mirror of
https://github.com/openappsec/openappsec.git
synced 2025-10-01 03:57:44 +03:00
Updating open-appsec helm charts
This commit is contained in:
Ned Wright
@@ -31,35 +31,39 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
|
||||
Expand the namespace of the release.
|
||||
Allows overriding it for multi-namespace deployments in combined charts.
|
||||
*/}}
|
||||
{{- define "ingress-nginx.namespace" -}}
|
||||
{{- if .Values.namespaceOverride -}}
|
||||
{{- .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- .Release.Namespace -}}
|
||||
{{- end -}}
|
||||
{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
|
||||
{{/*
|
||||
Container SecurityContext.
|
||||
Controller container security context.
|
||||
*/}}
|
||||
{{- define "controller.containerSecurityContext" -}}
|
||||
{{- define "ingress-nginx.controller.containerSecurityContext" -}}
|
||||
{{- if .Values.controller.containerSecurityContext -}}
|
||||
{{- toYaml .Values.controller.containerSecurityContext -}}
|
||||
{{- else -}}
|
||||
runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }}
|
||||
runAsUser: {{ .Values.controller.image.runAsUser }}
|
||||
allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
|
||||
{{- if .Values.controller.image.seccompProfile }}
|
||||
seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }}
|
||||
{{- end }}
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- NET_BIND_SERVICE
|
||||
{{- if .Values.controller.image.chroot }}
|
||||
{{- if .Values.controller.image.seccompProfile }}
|
||||
- SYS_ADMIN
|
||||
{{- end }}
|
||||
- SYS_CHROOT
|
||||
{{- end }}
|
||||
runAsUser: {{ .Values.controller.image.runAsUser }}
|
||||
allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
|
||||
{{- end }}
|
||||
readOnlyRootFilesystem: {{ .Values.controller.image.readOnlyRootFilesystem }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
@@ -113,7 +117,6 @@ By convention this will simply use the <namespace>/<controller-name> to match th
|
||||
service generated.
|
||||
|
||||
Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride`
|
||||
|
||||
*/}}
|
||||
{{- define "ingress-nginx.controller.publishServicePath" -}}
|
||||
{{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}}
|
||||
@@ -121,14 +124,6 @@ Users can provide an override for an explicit service they want bound via `.Valu
|
||||
{{- print $servicePath | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified default backend name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "ingress-nginx.defaultBackend.fullname" -}}
|
||||
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
@@ -164,6 +159,38 @@ Create the name of the controller service account to use
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified admission webhook name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "ingress-nginx.admissionWebhooks.fullname" -}}
|
||||
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified admission webhook secret creation job name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "ingress-nginx.admissionWebhooks.createSecretJob.fullname" -}}
|
||||
{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.createSecretJob.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified admission webhook patch job name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" -}}
|
||||
{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patchWebhookJob.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified default backend name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "ingress-nginx.defaultBackend.fullname" -}}
|
||||
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
|
||||
*/}}
|
||||
@@ -175,6 +202,26 @@ Create the name of the backend service account to use - only used when podsecuri
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Default backend container security context.
|
||||
*/}}
|
||||
{{- define "ingress-nginx.defaultBackend.containerSecurityContext" -}}
|
||||
{{- if .Values.defaultBackend.containerSecurityContext -}}
|
||||
{{- toYaml .Values.defaultBackend.containerSecurityContext -}}
|
||||
{{- else -}}
|
||||
runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
|
||||
runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
|
||||
allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
|
||||
{{- if .Values.defaultBackend.image.seccompProfile }}
|
||||
seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }}
|
||||
{{- end }}
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the appropriate apiGroup for PodSecurityPolicy.
|
||||
*/}}
|
||||
@@ -210,19 +257,24 @@ Extra modules.
|
||||
*/}}
|
||||
{{- define "extraModules" -}}
|
||||
- name: {{ .name }}
|
||||
image: {{ .image }}
|
||||
{{- if .distroless | default false }}
|
||||
command: ['/init_module']
|
||||
{{- with .image }}
|
||||
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
|
||||
command:
|
||||
{{- if .distroless }}
|
||||
- /init_module
|
||||
{{- else }}
|
||||
command: ['sh', '-c', '/usr/local/bin/init_module.sh']
|
||||
- sh
|
||||
- -c
|
||||
- /usr/local/bin/init_module.sh
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .containerSecurityContext }}
|
||||
securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }}
|
||||
securityContext: {{ toYaml .containerSecurityContext | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .resources }}
|
||||
resources: {{ .resources | toYaml | nindent 4 }}
|
||||
resources: {{ toYaml .resources | nindent 4 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: {{ toYaml "modules"}}
|
||||
mountPath: {{ toYaml "/modules_mount"}}
|
||||
- name: modules
|
||||
mountPath: /modules_mount
|
||||
{{- end -}}
|
||||
|
||||
Reference in New Issue
Block a user