github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-10-01 03:57:44 +03:00
Code Issues Packages Projects Releases Wiki Activity

Updating open-appsec helm charts

Browse Source
This commit is contained in:
Ned Wright
2023-12-27 17:06:44 +02:00
parent 12da9547dd
commit 4f58819eaf
160 changed files with 2028 additions and 899 deletions
Download Patch File Download Diff File Expand all files Collapse all files

325
build_system/charts/open-appsec-k8s-nginx-ingress/values.yaml
View File

@@ -9,7 +9,6 @@
# -- Override the deployment namespace; defaults to .Release.Namespace
namespaceOverride: ""
## Labels to apply to all resources
##
commonLabels: {}
@@ -27,13 +26,17 @@ controller:
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository:
tag: "v1.9.4"
digest: sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
digestChroot: sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
tag: "v1.9.5"
digest: sha256:b3aba22b1da80e7acfc52b115cae1d4c687172cbf2b742d5b502419c25ff340e
digestChroot: sha256:9a8d7b25a846a6461cd044b9aea9cf6cad972bcf2e64d9fd246c0279979aad2d
pullPolicy: IfNotPresent
runAsNonRoot: true
# www-data -> uid 101
runAsUser: 101
allowPrivilegeEscalation: true
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: false
# -- Use an existing PSP instead of creating one
existingPsp: ""
# -- Configures the controller container name
@@ -127,13 +130,15 @@ controller:
podLabels: {}
# key: value
# -- Security Context policies for controller pods
# -- Security context for controller pods
podSecurityContext: {}
# -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls
# -- sysctls for controller pods
## Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
sysctls: {}
# sysctls:
# "net.core.somaxconn": "8192"
# -- Security context for controller containers
containerSecurityContext: {}
# -- Allows customization of the source of the IP address or FQDN to report
# in the ingress status field. By default, it reads the information provided
# by the service. If disable, the status field reports the IP address of the
@@ -173,6 +178,9 @@ controller:
extraArgs: {}
## extraArgs:
## default-ssl-certificate: "<namespace>/<secret_name>"
## time-buckets: "0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10"
## length-buckets: "10,20,30,40,50,60,70,80,90,100"
## size-buckets: "10,100,1000,10000,100000,1e+06,1e+07"
# -- Additional environment variables to set
extraEnvs: []
@@ -339,7 +347,7 @@ controller:
# -- Minimum available pods set in PodDisruptionBudget.
# Define either 'minAvailable' or 'maxUnavailable', never both.
minAvailable: 1
# -- Maximum unavalaile pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
# -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
# maxUnavailable: 1
## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
@@ -435,96 +443,170 @@ controller:
configMapName: ""
configMapKey: ""
service:
# -- Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service.
enabled: true
# -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were
# using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
# It allows choosing the protocol for each backend specified in the Kubernetes service.
# See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244
# Will be ignored for Kubernetes versions older than 1.20
##
appProtocol: true
# -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
external:
# -- Enable the external controller service or not. Useful for internal-only deployments.
enabled: true
# -- Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service.
annotations: {}
# -- Labels to be added to both controller services.
labels: {}
# clusterIP: ""
# -- List of IP addresses at which the controller services are available
## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
##
# -- Type of the external controller service.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
type: LoadBalancer
# -- Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services.
# This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
clusterIP: ""
# -- List of node IP addresses at which the external controller service is available.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
externalIPs: []
# -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
# -- Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
loadBalancerIP: ""
# -- Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default.
loadBalancerSourceRanges: []
# -- Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
# -- Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
loadBalancerClass: ""
enableHttp: true
enableHttps: true
## Set external traffic policy to: "Local" to preserve source IP on providers supporting it.
## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
# externalTrafficPolicy: ""
# -- Enable node port allocation for the external controller service or not. Applies to type `LoadBalancer` only.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
# allocateLoadBalancerNodePorts: true
## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None".
## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
# sessionAffinity: ""
## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isnt specified,
## the service controller allocates a port from your clusters NodePort range.
## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
# -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it.
# Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
externalTrafficPolicy: ""
# -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
# Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
sessionAffinity: ""
# -- Specifies the health check node port (numeric port number) for the external controller service.
# If not specified, the service controller allocates a port from your cluster's node port range.
# Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
# healthCheckNodePort: 0
# -- Represents the dual-stack-ness requested or required by this Service. Possible values are
# SingleStack, PreferDualStack or RequireDualStack.
# The ipFamilies and clusterIPs fields depend on the value of this field.
## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
ipFamilyPolicy: "SingleStack"
# -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically
# based on cluster configuration and the ipFamilyPolicy field.
## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
# -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
# Fields `ipFamilies` and `clusterIP` depend on the value of this field.
# Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
ipFamilyPolicy: SingleStack
# -- List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field.
# Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
ipFamilies:
- IPv4
# -- Enable the HTTP listener on both controller services or not.
enableHttp: true
# -- Enable the HTTPS listener on both controller services or not.
enableHttps: true
ports:
# -- Port the external HTTP listener is published with.
http: 80
# -- Port the external HTTPS listener is published with.
https: 443
targetPorts:
# -- Port of the ingress controller the external HTTP listener is mapped to.
http: http
# -- Port of the ingress controller the external HTTPS listener is mapped to.
https: https
type: LoadBalancer
## type: NodePort
## nodePorts:
## http: 32080
## https: 32443
## tcp:
## 8080: 32808
# -- Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
appProtocol: true
nodePorts:
# -- Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range.
http: ""
# -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
https: ""
# -- Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range.
# Example:
# tcp:
# 8080: 30080
tcp: {}
# -- Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range.
# Example:
# udp:
# 53: 30053
udp: {}
external:
enabled: true
internal:
# -- Enables an additional internal load balancer (besides the external one).
# -- Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this.
enabled: false
# -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
# -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
annotations: {}
# -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS.
# -- Type of the internal controller service.
# Defaults to the value of `controller.service.type`.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
type: ""
# -- Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services.
# This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
clusterIP: ""
# -- List of node IP addresses at which the internal controller service is available.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
externalIPs: []
# -- Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
loadBalancerIP: ""
# -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0.
# -- Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default.
loadBalancerSourceRanges: []
## Set external traffic policy to: "Local" to preserve source IP on
## providers supporting it
## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
# externalTrafficPolicy: ""
# -- Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
loadBalancerClass: ""
# -- Enable node port allocation for the internal controller service or not. Applies to type `LoadBalancer` only.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
# allocateLoadBalancerNodePorts: true
# -- Custom port mapping for internal service
# -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it.
# Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
externalTrafficPolicy: ""
# -- Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
# Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
sessionAffinity: ""
# -- Specifies the health check node port (numeric port number) for the internal controller service.
# If not specified, the service controller allocates a port from your cluster's node port range.
# Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
# healthCheckNodePort: 0
# -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
# Fields `ipFamilies` and `clusterIP` depend on the value of this field.
# Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
ipFamilyPolicy: SingleStack
# -- List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field.
# Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
ipFamilies:
- IPv4
ports: {}
# http: 80
# https: 443
# -- Port the internal HTTP listener is published with.
# Defaults to the value of `controller.service.ports.http`.
# http: 80
# -- Port the internal HTTPS listener is published with.
# Defaults to the value of `controller.service.ports.https`.
# https: 443
# -- Custom target port mapping for internal service
targetPorts: {}
# http: http
# https: https
# -- Port of the ingress controller the internal HTTP listener is mapped to.
# Defaults to the value of `controller.service.targetPorts.http`.
# http: http
# -- Port of the ingress controller the internal HTTPS listener is mapped to.
# Defaults to the value of `controller.service.targetPorts.https`.
# https: https
# -- Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
appProtocol: true
nodePorts:
# -- Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range.
http: ""
# -- Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
https: ""
# -- Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range.
# Example:
# tcp:
# 8080: 30080
tcp: {}
# -- Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range.
# Example:
# udp:
# 53: 30053
udp: {}
# shareProcessNamespace enables process namespace sharing within the pod.
# This can be used for example to signal log rotation using `kill -USR1` from a sidecar.
shareProcessNamespace: false
@@ -571,9 +653,26 @@ controller:
# -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module
extraModules: []
# - name: mytestmodule
# image: registry.k8s.io/ingress-nginx/mytestmodule
# image:
# registry: registry.k8s.io
# image: ingress-nginx/mytestmodule
# ## for backwards compatibility consider setting the full image url via the repository value below
# ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
# ## repository:
# tag: "v1.0.0"
# digest: ""
# distroless: false
# containerSecurityContext:
# runAsNonRoot: true
# runAsUser: <user-id>
# allowPrivilegeEscalation: false
# seccompProfile:
# type: RuntimeDefault
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# resources: {}
#
# The image must contain a `/usr/local/bin/init_module.sh` executable, which
# will be executed as initContainers, to move its config files within the
@@ -581,11 +680,30 @@ controller:
opentelemetry:
enabled: false
image: registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
name: opentelemetry
image:
registry: registry.k8s.io
image: ingress-nginx/opentelemetry
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository:
tag: "v20230721-3e2062ee5"
digest: sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
distroless: true
containerSecurityContext:
runAsNonRoot: true
# -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`.
runAsUser: 65532
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources: {}
admissionWebhooks:
name: admission
annotations: {}
# ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".
@@ -622,8 +740,18 @@ controller:
servicePort: 443
type: ClusterIP
createSecretJob:
name: create
# -- Security context for secret creation containers
securityContext:
runAsNonRoot: true
runAsUser: 65532
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources: {}
# limits:
# cpu: 10m
@@ -632,8 +760,18 @@ controller:
# cpu: 10m
# memory: 20Mi
patchWebhookJob:
name: patch
# -- Security context for webhook patch containers
securityContext:
runAsNonRoot: true
runAsUser: 65532
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources: {}
patch:
enabled: true
@@ -650,15 +788,17 @@ controller:
##
priorityClassName: ""
podAnnotations: {}
# NetworkPolicy for webhook patch
networkPolicy:
# -- Enable 'networkPolicy' or not
enabled: false
nodeSelector:
kubernetes.io/os: linux
tolerations: []
# -- Labels to be added to patch job resources
labels: {}
securityContext:
runAsNonRoot: true
runAsUser: 2000
fsGroup: 2000
# -- Security context for secret creation & webhook patch pods
securityContext: {}
# Use certmanager to generate webhook certs
certManager:
enabled: false
@@ -698,6 +838,7 @@ controller:
serviceMonitor:
enabled: false
additionalLabels: {}
annotations: {}
## The label to use to retrieve the job name from.
## jobLabel: "app.kubernetes.io/name"
namespace: ""
@@ -725,8 +866,13 @@ controller:
# annotations:
# description: bad ingress config - nginx config test failed
# summary: uninstall the latest ingress changes to allow config reloads to resume
# # By default a fake self-signed certificate is generated as default and
# # it is fine if it expires. If `--default-ssl-certificate` flag is used
# # and a valid certificate passed please do not filter for `host` label!
# # (i.e. delete `{host!="_"}` so also the default SSL certificate is
# # checked for expiration)
# - alert: NGINXCertificateExpiry
# expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800
# expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds{host!="_"}) by (host) - time()) < 604800
# for: 1s
# labels:
# severity: critical
@@ -779,11 +925,13 @@ defaultBackend:
## repository:
tag: "1.5"
pullPolicy: IfNotPresent
runAsNonRoot: true
# nobody user -> uid 65534
runAsUser: 65534
runAsNonRoot: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
# -- Use an existing PSP instead of creating one
existingPsp: ""
extraArgs: {}
@@ -829,15 +977,9 @@ defaultBackend:
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
affinity: {}
# -- Security Context policies for controller pods
# See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
# notes on enabling and using sysctls
##
# -- Security context for default backend pods
podSecurityContext: {}
# -- Security Context policies for controller main container.
# See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
# notes on enabling and using sysctls
##
# -- Security context for default backend containers
containerSecurityContext: {}
# -- Labels to add to the pod container metadata
podLabels: {}
@@ -871,6 +1013,21 @@ defaultBackend:
# - name: copy-portal-skins
# emptyDir: {}
extraConfigMaps: []
## Additional configmaps to the default backend pod.
# - name: my-extra-configmap-1
# labels:
# type: config-1
# data:
# extra_file_1.html: |
# <!-- Extra HTML content for ConfigMap 1 -->
# - name: my-extra-configmap-2
# labels:
# type: config-2
# data:
# extra_file_2.html: |
# <!-- Extra HTML content for ConfigMap 2 -->
autoscaling:
annotations: {}
enabled: false