github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-09-29 19:24:26 +03:00
Code Issues Packages Projects Releases Wiki Activity

open-appsec helm chart update Mon Feb 12 17:56:07 IST 2024

Browse Source
This commit is contained in:
Ned Wright
2024-02-12 17:56:07 +02:00
parent 636e667e85
commit 4def79504e
105 changed files with 20582 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
build_system/charts/open-appsec-kong/CHANGELOG.md
View File

@@ -1,7 +1,53 @@
# Changelog
## Unreleased
Nothing yet.
## 2.35.1
### Fixed
* The plugin helper no longer sets the plugin list when not in use.
[#1002](https://github.com/Kong/charts/pull/1002)
## 2.35.0
### Added
* Added controller's RBAC rules for `KongVault` CRD (installed only when KIC
version >= 3.1.0).
[#992](https://github.com/Kong/charts/pull/992)
### Fixed
* Added a missing `envFrom` render in the main Kong proxy container.
[#994](https://github.com/Kong/charts/pull/994)
## 2.34.0
### Added
* The `envFrom` and `ingressController.envFrom` values.yaml keys now populate
the container field of the same name. This loads environment variables from
ConfigMap or Secret resource keys in bulk:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
[#987](https://github.com/Kong/charts/pull/987)
* Kong listens now use both IPv4 and IPv6 addresses.
[#986](https://github.com/Kong/charts/pull/986)
## 2.33.3
### Fixed
* Add RBAC rules for get, list and watch operations on namespaces so that Gateway API
controllers in KIC can access using a cached controller-runtime client.
[#974](https://github.com/Kong/charts/pull/974)
## 2.33.2
### Fixed
* Fix a template bug related to the `affinity` field for migrations Pods.
[#972](https://github.com/Kong/charts/pull/972)

4
build_system/charts/open-appsec-kong/Chart.yaml
View File

@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: 1.1.3
appVersion: 1.1.5
dependencies:
- condition: postgresql.enabled
name: postgresql
@@ -14,4 +14,4 @@ maintainers:
name: open-appsec-kong
sources:
- https://github.com/Kong/charts/tree/main/charts/kong
version: 2.33.2
version: 2.35.1

6
build_system/charts/open-appsec-kong/README.md
View File

@@ -613,10 +613,11 @@ directory.
| image.effectiveSemver | Semantic version to use for version-dependent features (if `tag` is not a semver) | |
| image.pullPolicy | Image pull policy | `IfNotPresent` |
| image.pullSecrets | Image pull secrets | `null` |
| replicaCount | Kong instance count. It has no effect when `autoscaling.enabled` is set to true | `1` |
| replicaCount | Kong instance count. It has no effect when `autoscaling.enabled` is set to true | `1` |
| plugins | Install custom plugins into Kong via ConfigMaps or Secrets | `{}` |
| env | Additional [Kong configurations](https://getkong.org/docs/latest/configuration/) | |
| customEnv | Custom Environment variables without `KONG_` prefix | |
| customEnv | Custom Environment variables without `KONG_` prefix | |
| envFrom | Populate environment variables from ConfigMap or Secret keys | |
| migrations.preUpgrade | Run "kong migrations up" jobs | `true` |
| migrations.postUpgrade | Run "kong migrations finish" jobs | `true` |
| migrations.annotations | Annotations for migration job pods | `{"sidecar.istio.io/inject": "false" |
@@ -741,6 +742,7 @@ section of `values.yaml` file:
| installCRDs | Legacy toggle for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions). | false |
| env | Specify Kong Ingress Controller configuration via environment variables | |
| customEnv | Specify custom environment variables (without the CONTROLLER_ prefix) | |
| envFrom | Populate environment variables from ConfigMap or Secret keys | |
| ingressClass | The name of this controller's ingressClass | kong |
| ingressClassAnnotations | The ingress-class value for controller | kong |
| args | List of ingress-controller cli arguments | [] |

26
build_system/charts/open-appsec-kong/ci/.chartsnap.yaml Normal file
View File

@@ -0,0 +1,26 @@
# It's a configuration file used by helm-chartsnap to ignore dynamically generated fields
# when comparing the chart's snapshot with the rendered chart.
# See https://github.com/jlandowner/helm-chartsnap?tab=readme-ov-file#handling-dynamic-values-.
dynamicFields:
- apiVersion: v1
kind: Secret
name: chartsnap-postgresql
jsonPath:
- /data/postgres-password
- apiVersion: v1
kind: Secret
name: chartsnap-kong-validation-webhook-keypair
jsonPath:
- /data/tls.crt
- /data/tls.key
- apiVersion: v1
kind: Secret
name: chartsnap-kong-validation-webhook-ca-keypair
jsonPath:
- /data/tls.crt
- /data/tls.key
- apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
name: chartsnap-kong-validations
jsonPath:
- /webhooks/0/clientConfig/caBundle

371
build_system/charts/open-appsec-kong/ci/__snapshots__/admin-api-service-clusterip-values.snap Normal file
View File

@@ -0,0 +1,371 @@
[admin-api-service-clusterip-values]
SnapShot = """
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
checksum/dbless.config: 626be043e4a43b0d55af934d06216254abe132b29af82450379439ecd927219a
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
version: \"3.5\"
spec:
automountServiceAccountToken: false
containers:
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 0.0.0.0:8444 http2 ssl, [::]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_DECLARATIVE_CONFIG
value: /kong_dbless/kong.yml
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8444
name: admin-tls
protocol: TCP
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
- mountPath: /kong_dbless/
name: kong-custom-dbless-config-volume
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 0.0.0.0:8444 http2 ssl, [::]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_DECLARATIVE_CONFIG
value: /kong_dbless/kong.yml
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
- mountPath: /kong_dbless/
name: kong-custom-dbless-config-volume
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- configMap:
name: chartsnap-kong-custom-dbless-config
name: kong-custom-dbless-config-volume
- object:
apiVersion: v1
data:
kong.yml: |
_format_version: \"1.1\"
services:
- name: example.com
url: http://example.com
routes:
- name: example
paths:
- \"/example\"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-custom-dbless-config
namespace: default
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-admin
namespace: default
spec:
ports:
- name: kong-admin-tls
port: 8444
protocol: TCP
targetPort: 8444
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: ClusterIP
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
"""

888
build_system/charts/open-appsec-kong/ci/__snapshots__/custom-labels-values.snap Normal file
View File

@@ -0,0 +1,888 @@
[custom-labels-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
acme.com/some-key: some-value
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
version: \"3.5\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
acme.com/some-key: some-value
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
acme.com/some-key: some-value
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
"""

880
build_system/charts/open-appsec-kong/ci/__snapshots__/default-values.snap Normal file
View File

@@ -0,0 +1,880 @@
[default-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
version: \"3.5\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ANONYMOUS_REPORTS
value: \"false\"
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
"""

909
build_system/charts/open-appsec-kong/ci/__snapshots__/kong-ingress-1-values.snap Normal file
View File

@@ -0,0 +1,909 @@
[kong-ingress-1-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
version: \"3.5\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
rules:
- http:
paths:
- backend:
service:
name: chartsnap-kong-proxy
port:
number: 443
path: /
pathType: ImplementationSpecific
tls:
- hosts: null
secretName: kong.proxy.example.secret
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURoakNDQW00Q0NRQ0tyTDdSS1Y0NTBEQU5CZ2txaGtpRzl3MEJBUXNGQURDQmhERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhHekFaCkJnTlZCQU1NRW5CeWIzaDVMbXR2Ym1jdVpYaGhiWEJzWlRBZUZ3MHlNekEyTWprd09ERTBNekJhRncwek16QTIKTWpZd09ERTBNekJhTUlHRU1Rc3dDUVlEVlFRR0V3SllXREVTTUJBR0ExVUVDQXdKVTNSaGRHVk9ZVzFsTVJFdwpEd1lEVlFRSERBaERhWFI1VG1GdFpURVVNQklHQTFVRUNnd0xRMjl0Y0dGdWVVNWhiV1V4R3pBWkJnTlZCQXNNCkVrTnZiWEJoYm5sVFpXTjBhVzl1VG1GdFpURWJNQmtHQTFVRUF3d1NjSEp2ZUhrdWEyOXVaeTVsZUdGdGNHeGwKTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE4Wmd4czI1RXdtaXRsRG1HMitWVwpscUZ4R3lkVHU2dWlCVldFZjNoV0h2R3YvUWpYZHBBWXlkc3ZpNS92b1FtcjNUeVJBb3VaR1lCR3RuVEF0cU5rCnFLUmFVaWppVlN3TTNzeUl1cHluMlRjSjk1N2RLUCtUYTRaL0VNUlRwSCtya1psV01LNVYrNUszTmFIL21leDUKVWRRWkl4WUxNM0xIM0t0cmt2OWZRNlhSZ2dkeXo0MEt2YUV6SW1scEVoQnBoS0g5UWJiL3RFRE0vdFFqbC9FUApmbUF5M2Y5WE1uRDNSeFY3TnFrZktpUjNXZ1JDMnFyNWtPbXlJTGp1YWxERk1Zb3lDZUlmSnd1WmVDaEpGb3ZHClFKUFY2WU9xTG5aRWN3MU9BaVBXQnMycXVmWmlsNXplekRDZUFGZDV3eXVrS1dPZ3pTZ3Q2VzZvN2FBRTBDK3YKclFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGZHhFOFVsMVorcWxBbW1lTk5BdlAyZVVxSElTbQpHWXZidzdGdW82bXNJY3V3cjZKeENBWjIwako5UkphalMzWS9TS3BteXM2OXZxU21ic25oeUJzc01mL1ZtenFSClBVLzVkUUZiblNybUJqMnFBNWxtRCtENDVLUEtrTjc1V21NeDRQWkZseEw3WHVLYnZhYVZBUjFFUmRNZy90NisKUXpPV3BVWVZrcFJnQmlxTDBTTjhvTStOTjdScGFESFNkZjlTY1FtUmhNVklNNDdVZ1ZXNWhta21mQjBkUTFhQQo5NWdTQ3E0cGVwUFRzY3NsbVBzM0lOck5BTk45KytyMnM1bXRTWnp5VktRU0cwRjQ0Y1puWjdTdkdTVFJORDlUCnRKVzNTcko3elBwS0JqWi9qVDRRVnpBdGtHN3FSV2ZhYnlWTmVrK29wMTgwSVY5Um9IR1JDU0kyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRHhtREd6YmtUQ2FLMlUKT1liYjVWYVdvWEViSjFPN3E2SUZWWVIvZUZZZThhLzlDTmQya0JqSjJ5K0xuKytoQ2F2ZFBKRUNpNWtaZ0VhMgpkTUMybzJTb3BGcFNLT0pWTEF6ZXpJaTZuS2ZaTnduM250MG8vNU5yaG44UXhGT2tmNnVSbVZZd3JsWDdrcmMxCm9mK1o3SGxSMUJrakZnc3pjc2ZjcTJ1Uy8xOURwZEdDQjNMUGpRcTlvVE1pYVdrU0VHbUVvZjFCdHYrMFFNeisKMUNPWDhROStZRExkLzFjeWNQZEhGWHMycVI4cUpIZGFCRUxhcXZtUTZiSWd1TzVxVU1VeGlqSUo0aDhuQzVsNApLRWtXaThaQWs5WHBnNm91ZGtSekRVNENJOVlHemFxNTltS1huTjdNTUo0QVYzbkRLNlFwWTZETktDM3BicWp0Cm9BVFFMNit0QWdNQkFBRUNnZ0VCQUs3N1I0d3BJcDRZU1JoaGJoN1loWldHQ3JEYkZCZUtZVWd4djB5LzhNaHEKenNlYlhzdGQ1TVpXL2FISVRqdzZFQU9tT1hVNWZNTHVtTWpQMlVDdktWbkg2QzgzczI1ekFFTmlxdWxXUzIvVgpJRi83N1Qwamx6ZTY2MDlPa3pKQzBoWWJsRVNnRUdDc3pBdUpjT0tnVnVLQWwxQkZTQW1VYWRPWFNNdm9NS3lDCkJlekZaVEhOcGRWQ2xwUHVLNGQrWFJJZ1hHWS84RzNmWlFXRWNjV2tTYmRjQUlLdVYvWktHQ0IyT2dXS1VzSHgKTStscEw1TTZ3aXdYOEFNdUVWVHJsMWNwKzAzTjdOaUYwMFpYdCszZzVZUkJmRitYWjZ1b3hmbENQZ3VHdzh6bgpvN2tFRVNKZ2YycHZyZWYveHBjSVFSM090aHZjSzR5RldOcndPbExHQk9FQ2dZRUErNmJBREF0bDAvRlpzV08zCnVvNlBRNXZTL0tqbS9XaUkzeUo5TUdLNzQxTFZpMlRMUGpVZ092SDdkZUVjNVJjUmoxV1Nna3d1bUdzZWE2WkQKWXRWSTRZTDdMM1NUQ3JyZUNFTDRhOUJPcFB0azcxWWw3TmhxZktEaXhzU1FnNmt4dDJ1TlYvZXNSQ1JPeENoWgp5bk9JTmkvN3lOeFpVek4zcndyVjBCMUFNYVVDZ1lFQTljVDBZNkJWRHZLdFFaV1gvR1REZ2pUUzN6QWlPWmFNCjVFM3NleHh6MXY4eDF0N3JvWDV3aHNaVjlzQ05nNlJaNjIyT3hJejhHQnVvMnU1M2h2WFJabmdDaG1PcHYwRjgKcm5STWFNR0tIeGN2TmNrVUZUMW9TdDJCeEhNT1FNZTM2cERVTnZ0S3pvNGJoakpVUU94Mm14RU9TNERscm4rMApRU3FqVFpyWGwya0NnWUJ1UmIyMkNYQ1BsUjBHbkhtd0tEUWpIaTh3UkJza1JDQm1Gc2pnNFFNUU5BWWJWUW15CnNyankyNEtqUHdmWVkybHdjOEVGazdoL1ZjRTR6dHlNZklXNVBCb3h5MVY3eURMdlQ5bG45Um5oTmNBZkdKTDUKM0VPZFpTcTZpdndBbGEyUmdIR3BjSUJ1UTdLNFJpNUNocW5UaE9kQ056eDFOd0psRTh4cHE4ZXJlUUtCZ1FEeQppV3B3UXRLT0ROa0VCdi9WT1E5am1JT2RjOS9pbXZyeGR5RHZvWFdENzVXY3FhTTVYUkRwUUNPbmZnQnBzREI0CjBFWjdHM0xReThNSVF4czcyYXpMaFpWZ1VFdzlEUUJoSFM0bWx4Q2FmQU8vL1c3UFF5bC84RGJXeW9CL1YxamQKcUExMU1PcHpDdlNJcTNSUUdjczJYaytRSFdVTW5zUWhKMVcvQ1JiSE9RS0JnRTVQZ0hrbW1PY1VXZkJBZUtzTApvb2FNNzBINVN1YUNYN1Y1enBhM3hFMW5WVWMxend5aldOdkdWbTA5WkpEOFFMR1ZDV2U0R1o5R1NvV2tqSUMvCklFKzA0M29kUERuL2JwSDlTMDF2a0s1ZDRJSGc3QUcwWXI5SW1zS0paT0djT1dmdUdKSlZ5em1CRXhaSU9pbnoKVFFuaFdhZWs0NE1hdVJYOC9pRjZyZWorCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
kind: Secret
metadata:
name: kong.proxy.example.secret
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
"""

911
build_system/charts/open-appsec-kong/ci/__snapshots__/kong-ingress-2-values.snap Normal file
View File

@@ -0,0 +1,911 @@
[kong-ingress-2-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
version: \"3.5\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
rules:
- host: proxy.kong.example
http:
paths:
- backend:
service:
name: chartsnap-kong-proxy
port:
number: 443
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- proxy.kong.example
secretName: kong.proxy.example.secret
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURoakNDQW00Q0NRQ0tyTDdSS1Y0NTBEQU5CZ2txaGtpRzl3MEJBUXNGQURDQmhERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhHekFaCkJnTlZCQU1NRW5CeWIzaDVMbXR2Ym1jdVpYaGhiWEJzWlRBZUZ3MHlNekEyTWprd09ERTBNekJhRncwek16QTIKTWpZd09ERTBNekJhTUlHRU1Rc3dDUVlEVlFRR0V3SllXREVTTUJBR0ExVUVDQXdKVTNSaGRHVk9ZVzFsTVJFdwpEd1lEVlFRSERBaERhWFI1VG1GdFpURVVNQklHQTFVRUNnd0xRMjl0Y0dGdWVVNWhiV1V4R3pBWkJnTlZCQXNNCkVrTnZiWEJoYm5sVFpXTjBhVzl1VG1GdFpURWJNQmtHQTFVRUF3d1NjSEp2ZUhrdWEyOXVaeTVsZUdGdGNHeGwKTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE4Wmd4czI1RXdtaXRsRG1HMitWVwpscUZ4R3lkVHU2dWlCVldFZjNoV0h2R3YvUWpYZHBBWXlkc3ZpNS92b1FtcjNUeVJBb3VaR1lCR3RuVEF0cU5rCnFLUmFVaWppVlN3TTNzeUl1cHluMlRjSjk1N2RLUCtUYTRaL0VNUlRwSCtya1psV01LNVYrNUszTmFIL21leDUKVWRRWkl4WUxNM0xIM0t0cmt2OWZRNlhSZ2dkeXo0MEt2YUV6SW1scEVoQnBoS0g5UWJiL3RFRE0vdFFqbC9FUApmbUF5M2Y5WE1uRDNSeFY3TnFrZktpUjNXZ1JDMnFyNWtPbXlJTGp1YWxERk1Zb3lDZUlmSnd1WmVDaEpGb3ZHClFKUFY2WU9xTG5aRWN3MU9BaVBXQnMycXVmWmlsNXplekRDZUFGZDV3eXVrS1dPZ3pTZ3Q2VzZvN2FBRTBDK3YKclFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGZHhFOFVsMVorcWxBbW1lTk5BdlAyZVVxSElTbQpHWXZidzdGdW82bXNJY3V3cjZKeENBWjIwako5UkphalMzWS9TS3BteXM2OXZxU21ic25oeUJzc01mL1ZtenFSClBVLzVkUUZiblNybUJqMnFBNWxtRCtENDVLUEtrTjc1V21NeDRQWkZseEw3WHVLYnZhYVZBUjFFUmRNZy90NisKUXpPV3BVWVZrcFJnQmlxTDBTTjhvTStOTjdScGFESFNkZjlTY1FtUmhNVklNNDdVZ1ZXNWhta21mQjBkUTFhQQo5NWdTQ3E0cGVwUFRzY3NsbVBzM0lOck5BTk45KytyMnM1bXRTWnp5VktRU0cwRjQ0Y1puWjdTdkdTVFJORDlUCnRKVzNTcko3elBwS0JqWi9qVDRRVnpBdGtHN3FSV2ZhYnlWTmVrK29wMTgwSVY5Um9IR1JDU0kyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRHhtREd6YmtUQ2FLMlUKT1liYjVWYVdvWEViSjFPN3E2SUZWWVIvZUZZZThhLzlDTmQya0JqSjJ5K0xuKytoQ2F2ZFBKRUNpNWtaZ0VhMgpkTUMybzJTb3BGcFNLT0pWTEF6ZXpJaTZuS2ZaTnduM250MG8vNU5yaG44UXhGT2tmNnVSbVZZd3JsWDdrcmMxCm9mK1o3SGxSMUJrakZnc3pjc2ZjcTJ1Uy8xOURwZEdDQjNMUGpRcTlvVE1pYVdrU0VHbUVvZjFCdHYrMFFNeisKMUNPWDhROStZRExkLzFjeWNQZEhGWHMycVI4cUpIZGFCRUxhcXZtUTZiSWd1TzVxVU1VeGlqSUo0aDhuQzVsNApLRWtXaThaQWs5WHBnNm91ZGtSekRVNENJOVlHemFxNTltS1huTjdNTUo0QVYzbkRLNlFwWTZETktDM3BicWp0Cm9BVFFMNit0QWdNQkFBRUNnZ0VCQUs3N1I0d3BJcDRZU1JoaGJoN1loWldHQ3JEYkZCZUtZVWd4djB5LzhNaHEKenNlYlhzdGQ1TVpXL2FISVRqdzZFQU9tT1hVNWZNTHVtTWpQMlVDdktWbkg2QzgzczI1ekFFTmlxdWxXUzIvVgpJRi83N1Qwamx6ZTY2MDlPa3pKQzBoWWJsRVNnRUdDc3pBdUpjT0tnVnVLQWwxQkZTQW1VYWRPWFNNdm9NS3lDCkJlekZaVEhOcGRWQ2xwUHVLNGQrWFJJZ1hHWS84RzNmWlFXRWNjV2tTYmRjQUlLdVYvWktHQ0IyT2dXS1VzSHgKTStscEw1TTZ3aXdYOEFNdUVWVHJsMWNwKzAzTjdOaUYwMFpYdCszZzVZUkJmRitYWjZ1b3hmbENQZ3VHdzh6bgpvN2tFRVNKZ2YycHZyZWYveHBjSVFSM090aHZjSzR5RldOcndPbExHQk9FQ2dZRUErNmJBREF0bDAvRlpzV08zCnVvNlBRNXZTL0tqbS9XaUkzeUo5TUdLNzQxTFZpMlRMUGpVZ092SDdkZUVjNVJjUmoxV1Nna3d1bUdzZWE2WkQKWXRWSTRZTDdMM1NUQ3JyZUNFTDRhOUJPcFB0azcxWWw3TmhxZktEaXhzU1FnNmt4dDJ1TlYvZXNSQ1JPeENoWgp5bk9JTmkvN3lOeFpVek4zcndyVjBCMUFNYVVDZ1lFQTljVDBZNkJWRHZLdFFaV1gvR1REZ2pUUzN6QWlPWmFNCjVFM3NleHh6MXY4eDF0N3JvWDV3aHNaVjlzQ05nNlJaNjIyT3hJejhHQnVvMnU1M2h2WFJabmdDaG1PcHYwRjgKcm5STWFNR0tIeGN2TmNrVUZUMW9TdDJCeEhNT1FNZTM2cERVTnZ0S3pvNGJoakpVUU94Mm14RU9TNERscm4rMApRU3FqVFpyWGwya0NnWUJ1UmIyMkNYQ1BsUjBHbkhtd0tEUWpIaTh3UkJza1JDQm1Gc2pnNFFNUU5BWWJWUW15CnNyankyNEtqUHdmWVkybHdjOEVGazdoL1ZjRTR6dHlNZklXNVBCb3h5MVY3eURMdlQ5bG45Um5oTmNBZkdKTDUKM0VPZFpTcTZpdndBbGEyUmdIR3BjSUJ1UTdLNFJpNUNocW5UaE9kQ056eDFOd0psRTh4cHE4ZXJlUUtCZ1FEeQppV3B3UXRLT0ROa0VCdi9WT1E5am1JT2RjOS9pbXZyeGR5RHZvWFdENzVXY3FhTTVYUkRwUUNPbmZnQnBzREI0CjBFWjdHM0xReThNSVF4czcyYXpMaFpWZ1VFdzlEUUJoSFM0bWx4Q2FmQU8vL1c3UFF5bC84RGJXeW9CL1YxamQKcUExMU1PcHpDdlNJcTNSUUdjczJYaytRSFdVTW5zUWhKMVcvQ1JiSE9RS0JnRTVQZ0hrbW1PY1VXZkJBZUtzTApvb2FNNzBINVN1YUNYN1Y1enBhM3hFMW5WVWMxend5aldOdkdWbTA5WkpEOFFMR1ZDV2U0R1o5R1NvV2tqSUMvCklFKzA0M29kUERuL2JwSDlTMDF2a0s1ZDRJSGc3QUcwWXI5SW1zS0paT0djT1dmdUdKSlZ5em1CRXhaSU9pbnoKVFFuaFdhZWs0NE1hdVJYOC9pRjZyZWorCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
kind: Secret
metadata:
name: kong.proxy.example.secret
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
"""

898
build_system/charts/open-appsec-kong/ci/__snapshots__/kong-ingress-3-values.snap Normal file
View File

@@ -0,0 +1,898 @@
[kong-ingress-3-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
version: \"3.5\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
rules:
- host: proxy.kong.example
http:
paths:
- backend:
service:
name: chartsnap-kong-proxy
port:
number: 443
path: /
pathType: ImplementationSpecific
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
"""

951
build_system/charts/open-appsec-kong/ci/__snapshots__/kong-ingress-4-values.snap Normal file
View File

@@ -0,0 +1,951 @@
[kong-ingress-4-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
version: \"3.5\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
rules:
- host: proxy.kong.example
http:
paths:
- backend:
service:
name: chartsnap-kong-proxy
port:
number: 443
path: /
pathType: ImplementationSpecific
- host: proxy2.kong.example
http:
paths:
- backend:
service:
name: chartsnap-kong-proxy
port:
number: 443
path: /foo
pathType: Prefix
- backend:
service:
name: chartsnap-kong-proxy
port:
number: 443
path: /bar
pathType: Prefix
- host: proxy3.kong.example
http:
paths:
- backend:
service:
name: chartsnap-kong-proxy
port:
number: 443
path: /baz
pathType: Prefix
tls:
- hosts:
- proxy.kong.example
secretName: proxy.kong.example.secret
- hosts:
- proxy2.kong.example
- proxy3.kong.example
secretName: proxy.kong.example.secret2
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURoakNDQW00Q0NRQ0tyTDdSS1Y0NTBEQU5CZ2txaGtpRzl3MEJBUXNGQURDQmhERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhHekFaCkJnTlZCQU1NRW5CeWIzaDVMbXR2Ym1jdVpYaGhiWEJzWlRBZUZ3MHlNekEyTWprd09ERTBNekJhRncwek16QTIKTWpZd09ERTBNekJhTUlHRU1Rc3dDUVlEVlFRR0V3SllXREVTTUJBR0ExVUVDQXdKVTNSaGRHVk9ZVzFsTVJFdwpEd1lEVlFRSERBaERhWFI1VG1GdFpURVVNQklHQTFVRUNnd0xRMjl0Y0dGdWVVNWhiV1V4R3pBWkJnTlZCQXNNCkVrTnZiWEJoYm5sVFpXTjBhVzl1VG1GdFpURWJNQmtHQTFVRUF3d1NjSEp2ZUhrdWEyOXVaeTVsZUdGdGNHeGwKTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUE4Wmd4czI1RXdtaXRsRG1HMitWVwpscUZ4R3lkVHU2dWlCVldFZjNoV0h2R3YvUWpYZHBBWXlkc3ZpNS92b1FtcjNUeVJBb3VaR1lCR3RuVEF0cU5rCnFLUmFVaWppVlN3TTNzeUl1cHluMlRjSjk1N2RLUCtUYTRaL0VNUlRwSCtya1psV01LNVYrNUszTmFIL21leDUKVWRRWkl4WUxNM0xIM0t0cmt2OWZRNlhSZ2dkeXo0MEt2YUV6SW1scEVoQnBoS0g5UWJiL3RFRE0vdFFqbC9FUApmbUF5M2Y5WE1uRDNSeFY3TnFrZktpUjNXZ1JDMnFyNWtPbXlJTGp1YWxERk1Zb3lDZUlmSnd1WmVDaEpGb3ZHClFKUFY2WU9xTG5aRWN3MU9BaVBXQnMycXVmWmlsNXplekRDZUFGZDV3eXVrS1dPZ3pTZ3Q2VzZvN2FBRTBDK3YKclFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNGZHhFOFVsMVorcWxBbW1lTk5BdlAyZVVxSElTbQpHWXZidzdGdW82bXNJY3V3cjZKeENBWjIwako5UkphalMzWS9TS3BteXM2OXZxU21ic25oeUJzc01mL1ZtenFSClBVLzVkUUZiblNybUJqMnFBNWxtRCtENDVLUEtrTjc1V21NeDRQWkZseEw3WHVLYnZhYVZBUjFFUmRNZy90NisKUXpPV3BVWVZrcFJnQmlxTDBTTjhvTStOTjdScGFESFNkZjlTY1FtUmhNVklNNDdVZ1ZXNWhta21mQjBkUTFhQQo5NWdTQ3E0cGVwUFRzY3NsbVBzM0lOck5BTk45KytyMnM1bXRTWnp5VktRU0cwRjQ0Y1puWjdTdkdTVFJORDlUCnRKVzNTcko3elBwS0JqWi9qVDRRVnpBdGtHN3FSV2ZhYnlWTmVrK29wMTgwSVY5Um9IR1JDU0kyCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRHhtREd6YmtUQ2FLMlUKT1liYjVWYVdvWEViSjFPN3E2SUZWWVIvZUZZZThhLzlDTmQya0JqSjJ5K0xuKytoQ2F2ZFBKRUNpNWtaZ0VhMgpkTUMybzJTb3BGcFNLT0pWTEF6ZXpJaTZuS2ZaTnduM250MG8vNU5yaG44UXhGT2tmNnVSbVZZd3JsWDdrcmMxCm9mK1o3SGxSMUJrakZnc3pjc2ZjcTJ1Uy8xOURwZEdDQjNMUGpRcTlvVE1pYVdrU0VHbUVvZjFCdHYrMFFNeisKMUNPWDhROStZRExkLzFjeWNQZEhGWHMycVI4cUpIZGFCRUxhcXZtUTZiSWd1TzVxVU1VeGlqSUo0aDhuQzVsNApLRWtXaThaQWs5WHBnNm91ZGtSekRVNENJOVlHemFxNTltS1huTjdNTUo0QVYzbkRLNlFwWTZETktDM3BicWp0Cm9BVFFMNit0QWdNQkFBRUNnZ0VCQUs3N1I0d3BJcDRZU1JoaGJoN1loWldHQ3JEYkZCZUtZVWd4djB5LzhNaHEKenNlYlhzdGQ1TVpXL2FISVRqdzZFQU9tT1hVNWZNTHVtTWpQMlVDdktWbkg2QzgzczI1ekFFTmlxdWxXUzIvVgpJRi83N1Qwamx6ZTY2MDlPa3pKQzBoWWJsRVNnRUdDc3pBdUpjT0tnVnVLQWwxQkZTQW1VYWRPWFNNdm9NS3lDCkJlekZaVEhOcGRWQ2xwUHVLNGQrWFJJZ1hHWS84RzNmWlFXRWNjV2tTYmRjQUlLdVYvWktHQ0IyT2dXS1VzSHgKTStscEw1TTZ3aXdYOEFNdUVWVHJsMWNwKzAzTjdOaUYwMFpYdCszZzVZUkJmRitYWjZ1b3hmbENQZ3VHdzh6bgpvN2tFRVNKZ2YycHZyZWYveHBjSVFSM090aHZjSzR5RldOcndPbExHQk9FQ2dZRUErNmJBREF0bDAvRlpzV08zCnVvNlBRNXZTL0tqbS9XaUkzeUo5TUdLNzQxTFZpMlRMUGpVZ092SDdkZUVjNVJjUmoxV1Nna3d1bUdzZWE2WkQKWXRWSTRZTDdMM1NUQ3JyZUNFTDRhOUJPcFB0azcxWWw3TmhxZktEaXhzU1FnNmt4dDJ1TlYvZXNSQ1JPeENoWgp5bk9JTmkvN3lOeFpVek4zcndyVjBCMUFNYVVDZ1lFQTljVDBZNkJWRHZLdFFaV1gvR1REZ2pUUzN6QWlPWmFNCjVFM3NleHh6MXY4eDF0N3JvWDV3aHNaVjlzQ05nNlJaNjIyT3hJejhHQnVvMnU1M2h2WFJabmdDaG1PcHYwRjgKcm5STWFNR0tIeGN2TmNrVUZUMW9TdDJCeEhNT1FNZTM2cERVTnZ0S3pvNGJoakpVUU94Mm14RU9TNERscm4rMApRU3FqVFpyWGwya0NnWUJ1UmIyMkNYQ1BsUjBHbkhtd0tEUWpIaTh3UkJza1JDQm1Gc2pnNFFNUU5BWWJWUW15CnNyankyNEtqUHdmWVkybHdjOEVGazdoL1ZjRTR6dHlNZklXNVBCb3h5MVY3eURMdlQ5bG45Um5oTmNBZkdKTDUKM0VPZFpTcTZpdndBbGEyUmdIR3BjSUJ1UTdLNFJpNUNocW5UaE9kQ056eDFOd0psRTh4cHE4ZXJlUUtCZ1FEeQppV3B3UXRLT0ROa0VCdi9WT1E5am1JT2RjOS9pbXZyeGR5RHZvWFdENzVXY3FhTTVYUkRwUUNPbmZnQnBzREI0CjBFWjdHM0xReThNSVF4czcyYXpMaFpWZ1VFdzlEUUJoSFM0bWx4Q2FmQU8vL1c3UFF5bC84RGJXeW9CL1YxamQKcUExMU1PcHpDdlNJcTNSUUdjczJYaytRSFdVTW5zUWhKMVcvQ1JiSE9RS0JnRTVQZ0hrbW1PY1VXZkJBZUtzTApvb2FNNzBINVN1YUNYN1Y1enBhM3hFMW5WVWMxend5aldOdkdWbTA5WkpEOFFMR1ZDV2U0R1o5R1NvV2tqSUMvCklFKzA0M29kUERuL2JwSDlTMDF2a0s1ZDRJSGc3QUcwWXI5SW1zS0paT0djT1dmdUdKSlZ5em1CRXhaSU9pbnoKVFFuaFdhZWs0NE1hdVJYOC9pRjZyZWorCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
kind: Secret
metadata:
name: kong.proxy.example.secret
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURmakNDQW1ZQ0NRREVtWjF0cnJwaURqQU5CZ2txaGtpRzl3MEJBUXNGQURDQmdERUxNQWtHQTFVRUJoTUMKV0ZneEVqQVFCZ05WQkFnTUNWTjBZWFJsVG1GdFpURVJNQThHQTFVRUJ3d0lRMmwwZVU1aGJXVXhGREFTQmdOVgpCQW9NQzBOdmJYQmhibmxPWVcxbE1Sc3dHUVlEVlFRTERCSkRiMjF3WVc1NVUyVmpkR2x2Yms1aGJXVXhGekFWCkJnTlZCQU1NRGlvdWEyOXVaeTVsZUdGdGNHeGxNQjRYRFRJek1EWXlPVEE0TVRjek4xb1hEVE16TURZeU5qQTQKTVRjek4xb3dnWUF4Q3pBSkJnTlZCQVlUQWxoWU1SSXdFQVlEVlFRSURBbFRkR0YwWlU1aGJXVXhFVEFQQmdOVgpCQWNNQ0VOcGRIbE9ZVzFsTVJRd0VnWURWUVFLREF0RGIyMXdZVzU1VG1GdFpURWJNQmtHQTFVRUN3d1NRMjl0CmNHRnVlVk5sWTNScGIyNU9ZVzFsTVJjd0ZRWURWUVFEREE0cUxtdHZibWN1WlhoaGJYQnNaVENDQVNJd0RRWUoKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDlSR1g1VytsRW8wcGg2eTJqeHN6TGZOcjMvNlpFOQpPR0pPMGl1WmpwRml2dHBya24ydDlqYTRaNUdYOGh4NUczS1FsRkhrVFBmV01BWmUzdldINTF0alZzYjZwY2UwCjlkMUo4WXNxWkh5RHVlUzBrS3RUbEFmc0F5MnVjL3ZvUUdmOTdZeUI2TlJ4TEJmNHBnSVJ4eHpGM3o0Q1ZOSTgKTzE5Ym1PYVo1Vkk1QWZpbENSMUI1ekxuN2VoeEJHOHhTQmRtQUg0eWFob2t5RXk2a0ZtRzJCaEtJWjdsL1BZYQpqbU1yQ3cwekRVampvblBublZTWTkxL0EwNUJVTVk5OEZsME00QVV5T1V3enBaajhqMXhLMTNqUVlGeXJwUHQwCklHNUdLR044akVCcnRkdGVlcGZIdFZuekFWYnhoT0hkcXZoUWhrSDJDSGVwOStIQkNIL25VL1VDQXdFQUFUQU4KQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBQkcxVVYyUFRJekhrNEt4cjBHT0NXalhjTTdKUU9hbUJQM3dZSCswRgpyc09YUG9IOHVLV25XYjhSSGE1MDhMenU4MGNzS1lYcnZ4SEhDcmcxdXJjRnl3bnNMaUtMNGhsQklTd2ZMNzFFClVXODhQdGYyWTdjTnJZRzNLc2MvMWVpait1RWd5bVdCbjkraVYzbzE5VERwRjlZZWZwYzNUUDJqMGhNUHcwMlgKa1gzSlh3b250NnBQaDhlQjhXRU1OZkF5NzZmb0lMcytVd0Fjck56QkpjSVZSTERoZWFNMFNFd0xCNUpuaWZ5ZwplRE1aSE56MkhLais0NU1wTzFOSDBtd3ZJRTRLQjNITUNSSlMybmZFbWVMcFdCMWpmZTV6T2o1bWhTeS82M0RVCldDQll1aUhtelFWaGxJS21lQzBlVmd3bGtkMTFrUDRNM1hoWnB6V09aQ1BoaGc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQy9VUmwrVnZwUktOS1kKZXN0bzhiTXkzemE5LyttUlBUaGlUdElybVk2UllyN2FhNUo5cmZZMnVHZVJsL0ljZVJ0eWtKUlI1RXozMWpBRwpYdDcxaCtkYlkxYkcrcVhIdFBYZFNmR0xLbVI4Zzdua3RKQ3JVNVFIN0FNdHJuUDc2RUJuL2UyTWdlalVjU3dYCitLWUNFY2NjeGQ4K0FsVFNQRHRmVzVqbW1lVlNPUUg0cFFrZFFlY3k1KzNvY1FSdk1VZ1haZ0IrTW1vYUpNaE0KdXBCWmh0Z1lTaUdlNWZ6MkdvNWpLd3NOTXcxSTQ2Sno1NTFVbVBkZndOT1FWREdQZkJaZERPQUZNamxNTTZXWQovSTljU3RkNDBHQmNxNlQ3ZENCdVJpaGpmSXhBYTdYYlhucVh4N1ZaOHdGVzhZVGgzYXI0VUlaQjlnaDNxZmZoCndRaC81MVAxQWdNQkFBRUNnZ0VCQUlCZ0l3TXJ5ZnY3c0pTd2tSMXlVaFNvdzByckZnZG5WUlppWFpUMERUNXgKVEMrMFR6QVdNMGkwcElxRnN1aDRPM3E4bVVuNkw4dDk1ZXZnYlN2RWJmSmN6alhtcXFjL1BsdW02blcvbEg0WQp4Znc1VFhvcE13Tzkwc1FzYzVkdFdRcHUwWitlN0dUaEsvMUowOXMvb3FRa0FwRFJiNmxDMFhSRE9tNUNoaWFNCi95Z2M2dGUzUHkrRXpzSmRMRm9YWndFQnVQWTB2KzlBclhpNmlUMllaN1ZacE9iZzQxcm1ocHNObTFLNmdJajUKZFZKNGZYa2Z5V0hsSmJBYzVTRDkrVWMrTGFjUEcxSjVJUWx6eTM0WlM0ZG9VQ2lmODZuVHFzSnFVTU1sNXYxcAp3SFFUZFI2MkdnWnRPM1grOU4vdHE3SExqU0tHY0JEd3E4bEM4QXZ0VHdFQ2dZRUErWWpVdzI1em42aWhjaXFpCmo3dDJiQVdLdzdlbng1RXFzU25ZOG1PYzR2TDdNa1YyN2ZhYXp1cW8wUEtOeWJOa1grUlhIMDN4S0NDd0x0N0UKLzRDUlFHMGNkQmhBQ2szMkpadllrQmxESUZ3VmtnMHVnNGk4Snp6VjVCT2hEeWdwZUhJTDVVTkx2eGJDbVh6MAo1bXNYRktPYW1HYkFCbE9KTEZsR1R4WWdzeWtDZ1lFQXhFWWI0dFVmRmhiTmpJTUMyd1hFRXdWZkJYOFJqNzVqCjN6SkwxV3o4YWxUQmxFemZYOTZiNmg3VjFNT1NHcmlabFJ1cGpEaUFsUkhPZytDSXlPbmdISFkwd2xTaHNmemQKSDluL2dOdUZsanFuQkF3OVpaSW9hbE1zUVVER3RLSnVIejhEYzlVNzRFMGM3WldQWk1Ub0pNdFV2Zkl5T0pZSgpQODh1YnYvam4rMENnWUJaNmpzNFhKRmZRNFZCUFNtc2Z4RXg1V0ZXR3RSakxlVGpSNy83djNjbHRBWmQyL2Y1CjBUV0JQNzhxNDJ2QjlWbEMwR1d3U3dhTnZoR2VJZmw4VTVpRFRZM0dLNExQODcyeFdaSFVnclhVY0RuNWtiUmsKQXg1QlNVT05WcUZmYzhwVnMwcWtCdmJCV1hNdm1YNHBsUWNSRWM3QUFhNUoyVW9CWi8zVXU1VjIyUUtCZ0ZnVQpKanQ2N0lKYkpVN2pGQXI1NFcydndWNlVFV3R5UXh0TVZOK29FdlljcHVwSVBRMm10azB3SFVGbnFrODNmQ1IvCnoyeFBodFJlczFCWEdNc2d1U1BNb0F4OU1qclBnT1BrVGxhakxLV29HSDhtaHY3bndoOUV4OTFZbGxORmVTbW8KZTRJbHRNTUpsK3UrYkNVS2dDclMzR3FKSDZScElDbDBiaC85MFVaWkFvR0FaUEsrdldLQ0N6aHNhSnVWak1VSQpiTEJlMi9CM0xxTVBhakFLTjVTNU9GYlpBZm5NeE9BT1lnd25iWmdpZGVkcVk2QkIyLytVVGt4MW1IUjhKcmpGCnRyN20wS2VvRFY4dmQxSENvSkF3b2hqQ1B6SkJhSW9WYWNkRFNsMDNIOVFEck4yd0RFYUxoWFBlVkRoNGZ2NmQKa3d6V3FZWUlETzRKQlp5L21Wa0t4NFU9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
kind: Secret
metadata:
name: kong.proxy.example.secret2
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
"""

874
build_system/charts/open-appsec-kong/ci/__snapshots__/service-account.snap Normal file
View File

@@ -0,0 +1,874 @@
[service-account]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: my-kong-sa-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
version: \"3.5\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: my-kong-sa-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: my-kong-sa
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: my-kong-sa-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: my-kong-sa
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: my-kong-sa
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: my-kong-sa
namespace: default
"""

880
build_system/charts/open-appsec-kong/ci/__snapshots__/single-image-default-values.snap Normal file
View File

@@ -0,0 +1,880 @@
[single-image-default-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
version: \"3.5\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ANONYMOUS_REPORTS
value: \"false\"
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.4.1
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.4.1
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
"""

311
build_system/charts/open-appsec-kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap Normal file
View File

@@ -0,0 +1,311 @@
['test-enterprise-version-3.4.0.0-values']
SnapShot = """
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
version: \"3.5\"
spec:
automountServiceAccountToken: false
containers:
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong/kong-gateway:3.4.0.0
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 1
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong/kong-gateway:3.4.0.0
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
"""

967
build_system/charts/open-appsec-kong/ci/__snapshots__/test1-values.snap Normal file
View File

@@ -0,0 +1,967 @@
[test1-values]
SnapShot = """
- object:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validations
namespace: default
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: '###DYNAMIC_FIELD###'
service:
name: chartsnap-kong-validation-webhook
namespace: default
failurePolicy: Ignore
name: validations.kong.konghq.com
objectSelector:
matchExpressions:
- key: owner
operator: NotIn
values:
- helm
rules:
- apiGroups:
- configuration.konghq.com
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
resources:
- kongconsumers
- kongplugins
- kongclusterplugins
- kongingresses
- apiGroups:
- \"\"
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- secrets
- services
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
- apiGroups:
- gateway.networking.k8s.io
apiVersions:
- v1alpha2
- v1beta1
- v1
operations:
- CREATE
- UPDATE
resources:
- gateways
- httproutes
sideEffects: None
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
environment: test
helm.sh/chart: kong-2.35.1
version: \"3.5\"
spec:
automountServiceAccountToken: false
containers:
- args: null
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
value: 0.0.0.0:8080
- name: CONTROLLER_ANONYMOUS_REPORTS
value: \"false\"
- name: CONTROLLER_ELECTION_ID
value: kong-ingress-controller-leader-kong
- name: CONTROLLER_INGRESS_CLASS
value: kong
- name: CONTROLLER_KONG_ADMIN_HEADER
value: foo:bar
- name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY
value: \"true\"
- name: CONTROLLER_KONG_ADMIN_URL
value: https://localhost:8444
- name: CONTROLLER_PUBLISH_SERVICE
value: default/chartsnap-kong-proxy
image: kong/kubernetes-ingress-controller:3.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: ingress-controller
ports:
- containerPort: 8080
name: webhook
protocol: TCP
- containerPort: 10255
name: cmetrics
protocol: TCP
- containerPort: 10254
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: 10254
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /admission-webhook
name: webhook-cert
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: chartsnap-kong-token
readOnly: true
- mountPath: /tmp/foo
name: tmpdir
readOnly: true
- mountPath: /tmp/controller
name: controllerdir
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_API_URI
value: http://admin.kong.example
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_API_URL
value: http://admin.kong.example
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
- mountPath: /tmp/foo
name: tmpdir
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_API_URI
value: http://admin.kong.example
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_API_URL
value: http://admin.kong.example
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_KIC
value: \"on\"
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
- command:
- /bin/sh
- -c
- \"true\"
image: bash:latest
name: bash
resources:
limits:
cpu: 100m
memory: 64Mi
requests:
cpu: 100m
memory: 64Mi
volumeMounts:
- mountPath: /tmp/foo
name: tmpdir
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- name: webhook-cert
secret:
secretName: chartsnap-kong-validation-webhook-keypair
- emptyDir: {}
name: tmpdir
- emptyDir: {}
name: controllerdir
- object:
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
maxReplicas: 5
metrics:
- resource:
name: cpu
target:
averageUtilization: 80
type: Utilization
type: Resource
minReplicas: 2
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: chartsnap-kong
- object:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
rules:
- host: proxy.kong.example
http:
paths:
- backend:
service:
name: chartsnap-kong-proxy
port:
number: 443
path: /
pathType: ImplementationSpecific
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
rules:
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongupstreampolicies/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumergroups/status
verbs:
- get
- patch
- update
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- \"\"
resources:
- services/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- ingressclassparameterses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongconsumers/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- tcpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- udpingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- get
- patch
- update
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongclusterplugins/status
verbs:
- get
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
rules:
- apiGroups:
- \"\"
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- \"\"
resourceNames:
- kong-ingress-controller-leader-kong-kong
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- \"\"
resources:
- configmaps
verbs:
- create
- apiGroups:
- \"\"
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- \"\"
resources:
- events
verbs:
- create
- patch
- apiGroups:
- \"\"
resources:
- services
verbs:
- get
- object:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: chartsnap-kong
subjects:
- kind: ServiceAccount
name: chartsnap-kong
namespace: default
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-ca-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
data:
tls.crt: '###DYNAMIC_FIELD###'
tls.key: '###DYNAMIC_FIELD###'
kind: Secret
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook-keypair
namespace: default
type: kubernetes.io/tls
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-validation-webhook
namespace: default
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: webhook
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
"""

2106
build_system/charts/open-appsec-kong/ci/__snapshots__/test2-values.snap Normal file
View File

File diff suppressed because it is too large Load Diff

369
build_system/charts/open-appsec-kong/ci/__snapshots__/test3-values.snap Normal file
View File

@@ -0,0 +1,369 @@
[test3-values]
SnapShot = """
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
checksum/dbless.config: 95c0309e6b27de23d64edae3a3602472635243f133fba88af3034ed4d5703d4a
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
version: \"3.5\"
spec:
automountServiceAccountToken: false
containers:
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_DECLARATIVE_CONFIG
value: /kong_dbless/kong.yml
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
- mountPath: /kong_dbless/
name: kong-custom-dbless-config-volume
- mountPath: /opt/tmp
name: tmpdir
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_DECLARATIVE_CONFIG
value: /kong_dbless/kong.yml
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
- mountPath: /kong_dbless/
name: kong-custom-dbless-config-volume
- command:
- /bin/sh
- -c
- \"true\"
image: bash:latest
name: bash
resources:
limits:
cpu: 100m
memory: 64Mi
requests:
cpu: 100m
memory: 64Mi
volumeMounts:
- mountPath: /opt/tmp
name: tmpdir
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- configMap:
name: chartsnap-kong-custom-dbless-config
name: kong-custom-dbless-config-volume
- emptyDir: {}
name: tmpdir
- object:
apiVersion: v1
data:
kong.yml: |
_format_version: \"1.1\"
services:
- name: example.com
url: http://example.com
routes:
- name: example
paths:
- \"/example\"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-custom-dbless-config
namespace: default
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
"""

386
build_system/charts/open-appsec-kong/ci/__snapshots__/test4-values.snap Normal file
View File

@@ -0,0 +1,386 @@
[test4-values]
SnapShot = """
- object:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
template:
metadata:
annotations:
checksum/dbless.config: 95c0309e6b27de23d64edae3a3602472635243f133fba88af3034ed4d5703d4a
kuma.io/gateway: enabled
kuma.io/service-account-token-volume: chartsnap-kong-token
traffic.sidecar.istio.io/includeInboundPorts: \"\"
labels:
app: chartsnap-kong
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
version: \"3.5\"
spec:
automountServiceAccountToken: false
containers:
- env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_DECLARATIVE_CONFIG
value: /kong_dbless/kong.yml
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
- name: KONG_NGINX_DAEMON
value: \"off\"
image: kong:3.5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- kong
- quit
- --wait=15
livenessProbe:
failureThreshold: 3
httpGet:
path: /status
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: proxy
ports:
- containerPort: 8000
name: proxy
protocol: TCP
- containerPort: 8443
name: proxy-tls
protocol: TCP
- containerPort: 9000
name: stream-9000
protocol: TCP
- containerPort: 9001
name: stream-9001
protocol: TCP
- containerPort: 8100
name: status
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /status/ready
port: status
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
- mountPath: /kong_dbless/
name: kong-custom-dbless-config-volume
initContainers:
- command:
- rm
- -vrf
- $KONG_PREFIX/pids
env:
- name: KONG_ADMIN_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_GUI_ACCESS_LOG
value: /dev/stdout
- name: KONG_ADMIN_GUI_ERROR_LOG
value: /dev/stderr
- name: KONG_ADMIN_LISTEN
value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl
- name: KONG_ANONYMOUS_REPORTS
value: \"off\"
- name: KONG_CLUSTER_LISTEN
value: \"off\"
- name: KONG_DATABASE
value: \"off\"
- name: KONG_DECLARATIVE_CONFIG
value: /kong_dbless/kong.yml
- name: KONG_LUA_PACKAGE_PATH
value: /opt/?.lua;/opt/?/init.lua;;
- name: KONG_NGINX_WORKER_PROCESSES
value: \"2\"
- name: KONG_PORTAL_API_ACCESS_LOG
value: /dev/stdout
- name: KONG_PORTAL_API_ERROR_LOG
value: /dev/stderr
- name: KONG_PORT_MAPS
value: 80:8000, 443:8443
- name: KONG_PREFIX
value: /kong_prefix/
- name: KONG_PROXY_ACCESS_LOG
value: /dev/stdout
- name: KONG_PROXY_ERROR_LOG
value: /dev/stderr
- name: KONG_PROXY_LISTEN
value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl
- name: KONG_PROXY_STREAM_ACCESS_LOG
value: /dev/stdout basic
- name: KONG_PROXY_STREAM_ERROR_LOG
value: /dev/stderr
- name: KONG_ROUTER_FLAVOR
value: traditional
- name: KONG_STATUS_ACCESS_LOG
value: \"off\"
- name: KONG_STATUS_ERROR_LOG
value: /dev/stderr
- name: KONG_STATUS_LISTEN
value: 0.0.0.0:8100, [::]:8100
- name: KONG_STREAM_LISTEN
value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl
image: kong:3.5
imagePullPolicy: IfNotPresent
name: clear-stale-pid
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /kong_prefix/
name: chartsnap-kong-prefix-dir
- mountPath: /tmp
name: chartsnap-kong-tmp
- mountPath: /kong_dbless/
name: kong-custom-dbless-config-volume
securityContext: {}
serviceAccountName: chartsnap-kong
terminationGracePeriodSeconds: 30
volumes:
- emptyDir:
sizeLimit: 256Mi
name: chartsnap-kong-prefix-dir
- emptyDir:
sizeLimit: 1Gi
name: chartsnap-kong-tmp
- name: chartsnap-kong-token
projected:
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- configMap:
name: chartsnap-kong-custom-dbless-config
name: kong-custom-dbless-config-volume
- object:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
rules:
- http:
paths:
- backend:
service:
name: chartsnap-kong-proxy
port:
number: 443
path: /
pathType: ImplementationSpecific
- object:
apiVersion: v1
data:
kong.yml: |
_format_version: \"1.1\"
services:
- name: example.com
url: http://example.com
routes:
- name: example
paths:
- \"/example\"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-custom-dbless-config
namespace: default
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-manager
namespace: default
spec:
ports:
- name: kong-manager
port: 8002
protocol: TCP
targetPort: 8002
- name: kong-manager-tls
port: 8445
protocol: TCP
targetPort: 8445
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: NodePort
- object:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
enable-metrics: \"true\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong-proxy
namespace: default
spec:
ports:
- name: kong-proxy
port: 80
protocol: TCP
targetPort: 8000
- name: kong-proxy-tls
port: 443
protocol: TCP
targetPort: 8443
- name: stream-9000
port: 9000
protocol: TCP
targetPort: 9000
- name: stream-9001
port: 9001
protocol: TCP
targetPort: 9001
selector:
app.kubernetes.io/component: app
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/name: kong
type: LoadBalancer
- object:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: chartsnap
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: kong
app.kubernetes.io/version: \"3.5\"
helm.sh/chart: kong-2.35.1
name: chartsnap-kong
namespace: default
"""

1983
build_system/charts/open-appsec-kong/ci/__snapshots__/test5-values.snap Normal file
View File

File diff suppressed because it is too large Load Diff

14
build_system/charts/open-appsec-kong/ci/test2-values.yaml
View File

@@ -11,6 +11,9 @@ ingressController:
timeoutSeconds: 5
env:
anonymous_reports: "false"
envFrom:
- configMapRef:
name: env-config
customEnv:
TZ: "Europe/Berlin"
watchNamespaces:
@@ -23,6 +26,9 @@ postgresql:
env:
anonymous_reports: "off"
database: "postgres"
envFrom:
- configMapRef:
name: env-config
# - ingress resources are created without hosts
admin:
ingress:
@@ -63,3 +69,11 @@ deployment:
requests:
cpu: "100m"
memory: "64Mi"
extraObjects:
- apiVersion: v1
kind: ConfigMap
metadata:
name: env-config
data:
test-env: test

1
build_system/charts/open-appsec-kong/example-values/doc-examples/quickstart-enterprise-licensed-aio.yaml
View File

@@ -1,3 +1,4 @@
demo: true
admin:
annotations:
konghq.com/protocol: https

14
build_system/charts/open-appsec-kong/templates/NOTES.txt
View File

@@ -26,3 +26,17 @@ Kong: https://docs.konghq.com/kubernetes-ingress-controller/latest/guides/gettin
{{- end -}}
{{- include "kong.deprecation-warnings" $warnings -}}
{{- if .Values.demo -}}
#############################################################################################
##### WARNING: DEMO VALUES USED
#############################################################################################
The values file used has been marked as a demo configuration.
It should NOT be used in production without comprehensive review of all settings provided.
#############################################################################################
##### WARNING: DEMO VALUES USED
#############################################################################################
{{- end -}}

91
build_system/charts/open-appsec-kong/templates/_helpers.tpl
View File

@@ -267,6 +267,7 @@ Generic tool for creating KONG_PROXY_LISTEN, KONG_ADMIN_LISTEN, etc.
*/}}
{{- define "kong.listen" -}}
{{- $unifiedListen := list -}}
{{- $defaultAddrs := (list "0.0.0.0" "[::]") -}}
{{/* Some services do not support these blocks at all, so these checks are a
two-stage "is it safe to evaluate this?" and then "should we evaluate
@@ -276,9 +277,12 @@ Generic tool for creating KONG_PROXY_LISTEN, KONG_ADMIN_LISTEN, etc.
{{- if .http.enabled -}}
{{- $listenConfig := dict -}}
{{- $listenConfig := merge $listenConfig .http -}}
{{- $_ := set $listenConfig "address" (default "0.0.0.0" .address) -}}
{{- $httpListen := (include "kong.singleListen" $listenConfig) -}}
{{- $unifiedListen = append $unifiedListen $httpListen -}}
{{- $addresses := (default $defaultAddrs .addresses) -}}
{{- range $addresses -}}
{{- $_ := set $listenConfig "address" . -}}
{{- $httpListen := (include "kong.singleListen" $listenConfig) -}}
{{- $unifiedListen = append $unifiedListen $httpListen -}}
{{- end -}}
{{- end -}}
{{- end -}}
@@ -295,9 +299,12 @@ Generic tool for creating KONG_PROXY_LISTEN, KONG_ADMIN_LISTEN, etc.
{{- $listenConfig := merge $listenConfig .tls -}}
{{- $parameters := append .tls.parameters "ssl" -}}
{{- $_ := set $listenConfig "parameters" $parameters -}}
{{- $_ := set $listenConfig "address" (default "0.0.0.0" .address) -}}
{{- $tlsListen := (include "kong.singleListen" $listenConfig) -}}
{{- $unifiedListen = append $unifiedListen $tlsListen -}}
{{- $addresses := (default $defaultAddrs .addresses) -}}
{{- range $addresses -}}
{{- $_ := set $listenConfig "address" . -}}
{{- $tlsListen := (include "kong.singleListen" $listenConfig) -}}
{{- $unifiedListen = append $unifiedListen $tlsListen -}}
{{- end -}}
{{- end -}}
{{- end -}}
@@ -332,19 +339,22 @@ Create KONG_STREAM_LISTEN string
*/}}
{{- define "kong.streamListen" -}}
{{- $unifiedListen := list -}}
{{- $address := (default "0.0.0.0" .address) -}}
{{- $defaultAddrs := (list "0.0.0.0" "[::]") -}}
{{- range .stream -}}
{{- $listenConfig := dict -}}
{{- $listenConfig := merge $listenConfig . -}}
{{- $_ := set $listenConfig "address" $address -}}
{{/* You set NGINX stream listens to UDP using a parameter due to historical reasons.
Our configuration is dual-purpose, for both the Service and listen string, so we
forcibly inject this parameter if that's the Service protocol. The default handles
configs that predate the addition of the protocol field, where we only supported TCP. */}}
{{- if (eq (default "TCP" .protocol) "UDP") -}}
{{- $_ := set $listenConfig "parameters" (append (default (list) .parameters) "udp") -}}
{{- $addresses := (default $defaultAddrs .addresses) -}}
{{- range $addresses -}}
{{- $_ := set $listenConfig "address" . -}}
{{/* You set NGINX stream listens to UDP using a parameter due to historical reasons.
Our configuration is dual-purpose, for both the Service and listen string, so we
forcibly inject this parameter if that's the Service protocol. The default handles
configs that predate the addition of the protocol field, where we only supported TCP. */}}
{{- if (eq (default "TCP" $listenConfig.protocol) "UDP") -}}
{{- $_ := set $listenConfig "parameters" (append (default (list) $listenConfig.parameters) "udp") -}}
{{- end -}}
{{- $unifiedListen = append $unifiedListen (include "kong.singleListen" $listenConfig ) -}}
{{- end -}}
{{- $unifiedListen = append $unifiedListen (include "kong.singleListen" $listenConfig ) -}}
{{- end -}}
{{- $listenString := ($unifiedListen | join ", ") -}}
@@ -827,6 +837,7 @@ The name of the Service which will be used by the controller to update the Ingre
{{ toYaml .Values.containerSecurityContext | nindent 4 }}
env:
{{- include "kong.env" . | nindent 2 }}
{{- include "kong.envFrom" .Values.envFrom | nindent 2 }}
{{/* TODO the prefix override is to work around https://github.com/Kong/charts/issues/295
Note that we use args instead of command here to /not/ override the standard image entrypoint. */}}
args: [ "/bin/bash", "-c", "export KONG_NGINX_DAEMON=on KONG_PREFIX=`mktemp -d` KONG_KEYRING_ENABLED=off; until kong start; do echo 'waiting for db'; sleep 1; done; kong stop"]
@@ -879,6 +890,9 @@ The name of the Service which will be used by the controller to update the Ingre
containerPort: 10255
protocol: TCP
{{- end }}
- name: status
containerPort: 10254
protocol: TCP
env:
- name: POD_NAME
valueFrom:
@@ -891,6 +905,7 @@ The name of the Service which will be used by the controller to update the Ingre
apiVersion: v1
fieldPath: metadata.namespace
{{- include "kong.ingressController.env" . | indent 2 }}
{{ include "kong.envFrom" .Values.ingressController.envFrom | indent 2 }}
image: {{ include "kong.getRepoTag" .Values.ingressController.image }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{/* disableReadiness is a hidden setting to drop this block entirely for use with a debugger
@@ -967,13 +982,11 @@ the template that it itself is using form the above sections.
{{- end -}}
{{- with .Values.admin -}}
{{- $address := "0.0.0.0" -}}
{{- if (not .enabled) -}}
{{- $address = "127.0.0.1" -}}
{{- end -}}
{{- $listenConfig := dict -}}
{{- $listenConfig := merge $listenConfig . -}}
{{- $_ := set $listenConfig "address" (default $address .address) -}}
{{- if (and (not (hasKey . "addresses")) (not .enabled)) -}}
{{- $_ := set $listenConfig "addresses" (list "127.0.0.1" "[::1]") -}}
{{- end -}}
{{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}}
{{- if or .tls.client.secretName .tls.client.caBundle -}}
@@ -1145,7 +1158,9 @@ the template that it itself is using form the above sections.
{{- end }}
{{- end }}
{{- if (.Values.plugins) }}
{{- $_ := set $autoEnv "KONG_PLUGINS" (include "kong.plugins" .) -}}
{{- end }}
{{/*
====== USER-SET ENVIRONMENT VARIABLES ======
@@ -1222,6 +1237,7 @@ Environment variables are sorted alphabetically
imagePullPolicy: {{ .Values.waitImage.pullPolicy }}
env:
{{- include "kong.no_daemon_env" . | nindent 2 }}
{{- include "kong.envFrom" .Values.envFrom | nindent 2 }}
command: [ "bash", "/wait_postgres/wait.sh" ]
volumeMounts:
- name: {{ template "kong.fullname" . }}-bash-wait-for-postgres
@@ -1255,7 +1271,6 @@ Kubernetes namespace-scoped resources it uses to build Kong configuration.
Collectively, these are built from:
kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac?ref=main
kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac/knative?ref=main
kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac/gateway?ref=main
However, there is no way to generate the split between cluster and namespaced
@@ -1648,6 +1663,24 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration.
- get
- list
- watch
{{- if (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults
verbs:
- get
- list
- watch
- apiGroups:
- configuration.konghq.com
resources:
- kongvaults/status
verbs:
- get
- patch
- update
{{- end }}
- apiGroups:
- configuration.konghq.com
resources:
@@ -1689,6 +1722,14 @@ Kubernetes Cluster-scoped resources it uses to build Kong configuration.
verbs:
- get
- update
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
{{- end }}
- apiGroups:
- networking.k8s.io
@@ -1745,6 +1786,14 @@ extensions/v1beta1
{{- end -}}
{{- (toYaml $proxyReadiness) -}}
{{- end -}}
{{- define "kong.envFrom" -}}
{{- if (gt (len .) 0) -}}
envFrom:
{{- toYaml . | nindent 2 -}}
{{- else -}}
{{- end -}}
{{- end -}}
{{/*
appsec labels
*/}}

2
build_system/charts/open-appsec-kong/templates/appsec.yaml
View File

@@ -112,6 +112,7 @@ spec:
- "$KONG_PREFIX/pids"
env:
{{- include "kong.env" . | nindent 8 }}
{{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}
{{- if .Values.deployment.initContainers }}
@@ -229,6 +230,7 @@ spec:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
{{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
lifecycle:
{{- toYaml .Values.lifecycle | nindent 10 }}
ports:

2
build_system/charts/open-appsec-kong/templates/deployment.yaml
View File

@@ -101,6 +101,7 @@ spec:
- "$KONG_PREFIX/pids"
env:
{{- include "kong.env" . | nindent 8 }}
{{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}
{{- if .Values.deployment.initContainers }}
@@ -136,6 +137,7 @@ spec:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
{{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
lifecycle:
{{- toYaml .Values.lifecycle | nindent 10 }}
ports:

1
build_system/charts/open-appsec-kong/templates/migrations-post-upgrade.yaml
View File

@@ -72,6 +72,7 @@ spec:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
{{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
args: [ "kong", "migrations", "finish" ]
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}

1
build_system/charts/open-appsec-kong/templates/migrations-pre-upgrade.yaml
View File

@@ -74,6 +74,7 @@ spec:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
{{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
args: [ "kong", "migrations", "up" ]
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}

1
build_system/charts/open-appsec-kong/templates/migrations.yaml
View File

@@ -78,6 +78,7 @@ spec:
{{ toYaml .Values.containerSecurityContext | nindent 10 }}
env:
{{- include "kong.no_daemon_env" . | nindent 8 }}
{{- include "kong.envFrom" .Values.envFrom | nindent 8 }}
args: [ "kong", "migrations", "bootstrap" ]
volumeMounts:
{{- include "kong.volumeMounts" . | nindent 8 }}

12
build_system/charts/open-appsec-kong/values.yaml
View File

@@ -120,6 +120,10 @@ env:
# name: api_key
# client_name: testClient
# Load all ConfigMap or Secret keys as environment variables:
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
envFrom: []
# This section can be used to configure some extra labels that will be added to each Kubernetes object generated.
extraLabels: {}
@@ -565,6 +569,10 @@ ingressController:
# customEnv:
# TZ: "Europe/Berlin"
# Load all ConfigMap or Secret keys as environment variables:
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
envFrom: []
admissionWebhook:
enabled: true
failurePolicy: Ignore
@@ -1247,7 +1255,7 @@ appsec:
#registry:
repository: ghcr.io/openappsec
image: "agent"
tag: "1.1.3"
tag: "1.1.5"
pullPolicy: Always
securityContext:
@@ -1261,7 +1269,7 @@ appsec:
kong:
image:
repository: "ghcr.io/openappsec/kong-attachment"
tag: "1.1.3"
tag: "1.1.5"
configMapName: appsec-settings-configmap
configMapContent:
crowdsec: