Updating charts

2025-09-30 03:34:26 +03:00 · 2023-10-08 07:15:09 +00:00
parent 39b8c5a5ff
commit 3d11ead170
60 changed files with 2259 additions and 540 deletions
--- a/build_system/charts/open-appsec-kong/templates/_helpers.tpl
+++ b/build_system/charts/open-appsec-kong/templates/_helpers.tpl
@@ -330,10 +330,11 @@ Create KONG_STREAM_LISTEN string
 */}}
 {{- define "kong.streamListen" -}}
  {{- $unifiedListen := list -}}
+  {{- $address := (default "0.0.0.0" .address) -}}
  {{- range .stream -}}
    {{- $listenConfig := dict -}}
    {{- $listenConfig := merge $listenConfig . -}}
-    {{- $_ := set $listenConfig "address" "0.0.0.0" -}}
+    {{- $_ := set $listenConfig "address" $address -}}
    {{/* You set NGINX stream listens to UDP using a parameter due to historical reasons.
         Our configuration is dual-purpose, for both the Service and listen string, so we
         forcibly inject this parameter if that's the Service protocol. The default handles
@@ -458,7 +459,8 @@ The name of the service used for the ingress controller's validation webhook
  {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}

  {{- if .Values.ingressController.admissionWebhook.enabled }}
-    {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "0.0.0.0:%d" (int64 .Values.ingressController.admissionWebhook.port)) -}}
+    {{- $address := (default "0.0.0.0" .Values.ingressController.admissionWebhook.address) -}}
+    {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "%s:%d" $address (int64 .Values.ingressController.admissionWebhook.port)) -}}
  {{- end }}
  {{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }}
    {{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}}
@@ -552,6 +554,41 @@ The name of the service used for the ingress controller's validation webhook
 - name: {{ template "kong.fullname" . }}-tmp
  emptyDir:
    sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }}
+{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+- name: {{ template "kong.serviceAccountTokenName" . }}
+  {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
+  See the related documentation of semver module that Helm depends on for semverCompare:
+  https://github.com/Masterminds/semver#working-with-prerelease-versions
+  Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
+  {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
+  projected:
+    sources:
+    - serviceAccountToken:
+        expirationSeconds: 3607
+        path: token
+    - configMap:
+        items:
+        - key: ca.crt
+          path: ca.crt
+        name: kube-root-ca.crt
+    - downwardAPI:
+        items:
+        - fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+          path: namespace
+  {{- else }}
+  secret:
+    secretName: {{ template "kong.serviceAccountTokenName" . }}
+    items:
+    - key: token
+      path: token
+    - key: ca.crt
+      path: ca.crt
+    - key: namespace
+      path: namespace
+  {{- end }}
+{{- end }}
 {{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
 {{- if .Values.certificates.cluster.enabled }}
 - name: {{ include "kong.fullname" . }}-cluster-cert
@@ -786,10 +823,22 @@ The name of the service used for the ingress controller's validation webhook

 {{/* effectiveVersion takes an image dict from values.yaml. if .effectiveSemver is set, it returns that, else it returns .tag */}}
 {{- define "kong.effectiveVersion" -}}
+{{- /* Because Kong Gateway enterprise uses versions with 4 segments and not 3 */ -}}
+{{- /* as semver does, we need to account for that here by extracting */ -}}
+{{- /* first 3 segments for comparison */ -}}
 {{- if .effectiveSemver -}}
-{{- .effectiveSemver -}}
+  {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}}
+  {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}}
+  {{- else -}}
+  {{- .effectiveSemver -}}
+  {{- end -}}
 {{- else -}}
-{{- (trimSuffix "-redhat" .tag) -}}
+  {{- $tag := (trimSuffix "-redhat" .tag) -}}
+  {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .tag -}}
+  {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .tag -}}
+  {{- else -}}
+  {{- .tag -}}
+  {{- end -}}
 {{- end -}}
 {{- end -}}

@@ -908,7 +957,7 @@ the template that it itself is using form the above sections.
  {{- end -}}
  {{- $listenConfig := dict -}}
  {{- $listenConfig := merge $listenConfig . -}}
-  {{- $_ := set $listenConfig "address" $address -}}
+  {{- $_ := set $listenConfig "address" (default $address .address) -}}
  {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}}

  {{- if or .tls.client.secretName .tls.client.caBundle -}}
@@ -952,6 +1001,7 @@ the template that it itself is using form the above sections.
 {{- end -}}

 {{- if .Values.admin.ingress.enabled }}
+  {{- $_ := set $autoEnv "KONG_ADMIN_GUI_API_URL" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}}
  {{- $_ := set $autoEnv "KONG_ADMIN_API_URI" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}}
 {{- end -}}

@@ -1203,6 +1253,24 @@ resource roles into their separate templates.
  - namespaces
  verbs:
  - list
+{{- if (semverCompare ">= 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongconsumergroups
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongconsumergroups/status
+  verbs:
+  - get
+  - patch
+  - update
+{{- end }}
 {{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
 - apiGroups:
  - ""
@@ -1614,6 +1682,16 @@ networking.k8s.io/v1beta1
 extensions/v1beta1
 {{- end -}}
 {{- end -}}
+
+{{- define "kong.proxy.compatibleReadiness" -}}
+{{- $proxyReadiness := .Values.readinessProbe -}}
+{{- if (or (semverCompare "< 3.3.0" (include "kong.effectiveVersion" .Values.image)) (and .Values.ingressController.enabled (semverCompare "< 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)))) -}}
+    {{- if (eq $proxyReadiness.httpGet.path "/status/ready") -}}
+        {{- $_ := set $proxyReadiness.httpGet "path" "/status" -}}
+    {{- end -}}
+{{- end -}}
+{{- (toYaml $proxyReadiness) -}}
+{{- end -}}
 {{/*
 appsec labels
 */}}
--- a/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml
+++ b/build_system/charts/open-appsec-kong/templates/admission-webhook.yaml
@@ -46,6 +46,9 @@ webhooks:
  namespaceSelector:
    {{- toYaml . | nindent 4 }}
  {{- end }}
+  {{- with .Values.ingressController.admissionWebhook.timeoutSeconds }}
+  timeoutSeconds: {{ . }}
+  {{- end }}
  objectSelector:
    matchExpressions:
    - key: owner
@@ -80,6 +83,28 @@ webhooks:
    - UPDATE
    resources:
    - secrets
+{{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+      - 'v1'
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  - apiGroups:
+    - gateway.networking.k8s.io
+    apiVersions:
+    - 'v1alpha2'
+    - 'v1beta1'
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - gateways
+    - httproutes
+{{- end }}
  clientConfig:
    {{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
    caBundle: {{ b64enc $caCert }}
--- a/build_system/charts/open-appsec-kong/templates/appsec.yaml
+++ b/build_system/charts/open-appsec-kong/templates/appsec.yaml
@@ -359,7 +359,7 @@ spec:
        {{- include "kong.volumeMounts" . | nindent 10 }}
        {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
        readinessProbe:
-{{ toYaml .Values.readinessProbe | indent 10 }}
+{{ include "kong.proxy.compatibleReadiness" . | indent 10 }}
        livenessProbe:
 {{ toYaml .Values.livenessProbe | indent 10 }}
        {{- if .Values.startupProbe }}
@@ -403,41 +403,6 @@ spec:
      {{- end }}
      {{- include "kong.volumes" . | nindent 8 -}}
      {{- include "kong.userDefinedVolumes" . | nindent 8 -}}
-      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
-        - name: {{ template "kong.serviceAccountTokenName" . }}
-          {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
-          See the related documentation of semver module that Helm depends on for semverCompare:
-          https://github.com/Masterminds/semver#working-with-prerelease-versions
-          Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
-          {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
-          projected:
-            sources:
-            - serviceAccountToken:
-                expirationSeconds: 3607
-                path: token
-            - configMap:
-                items:
-                - key: ca.crt
-                  path: ca.crt
-                name: kube-root-ca.crt
-            - downwardAPI:
-                items:
-                - fieldRef:
-                    apiVersion: v1
-                    fieldPath: metadata.namespace
-                  path: namespace
-          {{- else }}
-          secret:
-            secretName: {{ template "kong.serviceAccountTokenName" . }}
-            items:
-            - key: token
-              path: token
-            - key: ca.crt
-              path: ca.crt
-            - key: namespace
-              path: namespace
-          {{- end }}
-      {{- end }}
  {{- if (and (eq .Values.kind "AppSecStateful") .Values.appsec.persistence.enabled) }}
  volumeClaimTemplates:
  - metadata:
--- a/build_system/charts/open-appsec-kong/templates/deployment.yaml
+++ b/build_system/charts/open-appsec-kong/templates/deployment.yaml
@@ -270,7 +270,7 @@ spec:
        {{- include "kong.volumeMounts" . | nindent 10 }}
        {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
        readinessProbe:
-{{ toYaml .Values.readinessProbe | indent 10 }}
+{{ include "kong.proxy.compatibleReadiness" . | indent 10 }}
        livenessProbe:
 {{ toYaml .Values.livenessProbe | indent 10 }}
        {{- if .Values.startupProbe }}
@@ -302,39 +302,4 @@ spec:
      volumes:
      {{- include "kong.volumes" . | nindent 8 -}}
      {{- include "kong.userDefinedVolumes" . | nindent 8 -}}
-      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
-        - name: {{ template "kong.serviceAccountTokenName" . }}
-          {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
-          See the related documentation of semver module that Helm depends on for semverCompare:
-          https://github.com/Masterminds/semver#working-with-prerelease-versions
-          Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
-          {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
-          projected:
-            sources:
-            - serviceAccountToken:
-                expirationSeconds: 3607
-                path: token
-            - configMap:
-                items:
-                - key: ca.crt
-                  path: ca.crt
-                name: kube-root-ca.crt
-            - downwardAPI:
-                items:
-                - fieldRef:
-                    apiVersion: v1
-                    fieldPath: metadata.namespace
-                  path: namespace
-          {{- else }}
-          secret:
-            secretName: {{ template "kong.serviceAccountTokenName" . }}
-            items:
-            - key: token
-              path: token
-            - key: ca.crt
-              path: ca.crt
-            - key: namespace
-              path: namespace
-          {{- end }}
-      {{- end }}
 {{- end }}
--- a/build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml
+++ b/build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml
@@ -29,6 +29,9 @@ spec:
      {{- range $key, $value := .Values.migrations.annotations }}
        {{ $key }}: {{ $value | quote }}
      {{- end }}
+      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+        kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
+      {{- end }}
      {{- end }}
    spec:
      {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
--- a/build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml
+++ b/build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml
@@ -13,6 +13,8 @@ metadata:
  annotations:
    helm.sh/hook: "pre-upgrade"
    helm.sh/hook-delete-policy: "before-hook-creation"
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
  {{- range $key, $value := .Values.migrations.jobAnnotations }}
    {{ $key }}: {{ $value | quote }}
  {{- end }}
@@ -29,6 +31,9 @@ spec:
      {{- range $key, $value := .Values.migrations.annotations }}
        {{ $key }}: {{ $value | quote }}
      {{- end }}
+      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+        kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
+      {{- end }}
      {{- end }}
    spec:
      {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
--- a/build_system/charts/open-appsec-kong/templates/migrations.yaml
+++ b/build_system/charts/open-appsec-kong/templates/migrations.yaml
@@ -21,6 +21,8 @@ metadata:
    {{- include "kong.metaLabels" . | nindent 4 }}
    app.kubernetes.io/component: init-migrations
  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
  {{- range $key, $value := .Values.migrations.jobAnnotations }}
    {{ $key }}: {{ $value | quote }}
  {{- end }}
@@ -37,6 +39,9 @@ spec:
      {{- range $key, $value := .Values.migrations.annotations }}
        {{ $key }}: {{ $value | quote }}
      {{- end }}
+      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+        kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
+      {{- end }}
      {{- end }}
    spec:
      {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}
--- a/build_system/charts/open-appsec-kong/templates/service-kong-manager.yaml
+++ b/build_system/charts/open-appsec-kong/templates/service-kong-manager.yaml
@@ -1,5 +1,4 @@
 {{- if .Values.deployment.kong.enabled }}
-{{- if .Values.enterprise.enabled }}
 {{- if and .Values.manager.enabled (or .Values.manager.http.enabled .Values.manager.tls.enabled) -}}
 {{- $serviceConfig := dict -}}
 {{- $serviceConfig := merge $serviceConfig .Values.manager -}}
@@ -16,4 +15,3 @@
 {{- end -}}
 {{- end -}}
 {{- end -}}
-{{- end -}}