Merge pull request #41 from openappsec/Jul_24_23_chart_update

Update charts
This commit is contained in:
WrightNed 2023-07-25 13:51:59 +03:00 committed by GitHub
commit 3ed569fe35
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
53 changed files with 707 additions and 251 deletions


@ -1,11 +1,12 @@
annotations: annotations:
artifacthub.io/changes: | artifacthub.io/changes: |
- "[helm] Support custom port configuration for internal service (#9846)" - "Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)"
- "Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)" - "feat(helm): Add loadBalancerClass (#9562)"
- "Update Ingress-Nginx version controller-v1.7.1" - "added helmshowvalues example (#10019)"
- "Update Ingress-Nginx version controller-v1.8.1"
artifacthub.io/prerelease: "false" artifacthub.io/prerelease: "false"
apiVersion: v2 apiVersion: v2
appVersion: 1.7.1 appVersion: 1.8.1
keywords: keywords:
- ingress - ingress
- nginx - nginx
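Review bot: the `artifacthub.io/changes` entries in this hunk are upstream ingress-nginx's own 4.7.1 changelog (#9406, #9562, #10019, controller-v1.8.1), while the chart is published under its own name (`open-appsec-k8s-nginx-ingress`), so none of the fork-specific changes in this 53-file commit are surfaced to Artifact Hub users. Add at least one entry describing the open-appsec side of the update, or state that the list mirrors upstream and point at where the fork's changes are tracked.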
@ -13,4 +14,4 @@ kubeVersion: '>=1.20.0-0'
name: open-appsec-k8s-nginx-ingress name: open-appsec-k8s-nginx-ingress
sources: sources:
- https://github.com/kubernetes/ingress-nginx - https://github.com/kubernetes/ingress-nginx
version: 4.6.1 version: 4.7.1


@ -2,7 +2,7 @@
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
![Version: 4.6.1](https://img.shields.io/badge/Version-4.6.1-informational?style=flat-square) ![AppVersion: 1.7.1](https://img.shields.io/badge/AppVersion-1.7.1-informational?style=flat-square) ![Version: 4.7.1](https://img.shields.io/badge/Version-4.7.1-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square)
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
@ -79,14 +79,14 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https:
### Prometheus Metrics ### Prometheus Metrics
The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`) Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)
### ingress-nginx nginx\_status page/stats server ### ingress-nginx nginx\_status page/stats server
Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller: Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller:
- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed - In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost. - In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
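Review bot: the `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus` hint assumes a kube-prometheus-stack release named `prometheus` in a namespace also called `prometheus`; since the rename pass touched this paragraph anyway, say so explicitly ("replace `prometheus` with your release name and namespace") so readers do not copy a ServiceMonitor name that does not exist in their cluster and conclude the `release` label is wrong.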
@ -143,8 +143,10 @@ controller:
internal: internal:
enabled: true enabled: true
annotations: annotations:
# Create internal ELB # Create internal NLB
service.beta.kubernetes.io/aws-load-balancer-internal: "true" service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
# Create internal ELB(Deprecated)
# service.beta.kubernetes.io/aws-load-balancer-internal: "true"
# Any other annotation can be declared here. # Any other annotation can be declared here.
``` ```
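Review bot: the new comment says "Create internal NLB", but the only active annotation is `service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"`, which selects the scheme, not the load balancer type; nothing in the snippet requests an NLB, and the key it replaces (`aws-load-balancer-internal: "true"`, now commented out as deprecated) is the one the older in-tree AWS provider documents. That matters because a scheme annotation the reconciling controller does not recognise yields an internet-facing load balancer for a Service the operator believes is internal. Either add the type annotation the comment implies (`service.beta.kubernetes.io/aws-load-balancer-type: "external"` with the AWS Load Balancer Controller, or `"nlb"` in-tree) and state which controller is assumed, or keep the deprecated key active next to the new one, and tell readers to confirm the scheme on the created load balancer after the first install.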
@ -187,13 +189,15 @@ controller:
# Any other annotation can be declared here. # Any other annotation can be declared here.
``` ```
The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`. Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.
### Ingress Admission Webhooks ### Ingress Admission Webhooks
With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
**This feature is enabled by default since 0.31.0.** **This feature is enabled by default since 0.31.0.**
With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
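Review bot: the added sentence reads "can be found: [Internal load balancer](...)", which is a grammar slip; make it "can be found under [Internal load balancer](...)" or "are listed in the Kubernetes docs under ...". While this paragraph is being touched, the pre-existing "An use case" should be "A use case", and "With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix this issue" is not a sentence; "Controller 0.25.x only works with Kubernetes 1.14+; 0.26 fixed this (link)" would do.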
@ -202,7 +206,7 @@ With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fi
A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks. A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits. 1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate. 2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate.
3. Validating and Mutating webhook configurations are created in the cluster. 3. Validating and Mutating webhook configurations are created in the cluster.
4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations 4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations
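Review bot: steps 3 and 4 say Validating *and* Mutating webhook configurations are created and patched, while the section intro in the previous hunk only mentions a `validatingwebhookconfiguration`; either the chart ships a MutatingWebhookConfiguration, in which case the intro should say so because mutating admission has a different blast radius than validating, or it does not, in which case steps 3 and 4 overstate what the post-install hook patches. Also "A validating and configuration requires" is missing a word; "A validating webhook configuration requires".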
@ -248,11 +252,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.networkPolicyEnabled | bool | `false` | | | controller.admissionWebhooks.networkPolicyEnabled | bool | `false` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f"` | | | controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` | |
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v20230312-helm-chart-4.5.2-28-g66a760794"` | | | controller.admissionWebhooks.patch.image.tag | string | `"v20230407"` | |
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
| controller.admissionWebhooks.patch.podAnnotations | object | `{}` | | | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
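Review bot: the kube-webhook-certgen pin moves to tag `v20230407` with digest `sha256:543c40fd...`; since the digest pin is what makes `pullPolicy: IfNotPresent` safe against a retagged image, the PR description or a values.yaml comment should say how the digest was obtained (copied from upstream chart 4.7.1, or resolved with `crane digest registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407`) so a reviewer can reproduce the check instead of trusting the hex string. The same applies to the controller and opentelemetry digests changed later in this diff.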
@ -273,7 +277,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | | controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected |
| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
| controller.autoscaling.annotations | object | `{}` | | | controller.autoscaling.annotations | object | `{}` | |
| controller.autoscaling.apiVersion | string | `"autoscaling/v2"` | |
| controller.autoscaling.behavior | object | `{}` | | | controller.autoscaling.behavior | object | `{}` | |
| controller.autoscaling.enabled | bool | `false` | | | controller.autoscaling.enabled | bool | `false` | |
| controller.autoscaling.maxReplicas | int | `11` | | | controller.autoscaling.maxReplicas | int | `11` | |
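Review bot: dropping the `controller.autoscaling.apiVersion` row means any values file that still sets it is now silently ignored (Helm does not fail on unknown keys), and the hunk does not show which HPA apiVersion the template uses instead; call this out as a breaking change in the README or chart changelog and state the resulting minimum Kubernetes version, since Chart.yaml in this same diff still advertises `kubeVersion: '>=1.20.0-0'` while `autoscaling/v2`, the old default shown here, only exists from 1.23. In the same context lines, `controller.allowSnippetAnnotations` still defaults to `true`, which lets anyone who can create an Ingress inject raw nginx configuration into the controller; a fork aimed at security users should consider defaulting it to `false` or at least flag the setting prominently in the README.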
@ -294,14 +297,14 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false | | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false |
| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.extraArgs | object | `{}` | Additional command line arguments to pass to nginx-ingress-controller E.g. to specify the default SSL certificate you can use | | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use |
| controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. |
| controller.extraEnvs | list | `[]` | Additional environment variables to set | | controller.extraEnvs | list | `[]` | Additional environment variables to set |
| controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. | | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. |
| controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module | | controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module |
| controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. | | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. |
| controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. |
| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the ingress nginx controller is running in the `hostNetwork: true` mode. | | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. |
| controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. | | controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. |
| controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged | | controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged |
| controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not | | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not |
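Review bot: `controller.existingPsp` still documents "Use an existing PSP instead of creating one", but PodSecurityPolicy was removed from Kubernetes in 1.25, so on current clusters this value does nothing; mark it as only effective below 1.25 (or drop it) and point readers at Pod Security Admission. Also the `controller.extraArgs` description ends mid-sentence ("E.g. to specify the default SSL certificate you can use"); finish it with the flag it is hinting at (`default-ssl-certificate: "namespace/secret"`) or cut the dangling example.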
@ -310,13 +313,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
| controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.allowPrivilegeEscalation | bool | `true` | |
| controller.image.chroot | bool | `false` | | | controller.image.chroot | bool | `false` | |
| controller.image.digest | string | `"sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407"` | | | controller.image.digest | string | `"sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd"` | |
| controller.image.digestChroot | string | `"sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988"` | | | controller.image.digestChroot | string | `"sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627"` | |
| controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.image | string | `"ingress-nginx/controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.registry | string | `"registry.k8s.io"` | |
| controller.image.runAsUser | int | `101` | | | controller.image.runAsUser | int | `101` | |
| controller.image.tag | string | `"v1.7.1"` | | | controller.image.tag | string | `"v1.8.1"` | |
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
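Review bot: both `controller.image.digest` and `controller.image.digestChroot` are updated for tag `v1.8.1`, but `controller.image.chroot` stays `false`, so the hardened chroot variant whose digest this hunk pins is never selected by default; for a security-oriented fork it is worth saying in the README (or flipping the default) that `chroot: true` runs nginx inside a chroot, and that `controller.image.allowPrivilegeEscalation: true` stays as it is because the upstream image relies on file capabilities (`cap_net_bind_service`) that `allowPrivilegeEscalation: false` would neutralise. As with the certgen image, record where the two v1.8.1 digests came from.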
@ -353,7 +356,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.metrics.prometheusRule.enabled | bool | `false` | | | controller.metrics.prometheusRule.enabled | bool | `false` | |
| controller.metrics.prometheusRule.rules | list | `[]` | | | controller.metrics.prometheusRule.rules | list | `[]` | |
| controller.metrics.service.annotations | object | `{}` | | | controller.metrics.service.annotations | object | `{}` | |
| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | | controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource | | controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource |
| controller.metrics.service.loadBalancerSourceRanges | list | `[]` | | | controller.metrics.service.loadBalancerSourceRanges | list | `[]` | |
| controller.metrics.service.servicePort | int | `10254` | | | controller.metrics.service.servicePort | int | `10254` | |
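Review bot: the URL fix is fine, but `controller.metrics.service.externalIPs` deserves a one-line warning rather than only a reference link: `externalIPs` is the Service field behind CVE-2020-8554 (anyone allowed to set it can attract in-cluster traffic for that IP), many clusters deny it by admission policy, and traffic arriving via an externalIP is not filtered by `loadBalancerSourceRanges` in the next row. Say that the metrics endpoint on 10254 should normally stay ClusterIP-only and be scraped from inside the cluster.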
@ -366,13 +369,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.metrics.serviceMonitor.relabelings | list | `[]` | | | controller.metrics.serviceMonitor.relabelings | list | `[]` | |
| controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | | | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | |
| controller.metrics.serviceMonitor.targetLabels | list | `[]` | | | controller.metrics.serviceMonitor.targetLabels | list | `[]` | |
| controller.minAvailable | int | `1` | Define either 'minAvailable' or 'maxUnavailable', never both. | | controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| controller.name | string | `"controller"` | | | controller.name | string | `"controller"` | |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.opentelemetry.enabled | bool | `false` | | | controller.opentelemetry.enabled | bool | `false` | |
| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f"` | | | controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0"` | |
| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
| controller.podLabels | object | `{}` | Labels to add to the pod container metadata | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
| controller.podSecurityContext | object | `{}` | Security Context policies for controller pods | | controller.podSecurityContext | object | `{}` | Security Context policies for controller pods |
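Review bot: the expanded `controller.minAvailable` description ("Minimum available pods set in PodDisruptionBudget") is better, but it should also say what happens with the default `replicaCount: 1`: a PDB with `minAvailable: 1` over a single replica blocks every eviction, which is exactly the "impossible to evacuate a node" problem referenced at the top of the README; state whether the template skips the PDB for a single replica or whether operators must raise replicas first. The opentelemetry image string pins tag `v20230527` and a digest together, which is fine, but the description should note that the digest wins if the two ever disagree.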
@ -390,7 +393,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.readinessProbe.successThreshold | int | `1` | | | controller.readinessProbe.successThreshold | int | `1` | |
| controller.readinessProbe.timeoutSeconds | int | `1` | | | controller.readinessProbe.timeoutSeconds | int | `1` | |
| controller.replicaCount | int | `1` | | | controller.replicaCount | int | `1` | |
| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply | | controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
| controller.resources.requests.cpu | string | `"100m"` | | | controller.resources.requests.cpu | string | `"100m"` | |
| controller.resources.requests.memory | string | `"90Mi"` | | | controller.resources.requests.memory | string | `"90Mi"` | |
| controller.scope.enabled | bool | `false` | Enable 'scope' or not | | controller.scope.enabled | bool | `false` | Enable 'scope' or not |
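Review bot: the `controller.reportNodeInternalIp` description still reads like a pasted bug report ("Ingress status was blank because there is no Service exposing ...") rather than a description of the value; since the line was edited anyway, rewrite it as what the flag does, e.g. "When running with hostNetwork and no publish Service, report the node's internal IP in the Ingress status (see the bare-metal docs link)". Also only `resources.requests` are set in this block; with no limits a misbehaving controller can exhaust a node, which is worth a sentence for a component that is the cluster's exposed edge.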
@ -402,15 +405,17 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.service.enableHttps | bool | `true` | | | controller.service.enableHttps | bool | `true` | |
| controller.service.enabled | bool | `true` | | | controller.service.enabled | bool | `true` | |
| controller.service.external.enabled | bool | `true` | | | controller.service.external.enabled | bool | `true` | |
| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | | controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. | | controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. |
| controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). | | controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). |
| controller.service.internal.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. |
| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. | | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. |
| controller.service.internal.ports | object | `{}` | Custom port mapping for internal service | | controller.service.internal.ports | object | `{}` | Custom port mapping for internal service |
| controller.service.internal.targetPorts | object | `{}` | Custom target port mapping for internal service | | controller.service.internal.targetPorts | object | `{}` | Custom target port mapping for internal service |
| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | | controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | | controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ |
| controller.service.labels | object | `{}` | | | controller.service.labels | object | `{}` | |
| controller.service.loadBalancerClass | string | `""` | Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
| controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | | controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
| controller.service.loadBalancerSourceRanges | list | `[]` | | | controller.service.loadBalancerSourceRanges | list | `[]` | |
| controller.service.nodePorts.http | string | `""` | | | controller.service.nodePorts.http | string | `""` | |
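Review bot: two of the new rows need caveats. `controller.service.internal.loadBalancerSourceRanges` says "Defaults to 0.0.0.0/0", which for a load balancer labeled internal means every source the cloud network can reach; the new `internal.loadBalancerIP` row should point readers at setting source ranges alongside the static IP rather than leaving the all-zeros default. `controller.service.loadBalancerClass` is a Service field that only exists on newer API servers (beta in 1.22, GA in 1.24), so either the description should state that minimum or Chart.yaml's `kubeVersion: '>=1.20.0-0'` should be raised; on an older server the field is dropped and the cloud default class is silently used.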
@ -435,7 +440,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false | | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false |
| defaultBackend.affinity | object | `{}` | | | defaultBackend.affinity | object | `{}` | |
| defaultBackend.autoscaling.annotations | object | `{}` | | | defaultBackend.autoscaling.annotations | object | `{}` | |
| defaultBackend.autoscaling.apiVersion | string | `"autoscaling/v2"` | |
| defaultBackend.autoscaling.enabled | bool | `false` | | | defaultBackend.autoscaling.enabled | bool | `false` | |
| defaultBackend.autoscaling.maxReplicas | int | `2` | | | defaultBackend.autoscaling.maxReplicas | int | `2` | |
| defaultBackend.autoscaling.minReplicas | int | `1` | | | defaultBackend.autoscaling.minReplicas | int | `1` | |
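Review bot: same breaking-change point as for `controller.autoscaling.apiVersion`: removing `defaultBackend.autoscaling.apiVersion` silently ignores values files that still set it, and the README gives no hint which HPA API the template uses now; add a line to the upgrade notes.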
@ -465,7 +469,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.minAvailable | int | `1` | | | defaultBackend.minAvailable | int | `1` | |
| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| defaultBackend.name | string | `"defaultbackend"` | | | defaultBackend.name | string | `"defaultbackend"` | |
| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | | defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
| defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
| defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | | defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
@ -479,7 +483,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.replicaCount | int | `1` | | | defaultBackend.replicaCount | int | `1` | |
| defaultBackend.resources | object | `{}` | | | defaultBackend.resources | object | `{}` | |
| defaultBackend.service.annotations | object | `{}` | | | defaultBackend.service.annotations | object | `{}` | |
| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | | defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # |
| defaultBackend.service.loadBalancerSourceRanges | list | `[]` | | | defaultBackend.service.loadBalancerSourceRanges | list | `[]` | |
| defaultBackend.service.servicePort | int | `80` | | | defaultBackend.service.servicePort | int | `80` | |
| defaultBackend.service.type | string | `"ClusterIP"` | | | defaultBackend.service.type | string | `"ClusterIP"` | |


@ -76,14 +76,14 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https:
### Prometheus Metrics ### Prometheus Metrics
The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`.
Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`) Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`)
### ingress-nginx nginx\_status page/stats server ### ingress-nginx nginx\_status page/stats server
Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller: Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller:
- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed - In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost. - In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
@ -140,8 +140,10 @@ controller:
internal: internal:
enabled: true enabled: true
annotations: annotations:
# Create internal ELB # Create internal NLB
service.beta.kubernetes.io/aws-load-balancer-internal: "true" service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
# Create internal ELB(Deprecated)
# service.beta.kubernetes.io/aws-load-balancer-internal: "true"
# Any other annotation can be declared here. # Any other annotation can be declared here.
``` ```
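Review bot: the comment `# Create internal NLB` promises more than this annotation alone delivers. `service.beta.kubernetes.io/aws-load-balancer-scheme` is read by the AWS Load Balancer Controller, which only reconciles a Service that also selects it via `service.beta.kubernetes.io/aws-load-balancer-type` or `spec.loadBalancerClass`; without that, the in-tree cloud provider still creates the load balancer, ignores the `scheme` annotation and defaults to internet-facing, so a Service meant to stay internal becomes publicly reachable. Either add the type annotation to the example or keep `aws-load-balancer-internal: "true"` as the documented option for in-tree clusters instead of labelling it only as deprecated.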
@ -184,13 +186,15 @@ controller:
# Any other annotation can be declared here. # Any other annotation can be declared here.
``` ```
The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer).
An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`. Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`.
### Ingress Admission Webhooks ### Ingress Admission Webhooks
With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
**This feature is enabled by default since 0.31.0.** **This feature is enabled by default since 0.31.0.**
With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
@ -199,7 +203,7 @@ With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fi
A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks. A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks.
1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits. 1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits.
2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate. 2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate.
3. Validating and Mutating webhook configurations are created in the cluster. 3. Validating and Mutating webhook configurations are created in the cluster.
4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations 4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations


@ -0,0 +1,14 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.7.0
* helm: Fix opentelemetry module installation for daemonset (#9792)
* Update charts/* to keep project name display aligned (#9931)
* HPA: Use capabilites & align manifests. (#9521)
* PodDisruptionBudget spec logic update (#9904)
* add option for annotations in PodDisruptionBudget (#9843)
* Update Ingress-Nginx version controller-v1.8.0
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.1...helm-chart-4.7.0


@ -0,0 +1,12 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.7.1
* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)
* feat(helm): Add loadBalancerClass (#9562)
* added helmshowvalues example (#10019)
* Update Ingress-Nginx version controller-v1.8.1
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.0...helm-chart-4.7.1
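Review bot: both changelog files list only upstream ingress-nginx changes; the fork-specific changes in this PR (the `kind: Vanilla`/`AppSec`/`AppSecStateful` switch, the crowdsec ConfigMap and Secret, the `registered_server` environment variable and the image-tag handling in the AppSec template) are recorded nowhere, so an operator upgrading cannot tell from the chart what changed. Add a short fork section to these files, or a separate changelog, describing them.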


@ -201,8 +201,12 @@ Extra modules.
- name: {{ .name }} - name: {{ .name }}
image: {{ .image }} image: {{ .image }}
{{- if .distroless | default false }}
command: ['/init_module']
{{- else }}
command: ['sh', '-c', '/usr/local/bin/init_module.sh'] command: ['sh', '-c', '/usr/local/bin/init_module.sh']
{{- if (.containerSecurityContext) }} {{- end }}
{{- if .containerSecurityContext }}
securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }} securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }}
{{- end }} {{- end }}
volumeMounts: volumeMounts:
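Review bot: the `distroless` branch is unreachable as called: `.distroless | default false` is false both when the key is omitted and when the callers in the deployment and stateful templates pass `"distroless" false`, so `command: ['/init_module']` is never rendered. Either drive the flag from a value describing the module image, or drop the branch so the helper does not suggest distroless init images are supported.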


@ -1,3 +1,4 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}} {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}}
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
apiVersion: v1 apiVersion: v1
@ -18,3 +19,4 @@ spec:
storageClassName: {{ required "A storage class for learning data is required" .Values.appsec.persistence.learning.storageClass.name }} storageClassName: {{ required "A storage class for learning data is required" .Values.appsec.persistence.learning.storageClass.name }}
{{- end -}} {{- end -}}
{{- end }} {{- end }}
{{- end }}


@ -1,4 +1,4 @@
{{- if (eq .Values.controller.kind "Deployment") -}} {{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }}
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
apiVersion: v1 apiVersion: v1
metadata: metadata:


@ -0,0 +1,32 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{- if .Values.appsec.configMapContent }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" | quote }}
data:
{{- if .Values.appsec.configMapContent.crowdsec }}
CROWDSEC_ENABLED: {{ .Values.appsec.configMapContent.crowdsec.enabled | default "false" | quote }}
{{- if .Values.appsec.configMapContent.crowdsec.api }}
CROWDSEC_API_URL: {{ .Values.appsec.configMapContent.crowdsec.api.url | default "http://crowdsec-service:8080/v1/decisions/stream" }}
{{- else }}
CROWDSEC_API_URL: "http://crowdsec-service:8080/v1/decisions/stream"
{{- end }}
{{- if .Values.appsec.configMapContent.crowdsec.auth }}
CROWDSEC_AUTH_METHOD: {{ .Values.appsec.configMapContent.crowdsec.auth.method | default "apikey" }}
{{- else }}
CROWDSEC_AUTH_METHOD: "apikey"
{{- end }}
{{- if .Values.appsec.configMapContent.crowdsec.mode }}
CROWDSEC_MODE: {{ .Values.appsec.configMapContent.crowdsec.mode | default "prevent" }}
{{- else }}
CROWDSEC_MODE: "prevent"
{{- end }}
{{- if .Values.appsec.configMapContent.crowdsec.logging }}
CROWDSEC_LOGGING: {{ .Values.appsec.configMapContent.crowdsec.logging | default "enabled" }}
{{- else }}
CROWDSEC_LOGGING: "enabled"
{{- end }}
{{- end }}
{{- end }}
{{- end }}
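Review bot: the ConfigMap name defaults to the fixed string `appsec-settings-configmap` (and the Secret below to `appsec-settings-secret`) with no release or fullname prefix, so two releases in one namespace overwrite each other's settings; derive the default from the chart's fullname helper. Only `CROWDSEC_ENABLED` goes through `quote`; `CROWDSEC_API_URL`, `CROWDSEC_AUTH_METHOD`, `CROWDSEC_MODE` and `CROWDSEC_LOGGING` are rendered bare, so a user-supplied boolean or number produces a non-string value that the API server rejects (ConfigMap `data` values must be strings). Apply `quote` to all of them.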


@ -0,0 +1,12 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{ if .Values.appsec.secretContent }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.appsec.secretName | default "appsec-settings-secret" | quote }}
data:
{{- if and .Values.appsec.secretContent.crowdsec .Values.appsec.secretContent.crowdsec.auth }}
CROWDSEC_AUTH_DATA: {{ .Values.appsec.secretContent.crowdsec.auth.data | b64enc }}
{{- end }}
{{ end }}
{{ end }}
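Review bot: taking the crowdsec credential from `appsec.secretContent.crowdsec.auth.data` stores it in the Helm release record and exposes it through `helm get values`, in addition to the rendered Secret; offer an existing-Secret option (a name the pod's `envFrom` can reference) so the key never has to pass through chart values. The `{{ if }}` / `{{ end }}` pairs here lack the whitespace-trimming dashes used in the rest of the chart and emit blank lines; harmless, but inconsistent.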


@ -1,6 +1,15 @@
{{- if or (eq .Values.controller.kind "StatefulSet") (eq .Values.controller.kind "Both") -}} {{- if (not (eq .Values.kind "Vanilla")) }}
{{- include "isControllerTagValid" . -}}
apiVersion: apps/v1 apiVersion: apps/v1
{{- if (eq .Values.kind "AppSec") }}
{{- if (eq .Values.controller.kind "DaemonSet") }}
kind: DaemonSet
{{- else }}
kind: Deployment
{{- end }}
{{- else if eq .Values.kind "AppSecStateful" }}
kind: StatefulSet kind: StatefulSet
{{- end }}
metadata: metadata:
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
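Review bot: when `.Values.kind` is any string other than `Vanilla`, `AppSec` or `AppSecStateful`, this template renders a manifest with no `kind:` line and the install fails with an opaque API error; add an `else` branch that calls `fail` listing the accepted values. Since the template that previously rendered only the StatefulSet now emits a Deployment or DaemonSet as well, a comment at the top should say so for the next reader.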
@ -19,15 +28,25 @@ spec:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }} {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
{{- if not .Values.controller.autoscaling.enabled }} {{- if not .Values.controller.autoscaling.enabled }}
{{- if eq .Values.kind "AppSecStateful" }}
serviceName: "open-appsec-stateful-set" serviceName: "open-appsec-stateful-set"
{{- end }}
{{- if or (not (eq .Values.controller.kind "DaemonSet")) (and (eq .Values.kind "AppSecStateful") (eq .Values.controller.kind "DaemonSet")) }}
replicas: {{ .Values.controller.replicaCount }} replicas: {{ .Values.controller.replicaCount }}
{{- end }} {{- end }}
{{- end }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- if .Values.controller.updateStrategy }} {{- if .Values.controller.updateStrategy }}
{{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }}
updateStrategy:
{{- else }}
strategy: strategy:
{{- end }}
{{ toYaml .Values.controller.updateStrategy | nindent 4 }} {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
{{- end }} {{- end }}
#minReadySeconds: {{ .Values.controller.minReadySeconds }} {{- if (eq .Values.kind "AppSec") }}
minReadySeconds: {{ .Values.controller.minReadySeconds }}
{{- end }}
template: template:
metadata: metadata:
{{- if .Values.controller.podAnnotations }} {{- if .Values.controller.podAnnotations }}
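Review bot: the replicas condition `or (not (eq .Values.controller.kind "DaemonSet")) (and (eq .Values.kind "AppSecStateful") (eq .Values.controller.kind "DaemonSet"))` reduces to `or (ne .Values.controller.kind "DaemonSet") (eq .Values.kind "AppSecStateful")`, because for `AppSecStateful` the rendered kind is always StatefulSet; the shorter form is easier to audit. The `updateStrategy`/`strategy` selection uses the same `and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")` test as the opentelemetry include further down; factoring it into a helper would keep the two from drifting apart.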
@ -79,6 +98,10 @@ spec:
- name: {{ .Values.appsec.name }} - name: {{ .Values.appsec.name }}
securityContext: securityContext:
{{ toYaml .Values.appsec.securityContext | nindent 12 }} {{ toYaml .Values.appsec.securityContext | nindent 12 }}
{{- $tag := .Values.appsec.image.tag }}
{{- if .Values.appsec.configMapContent.crowdsec.enabled }}
{{- $tag = "crowdsec-1.2314-rc1" }}
{{- end }}
{{- with .Values.appsec.image }} {{- with .Values.appsec.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
{{- end }} {{- end }}
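Review bot: `$tag` is assigned (`crowdsec-1.2314-rc1` when crowdsec is enabled) but never read; the `image:` line inside `with .Values.appsec.image` still uses `.tag`, so enabling crowdsec does not change the image at all. If the override is intended, use `$tag` in the image string. `.Values.appsec.configMapContent.crowdsec.enabled` is also dereferenced without the nil guards the ConfigMap template uses, so a values file without `configMapContent` (or without `crowdsec` under it) makes rendering fail with a nil pointer error. Pinning a release-candidate tag inside the template rather than in values, and without a digest, also means the operator can neither review nor override which image runs.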
@ -106,6 +129,8 @@ spec:
env: env:
- name: user_email - name: user_email
value: {{ .Values.appsec.userEmail }} value: {{ .Values.appsec.userEmail }}
- name: registered_server
value: "NGINX Server"
{{- if eq .Values.appsec.playground false }} {{- if eq .Values.appsec.playground false }}
- name: SHARED_STORAGE_HOST - name: SHARED_STORAGE_HOST
value: {{ .Values.appsec.storage.name }}-svc value: {{ .Values.appsec.storage.name }}-svc
@ -115,20 +140,29 @@ spec:
- name: PLAYGROUND - name: PLAYGROUND
value: "true" value: "true"
{{- end }} {{- end }}
envFrom:
- configMapRef:
name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" }}
- secretRef:
name: {{ .Values.appsec.secretName | default "appsec-settings-secret" }}
resources: resources:
{{ toYaml .Values.resources | nindent 12 }} {{ toYaml .Values.resources | nindent 12 }}
volumeMounts: volumeMounts:
- name: advanced-model - name: advanced-model
mountPath: /advanced-model mountPath: /advanced-model
{{- if .Values.appsec.persistence.enabled }} {{- if (eq .Values.appsec.persistence.enabled true) }}
- name: appsec-conf - name: appsec-conf
mountPath: /etc/cp/conf mountPath: /etc/cp/conf
- name: appsec-data - name: appsec-data
mountPath: /etc/cp/data mountPath: /etc/cp/data
{{- end }} {{- end }}
- name: {{ .Values.controller.containerName }} - name: {{ .Values.controller.containerName }}
{{- with .Values.controller.image }} {{- $tag := .Values.appsec.nginx.image.tag }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" {{- if .Values.appsec.configMapContent.crowdsec.enabled }}
{{- $tag = "1.2303.1-rc1-v1.3.0" }}
{{- end }}
{{- with .Values.appsec.nginx.image }}
image: "{{ .repository }}:{{ .tag }}"
{{- end }} {{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }} {{- if .Values.controller.lifecycle }}
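Review bot: `envFrom` references `appsec-settings-configmap` and `appsec-settings-secret` unconditionally, while those objects are rendered only when `appsec.configMapContent` / `appsec.secretContent` are set; a referenced ConfigMap or Secret that does not exist keeps the container in CreateContainerConfigError, so mark both refs `optional: true` or render `envFrom` under the same conditions. In the nginx container the same dead `$tag` pattern appears (`image:` reads `.tag`, not `$tag`), the new `image: "{{ .repository }}:{{ .tag }}"` drops the `registry` and `digest` handling the previous format had, and `imagePullPolicy` still reads `.Values.controller.image.pullPolicy` although the image now comes from `.Values.appsec.nginx.image`.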
@ -240,7 +274,11 @@ spec:
{{- end }} {{- end }}
{{- if .Values.controller.opentelemetry.enabled}} {{- if .Values.controller.opentelemetry.enabled}}
{{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}} {{- if (and (not (eq .Values.kind "AppSecStateful")) (eq .Values.controller.kind "DaemonSet")) }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext ) | nindent 8}}
{{ else }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" false) | nindent 8}}
{{- end }}
{{- end}} {{- end}}
{{- end }} {{- end }}
{{- if .Values.controller.hostNetwork }} {{- if .Values.controller.hostNetwork }}
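Review bot: the two `extraModules` includes differ only in passing `"distroless" false`, which is also the helper's default, so both branches render the same init container; collapse them into one include, or pass `true` on the branch where a distroless module image is actually intended.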
@ -266,6 +304,14 @@ spec:
configMap: configMap:
name: advanced-model-config name: advanced-model-config
optional: true optional: true
{{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }}
- name: appsec-conf
persistentVolumeClaim:
claimName: {{ .Values.appsec.name }}-conf
- name: appsec-data
persistentVolumeClaim:
claimName: {{ .Values.appsec.name }}-data
{{- end }}
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
- name: modules - name: modules
emptyDir: {} emptyDir: {}
@ -294,7 +340,7 @@ spec:
{{ toYaml .Values.controller.extraVolumes | nindent 8 }} {{ toYaml .Values.controller.extraVolumes | nindent 8 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.appsec.persistence.enabled }} {{- if (and (eq .Values.kind "AppSecStateful") .Values.appsec.persistence.enabled) }}
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
name: appsec-conf name: appsec-conf


@ -1,4 +1,4 @@
{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}} {{- if and (eq .Values.kind "Vanilla") (or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both")) -}}
{{- include "isControllerTagValid" . -}} {{- include "isControllerTagValid" . -}}
apiVersion: apps/v1 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
@ -53,12 +53,12 @@ spec:
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.priorityClassName }} {{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }} priorityClassName: {{ .Values.controller.priorityClassName | quote }}
{{- end }} {{- end }}
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
securityContext: securityContext:
{{- end }} {{- end }}
{{- if .Values.controller.podSecurityContext }} {{- if .Values.controller.podSecurityContext }}
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }} {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- end }} {{- end }}
{{- if .Values.controller.sysctls }} {{- if .Values.controller.sysctls }}
@ -143,11 +143,15 @@ spec:
hostPort: {{ $key }} hostPort: {{ $key }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
volumeMounts: volumeMounts:
{{- if .Values.controller.extraModules }} {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
- name: modules - name: modules
{{ if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount
{{ else }}
mountPath: /modules_mount mountPath: /modules_mount
{{ end }}
{{- end }} {{- end }}
{{- if .Values.controller.customTemplate.configMapName }} {{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template - mountPath: /etc/nginx/template
@ -169,9 +173,7 @@ spec:
{{- if .Values.controller.extraContainers }} {{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 8 }} {{ toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }} {{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
initContainers: initContainers:
{{- if .Values.controller.extraInitContainers }} {{- if .Values.controller.extraInitContainers }}
{{ toYaml .Values.controller.extraInitContainers | nindent 8 }} {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}


@ -1,4 +1,4 @@
{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}} {{- if and (eq .Values.kind "Vanilla") (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
{{- include "isControllerTagValid" . -}} {{- include "isControllerTagValid" . -}}
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
@ -76,59 +76,9 @@ spec:
shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
{{- end }} {{- end }}
containers: containers:
- name: {{ .Values.appsec.name }}
securityContext:
{{ toYaml .Values.appsec.securityContext | nindent 12 }}
{{- with .Values.appsec.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
{{- end }}
command:
- {{ .Values.appsec.command }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
args:
{{- if (eq "standalone" .Values.appsec.mode) }}
- --hybrid-mode
- --token
- cp-3fb5c718-5e39-47e6-8d5e-99b4bc5660b74b4b7fc8-5312-451d-a763-aaf7872703c0
{{- else }}
- --token
- {{ .Values.appsec.agentToken }}
{{- end -}}
{{- if .Values.appsec.customFog.enabled }}
- --fog
- {{ .Values.appsec.customFog.fogAddress }}
{{- end }}
{{- if .Values.appsec.proxy }}
- --proxy
- {{ .Values.appsec.proxy }}
{{- end }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
env:
- name: user_email
value: {{ .Values.appsec.userEmail }}
{{- if eq .Values.appsec.playground false }}
- name: SHARED_STORAGE_HOST
value: {{ .Values.appsec.storage.name }}-svc
- name: LEARNING_HOST
value: {{ .Values.appsec.learning.name }}-svc
{{- else }}
- name: PLAYGROUND
value: "true"
{{- end }}
resources:
{{ toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: advanced-model
mountPath: /advanced-model
{{- if .Values.appsec.persistence.enabled }}
- name: appsec-conf
mountPath: /etc/cp/conf
- name: appsec-data
mountPath: /etc/cp/data
{{- end }}
- name: {{ .Values.controller.containerName }} - name: {{ .Values.controller.containerName }}
{{- with .Values.controller.image }} {{- with .Values.controller.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}"
{{- end }} {{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }} {{- if .Values.controller.lifecycle }}
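Review bot: removing the duplicated AppSec container from the Vanilla Deployment also removes the literal agent token passed as `--token` in the `standalone` branch; confirm the same literal is not still present in the AppSec template, whose args block is outside this diff, since a credential-looking constant shipped in a public chart is shared by every install and should come from a Secret or be generated per release. The new `image:` line calls `ingress-nginx.image` and `ingress-nginx.imageDigest`, neither of which appears in the helper hunk in this diff; make sure both are defined in the chart's helpers.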
@ -240,7 +190,7 @@ spec:
{{- end }} {{- end }}
{{- if .Values.controller.opentelemetry.enabled}} {{- if .Values.controller.opentelemetry.enabled}}
{{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}} {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" false) | nindent 8}}
{{- end}} {{- end}}
{{- end }} {{- end }}
{{- if .Values.controller.hostNetwork }} {{- if .Values.controller.hostNetwork }}
@ -260,14 +210,8 @@ spec:
{{- end }} {{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
volumes:
- name: appsec-conf
persistentVolumeClaim:
claimName: {{ .Values.appsec.name }}-conf
- name: appsec-data
persistentVolumeClaim:
claimName: {{ .Values.appsec.name }}-data
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
volumes:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}}
- name: modules - name: modules
emptyDir: {} emptyDir: {}


@ -1,12 +1,9 @@
{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} {{- if and (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}}
{{- if not .Values.controller.keda.enabled }} apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }}
apiVersion: {{ .Values.controller.autoscaling.apiVersion }}
kind: HorizontalPodAutoscaler kind: HorizontalPodAutoscaler
metadata: metadata:
annotations:
{{- with .Values.controller.autoscaling.annotations }} {{- with .Values.controller.autoscaling.annotations }}
{{- toYaml . | trimSuffix "\n" | nindent 4 }} annotations: {{ toYaml . | nindent 4 }}
{{- end }} {{- end }}
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
@ -48,5 +45,3 @@ spec:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}


@ -25,6 +25,11 @@ spec:
cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }}
minReplicaCount: {{ .Values.controller.keda.minReplicas }} minReplicaCount: {{ .Values.controller.keda.minReplicas }}
maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} maxReplicaCount: {{ .Values.controller.keda.maxReplicas }}
{{- with .Values.controller.keda.fallback }}
fallback:
failureThreshold: {{ .failureThreshold | default 3 }}
replicas: {{ .replicas | default $.Values.controller.keda.maxReplicas }}
{{- end }}
triggers: triggers:
{{- with .Values.controller.keda.triggers }} {{- with .Values.controller.keda.triggers }}
{{ toYaml . | indent 2 }} {{ toYaml . | indent 2 }}


@ -10,12 +10,15 @@ metadata:
{{- end }} {{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }} name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
{{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }}
spec: spec:
selector: selector:
matchLabels: matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }} {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
{{- if .Values.controller.minAvailable }} {{- if and .Values.controller.minAvailable (not (hasKey .Values.controller "maxUnavailable")) }}
minAvailable: {{ .Values.controller.minAvailable }} minAvailable: {{ .Values.controller.minAvailable }}
{{- else if .Values.controller.maxUnavailable }} {{- else if .Values.controller.maxUnavailable }}
maxUnavailable: {{ .Values.controller.maxUnavailable }} maxUnavailable: {{ .Values.controller.maxUnavailable }}
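Review bot: two behaviour changes here deserve a changelog line. `controller.annotations` is documented in values.yaml as annotations for the controller Deployment/DaemonSet, but the new `annotations:` block applies them to the PodDisruptionBudget as well, so annotations meant only for the workload now land on the PDB. In the selector branch, `hasKey .Values.controller "maxUnavailable"` suppresses `minAvailable` as soon as the key exists, while `else if .Values.controller.maxUnavailable` is a truthiness test, so `maxUnavailable: 0` (a legitimate "no voluntary disruptions" setting) yields a PDB with neither field; use the same `hasKey` test in the second branch, or compare against nil.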

View File

@ -28,6 +28,9 @@ spec:
{{- if .Values.controller.service.loadBalancerSourceRanges }} {{- if .Values.controller.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }} loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }} {{- end }}
{{- if .Values.controller.service.loadBalancerClass }}
loadBalancerClass: {{ .Values.controller.service.loadBalancerClass }}
{{- end }}
{{- if .Values.controller.service.externalTrafficPolicy }} {{- if .Values.controller.service.externalTrafficPolicy }}
externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }}
{{- end }} {{- end }}
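Review bot: `loadBalancerClass` is only accepted by the API server when the Service `type` is `LoadBalancer`, and it is immutable once set, so the new block should be guarded by a check on `.Values.controller.service.type` rather than on the value alone; otherwise a user who sets it together with `type: NodePort` gets a validation error at apply time, and changing it later requires recreating the Service.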

View File

@ -1,37 +1,40 @@
{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }} {{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }}
apiVersion: {{ .Values.defaultBackend.autoscaling.apiVersion }} apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }}
kind: HorizontalPodAutoscaler kind: HorizontalPodAutoscaler
metadata: metadata:
{{- with .Values.defaultBackend.autoscaling.annotations }}
annotations: {{ toYaml . | nindent 4 }}
{{- end }}
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: default-backend app.kubernetes.io/component: default-backend
{{- with .Values.defaultBackend.labels }} {{- with .Values.defaultBackend.labels }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
name: {{ template "ingress-nginx.defaultBackend.fullname" . }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
spec: spec:
scaleTargetRef: scaleTargetRef:
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
name: {{ template "ingress-nginx.defaultBackend.fullname" . }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }} minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }}
maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }} maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }}
metrics: metrics:
{{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }} {{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource - type: Resource
resource: resource:
name: cpu name: cpu
target: target:
type: Utilization type: Utilization
averageUtilization: {{ . }} averageUtilization: {{ . }}
{{- end }} {{- end }}
{{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }} {{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource - type: Resource
resource: resource:
name: memory name: memory
target: target:
type: Utilization type: Utilization
averageUtilization: {{ . }} averageUtilization: {{ . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
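Review bot: the `apiVersion` ternary is now duplicated verbatim between this template and the controller HPA; a named template in `_helpers.tpl` would keep the two in sync, and the same offline-render fallback to the removed `autoscaling/v2beta2` applies here. While this file is being touched, `metrics:` is still emitted even when neither `targetCPUUtilizationPercentage` nor `targetMemoryUtilizationPercentage` is set, which renders `metrics: null`; wrapping it in a check of the two values is cheap.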

View File

@ -1,3 +1,4 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }} {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
@ -137,3 +138,4 @@ spec:
claimName: {{ .Values.appsec.name }}-storage claimName: {{ .Values.appsec.name }}-storage
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}
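Review bot: the new top-level `kind` value (documented at the end of values.yaml as `Vanilla`, `AppSec` or `AppSecStateful`) sits next to the existing `controller.kind` (`Deployment`/`DaemonSet`), which is easy to confuse; a more specific name such as `appsec.kind` would read better. The gate `{{- if not (eq .Values.kind "Vanilla") -}}` only distinguishes `Vanilla` from everything else, so a typo like `kind: vanilla` silently deploys the appsec storage components; a `fail` on values outside the documented set would catch that.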

View File

@ -1,3 +1,4 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }} {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@ -31,3 +32,4 @@ spec:
selector: selector:
app: {{ .Values.appsec.storage.name }}-lbl app: {{ .Values.appsec.storage.name }}-lbl
{{- end }} {{- end }}
{{- end }}

View File

@ -18,14 +18,14 @@ controller:
image: image:
## Keep false as default for now! ## Keep false as default for now!
chroot: false chroot: false
registry: ghcr.io/openappsec registry: registry.k8s.io
image: nginx-ingress-attachment image: ingress-nginx/controller
## for backwards compatibility consider setting the full image url via the repository value below ## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository: ## repository:
tag: latest tag: "v1.8.1"
digest: digest: sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd
digestChroot: sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988 digestChroot: sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# www-data -> uid 101 # www-data -> uid 101
runAsUser: 101 runAsUser: 101
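Review bot: moving the controller image to `registry.k8s.io/ingress-nginx/controller` with a version tag and `sha256` digests is the right supply-chain fix for the previous floating `latest` tag. The two digests need to be the v1.8.1 controller and controller-chroot digests respectively; that is not verifiable from the diff, so please confirm them against the upstream 4.7.1 chart. Note that the same file still introduces unpinned images later (`appsec.image` and `appsec.nginx.image` on `latest`), so the pinning is only partial.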
@ -55,7 +55,7 @@ controller:
# to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet.
dnsPolicy: ClusterFirst dnsPolicy: ClusterFirst
# -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network
# Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply # Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
reportNodeInternalIp: false reportNodeInternalIp: false
# -- Process Ingress objects without ingressClass annotation/ingressClassName field # -- Process Ingress objects without ingressClass annotation/ingressClassName field
# Overrides value for --watch-ingress-without-class flag of the controller binary # Overrides value for --watch-ingress-without-class flag of the controller binary
@ -150,7 +150,7 @@ controller:
# -- Maxmind license key to download GeoLite2 Databases. # -- Maxmind license key to download GeoLite2 Databases.
## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases
maxmindLicenseKey: "" maxmindLicenseKey: ""
# -- Additional command line arguments to pass to nginx-ingress-controller # -- Additional command line arguments to pass to Ingress-Nginx Controller
# E.g. to specify the default SSL certificate you can use # E.g. to specify the default SSL certificate you can use
extraArgs: {} extraArgs: {}
## extraArgs: ## extraArgs:
@ -166,7 +166,7 @@ controller:
# name: secret-resource # name: secret-resource
# -- Use a `DaemonSet` or `Deployment` # -- Use a `DaemonSet` or `Deployment`
kind: StatefulSet kind: Deployment
# -- Annotations to be added to the controller Deployment or DaemonSet # -- Annotations to be added to the controller Deployment or DaemonSet
## ##
annotations: {} annotations: {}
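Review bot: switching the default `controller.kind` from `StatefulSet` to `Deployment` is an upgrade-breaking change for existing releases: Helm deletes the no-longer-rendered StatefulSet and creates a Deployment, and any PVCs created from the StatefulSet's volumeClaimTemplates are left behind. This also needs reconciling with the new top-level `kind: AppSecStateful` option; please document the migration path. The comment on the line above still says only `DaemonSet` or `Deployment`, while the HPA template also accepts `Both`.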
@ -257,7 +257,7 @@ controller:
## ##
terminationGracePeriodSeconds: 300 terminationGracePeriodSeconds: 300
# -- Node labels for controller pod assignment # -- Node labels for controller pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
## ##
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
@ -302,15 +302,16 @@ controller:
healthCheckPath: "/healthz" healthCheckPath: "/healthz"
# -- Address to bind the health check endpoint. # -- Address to bind the health check endpoint.
# It is better to set this option to the internal node address # It is better to set this option to the internal node address
# if the ingress nginx controller is running in the `hostNetwork: true` mode. # if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode.
healthCheckHost: "" healthCheckHost: ""
# -- Annotations to be added to controller pods # -- Annotations to be added to controller pods
## ##
podAnnotations: {} podAnnotations: {}
replicaCount: 1 replicaCount: 1
# -- Define either 'minAvailable' or 'maxUnavailable', never both. # -- Minimum available pods set in PodDisruptionBudget.
# Define either 'minAvailable' or 'maxUnavailable', never both.
minAvailable: 1 minAvailable: 1
# -- Define either 'minAvailable' or 'maxUnavailable', never both. # -- Maximum unavalaile pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
# maxUnavailable: 1 # maxUnavailable: 1
## Define requests resources to avoid probe issues due to CPU utilization in busy nodes ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
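Review bot: typo in the new comment, `unavalaile` should be `unavailable`. The sentence "If set, 'minAvailable' is ignored" also does not quite match the template: the key merely has to exist for `minAvailable` to be skipped, and a value of `0` is then dropped by the truthiness test as well, so either the template or this comment should be adjusted so the two agree.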
@ -326,7 +327,6 @@ controller:
memory: 90Mi memory: 90Mi
# Mutually exclusive with keda autoscaling # Mutually exclusive with keda autoscaling
autoscaling: autoscaling:
apiVersion: autoscaling/v2
enabled: false enabled: false
annotations: {} annotations: {}
minReplicas: 1 minReplicas: 1
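Review bot: `controller.autoscaling.apiVersion` (and `defaultBackend.autoscaling.apiVersion` further down in this file) are removed without a deprecation note; Helm does not error on unknown values, so users who pinned `autoscaling/v2` in their values files silently get whatever the capabilities check picks. Add an entry under `artifacthub.io/changes` or in the README.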
@ -368,6 +368,9 @@ controller:
maxReplicas: 11 maxReplicas: 11
pollingInterval: 30 pollingInterval: 30
cooldownPeriod: 300 cooldownPeriod: 300
# fallback:
# failureThreshold: 3
# replicas: 11
restoreToOriginalReplicaCount: false restoreToOriginalReplicaCount: false
scaledObject: scaledObject:
annotations: {} annotations: {}
@ -417,12 +420,14 @@ controller:
# clusterIP: "" # clusterIP: ""
# -- List of IP addresses at which the controller services are available # -- List of IP addresses at which the controller services are available
## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
## ##
externalIPs: [] externalIPs: []
# -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
loadBalancerIP: "" loadBalancerIP: ""
loadBalancerSourceRanges: [] loadBalancerSourceRanges: []
# -- Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
loadBalancerClass: ""
enableHttp: true enableHttp: true
enableHttps: true enableHttps: true
## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it.
@ -473,8 +478,8 @@ controller:
enabled: false enabled: false
# -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
annotations: {} annotations: {}
# loadBalancerIP: "" # -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS.
loadBalancerIP: ""
# -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0.
loadBalancerSourceRanges: [] loadBalancerSourceRanges: []
## Set external traffic policy to: "Local" to preserve source IP on ## Set external traffic policy to: "Local" to preserve source IP on
@ -547,7 +552,7 @@ controller:
opentelemetry: opentelemetry:
enabled: false enabled: false
image: registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f image: registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0
containerSecurityContext: containerSecurityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
admissionWebhooks: admissionWebhooks:
@ -609,8 +614,8 @@ controller:
## for backwards compatibility consider setting the full image url via the repository value below ## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository: ## repository:
tag: v20230312-helm-chart-4.5.2-28-g66a760794 tag: v20230407
digest: sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f digest: sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# -- Provide a priority class name to the webhook patching job # -- Provide a priority class name to the webhook patching job
## ##
@ -652,7 +657,7 @@ controller:
# clusterIP: "" # clusterIP: ""
# -- List of IP addresses at which the stats-exporter service is available # -- List of IP addresses at which the stats-exporter service is available
## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
## ##
externalIPs: [] externalIPs: []
# loadBalancerIP: "" # loadBalancerIP: ""
@ -810,7 +815,7 @@ defaultBackend:
# key: value # key: value
# -- Node labels for default backend pod assignment # -- Node labels for default backend pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
## ##
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
@ -838,7 +843,6 @@ defaultBackend:
# emptyDir: {} # emptyDir: {}
autoscaling: autoscaling:
apiVersion: autoscaling/v2
annotations: {} annotations: {}
enabled: false enabled: false
minReplicas: 1 minReplicas: 1
@ -850,7 +854,7 @@ defaultBackend:
# clusterIP: "" # clusterIP: ""
# -- List of IP addresses at which the default backend service is available # -- List of IP addresses at which the default backend service is available
## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
## ##
externalIPs: [] externalIPs: []
# loadBalancerIP: "" # loadBalancerIP: ""
@ -907,7 +911,7 @@ appsec:
repository: ghcr.io/openappsec repository: ghcr.io/openappsec
image: agent image: agent
tag: latest tag: latest
pullPolicy: IfNotPresent pullPolicy: Always
securityContext: {} securityContext: {}
# capabilities: # capabilities:
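Review bot: `pullPolicy: Always` combined with `tag: latest` means every pod start can pull a different, unreviewed agent build; for a security component that is the opposite of the digest pinning applied to the controller image earlier in this file. Prefer a version tag plus a digest, and keep `Always` only if the image reference is immutable by digest.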
@ -916,7 +920,26 @@ appsec:
# readOnlyRootFilesystem: true # readOnlyRootFilesystem: true
# runAsNonRoot: true # runAsNonRoot: true
# runAsUser: 1000 # runAsUser: 1000
nginx:
image:
repository: "ghcr.io/openappsec/nginx-ingress-attachment"
tag: "latest"
configMapName: appsec-settings-configmap
configMapContent:
crowdsec:
enabled: false
mode: prevent
logging: enabled
api:
url: http://crowdsec-service:8080/v1/decisions/stream
auth:
method: apikey
secretName: appsec-settings-secret
# If you would like to use your own secret with CrowdSec authentication data, please remove the following block
secretContent:
crowdsec:
auth:
data: "00000000000000000000000000000000"
resources: resources:
# limits: # limits:
# cpu: 100m # cpu: 100m
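Review bot: `secretContent.crowdsec.auth.data: "00000000000000000000000000000000"` ships a placeholder credential as a default that is rendered into a real Secret on every install that does not override or remove the block; an all-zero API key is a recognisable dummy that is easy to leave in place. Leave the default empty and use `required` when `crowdsec.enabled` is true, or make the whole `secretContent` block opt-in. The `appsec.nginx.image` on `tag: "latest"` with no digest has the same pinning concern as the agent image above.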
@ -980,3 +1003,8 @@ appsec:
image: smartsync-shared-files image: smartsync-shared-files
tag: latest tag: latest
# -- For nginx vanilla installation use kind Vanilla (no appsec components).
# -- For nginx with appsec installation use kind AppSec (default: nginx + appsec without state).
# -- For nginx with appsec (statefulset) installation use kind AppSecStateful.
kind: AppSec

View File

@ -1,6 +1,46 @@
# Changelog # Changelog
## Unreleased ## 2.25.0
- Generate the `adminApiService.name` value from `.Release.Name` rather than
hardcoding to `kong`
[#839](https://github.com/Kong/charts/pull/839)
## 2.24.0
### Improvements
* Running `tpl` against user-supplied labels and annotations used in Deployment
[#814](https://github.com/Kong/charts/pull/814)
Example:
```yaml
podLabels:
version: "{{ .Values.image.tag }}" # Will render dynamically when overridden downstream
```
* Fail to render templates when PodSecurityPolicy was requested but cluster doesn't
serve its API.
[#823](https://github.com/Kong/charts/pull/823)
* Add support for multiple hosts and tls configurations for Kong proxy `Ingress`.
[#813](https://github.com/Kong/charts/pull/813)
* Bump postgres default tag to `13.11.0-debian-11-r20` which includes arm64 images.
[#834](https://github.com/Kong/charts/pull/834)
### Fixed
* Fix Ingress and HPA API versions during capabilities checking
[#827](https://github.com/Kong/charts/pull/827)
## 2.23.0
### Improvements
* Add custom label configuration option for Kong proxy `Ingress`.
[#812](https://github.com/Kong/charts/pull/812)
* Bump default `kong/kubernetes-ingress-controller` image tag to 2.10.
Bump default `kong` image tag to 3.3.
[#815](https://github.com/Kong/charts/pull/815)
## 2.22.0 ## 2.22.0
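Review bot: the new `## 2.25.0` entry lacks the `### Improvements` / `### Fixed` subheadings that every other release in this changelog uses, and the `#839` item would belong under `### Improvements` for consistency.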

View File

@ -1,5 +1,5 @@
apiVersion: v2 apiVersion: v2
appVersion: "3.2" appVersion: "3.3"
dependencies: dependencies:
- condition: postgresql.enabled - condition: postgresql.enabled
name: postgresql name: postgresql
@ -16,4 +16,4 @@ maintainers:
name: open-appsec-kong name: open-appsec-kong
sources: sources:
- https://github.com/Kong/charts/tree/main/charts/kong - https://github.com/Kong/charts/tree/main/charts/kong
version: 2.22.0 version: 2.25.0

View File

@ -679,11 +679,13 @@ or `ingress` sections, as it is used only for stream listens.
| SVC.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | | | SVC.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | |
| SVC.ingress.enabled | Enable ingress resource creation (works with SVC.type=ClusterIP) | `false` | | SVC.ingress.enabled | Enable ingress resource creation (works with SVC.type=ClusterIP) | `false` |
| SVC.ingress.ingressClassName | Set the ingressClassName to associate this Ingress with an IngressClass | | | SVC.ingress.ingressClassName | Set the ingressClassName to associate this Ingress with an IngressClass | |
| SVC.ingress.tls | Name of secret resource, containing TLS secret | |
| SVC.ingress.hostname | Ingress hostname | `""` | | SVC.ingress.hostname | Ingress hostname | `""` |
| SVC.ingress.path | Ingress path. | `/` | | SVC.ingress.path | Ingress path. | `/` |
| SVC.ingress.pathType | Ingress pathType. One of `ImplementationSpecific`, `Exact` or `Prefix` | `ImplementationSpecific` | | SVC.ingress.pathType | Ingress pathType. One of `ImplementationSpecific`, `Exact` or `Prefix` | `ImplementationSpecific` |
| SVC.ingress.hosts | Slice of hosts configurations, including `hostname`, `path` and `pathType` keys | `[]` |
| SVC.ingress.tls | Name of secret resource or slice of `secretName` and `hosts` keys | |
| SVC.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` | | SVC.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` |
| SVC.ingress.labels | Ingress labels. Additional custom labels to add to the ingress. | `{}` |
| SVC.annotations | Service annotations | `{}` | | SVC.annotations | Service annotations | `{}` |
| SVC.labels | Service labels | `{}` | | SVC.labels | Service labels | `{}` |
@ -744,6 +746,7 @@ section of `values.yaml` file:
| userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | | | userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | |
| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 | | terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 |
| gatewayDiscovery.enabled | Enables Kong instance service discovery (for more details see [gatewayDiscovery section][gd_section]) | false | | gatewayDiscovery.enabled | Enables Kong instance service discovery (for more details see [gatewayDiscovery section][gd_section]) | false |
| gatewayDiscovery.generateAdminApiService | Generate the admin API service name based on the release name (for more details see [gatewayDiscovery section][gd_section]) | false |
| gatewayDiscovery.adminApiService.namespace | The namespace of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | `.Release.Namespace` | | gatewayDiscovery.adminApiService.namespace | The namespace of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | `.Release.Namespace` |
| gatewayDiscovery.adminApiService.name | The name of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | "" | | gatewayDiscovery.adminApiService.name | The name of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | "" |
| konnect.enabled | Enable synchronisation of data plane configuration with Konnect Runtime Group | false | | konnect.enabled | Enable synchronisation of data plane configuration with Konnect Runtime Group | false |
@ -796,12 +799,16 @@ You'll be able to configure this feature through configuration section under
service. service.
(provided under the hood via `CONTROLLER_KONG_ADMIN_SVC` environment variable). (provided under the hood via `CONTROLLER_KONG_ADMIN_SVC` environment variable).
The following admin API Service flags have to be provided in order for gateway The following admin API Service flags have to be present in order for gateway
discovery to work: discovery to work:
- `ingressController.gatewayDiscovery.adminApiService.name` - `ingressController.gatewayDiscovery.adminApiService.name`
- `ingressController.gatewayDiscovery.adminApiService.namespace` - `ingressController.gatewayDiscovery.adminApiService.namespace`
If you set `ingressController.gatewayDiscovery.generateAdminApiService` to `true`,
the chart will generate values for `name` and `namespace` based on the current release name and
namespace. This is useful when consuming the `kong` chart as a subchart.
Using this feature requires a split release installation of Gateways and Ingress Controller. Using this feature requires a split release installation of Gateways and Ingress Controller.
For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md). For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md).

View File

@ -0,0 +1,6 @@
admin:
enabled: true
type: ClusterIP
ingressController:
enabled: false

View File

@ -0,0 +1,16 @@
# CI test for empty hostname including tls secret using string
proxy:
type: NodePort
ingress:
enabled: true
tls: "kong.proxy.example.secret"
extraObjects:
- apiVersion: v1
data:
tls.crt: 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
tls.key: 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
kind: Secret
metadata:
name: kong.proxy.example.secret
type: kubernetes.io/tls

View File

@ -0,0 +1,17 @@
# CI test for hostname including tls secret using string
proxy:
type: NodePort
ingress:
enabled: true
hostname: "proxy.kong.example"
tls: "kong.proxy.example.secret"
extraObjects:
- apiVersion: v1
data:
tls.crt: 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
tls.key: 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
kind: Secret
metadata:
name: kong.proxy.example.secret
type: kubernetes.io/tls

View File

@ -0,0 +1,10 @@
# CI test for using ingress hosts configuration
proxy:
type: NodePort
ingress:
enabled: true
hosts:
- host: proxy.kong.example
paths:
- path: /
pathType: ImplementationSpecific

View File

@ -0,0 +1,43 @@
# CI test for testing combined ingress hostname and hosts configuration including tls configuraion using slice
proxy:
type: NodePort
ingress:
enabled: true
hostname: "proxy.kong.example"
hosts:
- host: "proxy2.kong.example"
paths:
- path: /foo
pathType: Prefix
- path: /bar
pathType: Prefix
- host: "proxy3.kong.example"
paths:
- path: /baz
pathType: Prefix
tls:
- hosts:
- "proxy.kong.example"
secretName: "proxy.kong.example.secret"
- hosts:
- "proxy2.kong.example"
- "proxy3.kong.example"
secretName: "proxy.kong.example.secret2"
extraObjects:
- apiVersion: v1
data:
tls.crt: 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
tls.key: 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
kind: Secret
metadata:
name: kong.proxy.example.secret
type: kubernetes.io/tls
- apiVersion: v1
data:
tls.crt: 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
tls.key: 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
kind: Secret
metadata:
name: kong.proxy.example.secret2
type: kubernetes.io/tls

View File

@ -28,9 +28,6 @@ ingressController:
podLabels: podLabels:
app: kong app: kong
environment: test environment: test
# - podSecurityPolicies are enabled
podSecurityPolicy:
enabled: true
# - ingress resources are created with hosts # - ingress resources are created with hosts
admin: admin:
type: NodePort type: NodePort

View File

@ -146,7 +146,7 @@ extraLabels:
konghq.com/component: quickstart konghq.com/component: quickstart
image: image:
repository: kong/kong-gateway repository: kong/kong-gateway
tag: "3.2" tag: "3.3"
ingressController: ingressController:
enabled: true enabled: true
env: env:
@ -162,7 +162,7 @@ ingressController:
publish_service: kong/quickstart-kong-proxy publish_service: kong/quickstart-kong-proxy
image: image:
repository: docker.io/kong/kubernetes-ingress-controller repository: docker.io/kong/kubernetes-ingress-controller
tag: "2.8" tag: "2.10"
ingressClass: default ingressClass: default
installCRDs: false installCRDs: false
manager: manager:
@ -278,8 +278,4 @@ status:
tls: tls:
containerPort: 8543 containerPort: 8543
enabled: false enabled: false
updateStrategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 100%
type: RollingUpdate

View File

@ -12,7 +12,7 @@
image: image:
repository: kong/kong-gateway repository: kong/kong-gateway
tag: "3.2" tag: "3.3"
env: env:
prefix: /kong_prefix/ prefix: /kong_prefix/

View File

@ -9,7 +9,7 @@
image: image:
repository: kong/kong-gateway repository: kong/kong-gateway
tag: "3.2" tag: "3.3"
admin: admin:
enabled: true enabled: true

View File

@ -2,7 +2,7 @@
image: image:
repository: kong repository: kong
tag: "3.2" tag: "3.3"
env: env:
prefix: /kong_prefix/ prefix: /kong_prefix/

View File

@ -4,7 +4,7 @@
image: image:
repository: kong/kong-gateway repository: kong/kong-gateway
tag: "3.2" tag: "3.3"
enterprise: enterprise:
enabled: true enabled: true

View File

@ -14,7 +14,7 @@
image: image:
repository: kong/kong-gateway repository: kong/kong-gateway
tag: "3.2" tag: "3.3"
env: env:
database: postgres database: postgres

View File

@ -12,7 +12,7 @@
image: image:
repository: kong/kong-gateway repository: kong/kong-gateway
tag: "3.2" tag: "3.3"
env: env:
role: data_plane role: data_plane
@ -43,4 +43,3 @@ portal:
portalapi: portalapi:
enabled: false enabled: false

View File

@ -6,7 +6,7 @@
image: image:
repository: kong repository: kong
tag: "3.2" tag: "3.3"
env: env:
prefix: /kong_prefix/ prefix: /kong_prefix/

View File

@ -11,7 +11,7 @@
image: image:
repository: kong repository: kong
tag: "3.2" tag: "3.3"
env: env:
prefix: /kong_prefix/ prefix: /kong_prefix/

View File

@ -6,7 +6,7 @@
image: image:
repository: kong repository: kong
tag: "3.2" tag: "3.3"
env: env:
prefix: /kong_prefix/ prefix: /kong_prefix/

View File

@ -32,7 +32,7 @@ app.kubernetes.io/instance: "{{ .Release.Name }}"
app.kubernetes.io/managed-by: "{{ .Release.Service }}" app.kubernetes.io/managed-by: "{{ .Release.Service }}"
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- range $key, $value := .Values.extraLabels }} {{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }} {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
{{- end }} {{- end }}
{{- end -}} {{- end -}}
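Review bot: running `kong.renderTpl` over `extraLabels` values means any label value containing `{{` is now evaluated as a Go template with the full chart context; that is the documented intent of #814, but it is a behaviour change for anyone with a literal `{{` in a label, and a template error there now aborts the whole release. Worth a line in the README next to the `extraLabels` entry.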
@ -78,13 +78,16 @@ Create Ingress resource for a Kong service
{{- $path := .ingress.path -}} {{- $path := .ingress.path -}}
{{- $hostname := .ingress.hostname -}} {{- $hostname := .ingress.hostname -}}
{{- $pathType := .ingress.pathType -}} {{- $pathType := .ingress.pathType -}}
apiVersion: {{ .ingressVersion }} apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: {{ .fullName }}-{{ .serviceName }} name: {{ .fullName }}-{{ .serviceName }}
namespace: {{ .namespace }} namespace: {{ .namespace }}
labels: labels:
{{- .metaLabels | nindent 4 }} {{- .metaLabels | nindent 4 }}
{{- range $key, $value := .ingress.labels }}
{{- $key | nindent 4 }}: {{ $value | quote }}
{{- end }}
{{- if .ingress.annotations }} {{- if .ingress.annotations }}
annotations: annotations:
{{- range $key, $value := .ingress.annotations }} {{- range $key, $value := .ingress.annotations }}
@ -92,33 +95,74 @@ metadata:
{{- end }} {{- end }}
{{- end }} {{- end }}
spec: spec:
{{- if (and (not (eq .ingressVersion "extensions/v1beta1")) .ingress.ingressClassName) }} {{- if .ingress.ingressClassName }}
ingressClassName: {{ .ingress.ingressClassName }} ingressClassName: {{ .ingress.ingressClassName }}
{{- end }} {{- end }}
rules: rules:
- host: {{ $hostname | quote }} {{- if ( not (or $hostname .ingress.hosts)) }}
http: - http:
paths: paths:
- backend: - backend:
{{- if (not (eq .ingressVersion "networking.k8s.io/v1")) }}
serviceName: {{ .fullName }}-{{ .serviceName }}
servicePort: {{ $servicePort }}
{{- else }}
service: service:
name: {{ .fullName }}-{{ .serviceName }} name: {{ .fullName }}-{{ .serviceName }}
port: port:
number: {{ $servicePort }} number: {{ $servicePort }}
{{- end }}
path: {{ $path }} path: {{ $path }}
{{- if (not (eq .ingressVersion "extensions/v1beta1")) }}
pathType: {{ $pathType }} pathType: {{ $pathType }}
{{- else if $hostname }}
- host: {{ $hostname | quote }}
http:
paths:
- backend:
service:
name: {{ .fullName }}-{{ .serviceName }}
port:
number: {{ $servicePort }}
path: {{ $path }}
pathType: {{ $pathType }}
{{- end }}
{{- range .ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- backend:
{{- if .backend -}}
{{ .backend | toYaml | nindent 12 }}
{{- else }}
service:
name: {{ $.fullName }}-{{ $.serviceName }}
port:
number: {{ $servicePort }}
{{- end }} {{- end }}
{{- if (and $hostname (and (eq $path .path))) }}
{{- fail "duplication of specified ingress path" }}
{{- end }}
path: {{ .path }}
pathType: {{ .pathType }}
{{- end }}
{{- end }}
{{- if (hasKey .ingress "tls") }} {{- if (hasKey .ingress "tls") }}
tls: tls:
- hosts: {{- if (kindIs "string" .ingress.tls) }}
- {{ $hostname | quote }} - hosts:
secretName: {{ .ingress.tls }} {{- range .ingress.hosts }}
{{- end -}} - {{ .host | quote }}
{{- end }}
{{- if $hostname }}
- {{ $hostname | quote }}
{{- end }}
secretName: {{ .ingress.tls }}
{{- else if (kindIs "slice" .ingress.tls) }}
{{- range .ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}} {{- end -}}
{{/* {{/*
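Review bot: the duplicate-path guard `{{- if (and $hostname (and (eq $path .path))) }}` compares paths only, so `hostname: a.example.com` with `path: /` plus a `hosts` entry for `b.example.com` with `path: /` is rejected with "duplication of specified ingress path" even though that is a valid Ingress; compare the host as well, e.g. `if and $hostname (eq .host $hostname) (eq $path .path)`, and drop the redundant single-operand inner `and`. In the same loop `pathType: {{ .pathType }}` has no default, so a `hosts[].paths[]` entry that omits it renders an empty `pathType`, which `networking.k8s.io/v1` rejects; `{{ .pathType | default $pathType }}` would keep it consistent with the single-hostname rule.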
@ -326,7 +370,18 @@ Return the admin API service name for service discovery
{{- $gatewayDiscovery := .Values.ingressController.gatewayDiscovery -}} {{- $gatewayDiscovery := .Values.ingressController.gatewayDiscovery -}}
{{- if $gatewayDiscovery.enabled -}} {{- if $gatewayDiscovery.enabled -}}
{{- $adminApiService := $gatewayDiscovery.adminApiService -}} {{- $adminApiService := $gatewayDiscovery.adminApiService -}}
{{- $_ := required ".ingressController.gatewayDiscovery.adminApiService has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiService -}} {{- $adminApiServiceName := $gatewayDiscovery.adminApiService.name -}}
{{- $generateAdminApiService := $gatewayDiscovery.generateAdminApiService -}}
{{- if and $generateAdminApiService $adminApiService.name -}}
{{- fail (printf ".Values.ingressController.gatewayDiscovery.adminApiService and .Values.ingressController.gatewayDiscovery.generateAdminApiService must not be provided at the same time") -}}
{{- end -}}
{{- if $generateAdminApiService -}}
{{- $adminApiServiceName = (printf "%s-%s" .Release.Name "gateway-admin") -}}
{{- else }}
{{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiServiceName -}}
{{- end }}
{{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
{{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }} {{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
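Review bot: `$gatewayDiscovery.adminApiService.name` at the top of the hunk reads `.name` before anything checks that `adminApiService` is set, so a values file with `adminApiService: null` (or one that drops the block and only sets `generateAdminApiService: true`) now fails with a nil-pointer template error instead of the descriptive `required` message a few lines below; read it through `(default dict $gatewayDiscovery.adminApiService).name`, or use `dig`, before the mutual-exclusion check.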
@ -337,9 +392,7 @@ Return the admin API service name for service discovery
{{- end }} {{- end }}
{{- $namespace := $adminApiService.namespace | default ( include "kong.namespace" . ) -}} {{- $namespace := $adminApiService.namespace | default ( include "kong.namespace" . ) -}}
{{- $name := $adminApiService.name -}} {{- printf "%s/%s" $namespace $adminApiServiceName -}}
{{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $name -}}
{{- printf "%s/%s" $namespace $name -}}
{{- else -}} {{- else -}}
{{- fail "Can't use gateway discovery when .Values.ingressController.gatewayDiscovery.enabled is set to false." -}} {{- fail "Can't use gateway discovery when .Values.ingressController.gatewayDiscovery.enabled is set to false." -}}
{{- end -}} {{- end -}}
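Review bot: when `generateAdminApiService` is true the name is fixed to `<release>-gateway-admin` (previous hunk) but `$namespace` is still taken from `$adminApiService.namespace`, so a user who sets `adminApiService.namespace` to another namespace points discovery at a service the chart does not create there; either ignore the namespace override in the generated case or `fail` on that combination as is already done for `name`.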
@ -1526,22 +1579,44 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration.
- watch - watch
{{- end -}} {{- end -}}
{{- define "kong.ingressVersion" -}}
{{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") -}}
networking.k8s.io/v1
{{- else if (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress") -}}
networking.k8s.io/v1beta1
{{- else -}}
extensions/v1beta1
{{- end -}}
{{- end -}}
{{- define "kong.autoscalingVersion" -}} {{- define "kong.autoscalingVersion" -}}
{{- if (.Capabilities.APIVersions.Has "autoscaling/v2/HorizontalPodAutoscaler") -}} {{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}}
autoscaling/v2 autoscaling/v2
{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2/HorizontalPodAutoscaler") -}} {{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") -}}
autoscaling/v2beta2 autoscaling/v2beta2
{{- else -}} {{- else -}}
autoscaling/v1 autoscaling/v1
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "kong.policyVersion" -}}
{{- if (.Capabilities.APIVersions.Has "policy/v1beta1" ) -}}
policy/v1beta1
{{- else -}}
{{- fail (printf "Cluster doesn't have policy/v1beta1 API." ) }}
{{- end -}}
{{- end -}}
{{- define "kong.renderTpl" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}
{{- define "kong.ingressVersion" -}}
{{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1") -}}
networking.k8s.io/v1
{{- else if (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") -}}
networking.k8s.io/v1beta1
{{- else -}}
extensions/v1beta1
{{- end -}}
{{- end -}}
{{/*
appsec labels
*/}}
{{- define "appsec.labels" -}}
{{- end -}}
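Review bot: `kong.renderTpl` runs `tpl` on every label and annotation value with the full chart context, which is a trust-boundary change: whoever supplies the values file can now call `lookup`, `.Files` and friends from an annotation string, and any existing value that happens to contain `{{` (annotations carrying another tool's template syntax) is now evaluated or fails to parse; document this next to `deploymentAnnotations`, `podAnnotations` and `podLabels` in values.yaml and consider an opt-in switch. Also, `kong.ingressVersion` is re-added at the bottom of the hunk but nothing in the patch consumes it any more (the `ingressVersion` key is removed from the proxy ingress config), and `appsec.labels` is defined with an empty body.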

@ -1,3 +1,4 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}} {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.persistence.enabled true) -}}
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
apiVersion: v1 apiVersion: v1
@ -18,3 +19,4 @@ spec:
storageClassName: {{ required "A storage class for learning data is required" .Values.appsec.persistence.learning.storageClass.name }} storageClassName: {{ required "A storage class for learning data is required" .Values.appsec.persistence.learning.storageClass.name }}
{{- end -}} {{- end -}}
{{- end }} {{- end }}
{{- end }}

@ -1,4 +1,4 @@
{{- if (eq .Values.kind "AppSecStateful") -}} {{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }}
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
apiVersion: v1 apiVersion: v1
metadata: metadata:

@ -0,0 +1,32 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{- if .Values.appsec.configMapContent }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" | quote }}
data:
{{- if .Values.appsec.configMapContent.crowdsec }}
CROWDSEC_ENABLED: {{ .Values.appsec.configMapContent.crowdsec.enabled | default "false" | quote }}
{{- if .Values.appsec.configMapContent.crowdsec.api }}
CROWDSEC_API_URL: {{ .Values.appsec.configMapContent.crowdsec.api.url | default "http://crowdsec-service:8080/v1/decisions/stream" }}
{{- else }}
CROWDSEC_API_URL: "http://crowdsec-service:8080/v1/decisions/stream"
{{- end }}
{{- if .Values.appsec.configMapContent.crowdsec.auth }}
CROWDSEC_AUTH_METHOD: {{ .Values.appsec.configMapContent.crowdsec.auth.method | default "apikey" }}
{{- else }}
CROWDSEC_AUTH_METHOD: "apikey"
{{- end }}
{{- if .Values.appsec.configMapContent.crowdsec.mode }}
CROWDSEC_MODE: {{ .Values.appsec.configMapContent.crowdsec.mode | default "prevent" }}
{{- else }}
CROWDSEC_MODE: "prevent"
{{- end }}
{{- if .Values.appsec.configMapContent.crowdsec.logging }}
CROWDSEC_LOGGING: {{ .Values.appsec.configMapContent.crowdsec.logging | default "enabled" }}
{{- else }}
CROWDSEC_LOGGING: "enabled"
{{- end }}
{{- end }}
{{- end }}
{{- end }}
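Review bot: `CROWDSEC_ENABLED` is passed through `quote` but `CROWDSEC_API_URL`, `CROWDSEC_AUTH_METHOD`, `CROWDSEC_MODE` and `CROWDSEC_LOGGING` are emitted as bare scalars, so a user-supplied value containing `#`, `: ` or a leading `*`/`&` breaks the manifest, and a value YAML reads as a non-string (`on`/`off`) is rejected because ConfigMap data must be strings; pipe all of them through `quote`. The `if`/`else` pair around each key only guards against the parent map being nil, which `dig "crowdsec" "api" "url" "<default>" .Values.appsec.configMapContent` would express in one line per key.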

@ -0,0 +1,12 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{ if .Values.appsec.secretContent }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.appsec.secretName | default "appsec-settings-secret" | quote }}
data:
{{- if and .Values.appsec.secretContent.crowdsec .Values.appsec.secretContent.crowdsec.auth }}
CROWDSEC_AUTH_DATA: {{ .Values.appsec.secretContent.crowdsec.auth.data | b64enc }}
{{- end }}
{{ end }}
{{ end }}
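Review bot: the Secret base64-encodes whatever `secretContent.crowdsec.auth.data` holds, and values.yaml ships the placeholder `00000000000000000000000000000000` for it, so enabling CrowdSec without overriding that value sends a dummy API key at runtime with no render-time signal; mirror the `PROVIDE-EMAIL-HERE` guard used for `userEmail` in the deployment and `fail` when the placeholder is still present and `crowdsec.enabled` is true. The outer `{{ if ... }}`/`{{ end }}` also lack the `-` trim markers every other template in the patch uses, which leaves stray blank lines in the rendered output.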

@ -18,13 +18,13 @@ metadata:
{{- if .Values.deploymentAnnotations }} {{- if .Values.deploymentAnnotations }}
annotations: annotations:
{{- range $key, $value := .Values.deploymentAnnotations }} {{- range $key, $value := .Values.deploymentAnnotations }}
{{ $key }}: {{ $value | quote }} {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
{{- end }} {{- end }}
{{- end }} {{- end }}
spec: spec:
{{- if not .Values.autoscaling.enabled }} {{- if not .Values.autoscaling.enabled }}
{{- if eq .Values.kind "AppSecStateful" }} {{- if eq .Values.kind "AppSecStateful" }}
serviceName: "cp-appsec-stateful-set" serviceName: "open-appsec-stateful-set"
{{- end }} {{- end }}
{{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }} {{- if or (not .Values.deployment.daemonset) (and (eq .Values.kind "AppSecStateful") ( .Values.deployment.daemonset )) }}
replicas: {{ .Values.replicaCount }} replicas: {{ .Values.replicaCount }}
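Review bot: changing `serviceName` from `cp-appsec-stateful-set` to `open-appsec-stateful-set` touches an immutable StatefulSet field, so `helm upgrade` of an existing `AppSecStateful` release will be rejected by the API server; keep the old name, or document that the StatefulSet has to be deleted first (`kubectl delete sts ... --cascade=orphan` keeps the pods and PVCs), and verify that a headless Service with the new name is actually rendered by the chart.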
@ -58,7 +58,7 @@ spec:
{{- end }} {{- end }}
{{- if .Values.podAnnotations }} {{- if .Values.podAnnotations }}
{{- range $key, $value := .Values.podAnnotations }} {{- range $key, $value := .Values.podAnnotations }}
{{ $key }}: {{ $value | quote }} {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
{{- end }} {{- end }}
{{- end }} {{- end }}
labels: labels:
@ -67,7 +67,7 @@ spec:
app: {{ template "kong.fullname" . }} app: {{ template "kong.fullname" . }}
version: {{ .Chart.AppVersion | quote }} version: {{ .Chart.AppVersion | quote }}
{{- if .Values.podLabels }} {{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | nindent 8 }} {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
{{- end }} {{- end }}
spec: spec:
{{- if .Values.deployment.hostNetwork }} {{- if .Values.deployment.hostNetwork }}
@ -90,6 +90,7 @@ spec:
- name: {{ . }} - name: {{ . }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.deployment.kong.enabled }}
initContainers: initContainers:
- name: clear-stale-pid - name: clear-stale-pid
image: {{ include "kong.getRepoTag" .Values.image }} image: {{ include "kong.getRepoTag" .Values.image }}
@ -112,6 +113,7 @@ spec:
{{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }} {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }}
{{- include "kong.wait-for-db" . | nindent 6 }} {{- include "kong.wait-for-db" . | nindent 6 }}
{{- end }} {{- end }}
{{- end }}
{{- if .Values.deployment.hostAliases }} {{- if .Values.deployment.hostAliases }}
hostAliases: hostAliases:
{{- toYaml .Values.deployment.hostAliases | nindent 6 }} {{- toYaml .Values.deployment.hostAliases | nindent 6 }}
@ -137,6 +139,10 @@ spec:
successThreshold: 1 successThreshold: 1
securityContext: securityContext:
{{ toYaml .Values.appsec.securityContext | nindent 12 }} {{ toYaml .Values.appsec.securityContext | nindent 12 }}
{{- $tag := .Values.appsec.image.tag }}
{{- if .Values.appsec.configMapContent.crowdsec.enabled }}
{{- $tag = "crowdsec-1.2314-rc1" }}
{{- end }}
{{- with .Values.appsec.image }} {{- with .Values.appsec.image }}
image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}" image: "{{- if .registry }}{{ .registry }}/{{- end }}{{- if .repository }}{{ .repository }}/{{- end }}{{ .image }}{{- if .tag }}:{{ .tag }}{{- end }}{{- if (.digest) -}} @{{.digest}} {{- end }}"
{{- end }} {{- end }}
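Review bot: the `$tag` override for the CrowdSec build is never used: `$tag` is set to `crowdsec-1.2314-rc1`, but the `image:` line inside `with .Values.appsec.image` still renders `{{ .tag }}` from the values, so enabling CrowdSec keeps pulling the configured tag; either use `$tag` in the image string or drop the dead assignment. `.Values.appsec.configMapContent.crowdsec.enabled` is also dereferenced here without the `if .Values.appsec.configMapContent` guard the ConfigMap template uses, so a values file that clears `configMapContent` fails rendering at this line, and pinning a hardcoded `-rc1` tag inside the template means it cannot be overridden or audited from values.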
@ -162,6 +168,15 @@ spec:
{{- end }} {{- end }}
imagePullPolicy: {{ .Values.appsec.image.pullPolicy }} imagePullPolicy: {{ .Values.appsec.image.pullPolicy }}
env: env:
- name: registered_server
value: "Kong Server"
{{- if .Values.appsec.userEmail }}
{{- if eq .Values.appsec.userEmail "PROVIDE-EMAIL-HERE" }}
{{- fail "Please replace PROVIDE-EMAIL-HERE with an email address" }}
{{- end }}
- name: user_email
value: {{ .Values.appsec.userEmail }}
{{- end }}
{{- if eq .Values.appsec.playground false }} {{- if eq .Values.appsec.playground false }}
- name: SHARED_STORAGE_HOST - name: SHARED_STORAGE_HOST
value: {{ .Values.appsec.storage.name }}-svc value: {{ .Values.appsec.storage.name }}-svc
@ -171,12 +186,17 @@ spec:
- name: PLAYGROUND - name: PLAYGROUND
value: "true" value: "true"
{{- end }} {{- end }}
envFrom:
- configMapRef:
name: {{ .Values.appsec.configMapName | default "appsec-settings-configmap" }}
- secretRef:
name: {{ .Values.appsec.secretName | default "appsec-settings-secret" }}
resources: resources:
{{ toYaml .Values.resources | nindent 12 }} {{ toYaml .Values.resources | nindent 12 }}
{{- if eq .Values.kind "AppSecStateful" }}
volumeMounts: volumeMounts:
- name: advanced-model - name: advanced-model
mountPath: /advanced-model mountPath: /advanced-model
{{- if (eq .Values.appsec.persistence.enabled true) }}
- name: appsec-conf - name: appsec-conf
mountPath: /etc/cp/conf mountPath: /etc/cp/conf
- name: appsec-data - name: appsec-data
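Review bot: `envFrom` now references the ConfigMap and Secret unconditionally, but both manifests are only rendered when `appsec.configMapContent` / `appsec.secretContent` are set, and the values comment invites users to remove `secretContent`; a pod that references a missing ConfigMap or Secret stays in `CreateContainerConfigError`. Either wrap the references in the same conditions as the manifests or add `optional: true` to the `configMapRef` and `secretRef` entries.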
@ -190,6 +210,10 @@ spec:
{{- end }} {{- end }}
{{- if .Values.deployment.kong.enabled }} {{- if .Values.deployment.kong.enabled }}
- name: "proxy" - name: "proxy"
{{- $tag := .Values.appsec.kong.image.tag }}
{{- if .Values.appsec.configMapContent.crowdsec.enabled }}
{{- $tag = "1.2303.1-rc1-v1.3.0" }}
{{- end }}
{{- with .Values.appsec.kong.image }} {{- with .Values.appsec.kong.image }}
image: "{{ .repository }}:{{ .tag }}" image: "{{ .repository }}:{{ .tag }}"
{{- end }} {{- end }}
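Review bot: same dead override as in the agent container above: `$tag` is set to `1.2303.1-rc1-v1.3.0` when CrowdSec is enabled, but `image: "{{ .repository }}:{{ .tag }}"` reads `.tag` from `.Values.appsec.kong.image`, so the CrowdSec-specific gateway image is never selected.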
@ -338,6 +362,10 @@ spec:
{{ toYaml .Values.readinessProbe | indent 10 }} {{ toYaml .Values.readinessProbe | indent 10 }}
livenessProbe: livenessProbe:
{{ toYaml .Values.livenessProbe | indent 10 }} {{ toYaml .Values.livenessProbe | indent 10 }}
{{- if .Values.startupProbe }}
startupProbe:
{{ toYaml .Values.startupProbe | indent 10 }}
{{- end }}
resources: resources:
{{ toYaml .Values.resources | indent 10 }} {{ toYaml .Values.resources | indent 10 }}
{{- end }} {{/* End of Kong container spec */}} {{- end }} {{/* End of Kong container spec */}}
@ -365,6 +393,14 @@ spec:
configMap: configMap:
name: advanced-model-config name: advanced-model-config
optional: true optional: true
{{- if (and (eq .Values.kind "AppSec") .Values.appsec.persistence.enabled) }}
- name: appsec-conf
persistentVolumeClaim:
claimName: {{ .Values.appsec.name }}-conf
- name: appsec-data
persistentVolumeClaim:
claimName: {{ .Values.appsec.name }}-data
{{- end }}
{{- include "kong.volumes" . | nindent 8 -}} {{- include "kong.volumes" . | nindent 8 -}}
{{- include "kong.userDefinedVolumes" . | nindent 8 -}} {{- include "kong.userDefinedVolumes" . | nindent 8 -}}
{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }}
@ -400,9 +436,9 @@ spec:
path: ca.crt path: ca.crt
- key: namespace - key: namespace
path: namespace path: namespace
{{- end -}} {{- end }}
{{- end }} {{- end }}
{{- if eq .Values.kind "AppSecStateful" }} {{- if (and (eq .Values.kind "AppSecStateful") .Values.appsec.persistence.enabled) }}
volumeClaimTemplates: volumeClaimTemplates:
- metadata: - metadata:
name: appsec-conf name: appsec-conf

@ -14,7 +14,7 @@ metadata:
{{- if .Values.deploymentAnnotations }} {{- if .Values.deploymentAnnotations }}
annotations: annotations:
{{- range $key, $value := .Values.deploymentAnnotations }} {{- range $key, $value := .Values.deploymentAnnotations }}
{{ $key }}: {{ $value | quote }} {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
{{- end }} {{- end }}
{{- end }} {{- end }}
spec: spec:
@ -51,7 +51,7 @@ spec:
{{- end }} {{- end }}
{{- if .Values.podAnnotations }} {{- if .Values.podAnnotations }}
{{- range $key, $value := .Values.podAnnotations }} {{- range $key, $value := .Values.podAnnotations }}
{{ $key }}: {{ $value | quote }} {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }}
{{- end }} {{- end }}
{{- end }} {{- end }}
labels: labels:
@ -60,7 +60,7 @@ spec:
app: {{ template "kong.fullname" . }} app: {{ template "kong.fullname" . }}
version: {{ .Chart.AppVersion | quote }} version: {{ .Chart.AppVersion | quote }}
{{- if .Values.podLabels }} {{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | nindent 8 }} {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
{{- end }} {{- end }}
spec: spec:
{{- if .Values.deployment.hostNetwork }} {{- if .Values.deployment.hostNetwork }}

@ -1,6 +1,6 @@
{{/* Default to not managing if unsupported or created outside this chart */}} {{/* Default to not managing if unsupported or created outside this chart */}}
{{- $includeIngressClass := false -}} {{- $includeIngressClass := false -}}
{{- if (and .Values.ingressController.enabled (not (eq (include "kong.ingressVersion" .) "extensions/v1beta1"))) -}} {{- if .Values.ingressController.enabled -}}
{{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") -}} {{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") -}}
{{- with (lookup "networking.k8s.io/v1" "IngressClass" "" .Values.ingressController.ingressClass) -}} {{- with (lookup "networking.k8s.io/v1" "IngressClass" "" .Values.ingressController.ingressClass) -}}
{{- if (hasKey .metadata "annotations") -}} {{- if (hasKey .metadata "annotations") -}}

@ -1,3 +1,4 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }} {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
@ -139,3 +140,4 @@ spec:
claimName: {{ .Values.appsec.name }}-storage claimName: {{ .Values.appsec.name }}-storage
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }}

@ -1,3 +1,4 @@
{{- if not (eq .Values.kind "Vanilla") -}}
{{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }} {{- if and (eq "standalone" .Values.appsec.mode) (eq .Values.appsec.playground false) }}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@ -31,3 +32,4 @@ spec:
selector: selector:
app: {{ .Values.appsec.storage.name }}-lbl app: {{ .Values.appsec.storage.name }}-lbl
{{- end }} {{- end }}
{{- end }}

@ -1,5 +1,5 @@
{{- if and (.Values.podSecurityPolicy.enabled) (.Capabilities.APIVersions.Has "policy/v1beta1") }} {{- if and (.Values.podSecurityPolicy.enabled) }}
apiVersion: policy/v1beta1 apiVersion: {{ include "kong.policyVersion" . }}
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:
name: {{ template "kong.serviceAccountName" . }}-psp name: {{ template "kong.serviceAccountName" . }}-psp
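Review bot: `{{- if and (.Values.podSecurityPolicy.enabled) }}` is an `and` with a single operand (plain `if .Values.podSecurityPolicy.enabled` reads better), and moving the API check into `kong.policyVersion` turns the previous silent skip into a hard `fail` on clusters without `policy/v1beta1` (Kubernetes 1.25 and later) and on `helm template` runs that do not pass `--api-versions policy/v1beta1`; failing loudly is the right default for a security control that would otherwise vanish unnoticed, but say so in the `podSecurityPolicy.enabled` comment in values.yaml.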

@ -2,7 +2,6 @@
{{- if and .Values.proxy.enabled (or .Values.proxy.http.enabled .Values.proxy.tls.enabled) -}} {{- if and .Values.proxy.enabled (or .Values.proxy.http.enabled .Values.proxy.tls.enabled) -}}
{{- $serviceConfig := dict -}} {{- $serviceConfig := dict -}}
{{- $serviceConfig := merge $serviceConfig .Values.proxy -}} {{- $serviceConfig := merge $serviceConfig .Values.proxy -}}
{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}}
{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}} {{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}}
{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}} {{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}}
{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}} {{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}}

@ -121,10 +121,10 @@ extraLabels: {}
# Specify Kong's Docker image and repository details here # Specify Kong's Docker image and repository details here
image: image:
repository: kong repository: kong
tag: "3.2" tag: "3.3"
# Kong Enterprise # Kong Enterprise
# repository: kong/kong-gateway # repository: kong/kong-gateway
# tag: "3.2" # tag: "3.3"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets. ## Optionally specify an array of imagePullSecrets.
@ -334,16 +334,46 @@ proxy:
# Enable/disable exposure using ingress. # Enable/disable exposure using ingress.
enabled: false enabled: false
ingressClassName: ingressClassName:
# Ingress hostname # To specify annotations or labels for the ingress, add them to the respective
# TLS secret name. # "annotations" or "labels" dictionaries below.
# tls: kong-proxy.example.com-tls
hostname:
# Map of ingress annotations.
annotations: {} annotations: {}
# Ingress path. labels: {}
# Ingress hostname
hostname:
# Ingress path (when used with hostname above).
path: / path: /
# Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) # Each path in an Ingress is required to have a corresponding path type (when used with hostname above). (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific pathType: ImplementationSpecific
# Ingress hosts. Use this instead of or in combination with hostname to specify multiple ingress host configurations
hosts: []
# - host: kong-proxy.example.com
# paths:
# # Ingress path.
# - path: /*
# # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
# pathType: ImplementationSpecific
# - host: kong-proxy-other.example.com
# paths:
# # Ingress path.
# - path: /other
# # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
# pathType: ImplementationSpecific
# backend:
# service:
# name: kong-other-proxy
# port:
# number: 80
#
# TLS secret(s)
# tls: kong-proxy.example.com-tls
# Or if multiple hosts/secrets needs to be configured:
# tls:
# - secretName: kong-proxy.example.com-tls
# hosts:
# - kong-proxy.example.com
# - secretName: kong-proxy-other.example.com-tls
# hosts:
# - kong-proxy-other.example.com
# Optionally specify a static load balancer IP. # Optionally specify a static load balancer IP.
# loadBalancerIP: # loadBalancerIP:
@ -484,7 +514,7 @@ ingressController:
enabled: true enabled: true
image: image:
repository: kong/kubernetes-ingress-controller repository: kong/kubernetes-ingress-controller
tag: "2.9" tag: "2.10"
# Optionally set a semantic version for version-gated features. This can normally # Optionally set a semantic version for version-gated features. This can normally
# be left unset. You only need to set this if your tag is not a semver string, # be left unset. You only need to set this if your tag is not a semver string,
# such as when you are using a "next" tag. Set this to the effective semantic # such as when you are using a "next" tag. Set this to the effective semantic
@ -495,6 +525,7 @@ ingressController:
gatewayDiscovery: gatewayDiscovery:
enabled: false enabled: false
generateAdminApiService: false
adminApiService: adminApiService:
namespace: "" namespace: ""
name: "" name: ""
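Review bot: `generateAdminApiService: false` is added with no comment, unlike the surrounding keys; say that it makes the chart create and use `<release>-gateway-admin` and that it is mutually exclusive with `adminApiService.name` (the helpers hunk `fail`s when both are set).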
@ -661,7 +692,7 @@ postgresql:
image: image:
# use postgres < 14 until is https://github.com/Kong/kong/issues/8533 resolved and released # use postgres < 14 until is https://github.com/Kong/kong/issues/8533 resolved and released
# enterprise (kong-gateway) supports postgres 14 # enterprise (kong-gateway) supports postgres 14
tag: 13.6.0-debian-10-r52 tag: 13.11.0-debian-11-r20
service: service:
ports: ports:
postgresql: "5432" postgresql: "5432"
@ -1200,7 +1231,7 @@ appsec:
repository: ghcr.io/openappsec repository: ghcr.io/openappsec
image: agent image: agent
tag: latest tag: latest
pullPolicy: IfNotPresent pullPolicy: Always
securityContext: securityContext:
{} {}
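Review bot: `pullPolicy: Always` combined with `tag: latest` means every pod start can pull a different, unpinned agent image, so two replicas may run different code and a mispublished or compromised `latest` propagates on the next restart; keep `Always` for development if that is the intent, but recommend a pinned tag in the comment and, since the image string in the deployment template already supports `.digest`, point users at that for production.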
@ -1214,6 +1245,22 @@ appsec:
image: image:
repository: "ghcr.io/openappsec/kong-gateway-attachment" repository: "ghcr.io/openappsec/kong-gateway-attachment"
tag: "latest" tag: "latest"
configMapName: appsec-settings-configmap
configMapContent:
crowdsec:
enabled: false
mode: prevent
logging: enabled
api:
url: http://crowdsec-service:8080/v1/decisions/stream
auth:
method: apikey
secretName: appsec-settings-secret
# If you would like to use your own secret with CrowdSec authentication data, please remove the following block
secretContent:
crowdsec:
auth:
data: "00000000000000000000000000000000"
resources: resources:
# limits: # limits:
# cpu: 100m # cpu: 100m
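Review bot: the comment above `secretContent` tells users to remove the block to bring their own Secret, but the deployment's `envFrom.secretRef` always references `secretName` (`appsec-settings-secret` by default), so the replacement Secret must use exactly that name and carry a `CROWDSEC_AUTH_DATA` key; state both here. Shipping `data: "00000000000000000000000000000000"` as a default also means the placeholder is a live API key as far as the agent is concerned; an empty default that fails at render time when `crowdsec.enabled` is true is the safer choice.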