Updating charts

build_system/charts/open-appsec-k8s-nginx-ingress/Chart.yaml

@@ -1,12 +1,9 @@
 annotations:
   artifacthub.io/changes: |
-    - "Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)"
+    - "Update Ingress-Nginx version controller-v1.9.1"
-    - "feat(helm): Add loadBalancerClass (#9562)"
-    - "added helmshowvalues example (#10019)"
-    - "Update Ingress-Nginx version controller-v1.8.1"
   artifacthub.io/prerelease: "false"
 apiVersion: v2
-appVersion: 1.8.1
+appVersion: latest
 keywords:
 - ingress
 - nginx
@@ -14,4 +11,4 @@ kubeVersion: '>=1.20.0-0'
 name: open-appsec-k8s-nginx-ingress
 sources:
 - https://github.com/kubernetes/ingress-nginx
-version: 4.7.1
+version: 4.8.1

build_system/charts/open-appsec-k8s-nginx-ingress/README.md

@@ -2,7 +2,7 @@
 
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
-![Version: 4.7.1](https://img.shields.io/badge/Version-4.7.1-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square)
+![Version: 4.8.1](https://img.shields.io/badge/Version-4.8.1-informational?style=flat-square) ![AppVersion: 1.9.1](https://img.shields.io/badge/AppVersion-1.9.1-informational?style=flat-square)
 
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
@@ -249,7 +249,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` |  |
 | controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks |
 | controller.admissionWebhooks.namespaceSelector | object | `{}` |  |
-| controller.admissionWebhooks.networkPolicyEnabled | bool | `false` |  |
 | controller.admissionWebhooks.objectSelector | object | `{}` |  |
 | controller.admissionWebhooks.patch.enabled | bool | `true` |  |
 | controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` |  |
@@ -274,7 +273,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.admissionWebhooks.service.servicePort | int | `443` |  |
 | controller.admissionWebhooks.service.type | string | `"ClusterIP"` |  |
 | controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # |
-| controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
+| controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
 | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
 | controller.autoscaling.annotations | object | `{}` |  |
 | controller.autoscaling.behavior | object | `{}` |  |
@@ -294,8 +293,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
 | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
 | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
+| controller.enableAnnotationValidations | bool | `false` |  |
 | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
-| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false |
+| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
 | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
 | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
@@ -306,6 +306,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
 | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. |
 | controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. |
+| controller.hostAliases | list | `[]` | Optionally customize the pod hostAliases. |
 | controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged |
 | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not |
 | controller.hostPort.ports.http | int | `80` | 'hostPort' http port |
@@ -313,13 +314,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `true` |  |
 | controller.image.chroot | bool | `false` |  |
-| controller.image.digest | string | `"sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd"` |  |
+| controller.image.digest | string | `"sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25"` |  |
-| controller.image.digestChroot | string | `"sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627"` |  |
+| controller.image.digestChroot | string | `"sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836"` |  |
 | controller.image.image | string | `"ingress-nginx/controller"` |  |
 | controller.image.pullPolicy | string | `"IfNotPresent"` |  |
 | controller.image.registry | string | `"registry.k8s.io"` |  |
 | controller.image.runAsUser | int | `101` |  |
-| controller.image.tag | string | `"v1.8.1"` |  |
+| controller.image.tag | string | `"v1.9.1"` |  |
 | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
 | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
 | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
@@ -372,10 +373,12 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
 | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
 | controller.name | string | `"controller"` |  |
+| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
 | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
 | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
 | controller.opentelemetry.enabled | bool | `false` |  |
-| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0"` |  |
+| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` |  |
+| controller.opentelemetry.resources | object | `{}` |  |
 | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
 | controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
 | controller.podSecurityContext | object | `{}` | Security Context policies for controller pods |
@@ -399,14 +402,14 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.scope.enabled | bool | `false` | Enable 'scope' or not |
 | controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) |
 | controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. |
-| controller.service.annotations | object | `{}` |  |
+| controller.service.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. |
 | controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 # |
 | controller.service.enableHttp | bool | `true` |  |
 | controller.service.enableHttps | bool | `true` |  |
 | controller.service.enabled | bool | `true` |  |
 | controller.service.external.enabled | bool | `true` |  |
 | controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
-| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. |
+| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. |
 | controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). |
 | controller.service.internal.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. |
 | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. |
@@ -469,6 +472,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | defaultBackend.minAvailable | int | `1` |  |
 | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
 | defaultBackend.name | string | `"defaultbackend"` |  |
+| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
 | defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
 | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
 | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |

build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.7.2.md

@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.7.2
+
+* Update Ingress-Nginx version controller-v1.8.2
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.1...helm-chart-4.7.2

build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.0-beta.0.md

@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.0-beta.0
+
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* [helm] configure allow to configure hostAliases (#10180)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Update Ingress-Nginx version controller-v1.9.0-beta.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0-beta.0

build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.0.md

@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.0
+
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* [helm] configure allow to configure hostAliases (#10180)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Update Ingress-Nginx version controller-v1.9.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0

build_system/charts/open-appsec-k8s-nginx-ingress/changelog/Changelog-4.8.1.md

@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.1
+
+* Update Ingress-Nginx version controller-v1.9.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.0...helm-chart-4.8.1

build_system/charts/open-appsec-k8s-nginx-ingress/templates/_helpers.tpl

@@ -198,7 +198,6 @@ IngressClass parameters.
 Extra modules.
 */}}
 {{- define "extraModules" -}}
-
 - name: {{ .name }}
   image: {{ .image }}
   {{- if .distroless | default false }}
@@ -209,8 +208,10 @@ Extra modules.
   {{- if .containerSecurityContext }}
   securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }}
   {{- end }}
+  {{- if .resources }}
+  resources: {{ .resources | toYaml | nindent 4 }}
+  {{- end }}
   volumeMounts:
     - name: {{ toYaml "modules"}}
       mountPath: {{ toYaml "/modules_mount"}}
-
 {{- end -}}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/_params.tpl

@@ -1,5 +1,8 @@
 {{- define "ingress-nginx.params" -}}
 - /nginx-ingress-controller
+{{- if .Values.controller.enableAnnotationValidations }}
+- --enable-annotation-validation=true
+{{- end }}
 {{- if .Values.defaultBackend.enabled }}
 - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
 {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/admission-webhooks/job-patch/networkpolicy.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.networkPolicyEnabled }}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -16,7 +16,7 @@ metadata:
 spec:
   podSelector:
     matchLabels:
-      {{- include "ingress-nginx.labels" . | nindent 6 }}
+      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
       app.kubernetes.io/component: admission-webhook
   policyTypes:
     - Ingress

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-daemonset.yaml

@@ -45,6 +45,9 @@ spec:
     {{- if .Values.controller.dnsConfig }}
       dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
     {{- end }}
+    {{- if .Values.controller.hostAliases }}
+      hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }}
+    {{- end }}
     {{- if .Values.controller.hostname }}
       hostname: {{ toYaml .Values.controller.hostname | nindent 8 }}
     {{- end }}
@@ -180,13 +183,14 @@ spec:
       {{- end }}
       {{- if .Values.controller.extraModules }}
         {{- range .Values.controller.extraModules }}
-          {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+          {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }}
+          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }}
         {{- end }}
       {{- end }}
       {{- if .Values.controller.opentelemetry.enabled}}
-          {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+          {{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}}
+          {{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }}
+          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}}
       {{- end}}
     {{- end }}
     {{- if .Values.controller.hostNetwork }}
@@ -202,7 +206,7 @@ spec:
       affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
     {{- end }}
     {{- if .Values.controller.topologySpreadConstraints }}
-      topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }}
+      topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
     {{- end }}
       serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-deployment.yaml

@@ -19,13 +19,12 @@ spec:
     matchLabels:
       {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
       app.kubernetes.io/component: controller
-  {{- if not .Values.controller.autoscaling.enabled }}
+  {{- if not (or .Values.controller.autoscaling.enabled .Values.controller.keda.enabled) }}
   replicas: {{ .Values.controller.replicaCount }}
   {{- end }}
   revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
   {{- if .Values.controller.updateStrategy }}
-  strategy:
+  strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
-    {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
   {{- end }}
   minReadySeconds: {{ .Values.controller.minReadySeconds }}
   template:
@@ -49,6 +48,9 @@ spec:
     {{- if .Values.controller.dnsConfig }}
       dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
     {{- end }}
+    {{- if .Values.controller.hostAliases }}
+      hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }}
+    {{- end }}
     {{- if .Values.controller.hostname }}
       hostname: {{ toYaml .Values.controller.hostname | nindent 8 }}
     {{- end }}
@@ -184,13 +186,14 @@ spec:
       {{- end }}
       {{- if .Values.controller.extraModules }}
         {{- range .Values.controller.extraModules }}
-          {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+          {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }}
+          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }}
         {{- end }}
       {{- end }}
       {{- if .Values.controller.opentelemetry.enabled}}
-          {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
+          {{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" false) | nindent 8}}
+          {{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }}
+          {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}}
       {{- end}}
     {{- end }}
     {{- if .Values.controller.hostNetwork }}
@@ -206,7 +209,7 @@ spec:
       affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
     {{- end }}
     {{- if .Values.controller.topologySpreadConstraints }}
-      topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }}
+      topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
     {{- end }}
       serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-networkpolicy.yaml

@@ -0,0 +1,45 @@
+{{- if .Values.controller.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "ingress-nginx.controller.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: controller
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+      {{- range $key, $value := .Values.controller.containerPort }}
+        - protocol: TCP
+          port: {{ $value }}
+      {{- end }}
+      {{- if .Values.controller.metrics.enabled }}
+        - protocol: TCP
+          port: {{ .Values.controller.metrics.port }}
+      {{- end }}
+      {{- if .Values.controller.admissionWebhooks.enabled }}
+        - protocol: TCP
+          port: {{ .Values.controller.admissionWebhooks.port }}
+      {{- end }}
+      {{- range $key, $value := .Values.tcp }}
+        - protocol: TCP
+          port: {{ $key }}
+      {{- end }}
+      {{- range $key, $value := .Values.udp }}
+        - protocol: UDP
+          port: {{ $key }}
+      {{- end }}
+  egress:
+    - {}
+{{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service-internal.yaml

@@ -4,7 +4,7 @@ kind: Service
 metadata:
   annotations:
   {{- range $key, $value := .Values.controller.service.internal.annotations }}
-    {{ $key }}: {{ $value | quote }}
+    {{ $key }}: {{ tpl ($value | toString) $ | quote }}
   {{- end }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-service.yaml

@@ -4,7 +4,7 @@ kind: Service
 metadata:
   annotations:
   {{- range $key, $value := .Values.controller.service.annotations }}
-    {{ $key }}: {{ $value | quote }}
+    {{ $key }}: {{ tpl ($value | toString) $ | quote }}
   {{- end }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-serviceaccount.yaml

@@ -11,8 +11,7 @@ metadata:
   name: {{ template "ingress-nginx.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
   {{- if .Values.serviceAccount.annotations }}
-  annotations:
+  annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
-  {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
   {{- end }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-servicemonitor.yaml

@@ -5,6 +5,8 @@ metadata:
   name: {{ include "ingress-nginx.controller.fullname" . }}
 {{- if .Values.controller.metrics.serviceMonitor.namespace }}
   namespace: {{ .Values.controller.metrics.serviceMonitor.namespace | quote }}
+{{- else }}
+  namespace: {{ .Release.Namespace }}
 {{- end }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/controller-webhooks-networkpolicy.yaml

@@ -1,19 +0,0 @@
-{{- if .Values.controller.admissionWebhooks.enabled }}
-{{- if .Values.controller.admissionWebhooks.networkPolicyEnabled }}
-
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: {{ include "ingress-nginx.fullname" . }}-webhooks-allow
-  namespace: {{ .Release.Namespace }}
-spec:
-  ingress:
-  - {}
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: {{ include "ingress-nginx.name" . }}
-  policyTypes:
-    - Ingress
-
-{{- end }}
-{{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/templates/default-backend-networkpolicy.yaml

@@ -0,0 +1,25 @@
+{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: default-backend
+    {{- with .Values.defaultBackend.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: default-backend
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: {{ .Values.defaultBackend.port }}
+{{- end }}

build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml

@@ -15,6 +15,7 @@ commonLabels: {}
 
 controller:
   name: controller
+  enableAnnotationValidations: false
   image:
     ## Keep false as default for now!
     chroot: false
@@ -23,9 +24,9 @@ controller:
     ## for backwards compatibility consider setting the full image url via the repository value below
     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     ## repository:
-    tag: "v1.8.1"
+    tag: "v1.9.1"
-    digest: sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd
+    digest: sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25
-    digestChroot: sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627
+    digestChroot: sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
@@ -48,6 +49,16 @@ controller:
   addHeaders: {}
   # -- Optionally customize the pod dnsConfig.
   dnsConfig: {}
+  # -- Optionally customize the pod hostAliases.
+  hostAliases: []
+  # - ip: 127.0.0.1
+  #   hostnames:
+  #   - foo.local
+  #   - bar.local
+  # - ip: 10.1.2.3
+  #   hostnames:
+  #   - foo.remote
+  #   - bar.remote
   # -- Optionally customize the pod hostname.
   hostname: {}
   # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
@@ -63,14 +74,14 @@ controller:
   watchIngressWithoutClass: false
   # -- Process IngressClass per name (additionally as per spec.controller).
   ingressClassByName: false
-  # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto"
+  # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto"
   # Defaults to false
   enableTopologyAwareRouting: false
   # -- This configuration defines if Ingress Controller should allow users to set
   # their own *-snippet annotations, otherwise this is forbidden / dropped
   # when users add those annotations.
   # Global snippets in ConfigMap are still respected
-  allowSnippetAnnotations: true
+  allowSnippetAnnotations: false
   # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
   # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
   # is merged
@@ -85,6 +96,10 @@ controller:
       http: 80
       # -- 'hostPort' https port
       https: 443
+  # NetworkPolicy for controller component.
+  networkPolicy:
+    # -- Enable 'networkPolicy' or not
+    enabled: false
   # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader'
   electionID: ""
   ## This section refers to the creation of the IngressClass resource
@@ -245,12 +260,22 @@ controller:
   ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
   ##
   topologySpreadConstraints: []
-  # - maxSkew: 1
+  # - labelSelector:
-  #   topologyKey: topology.kubernetes.io/zone
-  #   whenUnsatisfiable: DoNotSchedule
-  #   labelSelector:
   #     matchLabels:
-  #       app.kubernetes.io/instance: ingress-nginx-internal
+  #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+  #       app.kubernetes.io/instance: '{{ .Release.Name }}'
+  #       app.kubernetes.io/component: controller
+  #   topologyKey: topology.kubernetes.io/zone
+  #   maxSkew: 1
+  #   whenUnsatisfiable: ScheduleAnyway
+  # - labelSelector:
+  #     matchLabels:
+  #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+  #       app.kubernetes.io/instance: '{{ .Release.Name }}'
+  #       app.kubernetes.io/component: controller
+  #   topologyKey: kubernetes.io/hostname
+  #   maxSkew: 1
+  #   whenUnsatisfiable: ScheduleAnyway
 
   # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready
   ## wait up to five minutes for the drain of connections
@@ -415,6 +440,7 @@ controller:
     # Will be ignored for Kubernetes versions older than 1.20
     ##
     appProtocol: true
+    # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
     annotations: {}
     labels: {}
     # clusterIP: ""
@@ -476,7 +502,7 @@ controller:
     internal:
       # -- Enables an additional internal load balancer (besides the external one).
       enabled: false
-      # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
+      # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
       annotations: {}
       # -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS.
       loadBalancerIP: ""
@@ -552,9 +578,10 @@ controller:
 
   opentelemetry:
     enabled: false
-    image: registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0
+    image: registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
     containerSecurityContext:
       allowPrivilegeEscalation: false
+    resources: {}
   admissionWebhooks:
     annotations: {}
     # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".
@@ -583,7 +610,6 @@ controller:
     labels: {}
     # -- Use an existing PSP instead of creating one
     existingPsp: ""
-    networkPolicyEnabled: false
     service:
       annotations: {}
       # clusterIP: ""
@@ -849,6 +875,10 @@ defaultBackend:
     maxReplicas: 2
     targetCPUUtilizationPercentage: 50
     targetMemoryUtilizationPercentage: 50
+  # NetworkPolicy for default backend component.
+  networkPolicy:
+    # -- Enable 'networkPolicy' or not
+    enabled: false
   service:
     annotations: {}
     # clusterIP: ""
@@ -909,8 +939,8 @@ appsec:
   image: 
     #registry:
     repository: ghcr.io/openappsec
-    image: agent
+    image: "agent"
-    tag: latest
+    tag: "latest"
     pullPolicy: Always
 
     securityContext: {}

build_system/charts/open-appsec-kong/CHANGELOG.md

@@ -1,5 +1,98 @@
 # Changelog
 
+## Unreleased
+
+Nothing yet.
+
+## 2.29.0
+
+### Improvements
+* Make it possible to set the admission webhook's `timeoutSeconds`.
+
+## 2.28.1
+
+### Fixed
+
+* The admission webhook now includes Gateway API resources and Ingress
+  resources for controller versions 2.12+. This version introduces new
+  validations for Kong's regex path implementation.
+
+## 2.28.0
+
+### Improvements
+
+* Bump default `kong` image tag to 3.4.
+  [#883](https://github.com/Kong/charts/pull/883)
+* Bump default ingress controller image tag to 2.12.
+* Added validation rule for `latency` upstream load balancing algorithm to
+  CRDs. [Upgrade your CRDs](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds)
+  when installing this release.
+
+## 2.27.0
+
+### Improvements
+
+* Listens now all support `.address` configuration. This was an existing
+  setting that was not applied properly for some listens.
+  [#881](https://github.com/Kong/charts/pull/881)
+
+## 2.26.5
+
+### Fixed 
+
+* Kuma ServiceAccount Token hints and volumes are also available in migrations
+  Pods.
+  [#877](https://github.com/Kong/charts/pull/877)
+
+## 2.26.4
+
+### Fixed 
+
+* updated `admin_api_uri` to `admin_gui_api_url` as per [kong documentation](https://docs.konghq.com/gateway/3.4.x/reference/configuration/#admin_api_uri). 
+
+## 2.26.3
+
+### Fixed 
+
+* Enabled Service and Ingress in Kong Manager for non enterprise users.
+
+## 2.26.2
+
+### Fixed 
+
+* Add missing CRD KongConsumerGroup and extend status subresource for CRDs
+
+## 2.26.1
+
+### Fixed
+
+* Fix parsing enterprise tags (like e.g. `3.4.0.0`)
+  [#857](https://github.com/Kong/charts/pull/857)
+
+## 2.26.0
+
+### Breaking changes
+
+2.26 changes the default proxy readiness endpoint for newer Kong versions. This
+causes an issue in a narrow edge case. If all of the following are true:
+
+* You use Kong 3.3 or newer.
+* You use controller 2.10 or older.
+* You run the controller and proxy in separate Deployments.
+
+you are affected and should review [the 2.26 upgrade instructions](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2260).
+
+### Improvements
+
+* Use the Kong 3.3 `/status/ready` endpoint for readiness probes by default if
+  available. If not available, use the old `/status` default.
+  [#844](https://github.com/Kong/charts/pull/844)
+* Add ArgoCD `Sync` and `BeforeHookCreation` [hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/)
+  to the the init and pre-upgrade migrations Jobs.
+* Add controller's RBAC rules for `KongConsumerGroups` CRD.
+  [#850](https://github.com/Kong/charts/pull/850)
+* Updated controller version to 2.11.
+
 ## 2.25.0
 
 - Generate the `adminApiService.name` value from `.Release.Name` rather than

build_system/charts/open-appsec-kong/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: "3.3"
+appVersion: 1.1.0
 dependencies:
 - condition: postgresql.enabled
   name: postgresql
@@ -16,4 +16,4 @@ maintainers:
 name: open-appsec-kong
 sources:
 - https://github.com/Kong/charts/tree/main/charts/kong
-version: 2.25.0
+version: 2.29.0

build_system/charts/open-appsec-kong/README.md

@@ -71,6 +71,7 @@ $ helm install kong/kong --generate-name
   - [Sessions](#sessions)
   - [Email/SMTP](#emailsmtp)
 - [Prometheus Operator integration](#prometheus-operator-integration)
+- [Argo CD considerations](#argo-cd-considerations)
 - [Changelog](https://github.com/Kong/charts/blob/main/charts/kong/CHANGELOG.md)
 - [Upgrading](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md)
 - [Seeking help](#seeking-help)
@@ -599,7 +600,8 @@ directory.
 | Parameter                          | Description                                                                           | Default             |
 | ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- |
 | image.repository                   | Kong image                                                                            | `kong`              |
-| image.tag                          | Kong image version                                                                    | `2.5`               |
+| image.tag                          | Kong image version                                                                    | `3.4`               |
+| image.effectiveSemver              | Semantic version to use for version-dependent features (if `tag` is not a semver)     |                     |
 | image.pullPolicy                   | Image pull policy                                                                     | `IfNotPresent`      |
 | image.pullSecrets                  | Image pull secrets                                                                    | `null`              |
 | replicaCount                       | Kong instance count. It has no effect when `autoscaling.enabled` is set to true         | `1`                 |
@@ -723,7 +725,7 @@ section of `values.yaml` file:
 |--------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
 | enabled                                    | Deploy the ingress controller, rbac and crd                                                                                                              | true                               |
 | image.repository                           | Docker image with the ingress controller                                                                                                                 | kong/kubernetes-ingress-controller |
-| image.tag                                  | Version of the ingress controller                                                                                                                        | 2.0                                |
+| image.tag                                  | Version of the ingress controller                                                                                                                        | `2.12`                             |
 | image.effectiveSemver                      | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version                                      |                                    |
 | readinessProbe                             | Kong ingress controllers readiness probe                                                                                                                 |                                    |
 | livenessProbe                              | Kong ingress controllers liveness probe                                                                                                                  |                                    |
@@ -737,11 +739,13 @@ section of `values.yaml` file:
 | admissionWebhook.enabled                   | Whether to enable the validating admission webhook                                                                                                       | true                               |
 | admissionWebhook.failurePolicy             | How unrecognized errors from the admission endpoint are handled (Ignore or Fail)                                                                         | Ignore                             |
 | admissionWebhook.port                      | The port the ingress controller will listen on for admission webhooks                                                                                    | 8080                               |
+| admissionWebhook.address                   | The address the ingress controller will listen on for admission webhooks, if not 0.0.0.0                                                                 |                                    |
 | admissionWebhook.annotations               | Annotations for the Validation Webhook Configuration                                                                                                     |                                    |
 | admissionWebhook.certificate.provided      | Use a provided certificate. When set to false, the chart will automatically generate a certificate.                                                      | false                              |
 | admissionWebhook.certificate.secretName    | Name of the TLS secret for the provided webhook certificate                                                                                              |                                    |
 | admissionWebhook.certificate.caBundle      | PEM encoded CA bundle which will be used to validate the provided webhook certificate                                                                    |                                    |
 | admissionWebhook.namespaceSelector         | Add namespaceSelector to the webhook. Please go to [Kubernetes doc for the specs](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector)                                                                          |                                    |
+| admissionWebhook.timeoutSeconds            | Kubernetes `apiserver`'s timeout when running this webhook. Default: 10 seconds.                                                                         |                                    |
 | userDefinedVolumes                         | Create volumes. Please go to Kubernetes doc for the spec of the volumes                                                                                  |                                    |
 | userDefinedVolumeMounts                    | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts                                                                        |                                    |
 | terminationGracePeriodSeconds              | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30                                 |
@@ -1045,7 +1049,7 @@ must know where other Kong services (namely the admin and files APIs) can be
 accessed in order to function properly. Kong's default behavior for attempting
 to locate these absent configuration is unlikely to work in common Kubernetes
 environments. Because of this, you should set each of `admin_gui_url`,
-`admin_api_uri`, `proxy_url`, `portal_api_url`, `portal_gui_host`, and
+`admin_gui_api_url`, `proxy_url`, `portal_api_url`, `portal_gui_host`, and
 `portal_gui_protocol` under the `.env` key in values.yaml to locations where
 each of their respective services can be accessed to ensure that Kong services
 can locate one another and properly set CORS headers. See the
@@ -1161,6 +1165,28 @@ admin:
     enable-metrics: "true"
 ```
 
+## Argo CD Considerations
+
+The built-in database subchart (`postgresql.enabled` in values) is not
+supported when installing the chart via Argo CD.
+
+Argo CD does not support the full Helm lifecycle. There is no distinction
+between the initial install and upgrades. Both operations are a "sync" in Argo
+terms. This affects when migration Jobs execute in database-backed Kong
+installs.
+
+The chart sets the `Sync` and `BeforeHookCreation` deletion 
+[hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/)
+on the `init-migrations` and `pre-upgrade-migrations` Jobs.
+
+The `pre-upgrade-migrations` Job normally uses Helm's `pre-upgrade` policy. Argo
+translates this to its `PreSync` policy, which would create the Job before all
+sync phase resources. Doing this before various sync phase resources (such as
+the ServiceAccount) are in place would prevent the Job from running
+successfully. Overriding this with Argo's `Sync` policy starts the Job at the
+same time as the upgraded Deployment Pods. The new Pods may fail to start
+temporarily, but will eventually start normally once migrations complete.
+
 ## Seeking help
 
 If you run into an issue, bug or have a question, please reach out to the Kong

build_system/charts/open-appsec-kong/UPGRADE.md

@@ -17,7 +17,8 @@ upgrading from a previous version.
 ## Table of contents
 
 - [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions)
-- [2.17.0](#2170)
+- [2.26.0](#2260)
+- [2.19.0](#2190)
 - [2.13.0](#2130)
 - [2.8.0](#280)
 - [2.7.0](#270)
@@ -83,6 +84,35 @@ https://raw.githubusercontent.com/Kong/charts/kong-<version>/charts/kong/crds/cu
 For example, if your release is 2.6.4, you would apply
 `https://raw.githubusercontent.com/Kong/charts/kong-2.6.4/charts/kong/crds/custom-resource-definitions.yaml`.
 
+## 2.26.0
+
+If you are using controller version 2.10 or lower and proxy version 3.3 or
+higher in separate Deployments (such as when using the `ingress` chart), proxy
+Pods will not become ready unless you override the default readiness endpoint:
+
+```
+readinessProbe:
+  httpGet:
+    path: /status
+```
+
+This section goes under the `gateway` section when using the `ingress` chart.
+
+2.26 changes the default proxy readiness endpoint to the `/status/ready`
+endpoint introduced in Kong 3.3. This endpoint reports true when Kong has
+configuration available, whereas the previous `/status` endpoint returned true
+immediately after start, and could result in proxy instances attempting to
+serve requests before they had configuration.
+
+The chart has logic to fall back to the older endpoint if the proxy and
+controller versions do not work well with the new endpoint. However, the chart
+detection cannot determine the controller version when the controller is in a
+separate Deployment, and will always use the new endpoint if the Kong image
+version is 3.3 or higher.
+
+Kong recommends Kong 3.3 and higher users update to controller 2.11 at their
+earliest convenience to take advantage of the improved readiness behavior.
+
 ## 2.19.0
 
 2.19 sets a default [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)

build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip-values.yaml

@@ -0,0 +1,18 @@
+admin:
+  enabled: true
+  type: ClusterIP
+
+# Stub config to make the instance become ready
+dblessConfig:
+  config: |
+    _format_version: "1.1"
+    services:
+    - name: example.com
+      url: http://example.com
+      routes:
+      - name: example
+        paths:
+        - "/example"
+
+ingressController:
+  enabled: false

build_system/charts/open-appsec-kong/ci/admin-api-service-clusterip.yaml

@@ -1,6 +0,0 @@
-admin:
-  enabled: true
-  type: ClusterIP
-
-ingressController:
-  enabled: false

build_system/charts/open-appsec-kong/ci/custom-labels-values.yaml

@@ -1,6 +1,3 @@
-
 # install chart with some extra labels
-
 extraLabels:
   acme.com/some-key: some-value
-

build_system/charts/open-appsec-kong/ci/default-values.yaml

@@ -1,7 +1,4 @@
 # install chart with default values
-proxy:
-  type: NodePort
-
 env:
   anonymous_reports: "off"
 ingressController:

build_system/charts/open-appsec-kong/ci/kong-ingress-1-values.yaml

@@ -1,6 +1,5 @@
 # CI test for empty hostname including tls secret using string
 proxy:
-  type: NodePort
   ingress:
     enabled: true
     tls: "kong.proxy.example.secret"

build_system/charts/open-appsec-kong/ci/kong-ingress-2-values.yaml

@@ -1,6 +1,5 @@
 # CI test for hostname including tls secret using string
 proxy:
-  type: NodePort
   ingress:
     enabled: true
     hostname: "proxy.kong.example"

build_system/charts/open-appsec-kong/ci/kong-ingress-3-values.yaml

@@ -1,6 +1,5 @@
 # CI test for using ingress hosts configuration
 proxy:
-  type: NodePort
   ingress:
     enabled: true
     hosts:

build_system/charts/open-appsec-kong/ci/kong-ingress-4-values.yaml

@@ -1,6 +1,5 @@
 # CI test for testing combined ingress hostname and hosts configuration including tls configuraion using slice
 proxy:
-  type: NodePort
   ingress:
     enabled: true
     hostname: "proxy.kong.example"

build_system/charts/open-appsec-kong/ci/single-image-default-values.yaml

@@ -2,9 +2,7 @@
 # use single image strings instead of repository/tag
 
 image:
-  unifiedRepoTag: kong:2.6
+  unifiedRepoTag: kong:3.4
-proxy:
-  type: NodePort
 
 env:
   anonymous_reports: "off"
@@ -12,4 +10,4 @@ ingressController:
   env:
     anonymous_reports: "false"
   image:
-    unifiedRepoTag: kong/kubernetes-ingress-controller:2.0.2
+    unifiedRepoTag: kong/kubernetes-ingress-controller:2.12

build_system/charts/open-appsec-kong/ci/test-enterprise-version-3.4.0.0-values.yaml

@@ -0,0 +1,14 @@
+ingressController:
+  enabled: false
+
+image:
+  repository: kong/kong-gateway
+  tag: "3.4.0.0"
+
+readinessProbe:
+  httpGet:
+    path: "/status"
+    port: status
+    scheme: HTTP
+  initialDelaySeconds: 1
+  periodSeconds: 1

build_system/charts/open-appsec-kong/ci/test1-values.yaml

@@ -30,14 +30,12 @@ podLabels:
   environment: test
 # - ingress resources are created with hosts
 admin:
-  type: NodePort
   ingress:
     enabled: true
     hostname: admin.kong.example
     annotations: {}
     path: /
 proxy:
-  type: NodePort
   ingress:
     enabled: true
     hostname: proxy.kong.example

build_system/charts/open-appsec-kong/ci/test2-values.yaml

@@ -3,8 +3,12 @@
 # - stream listens work
 # - a mixture of controller, Kong, and shared volumes successfully mount
 # - watchNamespaces is set
+# - the admission webhook is enabled; has the timeout explicitly set
 ingressController:
   enabled: true
+  admissionWebhook:
+    enabled: true
+    timeoutSeconds: 5
   env:
     anonymous_reports: "false"
   customEnv:
@@ -21,13 +25,11 @@ env:
   database: "postgres"
 # - ingress resources are created without hosts
 admin:
-  type: NodePort
   ingress:
     enabled: true
     hosts: []
     path: /
 proxy:
-  type: NodePort
   ingress:
     enabled: true
     hostname: proxy.kong.example

build_system/charts/open-appsec-kong/ci/test3-values.yaml

@@ -8,8 +8,6 @@ env:
   database: "off"
 postgresql:
   enabled: false
-proxy:
-  type: NodePort
 deployment:
   initContainers:
     - name: "bash"

build_system/charts/open-appsec-kong/ci/test4-values.yaml

@@ -12,7 +12,6 @@ env:
 postgresql:
   enabled: false
 proxy:
-  type: NodePort
 # - add stream listens
   stream:
   - containerPort: 9000

build_system/charts/open-appsec-kong/ci/test5-values.yaml

@@ -26,13 +26,11 @@ customEnv:
   client_id: "exampleId"
 # - ingress resources are created without hosts
 admin:
-  type: NodePort
   ingress:
     enabled: true
     hosts: []
     path: /
 proxy:
-  type: NodePort
   ingress:
     enabled: true
     hostname: proxy.kong.example

build_system/charts/open-appsec-kong/ci/test6-values.yaml

@@ -1,34 +0,0 @@
-# CI test for testing dbless deployment without ingress controllers
-# - disable ingress controller
-# - no static config
-ingressController:
-  enabled: false
-# - disable DB for kong
-env:
-  anonymous_reports: "off"
-  database: "off"
-postgresql:
-  enabled: false
-proxy:
-  type: NodePort
-deployment:
-  initContainers:
-    - name: "bash"
-      image: "bash:latest"
-      command: ["/bin/sh", "-c", "true"]
-      resources:
-        limits:
-          cpu: "100m"
-          memory: "64Mi"
-        requests:
-          cpu: "100m"
-          memory: "64Mi"
-      volumeMounts:
-      - name: "tmpdir"
-        mountPath: "/opt/tmp"
-  userDefinedVolumes:
-  - name: "tmpdir"
-    emptyDir: {}
-  userDefinedVolumeMounts:
-  - name: "tmpdir"
-    mountPath: "/opt/tmp"

build_system/charts/open-appsec-kong/crds/custom-resource-definitions.yaml

@@ -1,10 +1,9 @@
-# generated using: kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/crd?ref=v2.8.1
+# generated using: kubectl kustomize 'github.com/kong/kubernetes-ingress-controller/config/crd?ref=v2.12.0'
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
+    controller-gen.kubebuilder.io/version: v0.13.0
-  creationTimestamp: null
   name: ingressclassparameterses.configuration.konghq.com
 spec:
   group: configuration.konghq.com
@@ -56,8 +55,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
+    controller-gen.kubebuilder.io/version: v0.13.0
-  creationTimestamp: null
   name: kongclusterplugins.configuration.konghq.com
 spec:
   group: configuration.konghq.com
@@ -91,6 +89,9 @@ spec:
       name: Config
       priority: 1
       type: string
+    - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+      name: Programmed
+      type: string
     name: v1
     schema:
       openAPIV3Schema:
@@ -142,6 +143,11 @@ spec:
           disabled:
             description: Disabled set if the plugin is disabled or not.
             type: boolean
+          instance_name:
+            description: InstanceName is an optional custom name to identify an instance
+              of the plugin. This is useful when running the same plugin in multiple
+              contexts, for example, on multiple services.
+            type: string
           kind:
             description: 'Kind is a string value representing the REST resource this
               object represents. Servers may infer this from the endpoint the client
@@ -183,6 +189,8 @@ spec:
             description: Protocols configures plugin to run on requests received on
               specific protocols.
             items:
+              description: KongProtocol is a valid Kong protocol. This alias is necessary
+                to deal with https://github.com/kubernetes-sigs/controller-tools/issues/342
               enum:
               - http
               - https
@@ -201,6 +209,91 @@ spec:
             - second
             - all
             type: string
+          status:
+            description: Status represents the current status of the KongClusterPlugin
+              resource.
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for controller
+                  reason: Pending
+                  status: Unknown
+                  type: Programmed
+                description: "Conditions describe the current conditions of the KongClusterPluginStatus.
+                  \n Known condition types are: \n * \"Programmed\""
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 8
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
         required:
         - plugin
         type: object
@@ -213,8 +306,142 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
+    controller-gen.kubebuilder.io/version: v0.13.0
-  creationTimestamp: null
+  name: kongconsumergroups.configuration.konghq.com
+spec:
+  group: configuration.konghq.com
+  names:
+    categories:
+    - kong-ingress-controller
+    kind: KongConsumerGroup
+    listKind: KongConsumerGroupList
+    plural: kongconsumergroups
+    shortNames:
+    - kcg
+    singular: kongconsumergroup
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Age
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+      name: Programmed
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: KongConsumerGroup is the Schema for the kongconsumergroups API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          status:
+            description: Status represents the current status of the KongConsumer
+              resource.
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for controller
+                  reason: Pending
+                  status: Unknown
+                  type: Programmed
+                description: "Conditions describe the current conditions of the KongConsumerGroup.
+                  \n Known condition types are: \n * \"Programmed\""
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 8
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.13.0
   name: kongconsumers.configuration.konghq.com
 spec:
   group: configuration.konghq.com
@@ -238,6 +465,9 @@ spec:
       jsonPath: .metadata.creationTimestamp
       name: Age
       type: date
+    - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+      name: Programmed
+      type: string
     name: v1
     schema:
       openAPIV3Schema:
@@ -248,6 +478,12 @@ spec:
               of an object. Servers should convert recognized schemas to the latest
               internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
             type: string
+          consumerGroups:
+            description: ConsumerGroups are references to consumer groups (that consumer
+              wants to be part of) provisioned in Kong.
+            items:
+              type: string
+            type: array
           credentials:
             description: Credentials are references to secrets containing a credential
               to be provisioned in Kong.
@@ -265,6 +501,91 @@ spec:
             type: string
           metadata:
             type: object
+          status:
+            description: Status represents the current status of the KongConsumer
+              resource.
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for controller
+                  reason: Pending
+                  status: Unknown
+                  type: Programmed
+                description: "Conditions describe the current conditions of the KongConsumer.
+                  \n Known condition types are: \n * \"Programmed\""
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 8
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
           username:
             description: Username is a Kong cluster-unique username of the consumer.
             type: string
@@ -278,8 +599,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
+    controller-gen.kubebuilder.io/version: v0.13.0
-  creationTimestamp: null
   name: kongingresses.configuration.konghq.com
 spec:
   group: configuration.konghq.com
@@ -381,8 +701,7 @@ spec:
                 type: integer
               methods:
                 description: 'Methods is a list of HTTP methods that match this Route.
-                  Deprecated: use Ingress'' "konghq.com/override-protocols" annotation
+                  Deprecated: use Ingress'' "konghq.com/methods" annotation instead.'
-                  instead.'
                 items:
                   type: string
                 type: array
@@ -407,6 +726,8 @@ spec:
                   allow. Deprecated: use Ingress'' "konghq.com/protocols" annotation
                   instead.'
                 items:
+                  description: KongProtocol is a valid Kong protocol. This alias is
+                    necessary to deal with https://github.com/kubernetes-sigs/controller-tools/issues/342
                   enum:
                   - http
                   - https
@@ -448,8 +769,8 @@ spec:
             type: object
           upstream:
             description: Upstream represents a virtual hostname and can be used to
-              load balance incoming requests over multiple targets (e.g. Kubernetes
+              loadbalance incoming requests over multiple targets (e.g. Kubernetes
-              Services can be a target, or URLs can be targets).
+              `Services` can be a target, OR `Endpoints` can be targets).
             properties:
               algorithm:
                 description: Algorithm is the load balancing algorithm to use.
@@ -457,6 +778,7 @@ spec:
                 - round-robin
                 - consistent-hashing
                 - least-connections
+                - latency
                 type: string
               hash_fallback:
                 description: 'HashFallback defines What to use as hashing input if
@@ -512,6 +834,12 @@ spec:
                       concurrency:
                         minimum: 1
                         type: integer
+                      headers:
+                        additionalProperties:
+                          items:
+                            type: string
+                          type: array
+                        type: object
                       healthy:
                         description: Healthy configures thresholds and HTTP status
                           codes to mark targets healthy for an upstream.
@@ -626,8 +954,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
+    controller-gen.kubebuilder.io/version: v0.13.0
-  creationTimestamp: null
   name: kongplugins.configuration.konghq.com
 spec:
   group: configuration.konghq.com
@@ -661,6 +988,9 @@ spec:
       name: Config
       priority: 1
       type: string
+    - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+      name: Programmed
+      type: string
     name: v1
     schema:
       openAPIV3Schema:
@@ -708,6 +1038,11 @@ spec:
           disabled:
             description: Disabled set if the plugin is disabled or not.
             type: boolean
+          instance_name:
+            description: InstanceName is an optional custom name to identify an instance
+              of the plugin. This is useful when running the same plugin in multiple
+              contexts, for example, on multiple services.
+            type: string
           kind:
             description: 'Kind is a string value representing the REST resource this
               object represents. Servers may infer this from the endpoint the client
@@ -749,6 +1084,8 @@ spec:
             description: Protocols configures plugin to run on requests received on
               specific protocols.
             items:
+              description: KongProtocol is a valid Kong protocol. This alias is necessary
+                to deal with https://github.com/kubernetes-sigs/controller-tools/issues/342
               enum:
               - http
               - https
@@ -767,6 +1104,90 @@ spec:
             - second
             - all
             type: string
+          status:
+            description: Status represents the current status of the KongPlugin resource.
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for controller
+                  reason: Pending
+                  status: Unknown
+                  type: Programmed
+                description: "Conditions describe the current conditions of the KongPluginStatus.
+                  \n Known condition types are: \n * \"Programmed\""
+                items:
+                  description: "Condition contains details for one aspect of the current
+                    state of this API Resource. --- This struct is intended for direct
+                    use as an array at the field path .status.conditions.  For example,
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
+                    \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+                    // +listType=map // +listMapKey=type Conditions []metav1.Condition
+                    `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+                    protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+                  properties:
+                    lastTransitionTime:
+                      description: lastTransitionTime is the last time the condition
+                        transitioned from one status to another. This should be when
+                        the underlying condition changed.  If that is not known, then
+                        using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: observedGeneration represents the .metadata.generation
+                        that the condition was set based upon. For instance, if .metadata.generation
+                        is currently 12, but the .status.conditions[x].observedGeneration
+                        is 9, the condition is out of date with respect to the current
+                        state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: reason contains a programmatic identifier indicating
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                        --- Many .condition.type values are consistent across resources
+                        like Available, but because arbitrary conditions can be useful
+                        (see .node.status.conditions), the ability to deconflict is
+                        important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 8
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+            type: object
         required:
         - plugin
         type: object
@@ -779,8 +1200,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
+    controller-gen.kubebuilder.io/version: v0.13.0
-  creationTimestamp: null
   name: tcpingresses.configuration.konghq.com
 spec:
   group: configuration.konghq.com
@@ -966,8 +1386,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
+    controller-gen.kubebuilder.io/version: v0.13.0
-  creationTimestamp: null
   name: udpingresses.configuration.konghq.com
 spec:
   group: configuration.konghq.com

build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml

@@ -88,7 +88,7 @@ enterprise:
     enabled: true
 env:
   admin_access_log: /dev/stdout
-  admin_api_uri: https://kong.127-0-0-1.nip.io/api
+  admin_gui_api_url: https://kong.127-0-0-1.nip.io/api
   admin_error_log: /dev/stdout
   admin_gui_access_log: /dev/stdout
   admin_gui_error_log: /dev/stdout
@@ -146,7 +146,7 @@ extraLabels:
   konghq.com/component: quickstart
 image:
   repository: kong/kong-gateway
-  tag: "3.3"
+  tag: "3.4"
 ingressController:
   enabled: true
   env:

build_system/charts/open-appsec-kong/example-values/full-k4k8s-with-kong-enterprise.yaml

@@ -12,7 +12,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.3"
+  tag: "3.4"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/example-values/minimal-k4k8s-with-kong-enterprise.yaml

@@ -9,7 +9,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.3"
+  tag: "3.4"
 
 admin:
   enabled: true

build_system/charts/open-appsec-kong/example-values/minimal-kong-controller.yaml

@@ -2,7 +2,7 @@
 
 image:
   repository: kong
-  tag: "3.3"
+  tag: "3.4"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-dbless.yaml

@@ -4,7 +4,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.3"
+  tag: "3.4"
 
 enterprise:
   enabled: true

build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-control.yaml

@@ -14,7 +14,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.3"
+  tag: "3.4"
 
 env:
   database: postgres

build_system/charts/open-appsec-kong/example-values/minimal-kong-enterprise-hybrid-data.yaml

@@ -12,7 +12,7 @@
 
 image:
   repository: kong/kong-gateway
-  tag: "3.3"
+  tag: "3.4"
 
 env:
   role: data_plane

build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-control.yaml

@@ -6,7 +6,7 @@
 
 image:
   repository: kong
-  tag: "3.3"
+  tag: "3.4"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/example-values/minimal-kong-hybrid-data.yaml

@@ -11,7 +11,7 @@
 
 image:
   repository: kong
-  tag: "3.3"
+  tag: "3.4"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/example-values/minimal-kong-standalone.yaml

@@ -6,7 +6,7 @@
 
 image:
   repository: kong
-  tag: "3.3"
+  tag: "3.4"
 
 env:
   prefix: /kong_prefix/

build_system/charts/open-appsec-kong/templates/_helpers.tpl

@@ -330,10 +330,11 @@ Create KONG_STREAM_LISTEN string
 */}}
 {{- define "kong.streamListen" -}}
   {{- $unifiedListen := list -}}
+  {{- $address := (default "0.0.0.0" .address) -}}
   {{- range .stream -}}
     {{- $listenConfig := dict -}}
     {{- $listenConfig := merge $listenConfig . -}}
-    {{- $_ := set $listenConfig "address" "0.0.0.0" -}}
+    {{- $_ := set $listenConfig "address" $address -}}
     {{/* You set NGINX stream listens to UDP using a parameter due to historical reasons.
          Our configuration is dual-purpose, for both the Service and listen string, so we
          forcibly inject this parameter if that's the Service protocol. The default handles
@@ -458,7 +459,8 @@ The name of the service used for the ingress controller's validation webhook
   {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}}
 
   {{- if .Values.ingressController.admissionWebhook.enabled }}
-    {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "0.0.0.0:%d" (int64 .Values.ingressController.admissionWebhook.port)) -}}
+    {{- $address := (default "0.0.0.0" .Values.ingressController.admissionWebhook.address) -}}
+    {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "%s:%d" $address (int64 .Values.ingressController.admissionWebhook.port)) -}}
   {{- end }}
   {{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }}
     {{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}}
@@ -552,6 +554,41 @@ The name of the service used for the ingress controller's validation webhook
 - name: {{ template "kong.fullname" . }}-tmp
   emptyDir:
     sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }}
+{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+- name: {{ template "kong.serviceAccountTokenName" . }}
+  {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
+  See the related documentation of semver module that Helm depends on for semverCompare:
+  https://github.com/Masterminds/semver#working-with-prerelease-versions
+  Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
+  {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
+  projected:
+    sources:
+    - serviceAccountToken:
+        expirationSeconds: 3607
+        path: token
+    - configMap:
+        items:
+        - key: ca.crt
+          path: ca.crt
+        name: kube-root-ca.crt
+    - downwardAPI:
+        items:
+        - fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace
+          path: namespace
+  {{- else }}
+  secret:
+    secretName: {{ template "kong.serviceAccountTokenName" . }}
+    items:
+    - key: token
+      path: token
+    - key: ca.crt
+      path: ca.crt
+    - key: namespace
+      path: namespace
+  {{- end }}
+{{- end }}
 {{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}}
 {{- if .Values.certificates.cluster.enabled }}
 - name: {{ include "kong.fullname" . }}-cluster-cert
@@ -786,10 +823,22 @@ The name of the service used for the ingress controller's validation webhook
 
 {{/* effectiveVersion takes an image dict from values.yaml. if .effectiveSemver is set, it returns that, else it returns .tag */}}
 {{- define "kong.effectiveVersion" -}}
+{{- /* Because Kong Gateway enterprise uses versions with 4 segments and not 3 */ -}}
+{{- /* as semver does, we need to account for that here by extracting */ -}}
+{{- /* first 3 segments for comparison */ -}}
 {{- if .effectiveSemver -}}
-{{- .effectiveSemver -}}
+  {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}}
+  {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}}
+  {{- else -}}
+  {{- .effectiveSemver -}}
+  {{- end -}}
 {{- else -}}
-{{- (trimSuffix "-redhat" .tag) -}}
+  {{- $tag := (trimSuffix "-redhat" .tag) -}}
+  {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .tag -}}
+  {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .tag -}}
+  {{- else -}}
+  {{- .tag -}}
+  {{- end -}}
 {{- end -}}
 {{- end -}}
 
@@ -908,7 +957,7 @@ the template that it itself is using form the above sections.
   {{- end -}}
   {{- $listenConfig := dict -}}
   {{- $listenConfig := merge $listenConfig . -}}
-  {{- $_ := set $listenConfig "address" $address -}}
+  {{- $_ := set $listenConfig "address" (default $address .address) -}}
   {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}}
 
   {{- if or .tls.client.secretName .tls.client.caBundle -}}
@@ -952,6 +1001,7 @@ the template that it itself is using form the above sections.
 {{- end -}}
 
 {{- if .Values.admin.ingress.enabled }}
+  {{- $_ := set $autoEnv "KONG_ADMIN_GUI_API_URL" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}}
   {{- $_ := set $autoEnv "KONG_ADMIN_API_URI" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}}
 {{- end -}}
 
@@ -1203,6 +1253,24 @@ resource roles into their separate templates.
   - namespaces
   verbs:
   - list
+{{- if (semverCompare ">= 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongconsumergroups
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - configuration.konghq.com
+  resources:
+  - kongconsumergroups/status
+  verbs:
+  - get
+  - patch
+  - update
+{{- end }}
 {{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
 - apiGroups:
   - ""
@@ -1614,6 +1682,16 @@ networking.k8s.io/v1beta1
 extensions/v1beta1
 {{- end -}}
 {{- end -}}
+
+{{- define "kong.proxy.compatibleReadiness" -}}
+{{- $proxyReadiness := .Values.readinessProbe -}}
+{{- if (or (semverCompare "< 3.3.0" (include "kong.effectiveVersion" .Values.image)) (and .Values.ingressController.enabled (semverCompare "< 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)))) -}}
+    {{- if (eq $proxyReadiness.httpGet.path "/status/ready") -}}
+        {{- $_ := set $proxyReadiness.httpGet "path" "/status" -}}
+    {{- end -}}
+{{- end -}}
+{{- (toYaml $proxyReadiness) -}}
+{{- end -}}
 {{/*
 appsec labels
 */}}

build_system/charts/open-appsec-kong/templates/admission-webhook.yaml

@@ -46,6 +46,9 @@ webhooks:
   namespaceSelector:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+  {{- with .Values.ingressController.admissionWebhook.timeoutSeconds }}
+  timeoutSeconds: {{ . }}
+  {{- end }}
   objectSelector:
     matchExpressions:
     - key: owner
@@ -80,6 +83,28 @@ webhooks:
     - UPDATE
     resources:
     - secrets
+{{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
+  - apiGroups:
+    - networking.k8s.io
+    apiVersions:
+      - 'v1'
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - ingresses
+  - apiGroups:
+    - gateway.networking.k8s.io
+    apiVersions:
+    - 'v1alpha2'
+    - 'v1beta1'
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - gateways
+    - httproutes
+{{- end }}
   clientConfig:
     {{- if not .Values.ingressController.admissionWebhook.certificate.provided }}
     caBundle: {{ b64enc $caCert }}

build_system/charts/open-appsec-kong/templates/appsec.yaml

@@ -359,7 +359,7 @@ spec:
         {{- include "kong.volumeMounts" . | nindent 10 }}
         {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
         readinessProbe:
-{{ toYaml .Values.readinessProbe | indent 10 }}
+{{ include "kong.proxy.compatibleReadiness" . | indent 10 }}
         livenessProbe:
 {{ toYaml .Values.livenessProbe | indent 10 }}
         {{- if .Values.startupProbe }}
@@ -403,41 +403,6 @@ spec:
       {{- end }}
       {{- include "kong.volumes" . | nindent 8 -}}
       {{- include "kong.userDefinedVolumes" . | nindent 8 -}}
-      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
-        - name: {{ template "kong.serviceAccountTokenName" . }}
-          {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
-          See the related documentation of semver module that Helm depends on for semverCompare:
-          https://github.com/Masterminds/semver#working-with-prerelease-versions
-          Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
-          {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
-          projected:
-            sources:
-            - serviceAccountToken:
-                expirationSeconds: 3607
-                path: token
-            - configMap:
-                items:
-                - key: ca.crt
-                  path: ca.crt
-                name: kube-root-ca.crt
-            - downwardAPI:
-                items:
-                - fieldRef:
-                    apiVersion: v1
-                    fieldPath: metadata.namespace
-                  path: namespace
-          {{- else }}
-          secret:
-            secretName: {{ template "kong.serviceAccountTokenName" . }}
-            items:
-            - key: token
-              path: token
-            - key: ca.crt
-              path: ca.crt
-            - key: namespace
-              path: namespace
-          {{- end }}
-      {{- end }}
   {{- if (and (eq .Values.kind "AppSecStateful") .Values.appsec.persistence.enabled) }}
   volumeClaimTemplates:
   - metadata:

build_system/charts/open-appsec-kong/templates/deployment.yaml

@@ -270,7 +270,7 @@ spec:
         {{- include "kong.volumeMounts" . | nindent 10 }}
         {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }}
         readinessProbe:
-{{ toYaml .Values.readinessProbe | indent 10 }}
+{{ include "kong.proxy.compatibleReadiness" . | indent 10 }}
         livenessProbe:
 {{ toYaml .Values.livenessProbe | indent 10 }}
         {{- if .Values.startupProbe }}
@@ -302,39 +302,4 @@ spec:
       volumes:
       {{- include "kong.volumes" . | nindent 8 -}}
       {{- include "kong.userDefinedVolumes" . | nindent 8 -}}
-      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
-        - name: {{ template "kong.serviceAccountTokenName" . }}
-          {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well.
-          See the related documentation of semver module that Helm depends on for semverCompare:
-          https://github.com/Masterminds/semver#working-with-prerelease-versions
-          Related Helm issue: https://github.com/helm/helm/issues/3810 */}}
-          {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
-          projected:
-            sources:
-            - serviceAccountToken:
-                expirationSeconds: 3607
-                path: token
-            - configMap:
-                items:
-                - key: ca.crt
-                  path: ca.crt
-                name: kube-root-ca.crt
-            - downwardAPI:
-                items:
-                - fieldRef:
-                    apiVersion: v1
-                    fieldPath: metadata.namespace
-                  path: namespace
-          {{- else }}
-          secret:
-            secretName: {{ template "kong.serviceAccountTokenName" . }}
-            items:
-            - key: token
-              path: token
-            - key: ca.crt
-              path: ca.crt
-            - key: namespace
-              path: namespace
-          {{- end }}
-      {{- end }}
 {{- end }}

build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml

@@ -29,6 +29,9 @@ spec:
       {{- range $key, $value := .Values.migrations.annotations }}
         {{ $key }}: {{ $value | quote }}
       {{- end }}
+      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+        kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
+      {{- end }}
       {{- end }}
     spec:
       {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}

build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml

@@ -13,6 +13,8 @@ metadata:
   annotations:
     helm.sh/hook: "pre-upgrade"
     helm.sh/hook-delete-policy: "before-hook-creation"
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
   {{- range $key, $value := .Values.migrations.jobAnnotations }}
     {{ $key }}: {{ $value | quote }}
   {{- end }}
@@ -29,6 +31,9 @@ spec:
       {{- range $key, $value := .Values.migrations.annotations }}
         {{ $key }}: {{ $value | quote }}
       {{- end }}
+      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+        kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
+      {{- end }}
       {{- end }}
     spec:
       {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}

build_system/charts/open-appsec-kong/templates/migrations.yaml

@@ -21,6 +21,8 @@ metadata:
     {{- include "kong.metaLabels" . | nindent 4 }}
     app.kubernetes.io/component: init-migrations
   annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
   {{- range $key, $value := .Values.migrations.jobAnnotations }}
     {{ $key }}: {{ $value | quote }}
   {{- end }}
@@ -37,6 +39,9 @@ spec:
       {{- range $key, $value := .Values.migrations.annotations }}
         {{ $key }}: {{ $value | quote }}
       {{- end }}
+      {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
+        kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }}
+      {{- end }}
       {{- end }}
     spec:
       {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }}

build_system/charts/open-appsec-kong/templates/service-kong-manager.yaml

@@ -1,5 +1,4 @@
 {{- if .Values.deployment.kong.enabled }}
-{{- if .Values.enterprise.enabled }}
 {{- if and .Values.manager.enabled (or .Values.manager.http.enabled .Values.manager.tls.enabled) -}}
 {{- $serviceConfig := dict -}}
 {{- $serviceConfig := merge $serviceConfig .Values.manager -}}
@@ -16,4 +15,3 @@
 {{- end -}}
 {{- end -}}
 {{- end -}}
-{{- end -}}

build_system/charts/open-appsec-kong/values.yaml

@@ -86,7 +86,7 @@ env:
   database: "off"
   # the chart uses the traditional router (for Kong 3.x+) because the ingress
   # controller generates traditional routes. if you do not use the controller,
-  # you may set this to "traditional_compatible" or "expression" to use the new
+  # you may set this to "traditional_compatible" or "expressions" to use the new
   # DSL-based router
   router_flavor: "traditional"
   nginx_worker_processes: "2"
@@ -121,11 +121,13 @@ extraLabels: {}
 # Specify Kong's Docker image and repository details here
 image:
   repository: kong
-  tag: "3.3"
+  tag: "3.4"
   # Kong Enterprise
   # repository: kong/kong-gateway
-  # tag: "3.3"
+  # tag: "3.4"
 
+  # Specify a semver version if your image tag is not one (e.g. "nightly")
+  effectiveSemver:
   pullPolicy: IfNotPresent
   ## Optionally specify an array of imagePullSecrets.
   ## Secrets must be manually created in the namespace.
@@ -514,7 +516,7 @@ ingressController:
   enabled: true
   image:
     repository: kong/kubernetes-ingress-controller
-    tag: "2.10"
+    tag: "2.12"
     # Optionally set a semantic version for version-gated features. This can normally
     # be left unset. You only need to set this if your tag is not a semver string,
     # such as when you are using a "next" tag. Set this to the effective semantic
@@ -574,6 +576,8 @@ ingressController:
     service:
       # Specify custom labels for the validation webhook service.
       labels: {}
+    # Tune the default Kubernetes timeoutSeconds of 10 seconds
+    # timeoutSeconds: 10
 
   ingressClass: kong
   # annotations for IngressClass resource (Kubernetes 1.18+)
@@ -800,7 +804,7 @@ resources: {}
 # readinessProbe for Kong pods
 readinessProbe:
   httpGet:
-    path: "/status"
+    path: "/status/ready"
     port: status
     scheme: HTTP
   initialDelaySeconds: 5
@@ -1229,8 +1233,8 @@ appsec:
   image:
     #registry:
     repository: ghcr.io/openappsec
-    image: agent
+    image: "agent"
-    tag: latest
+    tag: "1.1.0"
     pullPolicy: Always
 
     securityContext:
@@ -1243,8 +1247,8 @@ appsec:
       # runAsUser: 1000
   kong:
     image:
-      repository: "ghcr.io/openappsec/kong-gateway-attachment"
+      repository: "ghcr.io/openappsec/kong-attachment"
-      tag: "latest"
+      tag: "1.1.0"
   configMapName: appsec-settings-configmap
   configMapContent:
     crowdsec: