 --- a/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml +++ b/build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml @@ -12,7 +12,7 @@ image: repository: kong/kong-gateway - tag: "3.3" + tag: "3.4" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml index f222d38..f8faf44 100644 
--- a/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml @@ -9,7 +9,7 @@ image: repository: kong/kong-gateway - tag: "3.3" + tag: "3.4" admin: enabled: true diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml index 3be8e0d..88d61c7 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml @@ -2,7 +2,7 @@ image: repository: kong - tag: "3.3" + tag: "3.4" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml index 2610935..206238d 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml @@ -4,7 +4,7 @@ image: repository: kong/kong-gateway - tag: "3.3" + tag: "3.4" enterprise: enabled: true diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml index ffc316a..2c5e9bb 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml @@ -14,7 +14,7 @@ image: repository: kong/kong-gateway - tag: "3.3" + tag: "3.4" env: database: postgres 
diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml index 012d9b6..ff08b53 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml @@ -12,7 +12,7 @@ image: repository: kong/kong-gateway - tag: "3.3" + tag: "3.4" env: role: data_plane diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml index a48028a..e58cb8d 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml @@ -6,7 +6,7 @@ image: repository: kong - tag: "3.3" + tag: "3.4" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml index 84d9c40..2f40013 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml @@ -11,7 +11,7 @@ image: repository: kong - tag: "3.3" + tag: "3.4" env: prefix: /kong_prefix/ diff --git a/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml b/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml index ca06308..ceb9b8b 100644 --- a/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml +++ b/build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml @@ -6,7 +6,7 @@ image: repository: kong - tag: "3.3" + tag: "3.4" env: prefix: /kong_prefix/ 
diff --git a/build_system/charts/open-appsec-kong/templates/_helpers.tpl b/build_system/charts/open-appsec-kong/templates/_helpers.tpl index 205bc72..836d755 100644 --- a/build_system/charts/open-appsec-kong/templates/_helpers.tpl +++ b/build_system/charts/open-appsec-kong/templates/_helpers.tpl @@ -330,10 +330,11 @@ Create KONG_STREAM_LISTEN string */}} {{- define "kong.streamListen" -}} {{- $unifiedListen := list -}} + {{- $address := (default "0.0.0.0" .address) -}} {{- range .stream -}} {{- $listenConfig := dict -}} {{- $listenConfig := merge $listenConfig . -}} - {{- $_ := set $listenConfig "address" "0.0.0.0" -}} + {{- $_ := set $listenConfig "address" $address -}} {{/* You set NGINX stream listens to UDP using a parameter due to historical reasons. Our configuration is dual-purpose, for both the Service and listen string, so we forcibly inject this parameter if that's the Service protocol. The default handles @@ -458,7 +459,8 @@ The name of the service used for the ingress controller's validation webhook {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}} {{- if .Values.ingressController.admissionWebhook.enabled }} - {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "0.0.0.0:%d" (int64 .Values.ingressController.admissionWebhook.port)) -}} + {{- $address := (default "0.0.0.0" .Values.ingressController.admissionWebhook.address) -}} + {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "%s:%d" $address (int64 .Values.ingressController.admissionWebhook.port)) -}} {{- end }} {{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }} {{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}} 
@@ -552,6 +554,41 @@ The name of the service used for the ingress controller's validation webhook - name: {{ template "kong.fullname" . }}-tmp emptyDir: sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }} +{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} +- name: {{ template "kong.serviceAccountTokenName" . }} + {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well. + See the related documentation of semver module that Helm depends on for semverCompare: + https://github.com/Masterminds/semver#working-with-prerelease-versions + Related Helm issue: https://github.com/helm/helm/issues/3810 */}} + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + {{- else }} + secret: + secretName: {{ template "kong.serviceAccountTokenName" . }} + items: + - key: token + path: token + - key: ca.crt + path: ca.crt + - key: namespace + path: namespace + {{- end }} +{{- end }} {{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}} {{- if .Values.certificates.cluster.enabled }} - name: {{ include "kong.fullname" . }}-cluster-cert 
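Review bot: The projected-token volume is now emitted by `kong.volumes` for every workload that includes it, so a short comment above the `{{- if ... automountServiceAccountToken ...}}` line would help the next reader: automount is disabled on the pod, this volume re-mounts the token explicitly, and the migration Job templates later in this commit reference the same volume name through their `kuma.io/service-account-token-volume` annotation. `expirationSeconds: 3607` also deserves a one-line why-comment, since it is deliberately a few seconds above the 1-hour default (it looks like the value Kuma's integration expects — confirm). The enabling condition is now spelled out verbatim in four templates (here and in the three migration Jobs); hoisting it into a small named template would keep the four sites from drifting. The `kong.volumes` definition starts outside this hunk.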
@@ -786,10 +823,22 @@ The name of the service used for the ingress controller's validation webhook {{/* effectiveVersion takes an image dict from values.yaml. if .effectiveSemver is set, it returns that, else it returns .tag */}} {{- define "kong.effectiveVersion" -}} +{{- /* Because Kong Gateway enterprise uses versions with 4 segments and not 3 */ -}} +{{- /* as semver does, we need to account for that here by extracting */ -}} +{{- /* first 3 segments for comparison */ -}} {{- if .effectiveSemver -}} -{{- .effectiveSemver -}} + {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}} + {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}} + {{- else -}} + {{- .effectiveSemver -}} + {{- end -}} {{- else -}} -{{- (trimSuffix "-redhat" .tag) -}} + {{- $tag := (trimSuffix "-redhat" .tag) -}} + {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .tag -}} + {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .tag -}} + {{- else -}} + {{- .tag -}} + {{- end -}} {{- end -}} {{- end -}} @@ -908,7 +957,7 @@ the template that it itself is using form the above sections. {{- end -}} {{- $listenConfig := dict -}} {{- $listenConfig := merge $listenConfig . -}} - {{- $_ := set $listenConfig "address" $address -}} + {{- $_ := set $listenConfig "address" (default $address .address) -}} {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}} {{- if or .tls.client.secretName .tls.client.caBundle -}} @@ -952,6 +1001,7 @@ the template that it itself is using form the above sections. {{- end -}} {{- if .Values.admin.ingress.enabled }} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_API_URL" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}} {{- $_ := set $autoEnv "KONG_ADMIN_API_URI" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}} {{- end -}} 
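Review bot: In the new `else` branch of `kong.effectiveVersion`, `$tag` is computed from `trimSuffix "-redhat" .tag` but never used, so a tag that does not match the three-segment pattern (for example a two-segment `3.4-redhat`) is now returned with its `-redhat` suffix intact, a regression from the old `(trimSuffix "-redhat" .tag)`. Replace the three uses of `.tag` in that branch with `$tag`: `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+" $tag -}}`, `{{- regexFind "^[0-9]+\\.[0-9]+\\.[0-9]+" $tag -}}`, `{{- else -}}{{- $tag -}}`. The unescaped `.` in both regexes (the `.effectiveSemver` branch too) matches any character rather than a dot, so escaping it as above makes the segment extraction strict. The block comment above the define should also mention that a fourth Enterprise version segment is dropped before the value is used in `semverCompare`.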
@@ -1203,6 +1253,24 @@ resource roles into their separate templates. - namespaces verbs: - list +{{- if (semverCompare ">= 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update +{{- end }} {{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} - apiGroups: - "" @@ -1614,6 +1682,16 @@ networking.k8s.io/v1beta1 extensions/v1beta1 {{- end -}} {{- end -}} + +{{- define "kong.proxy.compatibleReadiness" -}} +{{- $proxyReadiness := .Values.readinessProbe -}} +{{- if (or (semverCompare "< 3.3.0" (include "kong.effectiveVersion" .Values.image)) (and .Values.ingressController.enabled (semverCompare "< 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)))) -}} + {{- if (eq $proxyReadiness.httpGet.path "/status/ready") -}} + {{- $_ := set $proxyReadiness.httpGet "path" "/status" -}} + {{- end -}} +{{- end -}} +{{- (toYaml $proxyReadiness) -}} +{{- end -}} {{/* appsec labels */}} diff --git a/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml b/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml index f887ccf..f7e5c40 100644 --- a/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml +++ b/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml @@ -46,6 +46,9 @@ webhooks: namespaceSelector: {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.ingressController.admissionWebhook.timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} objectSelector: matchExpressions: - key: owner 
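Review bot: `kong.proxy.compatibleReadiness` dereferences `$proxyReadiness.httpGet.path` unguarded, so a user who replaces the default probe with a `tcpSocket` or `exec` probe (no `httpGet` key) gets a nil-pointer template error on any gateway below 3.3.0 or controller below 2.11.0 instead of having their probe passed through. `set` also mutates `.Values.readinessProbe` in place for the rest of the render; that is harmless for the two consumers visible in this diff, which both go through this helper, but it is a latent surprise for any other template reading the value. Suggested: `{{- $proxyReadiness := deepCopy .Values.readinessProbe -}}` and `{{- if eq (dig "httpGet" "path" "" $proxyReadiness) "/status/ready" -}}`. A one-line comment above the define stating that `/status/ready` only exists on newer images, so the legacy `/status` endpoint is substituted for older ones, would document the intent.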
@@ -80,6 +83,28 @@ webhooks: - UPDATE resources: - secrets +{{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - apiGroups: + - networking.k8s.io + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - 'v1alpha2' + - 'v1beta1' + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes +{{- end }} clientConfig: {{- if not .Values.ingressController.admissionWebhook.certificate.provided }} caBundle: {{ b64enc $caCert }} diff --git a/build_system/charts/open-appsec-kong/templates/appsec.yaml b/build_system/charts/open-appsec-kong/templates/appsec.yaml index e7c020d..6d686ea 100644 --- a/build_system/charts/open-appsec-kong/templates/appsec.yaml +++ b/build_system/charts/open-appsec-kong/templates/appsec.yaml @@ -359,7 +359,7 @@ spec: {{- include "kong.volumeMounts" . | nindent 10 }} {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }} readinessProbe: -{{ toYaml .Values.readinessProbe | indent 10 }} +{{ include "kong.proxy.compatibleReadiness" . | indent 10 }} livenessProbe: {{ toYaml .Values.livenessProbe | indent 10 }} {{- if .Values.startupProbe }} 
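Review bot: The rules added for controller >= 2.12.0 extend the validating webhook from Secrets and chart CRDs to every Ingress, Gateway and HTTPRoute create/update in the selected namespaces, so the webhook's `failurePolicy` (not visible in this hunk) now decides whether an unavailable controller blocks ordinary Ingress changes; worth confirming it is `Ignore`, or that the `timeoutSeconds` added in the previous hunk is tuned with that blast radius in mind. The `objectSelector` keyed on `owner` visible just above also applies to these new rules, so Ingress or Gateway objects carrying that label would bypass validation — confirm that is intended. A comment such as `# KIC >= 2.12 also validates Ingress and Gateway API objects; keep this gate in sync with the version gates in _helpers.tpl` would tie the gate to the matching controller release. The `webhooks` list entry starts outside this hunk.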
@@ -403,41 +403,6 @@ spec: {{- end }} {{- include "kong.volumes" . | nindent 8 -}} {{- include "kong.userDefinedVolumes" . | nindent 8 -}} - {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} - - name: {{ template "kong.serviceAccountTokenName" . }} - {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well. - See the related documentation of semver module that Helm depends on for semverCompare: - https://github.com/Masterminds/semver#working-with-prerelease-versions - Related Helm issue: https://github.com/helm/helm/issues/3810 */}} - {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} - projected: - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace - {{- else }} - secret: - secretName: {{ template "kong.serviceAccountTokenName" . }} - items: - - key: token - path: token - - key: ca.crt - path: ca.crt - - key: namespace - path: namespace - {{- end }} - {{- end }} {{- if (and (eq .Values.kind "AppSecStateful") .Values.appsec.persistence.enabled) }} volumeClaimTemplates: - metadata: diff --git a/build_system/charts/open-appsec-kong/templates/deployment.yaml b/build_system/charts/open-appsec-kong/templates/deployment.yaml index f10536c..5307d23 100644 --- a/build_system/charts/open-appsec-kong/templates/deployment.yaml +++ b/build_system/charts/open-appsec-kong/templates/deployment.yaml 
@@ -270,7 +270,7 @@ spec: {{- include "kong.volumeMounts" . | nindent 10 }} {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }} readinessProbe: -{{ toYaml .Values.readinessProbe | indent 10 }} +{{ include "kong.proxy.compatibleReadiness" . | indent 10 }} livenessProbe: {{ toYaml .Values.livenessProbe | indent 10 }} {{- if .Values.startupProbe }} @@ -302,39 +302,4 @@ spec: volumes: {{- include "kong.volumes" . | nindent 8 -}} {{- include "kong.userDefinedVolumes" . | nindent 8 -}} - {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} - - name: {{ template "kong.serviceAccountTokenName" . }} - {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well. - See the related documentation of semver module that Helm depends on for semverCompare: - https://github.com/Masterminds/semver#working-with-prerelease-versions - Related Helm issue: https://github.com/helm/helm/issues/3810 */}} - {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} - projected: - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace - {{- else }} - secret: - secretName: {{ template "kong.serviceAccountTokenName" . }} - items: - - key: token - path: token - - key: ca.crt - path: ca.crt - - key: namespace - path: namespace - {{- end }} - {{- end }} {{- end }} diff --git a/build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml b/build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml index 43a8eb7..ba00e45 100644 --- a/build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml 
+++ b/build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml @@ -29,6 +29,9 @@ spec: {{- range $key, $value := .Values.migrations.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} + {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} + kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }} + {{- end }} {{- end }} spec: {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} diff --git a/build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml b/build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml index 09a5c85..9dada75 100644 --- a/build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml +++ b/build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml @@ -13,6 +13,8 @@ metadata: annotations: helm.sh/hook: "pre-upgrade" helm.sh/hook-delete-policy: "before-hook-creation" + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation {{- range $key, $value := .Values.migrations.jobAnnotations }} {{ $key }}: {{ $value | quote }} {{- end }} @@ -29,6 +31,9 @@ spec: {{- range $key, $value := .Values.migrations.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} + {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} + kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }} + {{- end }} {{- end }} spec: {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} diff --git a/build_system/charts/open-appsec-kong/templates/migrations.yaml b/build_system/charts/open-appsec-kong/templates/migrations.yaml index 5b918ab..a996fcd 100644 
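Review bot: The pre-upgrade Job is annotated `argocd.argoproj.io/hook: Sync`, which places it in Argo CD's main sync phase alongside the Deployment rather than strictly before it, whereas the `helm.sh/hook: "pre-upgrade"` it sits next to guarantees the migration finishes before the new pods roll out; unless the Job also carries a lower sync-wave (not visible here), Argo CD users may start the new gateway before the migration has run. Consider `argocd.argoproj.io/hook: PreSync` here, or document why `Sync` is the intended phase; the `migrations.yaml` hunk in the next file receives the same annotations and should be read with the same question. Since the annotations are emitted unconditionally, a comment like `# Argo CD hook phase for Argo-managed installs; mirrors the helm.sh hook above` would explain their presence to non-Argo users.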
--- a/build_system/charts/open-appsec-kong/templates/migrations.yaml +++ b/build_system/charts/open-appsec-kong/templates/migrations.yaml @@ -21,6 +21,8 @@ metadata: {{- include "kong.metaLabels" . | nindent 4 }} app.kubernetes.io/component: init-migrations annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation {{- range $key, $value := .Values.migrations.jobAnnotations }} {{ $key }}: {{ $value | quote }} {{- end }} @@ -37,6 +39,9 @@ spec: {{- range $key, $value := .Values.migrations.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} + {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} + kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }} + {{- end }} {{- end }} spec: {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} diff --git a/build_system/charts/open-appsec-kong/templates/service-kong-manager.yaml b/build_system/charts/open-appsec-kong/templates/service-kong-manager.yaml index b4c22e4..e673287 100644 --- a/build_system/charts/open-appsec-kong/templates/service-kong-manager.yaml +++ b/build_system/charts/open-appsec-kong/templates/service-kong-manager.yaml @@ -1,5 +1,4 @@ {{- if .Values.deployment.kong.enabled }} -{{- if .Values.enterprise.enabled }} {{- if and .Values.manager.enabled (or .Values.manager.http.enabled .Values.manager.tls.enabled) -}} {{- $serviceConfig := dict -}} {{- $serviceConfig := merge $serviceConfig .Values.manager -}} @@ -16,4 +15,3 @@ {{- end -}} {{- end -}} {{- end -}} -{{- end -}} diff --git a/build_system/charts/open-appsec-kong/values.yaml b/build_system/charts/open-appsec-kong/values.yaml index 0cb8fc1..2c0cb36 100644 --- a/build_system/charts/open-appsec-kong/values.yaml +++ b/build_system/charts/open-appsec-kong/values.yaml 
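Review bot: Dropping the `.Values.enterprise.enabled` gate means the Kong Manager Service is rendered for open-source images whenever `manager.enabled` and one of its listeners is on; that is correct for the 3.4 images this commit moves to (Kong Manager ships in OSS from 3.4), but anyone pinning an older open-source tag now gets a Service whose selector points at pods with no GUI listener. If the chart should keep supporting such tags, gate on the version the way the RBAC rules already do, e.g. `{{- if or .Values.enterprise.enabled (semverCompare ">= 3.4.0" (include "kong.effectiveVersion" .Values.image)) }}`. A one-line comment above the remaining `if` recording that Kong Manager is available in OSS from 3.4 would explain why the enterprise gate was removed.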
@@ -86,7 +86,7 @@ env: database: "off" # the chart uses the traditional router (for Kong 3.x+) because the ingress # controller generates traditional routes. if you do not use the controller, - # you may set this to "traditional_compatible" or "expression" to use the new + # you may set this to "traditional_compatible" or "expressions" to use the new # DSL-based router router_flavor: "traditional" nginx_worker_processes: "2" @@ -121,11 +121,13 @@ extraLabels: {} # Specify Kong's Docker image and repository details here image: repository: kong - tag: "3.3" + tag: "3.4" # Kong Enterprise # repository: kong/kong-gateway - # tag: "3.3" + # tag: "3.4" + # Specify a semver version if your image tag is not one (e.g. "nightly") + effectiveSemver: pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. @@ -514,7 +516,7 @@ ingressController: enabled: true image: repository: kong/kubernetes-ingress-controller - tag: "2.10" + tag: "2.12" # Optionally set a semantic version for version-gated features. This can normally # be left unset. You only need to set this if your tag is not a semver string, # such as when you are using a "next" tag. Set this to the effective semantic @@ -574,6 +576,8 @@ ingressController: service: # Specify custom labels for the validation webhook service. labels: {} + # Tune the default Kubernetes timeoutSeconds of 10 seconds + # timeoutSeconds: 10 ingressClass: kong # annotations for IngressClass resource (Kubernetes 1.18+) @@ -800,7 +804,7 @@ resources: {} # readinessProbe for Kong pods readinessProbe: httpGet: - path: "/status" + path: "/status/ready" port: status scheme: HTTP initialDelaySeconds: 5 @@ -1229,8 +1233,8 @@ appsec: image: #registry: repository: ghcr.io/openappsec - image: agent - tag: latest + image: "agent" + tag: "1.1.0" pullPolicy: Always securityContext: 
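Review bot: Changing the default readiness path to `/status/ready` makes the probe report actual configuration state (Kong 3.3+ answers 503 there until a configuration has been loaded), which is the right default for a gateway fed by the ingress controller, and the comment above the probe should say so, e.g. `# /status/ready fails until Kong has loaded a configuration (Kong >= 3.3); older images are mapped back to /status by kong.proxy.compatibleReadiness`. For DB-less deployments that run the proxy without the controller and push configuration later, pods will stay NotReady until that happens, which can surprise users upgrading the chart; mentioning it in the same comment or the changelog would help. The `readinessProbe` mapping continues outside this hunk.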
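Review bot: Pinning the agent tag to `"1.1.0"` instead of `latest` is the right supply-chain move, but `pullPolicy: Always` directly below still forces a registry pull on every pod start; with an immutable tag `IfNotPresent` removes the start-time dependency on the registry, and if the chart's image helper accepts a digest, `@sha256:<digest-placeholder>` would make the reference immutable rather than merely named. The `kong-attachment` image in the following hunk moves to the same `1.1.0` tag and should be pinned the same way. A comment such as `# agent and kong-attachment are expected to move together — keep both tags in lockstep` would document the coupling the two identical values seem to imply (confirm).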
@@ -1243,8 +1247,8 @@ appsec:
 # runAsUser: 1000
 kong:
 image:
- repository: "ghcr.io/openappsec/kong-gateway-attachment"
- tag: "latest"
+ repository: "ghcr.io/openappsec/kong-attachment"
+ tag: "1.1.0"
 configMapName: appsec-settings-configmap
 configMapContent:
 crowdsec: